Closed
Bug 926361
(CVE-2013-5618)
Opened 11 years ago
Closed 11 years ago
ASAN use-after-free in nsNodeUtils::LastRelease on anonymous node from ShowInlineTableEditingUI
Categories
(Core :: DOM: Editor, defect)
Tracking
()
People
(Reporter: nils, Assigned: smaug)
Details
(Keywords: csectype-uaf, sec-critical, Whiteboard: [asan][adv-main26+][adv-esr24.2+])
Attachments
(3 files)
|
703 bytes,
text/html
|
Details | |
|
14.94 KB,
text/plain
|
Details | |
|
741 bytes,
patch
|
jst
:
review+
abillings
:
approval-mozilla-aurora+
abillings
:
approval-mozilla-beta-
abillings
:
approval-mozilla-esr24+
bajaj
:
approval-mozilla-b2g18+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
The attached testcase crashes the latest nightly ASAN build. It requires domFuzzLite https://www.squarefree.com/extensions/domFuzzLite3.xpi
|
Assignee | |
Updated•11 years ago
|
Assignee: nobody → bugs
|
||
Updated•11 years ago
|
Keywords: csec-uaf,
sec-critical
Whiteboard: [asan]
|
|
Assignee | |
Comment 2•11 years ago
|
||
This is lovely. I'd say a bug in NS_RELEASE, but one could say a feature.
So we end up last-releasing <body>, but while doing the last release,
an <a> has still mParent pointing to <body> (because releasing that mParent caused the initial last-release) and we end up trying to re-unbind.
Attachment #816762 -
Flags: review?(jst)
|
||
Updated•11 years ago
|
Attachment #816762 -
Flags: review?(jst) → review+
|
|
Assignee | |
Comment 3•11 years ago
|
||
Comment on attachment 816762 [details] [diff] [review]
patch
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Not easily. I haven't see this kind of crash ever before, so one needs to figure out a way
to use editor in a particular way and run gc/cc just at the right moment.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Well, the patch is rather obvious, but it is hard to combine that to the functionality of editor/ code
Which older supported branches are affected by this flaw?
all
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
there was a file rename nsGenericElement.cpp -> Element.cpp, but otherwise the code looks the same
How likely is this patch to cause regressions; how much testing does it need?
Hmm, not totally risk-free. Some code might rely on the mParent to point to somewhere while doing the release...
Attachment #816762 -
Flags: sec-approval?
Attachment #816762 -
Flags: approval-mozilla-esr24?
Attachment #816762 -
Flags: approval-mozilla-esr17?
Attachment #816762 -
Flags: approval-mozilla-beta?
Attachment #816762 -
Flags: approval-mozilla-b2g18?
Attachment #816762 -
Flags: approval-mozilla-aurora?
|
||
Comment 4•11 years ago
|
||
Release Management, how do you feel about taking this at this point in the cycle? I assume it is probably ok but I wanted to check.
Flags: needinfo?(release-mgmt)
|
||
Comment 5•11 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #3)
> How likely is this patch to cause regressions; how much testing does it need?
> Hmm, not totally risk-free. Some code might rely on the mParent to point to
> somewhere while doing the release...
This makes me nervous. I'd need to know more about worst case scenarios. If we do decide to take this, it'll need to land for Thursday's Beta.
|
|
Assignee | |
Comment 6•11 years ago
|
||
Well, some code might work differently if element doesn't have parentNode anyway.
Not likely, but in theory possible.
And I'm talking about Gecko internal code.
Crashes or anything like that should be very unlikely.
|
|
||
Comment 7•11 years ago
|
||
I think the possibility of a web regressions (if I'm reading your comment correctly) should preclude this from landing in our final beta.
|
|
||
Updated•11 years ago
|
status-firefox24:
--- → affected
status-firefox25:
--- → wontfix
status-firefox26:
--- → affected
status-firefox27:
--- → affected
status-firefox-esr17:
--- → wontfix
status-firefox-esr24:
--- → affected
tracking-firefox26:
--- → +
tracking-firefox27:
--- → +
tracking-firefox-esr24:
--- → ?
|
|
||
Comment 8•11 years ago
|
||
Comment on attachment 816762 [details] [diff] [review]
patch
sec-approval+ for trunk.
Aurora approval. Let's get it in.
I want this in ESR24 but I expect we'll need to land it for the 26+ tracking release, not the current 25+ tracking. So I'm not sure how you want to track it to land it on ESR24 after we branch in two weeks.
I'm going to won't fix this for ESR17 since it is done after the next release.
Attachment #816762 -
Flags: sec-approval?
Attachment #816762 -
Flags: sec-approval+
Attachment #816762 -
Flags: approval-mozilla-esr24?
Attachment #816762 -
Flags: approval-mozilla-esr24+
Attachment #816762 -
Flags: approval-mozilla-esr17?
Attachment #816762 -
Flags: approval-mozilla-beta?
Attachment #816762 -
Flags: approval-mozilla-beta-
Attachment #816762 -
Flags: approval-mozilla-aurora?
Attachment #816762 -
Flags: approval-mozilla-aurora+
|
|
||
Comment 9•11 years ago
|
||
Tracking with the ESR24 tracking flag. Duh.
|
||
Updated•11 years ago
|
Flags: needinfo?(release-mgmt)
|
|
Assignee | |
Comment 10•11 years ago
|
||
|
||
Comment 11•11 years ago
|
||
fixed in mozilla-central https://hg.mozilla.org/mozilla-central/rev/77a86dcd14d8
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
|
||
Comment 12•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/381e38e1d23d
In my queue to land on esr24 and b2g18 when Gecko26 hits beta.
|
|
||
Updated•11 years ago
|
Whiteboard: [asan] → [asan][land on esr24 and b2g18 when gecko26 is on beta]
|
|
||
Comment 13•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-esr24/rev/1d96edd4c6fe
https://hg.mozilla.org/releases/mozilla-b2g18/rev/6b412d620325
Whiteboard: [asan][land on esr24 and b2g18 when gecko26 is on beta] → [asan]
|
|
||
Comment 14•11 years ago
|
||
|
|
||
Comment 15•11 years ago
|
||
Comment on attachment 816762 [details] [diff] [review]
patch
Just a+ on the b2g18 approval for sanity. Although this is already landed
Attachment #816762 -
Flags: approval-mozilla-b2g18? → approval-mozilla-b2g18+
|
||
Comment 16•11 years ago
|
||
I'm not able to reproduce the crash on a pre-patch ASan build. Also, I see the same debug output both before and after the patch.
Example output:
WARNING: Someone passed native anonymous content directly into frame construction. Stop doing that!: file /builds/slave/try-osx64-d-000000000000000000/build/layout/base/nsCSSFrameConstructor.cpp, line 6047
Nils, can you verify on at least one affected branch that the issue no longer reproduces for you? Thanks.
|
|
||
Updated•11 years ago
|
Whiteboard: [asan] → [asan][adv-main26+][adv-esr24.2+]
|
|
||
Updated•11 years ago
|
Alias: CVE-2013-5618
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•