Closed Bug 978862 (CVE-2014-1540) Opened 11 years ago Closed 11 years ago

heap-use-after-free in nsEventListenerManager::CompileEventHandlerInternal

Categories

(Core :: DOM: Events, defect)

Product:
Core
Component:
DOM: Events
Version:
30 Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla30
Tracking Flags:
Tracking Status
firefox28 --- unaffected
firefox29 --- wontfix
firefox30 --- verified
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.1hd --- unaffected
b2g-v1.2 --- unaffected
b2g-v1.3 --- unaffected
b2g-v1.4 --- fixed
seamonkey2.26 --- fixed

People

(Reporter: tsmith, Assigned: smaug)

References

Details

(6 keywords, Whiteboard: [adv-main30+])

Crash Data

Attachments

(3 files)

BC7FAF8C-242032.html
162 bytes, text/html
Details
asan_output.txt
23.65 KB, text/plain
Details
be more careful when to touch aListenerStruct
3.55 KB, patch
jst
: review+
lsblakk
: approval-mozilla-aurora+
abillings
: sec-approval+
Details | Diff | Splinter Review
Attached file BC7FAF8C-242032.html
Found by the BlackBerry Security Automated Analysis Team's fuzzing framework ALF. ==5540==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0000d75f8 at pc 0x7fcb6095eb42 bp 0x7fffa2779990 sp 0x7fffa2779988 READ of size 8 at 0x60c0000d75f8 thread T0 #0 0x7fcb6095eb41 (libxul.so!nsEventListenerManager::CompileEventHandlerInternal(nsListenerStruct*, nsAString_internal const*, mozilla::dom::Element*)+0x2b91) Line 793 of "../../dist/include/nsCOMPtr.h" #1 0x7fcb6095f59d (libxul.so!nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEvent*, mozilla::dom::EventTarget*)+0x14d) Line 946 of "/builds/slave/m-in-l64-asan-0000000000000000/build/dom/events/nsEventListenerManager.cpp" #2 0x7fcb6096074f (libxul.so!nsEventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*)+0x92f) Line 1021 of "/builds/slave/m-in-l64-asan-0000000000000000/build/dom/events/nsEventListenerManager.cpp" #3 0x7fcb60a10ac0 (libxul.so!nsEventTargetChainItem::HandleEventTargetChain(nsTArray<nsEventTargetChainItem>&, nsEventChainPostVisitor&, nsDispatchingCallback*, ELMCreationDetector&)+0x810) Line 303 of "/builds/slave/m-in-l64-asan-0000000000000000/build/dom/events/nsEventDispatcher.cpp" #4 0x7fcb609e758a (libxul.so!nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<mozilla::dom::EventTarget>*)+0x292a) Line 592 of "/builds/slave/m-in-l64-asan-0000000000000000/build/dom/events/nsEventDispatcher.cpp" ...
Keywords: crash, csectype-uaf, testcase
Attached file asan_output.txt
Status: UNCONFIRMED → NEW
Ever confirmed: true
Severity: normal → critical
Keywords: sec-critical
Crash from release nightly (free poisoning enabled): bp-e0e01f5c-53ab-4133-8a22-b28f82140303
Crash Signature: [@ nsEventListenerManager::CompileEventHandlerInternal(nsListenerStruct*, nsAString_internal const*, mozilla::dom::Element*) ]
Assignee: nobody → bugs
Unfortunately the patch doesn't show the problematic WrapNewBindingObject which ends up re-entering listenermanager.
Attachment #8384851 - Flags: review?(jst)
Attachment #8384851 - Flags: review?(jst) → review+
Comment on attachment 8384851 [details] [diff] [review] be more careful when to touch aListenerStruct [Security approval request comment] How easily could an exploit be constructed based on the patch? The patch does spot where the issue is, but I'd say it is still a bit hard to figure out that one needs to use certain element type to trigger the issue. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? The patch has effectively kungfuDeathGrip, so yes, there is a bulls-eye. Which older supported branches are affected by this flaw? 29 should be, although I couldn't reproduce the crash there. The testcase might need some tweak. If not all supported branches, which bug introduced the flaw? bug 941876 Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? The same patch should apply with some --fuzz How likely is this patch to cause regressions; how much testing does it need? Should be safe.
Attachment #8384851 - Flags: sec-approval?
Comment on attachment 8384851 [details] [diff] [review] be more careful when to touch aListenerStruct sec-approval+ for trunk. Please make an Aurora patch as well and nominate it.
Attachment #8384851 - Flags: sec-approval? → sec-approval+
Comment on attachment 8384851 [details] [diff] [review] be more careful when to touch aListenerStruct I thought I asked approval for Aurora too... oh well. [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 941876 User impact if declined: sec crash Testing completed (on m-c, etc.): about to land m-c Risk to taking this patch (and alternatives if risky): low risk String or IDL/UUID changes made by this patch: NA
Attachment #8384851 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/373012140ff7
Status: NEW → RESOLVED
Closed: 11 years ago
status-b2g18: --- → unaffected
status-b2g-v1.1hd: --- → unaffected
status-b2g-v1.2: --- → unaffected
status-b2g-v1.3: --- → unaffected
status-b2g-v1.4: --- → fixed
status-firefox30: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Attachment #8384851 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Whiteboard: [adv-main30+]
Alias: CVE-2014-1540
Confirmed crash on 2014-02-11 Fx30. Verified fixed on 2014-05-07 Fx30.
Status: RESOLVED → VERIFIED
status-firefox29: affectedwontfix
status-firefox30: fixedverified
Adding bounty request per Tyson's communication with Christoph.
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: