Closed
Bug 916685
(CVE-2013-5601)
Opened 10 years ago
Closed 10 years ago
ASAN use-after free in GC allocation in nsEventListenerManager::SetEventHandler
Categories
(Core :: DOM: Events, defect)
Tracking
()
RESOLVED
FIXED
mozilla27
| Tracking | Status | |
|---|---|---|
| firefox24 | --- | wontfix |
| firefox25 | + | fixed |
| firefox26 | + | fixed |
| firefox27 | + | verified |
| firefox-esr17 | --- | unaffected |
| firefox-esr24 | 25+ | fixed |
| b2g18 | --- | unaffected |
| b2g-v1.1hd | --- | unaffected |
| b2g-v1.2 | --- | fixed |
People
(Reporter: nils, Assigned: smaug)
References
Details
(Keywords: csectype-uaf, regression, sec-critical, Whiteboard: [asan][adv-main25+][adv-esr24-1+])
Attachments
(3 files)
|
2.16 KB,
text/html
|
Details | |
|
15.87 KB,
text/plain
|
Details | |
|
1.74 KB,
patch
|
bzbarsky
:
review+
abillings
:
approval-mozilla-aurora+
abillings
:
approval-mozilla-beta+
abillings
:
approval-mozilla-esr24+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
The attached testcase crashes the nightly ASAN build. It require domFuzzLite3. ASAN output attached in stack.txt.
|
Assignee | |
Updated•10 years ago
|
Attachment #805180 -
Attachment mime type: text/plain → text/html
|
|
Assignee | |
Comment 4•10 years ago
|
||
Bring back the pre-EventHandler behavior
Assignee: continuation → bugs
Attachment #810312 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Comment 5•10 years ago
|
||
http://mxr.mozilla.org/comm-esr17/source/mozilla/content/events/src/nsEventListenerManager.cpp?rev=618ffd249ae7&mark=778-780#777 has the old behavior.
|
||
Comment 6•10 years ago
|
||
Comment on attachment 810312 [details] [diff] [review] patch r=me, but how are we getting a null boundHandler here? Is the JSObjectFromInterface failing? Seems like the only way that could happen...
Attachment #810312 -
Flags: review?(bzbarsky) → review+
|
|
Assignee | |
Comment 7•10 years ago
|
||
We end up to BindCompiledEventHandler when mIsInitialized is false. nsJSContext hasn't been unlinked yet, so we're dealing with a context which initialization somehow failed.
|
|
Assignee | |
Comment 8•10 years ago
|
||
Comment on attachment 810312 [details] [diff] [review] patch [Approval Request Comment] Bug caused by (feature/regressing bug #): I think Bug 807226 User impact if declined: crashes, possibly exploitable Testing completed (on m-c, etc.): NA Risk to taking this patch (and alternatives if risky): Should be safe. Setting a member variable explicitly to null String or IDL/UUID changes made by this patch: NA
Attachment #810312 -
Flags: sec-approval?
Attachment #810312 -
Flags: approval-mozilla-esr24?
Attachment #810312 -
Flags: approval-mozilla-beta?
Attachment #810312 -
Flags: approval-mozilla-aurora?
|
||
Updated•10 years ago
|
status-b2g18:
--- → ?
status-firefox24:
--- → wontfix
status-firefox25:
--- → affected
status-firefox26:
--- → affected
status-firefox27:
--- → affected
status-firefox-esr17:
--- → unaffected
status-firefox-esr24:
--- → affected
tracking-firefox27:
--- → +
|
|
||
Comment 9•10 years ago
|
||
Comment on attachment 810312 [details] [diff] [review] patch sec-approval+ for trunk. As you say, this looks pretty safe so I'm giving it branch approval elsewhere for after it makes it into trunk and things are green. Is B2G affected?
Attachment #810312 -
Flags: sec-approval?
Attachment #810312 -
Flags: sec-approval+
Attachment #810312 -
Flags: approval-mozilla-esr24?
Attachment #810312 -
Flags: approval-mozilla-esr24+
Attachment #810312 -
Flags: approval-mozilla-beta?
Attachment #810312 -
Flags: approval-mozilla-beta+
Attachment #810312 -
Flags: approval-mozilla-aurora?
Attachment #810312 -
Flags: approval-mozilla-aurora+
|
|
||
Updated•10 years ago
|
|
|
Assignee | |
Comment 10•10 years ago
|
||
I have no idea which branch b2g uses these days, so I don't know whether it is affected. b2g-18 shouldn't be.
|
|
Assignee | |
Comment 11•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/802e8457aef7
|
||
Updated•10 years ago
|
status-b2g-v1.2:
--- → affected
|
||
Comment 12•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/802e8457aef7
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
|
|
||
Comment 13•10 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/a684bd944d90 https://hg.mozilla.org/releases/mozilla-beta/rev/e57b395d27d3 https://hg.mozilla.org/releases/mozilla-esr24/rev/79e83c7512d5
|
||
Comment 14•10 years ago
|
||
Hi Nils - I'm not able to recreate the crash with an ASan build from 2013-09-16 and the domFuzz extension. Would you mind trying this on a recent build to verify that we've indeed fixed it? Any branch. Thank you.
|
Reporter | |
Comment 15•10 years ago
|
||
Hi Matt, I can confirm that this testcase doesn't crash anymore in the latest ASAN build. I will keep a look out for similar crashes in my next fuzzing run.
|
|
||
Comment 16•10 years ago
|
||
Thank you, Nils.
|
|
||
Updated•10 years ago
|
Whiteboard: [asan] → [asan][adv-main25+][adv-esr24-1+]
|
|
||
Updated•10 years ago
|
Alias: CVE-2013-5601
|
||
Updated•10 years ago
|
|
|
||
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•