Bug 918864 (CVE-2013-5597)

[FIX] Heap-use-after-free in nsDocLoader::doStopDocumentLoad()

RESOLVED FIXED in Firefox 25, Firefox OS v1.1hd

Status: RESOLVED FIXED
Product / Component: Core :: DOM
Reported: 4 years ago; last modified: 2 years ago

People

(Reporter: lifeasageek, Assigned: smaug)

Tracking

Keywords: csectype-uaf, regression, sec-critical
Version: Trunk
Target Milestone: mozilla27
Platform: x86_64 Linux
Points: ---
Bug Flags: sec-bounty +, in-testsuite ?

Firefox Tracking Flags

(firefox24 wontfix, firefox25+ verified, firefox26+ verified, firefox27+ verified, firefox-esr17+ verified, firefox-esr24+ verified, b2g18+ fixed, b2g-v1.1hd fixed, b2g-v1.2 fixed)

Details

(Whiteboard: [asan][adv-main25+][adv-esr1710+][adv-esr24-1+])

Attachments

(1 attachment)

(Reporter)

Description

4 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36

Steps to reproduce:

Heap-use-after-free in nsDocLoader::doStopDocumentLoad().
Tested on asan firefox build (1377823661 and 1379548174) and 23.0 (crashed).
OS : Debian 7.1 and Ubuntu 10.04 LTS

Please put a.html and b.html in the same directory, and open a.html.

=== a.html ===
<html>
<script>
function killChildFrame() {
    window[0].home();
    document.body.removeChild(document.getElementsByTagName('iframe')[0]);
}
</script>
<iframe src="b.html"></iframe>
</html>

=== b.html ===
<html manifest="x">
<script>
window.applicationCache.onchecking = function() {
    parent.killChildFrame();
}
</script>
</html>

Actual results:

==18678==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060009b8100 at pc 0x7f3781adb4e0 bp 0x7fff04361db0 sp 0x7fff04361da8
READ of size 8 at 0x6060009b8100 thread T0
    #0 0x7f3781adb4df in ~nsCOMPtr /dist/include/nsCOMPtr.h:430
    #1 0x7f3781ada6a3 in nsDocLoader::doStopDocumentLoad(nsIRequest*, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/uriloader/base/nsDocLoader.cpp:865
    #2 0x7f3781ad832f in nsDocLoader::DocLoaderIsEmpty(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/uriloader/base/nsDocLoader.cpp:755
    #3 0x7f3781ad98aa in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/uriloader/base/nsDocLoader.cpp:639
    #4 0x7f3781ada159 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/uriloader/base/nsDocLoader.cpp:642
    #5 0x7f377f3b4106 in nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/base/src/nsLoadGroup.cpp:687
    #6 0x7f37804bfdaa in nsDocument::DoUnblockOnload() /builds/slave/m-cen-l64-asan-000000000000000/build/content/base/src/nsDocument.cpp:7999
    #7 0x7f37804bf8af in nsDocument::UnblockOnload(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/content/base/src/nsDocument.cpp:7927
    #8 0x7f378049e862 in nsDocument::DispatchContentLoadedEvents() /builds/slave/m-cen-l64-asan-000000000000000/build/content/base/src/nsDocument.cpp:4713
    #9 0x7f37804e53bc in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() /dist/include/nsThreadUtils.h:363
    #10 0x7f37836d4ba9 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/threads/nsThread.cpp:622
    #11 0x7f37835fe016 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/xpcom/build/nsThreadUtils.cpp:238
    #12 0x7f3781c36dbc in nsXULWindow::ShowModal() /builds/slave/m-cen-l64-asan-000000000000000/build/xpfe/appshell/src/nsXULWindow.cpp:365
    #13 0x7f3781b79015 in nsWindowWatcher::OpenWindowInternal(nsIDOMWindow*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, nsIDOMWindow**) /builds/slave/m-cen-l64-asan-000000000000000/build/embedding/components/windowwatcher/src/nsWindowWatcher.cpp:998
    #14 0x7f3781b74558 in nsWindowWatcher::OpenWindow(nsIDOMWindow*, char const*, char const*, char const*, nsISupports*, nsIDOMWindow**) /builds/slave/m-cen-l64-asan-000000000000000/build/embedding/components/windowwatcher/src/nsWindowWatcher.cpp:344
    #15 0x7f378371c551 in NS_InvokeByIndex /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #16 0x7f37819aa26e in CallMethodHelper::Invoke() /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedNative.cpp:2809
    #17 0x7f37819bbfbb in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1316
    #18 0x7f3784f6e27a in JSFunction::native() const /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/jscntxtinlines.h:219
    #19 0x7f3784f61352 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:2484
    #20 0x7f3784f4fd51 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:446
    #21 0x7f3784f6e4b3 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:508
    #22 0x7f3784f6f298 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:539
    #23 0x7f378517fce7 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/jsapi.cpp:5420
    #24 0x7f3781997416 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedJSClass.cpp:1445
    #25 0x7f378198ab3f in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedJS.cpp:587
    #26 0x7f378371d73a in PrepareAndDispatch /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
    #27 0x7f378371c786 in SharedStub /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:0
0x6060009b8100 is located 0 bytes inside of 64-byte region [0x6060009b8100,0x6060009b8140)
freed by thread T0 here:
    #0 0x446015 in __interceptor_free _asan_rtl_
    #1 0x7f3781b4791d in nsAutoRefCnt::operator=(unsigned int) /dist/include/mozilla/mozalloc.h:225
    #2 0x7f3781adb34f in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/uriloader/base/nsDocLoader.cpp:1331
    #3 0x7f3781ada6a3 in nsDocLoader::doStopDocumentLoad(nsIRequest*, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/uriloader/base/nsDocLoader.cpp:865
    #4 0x7f3781ad832f in nsDocLoader::DocLoaderIsEmpty(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/uriloader/base/nsDocLoader.cpp:755
    #5 0x7f3781ad98aa in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/uriloader/base/nsDocLoader.cpp:639
    #6 0x7f3781ada159 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/uriloader/base/nsDocLoader.cpp:642
    #7 0x7f37804bfdaa in nsDocument::DoUnblockOnload() /builds/slave/m-cen-l64-asan-000000000000000/build/content/base/src/nsDocument.cpp:7999
    #8 0x7f37804bf8af in nsDocument::UnblockOnload(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/content/base/src/nsDocument.cpp:7927
    #9 0x7f378049e862 in nsDocument::DispatchContentLoadedEvents() /builds/slave/m-cen-l64-asan-000000000000000/build/content/base/src/nsDocument.cpp:4713
    #10 0x7f37804e53bc in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() /dist/include/nsThreadUtils.h:363
    #11 0x7f37835fe016 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/xpcom/build/nsThreadUtils.cpp:238
    #12 0x7f3781c36dbc in nsXULWindow::ShowModal() /builds/slave/m-cen-l64-asan-000000000000000/build/xpfe/appshell/src/nsXULWindow.cpp:365
    #13 0x7f3781b79015 in nsWindowWatcher::OpenWindowInternal(nsIDOMWindow*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, nsIDOMWindow**) /builds/slave/m-cen-l64-asan-000000000000000/build/embedding/components/windowwatcher/src/nsWindowWatcher.cpp:998
    #14 0x7f3781b74558 in nsWindowWatcher::OpenWindow(nsIDOMWindow*, char const*, char const*, char const*, nsISupports*, nsIDOMWindow**) /builds/slave/m-cen-l64-asan-000000000000000/build/embedding/components/windowwatcher/src/nsWindowWatcher.cpp:344
    #15 0x7f378371c551 in NS_InvokeByIndex /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #16 0x7f37819aa26e in CallMethodHelper::Invoke() /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedNative.cpp:2809
    #17 0x7f37819bbfbb in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1316
    #18 0x7f3784f6e27a in JSFunction::native() const /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/jscntxtinlines.h:219
    #19 0x7f3784f61352 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:2484
    #20 0x7f3784f4fd51 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:446
    #21 0x7f3784f6e4b3 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:508
    #22 0x7f3784f6f298 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:539
    #23 0x7f378517fce7 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/jsapi.cpp:5420
    #24 0x7f3781997416 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedJSClass.cpp:1445
    #25 0x7f378198ab3f in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedJS.cpp:587
    #26 0x7f378371d73a in PrepareAndDispatch /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
    #27 0x7f378371c786 in SharedStub /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:0
    #28 0x7f378371c551 in NS_InvokeByIndex /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #29 0x7f37819aa26e in CallMethodHelper::Invoke() /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedNative.cpp:2809
previously allocated by thread T0 here:
    #0 0x446155 in __interceptor_malloc _asan_rtl_
    #1 0x7f378865b5c8 in moz_xmalloc /builds/slave/m-cen-l64-asan-000000000000000/build/memory/mozalloc/mozalloc.cpp:54
    #2 0x7f37803d493e in nsContentSink::ProcessOfflineManifest(nsAString_internal const&) /builds/slave/m-cen-l64-asan-000000000000000/build/content/base/src/nsContentSink.cpp:1108
    #3 0x7f378127360b in nsHtml5SpeculativeLoad::Perform(nsHtml5TreeOpExecutor*) /builds/slave/m-cen-l64-asan-000000000000000/build/parser/html/nsHtml5SpeculativeLoad.cpp:45
    #4 0x7f37813095f7 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/parser/html/nsHtml5TreeOpExecutor.cpp:507
    #5 0x7f3781283288 in nsHtml5ExecutorFlusher::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/parser/html/nsHtml5StreamParser.cpp:131
    #6 0x7f37835fe016 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/xpcom/build/nsThreadUtils.cpp:238
    #7 0x7f3781c36dbc in nsXULWindow::ShowModal() /builds/slave/m-cen-l64-asan-000000000000000/build/xpfe/appshell/src/nsXULWindow.cpp:365
    #8 0x7f3781b79015 in nsWindowWatcher::OpenWindowInternal(nsIDOMWindow*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, nsIDOMWindow**) /builds/slave/m-cen-l64-asan-000000000000000/build/embedding/components/windowwatcher/src/nsWindowWatcher.cpp:998
    #9 0x7f3781b74558 in nsWindowWatcher::OpenWindow(nsIDOMWindow*, char const*, char const*, char const*, nsISupports*, nsIDOMWindow**) /builds/slave/m-cen-l64-asan-000000000000000/build/embedding/components/windowwatcher/src/nsWindowWatcher.cpp:344
    #10 0x7f378371c551 in NS_InvokeByIndex /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #11 0x7f37819aa26e in CallMethodHelper::Invoke() /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedNative.cpp:2809
    #12 0x7f37819bbfbb in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1316
    #13 0x7f3784f6e27a in JSFunction::native() const /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/jscntxtinlines.h:219
    #14 0x7f3784f61352 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:2484
    #15 0x7f3784f4fd51 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:446
    #16 0x7f3784f6e4b3 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:508
    #17 0x7f3784f6f298 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:539
    #18 0x7f378517fce7 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/jsapi.cpp:5420
    #19 0x7f3781997416 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedJSClass.cpp:1445
    #20 0x7f378198ab3f in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedJS.cpp:587
    #21 0x7f378371d73a in PrepareAndDispatch /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
    #22 0x7f378371c786 in SharedStub /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:0
    #23 0x7f378371c551 in NS_InvokeByIndex /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #24 0x7f37819aa26e in CallMethodHelper::Invoke() /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedNative.cpp:2809
    #25 0x7f37819bbfbb in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1316
    #26 0x7f3784f6e27a in JSFunction::native() const /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/jscntxtinlines.h:219
    #27 0x7f3784f61352 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:2484
    #28 0x7f3784f4fd51 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:446
    #29 0x7f3784f6e4b3 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:508
Shadow bytes around the buggy address:
  0x0c0c8012efd0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c8012efe0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c8012eff0: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0c8012f000: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c8012f010: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
=>0x0c0c8012f020:[fd]fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c8012f030: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c8012f040: fa fa fa fa 00 00 00 00 00 00 05 fa fa fa fa fa
  0x0c0c8012f050: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
  0x0c0c8012f060: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c8012f070: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==18678==ABORTING
Component: Untriaged → DOM
Product: Firefox → Core
Whiteboard: [asan]
I'll take a first look at this.
Assignee: nobody → continuation
(Reporter)

Comment 2

4 years ago
Andrew@ Thanks. Please let me know if there's anything I can help you with.
I wasn't able to reproduce this on trunk.  I'll try again.
Matt, can you try reproducing this in a current ASAN build?
Flags: sec-bounty?
Flags: needinfo?(mwobensmith)
On the face of it this looks sec-critical if we can confirm it still happens.
Keywords: csec-uaf, sec-critical
(Reporter)

Comment 6

4 years ago
Just tested on the latest ASan build (https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1380106412/) and it triggered the use-after-free with the same crash footage.
(Assignee)

Comment 7

4 years ago
Does one need to load the testcase from a server or should a local file be ok?
(Assignee)

Comment 8

4 years ago
Looks like loading from a server is needed. I have this in the debugger.
Assignee: continuation → bugs
(Assignee)

Comment 9

4 years ago
Created attachment 810872 [details] [diff] [review]
patch

this is a regression from bug 471227, so rather old.

We end up calling nsOfflineCachePendingUpdate::OnStateChange nestedly, so that
mService->Schedule calls it again. The object is kept alive on stack, but
since NS_RELEASE_THIS() is called more than once, calling Release when
the strong pointer on the stack goes away crashes.

Couldn't figure out anything simpler given the odd refcnt handling.

(I think nsDocLoader should just keep this kind of webprogresslisteners alive in a
strong array, but that would require quite a bit more changes and wouldn't be
safe enough for branches.)
Attachment #810872 - Flags: review?(bzbarsky)
Flags: needinfo?(mwobensmith)
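The re-entrant self-release described in comment 9, as an added toy model written for this page (not Mozilla code). PendingUpdate, StrongRef and Schedule are hypothetical stand-ins for nsOfflineCachePendingUpdate, the caller's stack nsCOMPtr and the service's Schedule call; the free is simulated so the buggy variant can be observed without touching freed memory. The `guarded` flag models the "don't do it twice" fix the patch describes.

```cpp
// Toy model of the double NS_RELEASE_THIS() hazard. Not Mozilla code; names
// are hypothetical stand-ins, and "delete this" is simulated via mFreed.

struct Stats {
    int selfReleases = 0;       // how often the listener dropped its own ref
    bool freed = false;         // the simulated free ran
    bool useAfterFree = false;  // Release() was called on the freed object
};

class PendingUpdate {
public:
    PendingUpdate(Stats* stats, bool guarded) : mStats(stats), mGuarded(guarded) {}

    void AddRef() { ++mRefCnt; }

    void Release() {
        if (mFreed) {                 // in the real bug this is the ~nsCOMPtr UAF
            mStats->useAfterFree = true;
            return;
        }
        if (--mRefCnt == 0) {         // simulated "delete this"
            mFreed = true;
            mStats->freed = true;
        }
    }

    // Progress listener callback. Schedule() may synchronously re-enter it, so
    // without the guard the self-release below runs once per nesting level.
    void OnStateChange(int depth) {
        if (mGuarded && mDidReleaseThis) {
            return;                   // the fix: release ourselves only once
        }
        mDidReleaseThis = true;
        Schedule(depth);
        ++mStats->selfReleases;
        Release();                    // NS_RELEASE_THIS(): drop the registration's ref
    }

private:
    // Stand-in for the service scheduling work and, in the bad case, notifying
    // the same listener again before the outer call has returned.
    void Schedule(int depth) {
        if (depth == 0) {
            OnStateChange(depth + 1);
        }
    }

    Stats* mStats;
    bool mGuarded;
    int mRefCnt = 0;
    bool mFreed = false;
    bool mDidReleaseThis = false;
};

// Caller-side strong reference, like the nsCOMPtr nsDocLoader holds on the
// stack while it fires OnStateChange.
class StrongRef {
public:
    explicit StrongRef(PendingUpdate* p) : mPtr(p) { mPtr->AddRef(); }
    ~StrongRef() { mPtr->Release(); }
private:
    PendingUpdate* mPtr;
};

// One DoFireOnStateChange round: the registration owns a ref, the caller takes
// a second one on the stack, the listener fires, then the stack ref is dropped.
// Unguarded: two self-releases free the object while the stack ref is still
// live, and the stack ref's Release() is the use-after-free. Guarded: the
// nested call is a no-op and the stack ref performs the final, valid release.
Stats RunScenario(bool guarded) {
    Stats stats;
    PendingUpdate* update = new PendingUpdate(&stats, guarded);
    update->AddRef();                 // reference owned by the registration
    {
        StrongRef keepAlive(update);  // refcount is now 2
        update->OnStateChange(0);
    }                                 // ~StrongRef -> Release()
    delete update;                    // the toy's real deallocation
    return stats;
}
```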
(Assignee)

Updated

4 years ago
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Comment on attachment 810872 [details] [diff] [review]
patch

r=me
Attachment #810872 - Flags: review?(bzbarsky) → review+
(Assignee)

Comment 11

4 years ago
Comment on attachment 810872 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 471227
User impact if declined: Crashes
Testing completed (on m-c, etc.): NA
Risk to taking this patch (and alternatives if risky): Should be very safe. Adding a flag that we don't do a thing twice
String or IDL/UUID changes made by this patch: NA

How easily could an exploit be constructed based on the patch?
Not sure about the exploit but a crash might be quite easy to get.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Unfortunately the patch is very clear about what kind of problem this is.

Which older supported branches are affected by this flaw?
all

Do you have backports for the affected branches?
The patch seems to apply cleanly to branches

How likely is this patch to cause regressions; how much testing does it need?
Should be very safe.

So, in other words, I think this could land as late as possible of a cycle.
Attachment #810872 - Flags: sec-approval?
Attachment #810872 - Flags: approval-mozilla-esr24?
Attachment #810872 - Flags: approval-mozilla-beta?
Attachment #810872 - Flags: approval-mozilla-aurora?
status-b2g18: --- → affected
status-firefox24: --- → wontfix
status-firefox25: --- → affected
status-firefox26: --- → affected
status-firefox27: --- → affected
status-firefox-esr17: --- → affected
status-firefox-esr24: --- → affected
tracking-b2g18: --- → ?
tracking-firefox25: --- → ?
tracking-firefox26: --- → ?
tracking-firefox27: --- → +
tracking-firefox-esr17: --- → ?
tracking-firefox-esr24: --- → ?
I have no problems sec-approval+'ing this but I want release management to weigh in since we'll need to take this on Aurora and Beta (and ESR24 and maybe ESR17, which is still supported). What I need from them specifically is how late they are comfortable checking this in since it clearly demonstrates the issue. Since this is a safe fix, it shouldn't affect stability really.

I'm assuming B2G is affected too.
Flags: needinfo?(release-mgmt)
We should be able to land this on 10/17 to get it into our second-to-last Beta (and then elsewhere too) to minimize exposure but also give one extra release's buffer if we needed to backout for any reason - though this is expected to be safe.
tracking-firefox25: ? → +
tracking-firefox26: ? → +
Flags: needinfo?(release-mgmt)
Whiteboard: [asan] → [asan][land 10/17]
Comment on attachment 810872 [details] [diff] [review]
patch

Setting unset branch approval flags and giving sec-approval+.

We should take this on ESR17 too if the patch applies since we are still supporting that for another two releases.
Attachment #810872 - Flags: sec-approval?
Attachment #810872 - Flags: sec-approval+
Attachment #810872 - Flags: approval-mozilla-esr24?
Attachment #810872 - Flags: approval-mozilla-esr24+
Attachment #810872 - Flags: approval-mozilla-beta?
Attachment #810872 - Flags: approval-mozilla-beta+
Attachment #810872 - Flags: approval-mozilla-aurora?
Attachment #810872 - Flags: approval-mozilla-aurora+
Flags: sec-bounty? → sec-bounty+
Blocks: 471227
Keywords: regression
(Assignee)

Updated

4 years ago
Summary: Heap-use-after-free in nsDocLoader::doStopDocumentLoad() → [FIX] Heap-use-after-free in nsDocLoader::doStopDocumentLoad()
https://hg.mozilla.org/integration/mozilla-inbound/rev/e0daf4f7c665
Whiteboard: [asan][land 10/17] → [asan]
https://hg.mozilla.org/releases/mozilla-aurora/rev/c3a6190a6d64
https://hg.mozilla.org/releases/mozilla-beta/rev/3720d4e9348f
https://hg.mozilla.org/releases/mozilla-esr24/rev/592201be19b4
https://hg.mozilla.org/releases/mozilla-b2g18/rev/7fedb6a967ea
https://hg.mozilla.org/releases/mozilla-esr17/rev/d2cca410c297
status-b2g18: affected → fixed
status-b2g-v1.1hd: --- → affected
status-b2g-v1.2: --- → fixed
status-firefox25: affected → fixed
status-firefox26: affected → fixed
status-firefox27: affected → fixed
status-firefox-esr17: affected → fixed
status-firefox-esr24: affected → fixed
tracking-b2g18: ? → +
tracking-firefox-esr17: ? → +
tracking-firefox-esr24: ? → +
Whiteboard: [asan] → [asan][adv-main25+][adv-esr1710+][adv-esr24-1+]
https://hg.mozilla.org/releases/mozilla-b2g18_v1_1_0_hd/rev/7fedb6a967ea
status-b2g-v1.1hd: affected → fixed
https://hg.mozilla.org/mozilla-central/rev/e0daf4f7c665
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
Confirmed crash on pre-patch ASan FF27.
Verified fixed on ASan builds of 24esr, 25, 26 and 27, 2013-10-21.

Can't build ASan 17esr at the moment, will verify that in a day or two.
status-firefox25: fixed → verified
status-firefox26: fixed → verified
status-firefox27: fixed → verified
status-firefox-esr24: fixed → verified
Alias: CVE-2013-5597
Verified 17esr, 2013-10-23.
status-firefox-esr17: fixed → verified
Group: core-security