Bug 916685 - (CVE-2013-5601) ASAN use-after free in GC allocation in nsEventListenerManager::SetEventHandler
Status: RESOLVED FIXED
Whiteboard: [asan][adv-main25+][adv-esr24-1+]
Keywords: csectype-uaf, regression, sec-critical
Product: Core
Classification: Components
Component: DOM: Events
Version: Trunk
Platform: x86_64 Linux
Importance: -- normal
Target Milestone: mozilla27
Assigned To: Olli Pettay [:smaug]
Mentors:
Depends on:
Blocks: 807226
 
Reported: 2013-09-16 00:32 PDT by Nils
Modified: 2015-02-25 20:16 PST (History)
7 users (show)
ryanvm: in-testsuite?
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
Tracking flags: wontfix, +, fixed, +, fixed, +, verified, unaffected, 25+, fixed, unaffected, unaffected, fixed


Attachments
crash.html (2.16 KB, text/html), 2013-09-16 00:32 PDT, Nils, no flags
stack.txt (ASAN output) (15.87 KB, text/plain), 2013-09-16 00:32 PDT, Nils, no flags
patch (1.74 KB, patch), 2013-09-25 18:52 PDT, Olli Pettay [:smaug]
  bzbarsky: review+
  abillings: approval-mozilla-aurora+
  abillings: approval-mozilla-beta+
  abillings: approval-mozilla-esr24+
  abillings: sec-approval+

Description Nils 2013-09-16 00:32:06 PDT
Created attachment 805180 [details]
crash.html

The attached testcase crashes the nightly ASAN build. It requires domFuzzLite3. ASAN output is attached in stack.txt.
Comment 1 Nils 2013-09-16 00:32:33 PDT
Created attachment 805181 [details]
stack.txt (ASAN output)
Comment 2 David Bolter [:davidb] 2013-09-18 10:33:50 PDT
Sounds bad.
Comment 3 Andrew McCreight [:mccr8] 2013-09-23 09:22:44 PDT
I'll take a look at this this week.
Comment 4 Olli Pettay [:smaug] 2013-09-25 18:52:58 PDT
Created attachment 810312 [details] [diff] [review]
patch

Bring back the pre-EventHandler behavior
Comment 6 Boris Zbarsky [:bz] 2013-09-25 19:23:19 PDT
Comment on attachment 810312 [details] [diff] [review]
patch

r=me, but how are we getting a null boundHandler here?  Is the JSObjectFromInterface failing?  Seems like the only way that could happen...
Comment 7 Olli Pettay [:smaug] 2013-09-26 07:19:09 PDT
We end up in BindCompiledEventHandler when mIsInitialized is false. nsJSContext hasn't been
unlinked yet, so we're dealing with a context whose initialization somehow failed.
Comment 8 Olli Pettay [:smaug] 2013-09-26 09:19:21 PDT
Comment on attachment 810312 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): I think Bug 807226
User impact if declined: crashes, possibly exploitable
Testing completed (on m-c, etc.): NA
Risk to taking this patch (and alternatives if risky): Should be safe. Setting a member variable explicitly to null
String or IDL/UUID changes made by this patch: NA
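The defensive pattern behind the fix described in this comment, resetting a cached handler member to null on the failed-initialization path so that a later use hits a null check instead of a pointer to a GC-reclaimed object, modeled as an added C++ example. This is not Gecko code and not the attached patch: `Handler`, `ToyHeap`, `Listener`, `Outcome` and the `simulate*` functions are hypothetical names, and the toy heap only marks objects dead rather than freeing them so that the stale case can be reported instead of dereferenced (in the real bug ASan is what caught the dereference).

```cpp
#include <iostream>
#include <string>
#include <unordered_set>
#include <vector>

// Hypothetical stand-in for a GC-managed JS function object (not Gecko's JSObject).
struct Handler {
    std::string name;
};

// Toy heap that records which Handler objects the collector still considers
// alive. A real GC would also reclaim the storage; here the objects are kept
// so that a stale pointer can be detected rather than dereferenced.
class ToyHeap {
public:
    Handler* allocate(const std::string& name) {
        objects_.push_back(new Handler{name});  // owned by the heap for the demo's lifetime
        live_.insert(objects_.back());
        return objects_.back();
    }
    // Simulates a GC cycle reclaiming one object nothing traces to any more.
    void collect(Handler* h) { live_.erase(h); }
    bool isLive(const Handler* h) const { return live_.count(h) != 0; }
    ~ToyHeap() {
        for (Handler* h : objects_) delete h;
    }
private:
    std::vector<Handler*> objects_;
    std::unordered_set<const Handler*> live_;
};

// What happens when the listener is asked to run its handler.
enum class Outcome { Ran, NoHandler, StaleHandler };

// Models a listener manager that caches a pointer to the compiled handler,
// in the spirit of the boundHandler discussed in the bug (names are invented).
class Listener {
public:
    explicit Listener(const ToyHeap& heap) : heap_(heap) {}

    void bind(Handler* h) { mBoundHandler = h; }

    // Path taken when compiling/initialising the handler fails. The fixed
    // variant mirrors the approach in the approval request: explicitly reset
    // the member to null instead of leaving it pointing at an object the GC
    // is about to reclaim.
    void onInitializationFailed(bool clearMember) {
        if (clearMember) mBoundHandler = nullptr;
    }

    Outcome dispatch() const {
        if (mBoundHandler == nullptr) return Outcome::NoHandler;         // safe early return
        if (!heap_.isLive(mBoundHandler)) return Outcome::StaleHandler;  // would be a use-after-free
        return Outcome::Ran;
    }
private:
    const ToyHeap& heap_;
    Handler* mBoundHandler = nullptr;
};

// Runs the failure scenario end to end: bind, initialization fails, GC reclaims
// the handler object, then the listener is asked to dispatch an event.
Outcome simulateFailedInit(bool applyFix) {
    ToyHeap heap;
    Listener listener(heap);
    Handler* h = heap.allocate("onclick");  // constructed sample handler
    listener.bind(h);
    listener.onInitializationFailed(applyFix);
    heap.collect(h);  // nothing else keeps the handler alive once init failed
    return listener.dispatch();
}

// Control case: a handler that initialised normally and is still alive.
Outcome simulateHealthy() {
    ToyHeap heap;
    Listener listener(heap);
    listener.bind(heap.allocate("onclick"));
    return listener.dispatch();
}

int main() {
    std::cout << "healthy:          " << static_cast<int>(simulateHealthy()) << "\n";
    std::cout << "failed init, old: " << static_cast<int>(simulateFailedInit(false)) << "\n";
    std::cout << "failed init, fix: " << static_cast<int>(simulateFailedInit(true)) << "\n";
    return 0;
}
```

The point the model makes is that the null check in `dispatch()` is only useful if every path that can outlive the handler object also clears the cached pointer; the "old" variant keeps the same check and still reaches the stale pointer.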
Comment 9 Al Billings [:abillings] 2013-09-26 10:37:44 PDT
Comment on attachment 810312 [details] [diff] [review]
patch

sec-approval+ for trunk. As you say, this looks pretty safe so I'm giving it branch approval elsewhere for after it makes it into trunk and things are green.

Is B2G affected?
Comment 10 Olli Pettay [:smaug] 2013-09-26 12:39:12 PDT
I have no idea which branch b2g uses these days, so I don't know whether it is affected.
b2g-18 shouldn't be.
Comment 12 Ryan VanderMeulen [:RyanVM] 2013-09-26 18:55:49 PDT
https://hg.mozilla.org/mozilla-central/rev/802e8457aef7
Comment 14 Matt Wobensmith [:mwobensmith][:matt:] 2013-10-07 16:21:51 PDT
Hi Nils - I'm not able to recreate the crash with an ASan build from 2013-09-16 and the domFuzz extension.

Would you mind trying this on a recent build to verify that we've indeed fixed it? Any branch. Thank you.
Comment 15 Nils 2013-10-09 12:58:27 PDT
Hi Matt, I can confirm that this testcase doesn't crash anymore in the latest ASAN build. I will keep a look out for similar crashes in my next fuzzing run.
Comment 16 Matt Wobensmith [:mwobensmith][:matt:] 2013-10-09 16:49:51 PDT
Thank you, Nils.
