Bug 916404 (CVE-2013-5603)

Heap-use-after-free in nsContentUtils::ContentIsHostIncludingDescendantOf

RESOLVED FIXED in Firefox 25, Firefox OS v1.2

Status

()

RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: inferno, Assigned: mrbkap)

Tracking

({csectype-uaf, regression, sec-critical})

Trunk
mozilla27
x86_64
All
csectype-uaf, regression, sec-critical
Points:
---
Bug Flags:
sec-bounty +
in-testsuite ?

Firefox Tracking Flags

(firefox24 wontfix, firefox25+ fixed, firefox26+ fixed, firefox27+ verified, firefox-esr17 unaffected, firefox-esr2425+ fixed, b2g18 unaffected, b2g-v1.1hd unaffected, b2g-v1.2 fixed)

Details

(Whiteboard: [asan][adv-main25+][adv-esr24-1+])

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
Created attachment 804830 [details]
Testcase

Need to install Jesse's fuzzPriv extension.

>==19928==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160020b5520 at pc 0x7f18a8bb0b38 bp 0x7fff1ca5cc20 sp 0x7fff1ca5cc18
>READ of size 8 at 0x6160020b5520 thread T0
>    #0 0x7f18a8bb0b37 in get objdir-ff-asan/content/base/src/../../../dist/include/nsCOMPtr.h:800
>    #1 0x7f18a8bb0b37 in operator-> objdir-ff-asan/content/base/src/../../../dist/include/nsCOMPtr.h:820
>    #2 0x7f18a8bb0b37 in NodeType objdir-ff-asan/content/base/src/../../../dist/include/nsINode.h:506
>    #3 0x7f18a8bb0b37 in nsContentUtils::ContentIsHostIncludingDescendantOf(nsINode const*, nsINode const*) content/base/src/nsContentUtils.cpp:1862
>    #4 0x7f18a8d15a72 in IsAllowedAsChild(nsIContent*, nsINode*, bool, nsINode*) content/base/src/nsINode.cpp:1542
>    #5 0x7f18a8d12720 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) content/base/src/nsINode.cpp:1747
>    #6 0x7f18ab855e25 in InsertBefore objdir-ff-asan/dom/bindings/../../dist/include/nsINode.h:1515
>    #7 0x7f18ab855e25 in mozilla::dom::NodeBinding::insertBefore(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) objdir-ff-asan/dom/bindings/NodeBinding.cpp:477
>    #8 0x7f18ab84d7fe in mozilla::dom::NodeBinding::genericMethod(JSContext*, unsigned int, JS::Value*) objdir-ff-asan/dom/bindings/NodeBinding.cpp:1230
>    #9 0x7f18ad83247a in native js/src/jscntxtinlines.h:218
>    #10 0x7f18ad83247a in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/vm/Interpreter.cpp:478
>    #11 0x7f18ad8257f7 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:2454
>    #12 0x7f18ad813ff1 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:435
>    #13 0x7f18ad8346fb in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) js/src/vm/Interpreter.cpp:619
>    #14 0x7f18ad834a56 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) js/src/vm/Interpreter.cpp:655
>    #15 0x7f18ada25f6d in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) js/src/jsapi.cpp:4897
>    #16 0x7f18a961f8eb in nsJSUtils::EvaluateString(JSContext*, nsAString_internal const&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions&, JS::Value*, void**) dom/base/nsJSUtils.cpp:280
>    #17 0x7f18a960d71f in nsJSContext::EvaluateString(nsAString_internal const&, JS::Handle<JSObject*>, JS::CompileOptions&, bool, JS::Value*, void**) dom/base/nsJSEnvironment.cpp:994
>    #18 0x7f18a95cb7a4 in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) dom/base/nsGlobalWindow.cpp:10489
>    #19 0x7f18a95aff22 in nsGlobalWindow::RunTimeout(nsTimeout*) dom/base/nsGlobalWindow.cpp:10733
>    #20 0x7f18a95ca9bc in nsGlobalWindow::TimerCallback(nsITimer*, void*) dom/base/nsGlobalWindow.cpp:10980
>    #21 0x7f18abff59d1 in nsTimerImpl::Fire() xpcom/threads/nsTimerImpl.cpp:546
>    #22 0x7f18abff6076 in nsTimerEvent::Run() xpcom/threads/nsTimerImpl.cpp:630
>    #23 0x7f18abfebb29 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:622
>    #24 0x7f18abf13601 in NS_ProcessNextEvent(nsIThread*, bool) objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:238
>    #25 0x7f18aacaaf30 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:116
>    #26 0x7f18ac105363 in RunInternal ipc/chromium/src/base/message_loop.cc:220
>    #27 0x7f18ac105363 in RunHandler ipc/chromium/src/base/message_loop.cc:213
>    #28 0x7f18ac105363 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:187
>    #29 0x7f18aaa94e2c in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:161
>    #30 0x7f18aa48318e in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:269
>    #31 0x7f18a78842f0 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:3869
>    #32 0x7f18a788522a in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:3937
>    #33 0x7f18a788615b in XRE_main toolkit/xre/nsAppRunner.cpp:4139
>    #34 0x45524d in do_main browser/app/nsBrowserApp.cpp:275
>    #35 0x45524d in main browser/app/nsBrowserApp.cpp:635
>    #36 0x7f18b6b4976c in
>    #37 0x45483c in _start
>0x6160020b5520 is located 32 bytes inside of 144-byte region [0x6160020b5500,0x6160020b5590)
>freed by thread T0 here:
>    #0 0x441785 in free _asan_rtl_
>    #1 0x7f18ac012144 in SnowWhiteKiller::~SnowWhiteKiller() xpcom/base/nsCycleCollector.cpp:1993
>    #2 0x7f18ac00967e in nsCycleCollector_doDeferredDeletion() xpcom/base/nsCycleCollector.cpp:3153
>    #3 0x7f18abfebb29 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:622
>    #4 0x7f18abf13601 in NS_ProcessNextEvent(nsIThread*, bool) objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:238
>    #5 0x7f18aacaaf51 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:81
>    #6 0x7f18ac105363 in RunInternal ipc/chromium/src/base/message_loop.cc:220
>    #7 0x7f18ac105363 in RunHandler ipc/chromium/src/base/message_loop.cc:213
>    #8 0x7f18ac105363 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:187
>    #9 0x7f18aaa94e2c in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:161
>    #10 0x7f18a788522a in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:3937
>    #11 0x7f18a788615b in XRE_main toolkit/xre/nsAppRunner.cpp:4139
>    #12 0x45524d in do_main browser/app/nsBrowserApp.cpp:275
>    #13 0x45524d in main browser/app/nsBrowserApp.cpp:635
>    #14 0x7f18b6b4976c in
>previously allocated by thread T0 here:
>    #0 0x4418c5 in malloc _asan_rtl_
>    #1 0x7f18b7f044e8 in moz_xmalloc memory/mozalloc/mozalloc.cpp:54
>Shadow bytes around the buggy address:
>  0x0c2c8040ea50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x0c2c8040ea60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0c2c8040ea70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0c2c8040ea80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0c2c8040ea90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>=>0x0c2c8040eaa0: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
>  0x0c2c8040eab0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0c2c8040eac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0c2c8040ead0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0c2c8040eae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0c2c8040eaf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>Shadow byte legend (one shadow byte represents 8 application bytes):
>  Addressable:           00
>  Partially addressable: 01 02 03 04 05 06 07
>  Heap left redzone:     fa
>  Heap right redzone:    fb
>  Freed heap region:     fd
>  Stack left redzone:    f1
>  Stack mid redzone:     f2
>  Stack right redzone:   f3
>  Stack partial redzone: f4
>  Stack after return:    f5
>  Stack use after scope: f8
>  Global redzone:        f9
>  Global init order:     f6
>  Poisoned by user:      f7
>  ASan internal:         fe
>==19928==ABORTING
>
>

Comment 1

5 years ago
Couldn't reproduce in a non-ASAN build. But based on the stack trace this might be 
regression from bug 818976.
Olli how would you rate this one?
Flags: needinfo?(bugs)
I am also unable to reproduce on m-c ASan build from 2013-09-11.

Comment 4

5 years ago
Stack trace hints sg-critical
Flags: needinfo?(bugs)
Keywords: sec-critical
(Reporter)

Comment 5

5 years ago
(In reply to Matt Wobensmith from comment #3)
> I am also unable to reproduce on m-c ASan build from 2013-09-11.

I just retested using trunk build. I can reproduce it very easily by loading testcase from command line. Did you forget to install the fuzzPriv extension https://www.squarefree.com/extensions/domFuzzLite3.xpi ?
Hi Matt just making sure comment 5 is on your radar.
Flags: needinfo?(mwobensmith)
Keywords: csec-uaf
Whiteboard: [asan]
Created attachment 808605 [details] [diff] [review]
Possible fix

HTMLTemplateElement needs to make sure that it calls SetHost(nullptr) on its mContent member, but if we get unlinked, then it's possible for us to null out mContent without calling SetHost first.
Attachment #808605 - Flags: review?(continuation)
Comment on attachment 808605 [details] [diff] [review]
Possible fix

Review of attachment 808605 [details] [diff] [review]:
-----------------------------------------------------------------

Fun.  Thanks for fixing this.
Attachment #808605 - Flags: review?(continuation) → review+
Assignee: nobody → mrbkap
Comment on attachment 808605 [details] [diff] [review]
Possible fix

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Moderate difficulty: it's clear that this has to do with template elements and their host. A little searching will show that the host will be the document fragment. The hardest part will be to make the jump to causing the CC to unlink (and collect) the template and then using the document fragment.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

Which older supported branches are affected by this flaw?

The code was checked in for Firefox 22.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

This patch applies to all branches.

How likely is this patch to cause regressions; how much testing does it need?

This patch is very safe, I don't see how it could cause any regressions off the top of my head (I manually expanded a macro and added a single, safe function call).
Attachment #808605 - Flags: sec-approval?
Attachment #808605 - Flags: approval-mozilla-beta?
Attachment #808605 - Flags: approval-mozilla-aurora?
status-b2g18: --- → ?
status-firefox24: --- → wontfix
status-firefox25: --- → affected
status-firefox26: --- → affected
status-firefox27: --- → affected
status-firefox-esr17: --- → unaffected
tracking-firefox25: --- → ?
tracking-firefox26: --- → ?
tracking-firefox27: --- → +
Comment on attachment 808605 [details] [diff] [review]
Possible fix

sec-approval+ for trunk. This should be safe enough to take on Aurora and Beta, I expect.
Attachment #808605 - Flags: sec-approval? → sec-approval+

Updated

5 years ago
tracking-firefox25: ? → +
tracking-firefox26: ? → +
Comment on attachment 808605 [details] [diff] [review]
Possible fix

Marking this for Aurora and Beta approval since it is in and we plussed it for branch tracking, which generally indicates release management approval. :-)
Attachment #808605 - Flags: approval-mozilla-beta?
Attachment #808605 - Flags: approval-mozilla-beta+
Attachment #808605 - Flags: approval-mozilla-aurora?
Attachment #808605 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/mozilla-central/rev/331a8e2fa56b
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox27: affected → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
https://hg.mozilla.org/releases/mozilla-aurora/rev/ad676365b814
https://hg.mozilla.org/releases/mozilla-beta/rev/39c1e363005c

Al, you marked firefox24 as wontfix, but should this be considered for esr24?
status-b2g18: ? → unaffected
status-b2g-v1.1hd: --- → unaffected
status-b2g-v1.2: --- → fixed
status-firefox25: affected → fixed
status-firefox26: affected → fixed
status-firefox-esr24: --- → affected
Yeah, good catch, this should go on ESR-17, pending approval or whatever.
tracking-firefox-esr24: --- → ?
ESR-24, rather.  My fingers are too trained to type "-17" once I type ESR, it would seem.
Yes, the "wontfix" for Firefox 24 doesn't apply to ESR24. That flag simply means "we shipped 24 and this wasn't fixed." 

This should be considered for 24.
I never was able to reproduce the crash. I definitely have fuzzPriv installed with ASan builds from around and before 2013-09-13.

Abhishek, can you verify this crash has been fixed, on any branch? Doing so would give us more confidence. Thank you.
(Reporter)

Comment 19

5 years ago
tested on trunk, it is fixed.
Thanks Abhishek!
status-firefox27: fixed → verified
Flags: needinfo?(mwobensmith)
tracking-firefox-esr24: ? → 25+
Attachment #808605 - Flags: approval-mozilla-esr24?

Updated

5 years ago
Attachment #808605 - Flags: approval-mozilla-esr24? → approval-mozilla-esr24+
Whiteboard: [asan] → [asan][adv-main25+]
Keywords: checkin-needed
https://hg.mozilla.org/releases/mozilla-esr24/rev/c19709803a23
status-firefox-esr24: affected → fixed
Keywords: checkin-needed
Whiteboard: [asan][adv-main25+] → [asan][adv-main25+][adv-esr24-1+]
Alias: CVE-2013-5603
Keywords: regression
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Group: core-security
You need to log in before you can comment on or make changes to this bug.