Closed Bug 978862 (CVE-2014-1540) Opened 6 years ago Closed 6 years ago

heap-use-after-free in nsEventListenerManager::CompileEventHandlerInternal


(Core :: DOM: Events, defect, critical)

30 Branch
Not set



Tracking Status
firefox28 --- unaffected
firefox29 --- wontfix
firefox30 --- verified
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.1hd --- unaffected
b2g-v1.2 --- unaffected
b2g-v1.3 --- unaffected
b2g-v1.4 --- fixed
seamonkey2.26 --- fixed


(Reporter: tsmith, Assigned: smaug)



(5 keywords, Whiteboard: [adv-main30+])

Crash Data


(3 files)

Attached file BC7FAF8C-242032.html
Found by the BlackBerry Security Automated Analysis Team's fuzzing framework ALF.

==5540==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0000d75f8 at pc 0x7fcb6095eb42 bp 0x7fffa2779990 sp 0x7fffa2779988
READ of size 8 at 0x60c0000d75f8 thread T0
    #0 0x7fcb6095eb41 (!nsEventListenerManager::CompileEventHandlerInternal(nsListenerStruct*, nsAString_internal const*, mozilla::dom::Element*)+0x2b91)
	Line 793 of "../../dist/include/nsCOMPtr.h"
    #1 0x7fcb6095f59d (!nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEvent*, mozilla::dom::EventTarget*)+0x14d)
	Line 946 of "/builds/slave/m-in-l64-asan-0000000000000000/build/dom/events/nsEventListenerManager.cpp"
    #2 0x7fcb6096074f (!nsEventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*)+0x92f)
	Line 1021 of "/builds/slave/m-in-l64-asan-0000000000000000/build/dom/events/nsEventListenerManager.cpp"
    #3 0x7fcb60a10ac0 (!nsEventTargetChainItem::HandleEventTargetChain(nsTArray<nsEventTargetChainItem>&, nsEventChainPostVisitor&, nsDispatchingCallback*, ELMCreationDetector&)+0x810)
	Line 303 of "/builds/slave/m-in-l64-asan-0000000000000000/build/dom/events/nsEventDispatcher.cpp"
    #4 0x7fcb609e758a (!nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<mozilla::dom::EventTarget>*)+0x292a)
	Line 592 of "/builds/slave/m-in-l64-asan-0000000000000000/build/dom/events/nsEventDispatcher.cpp"
Attached file asan_output.txt
Ever confirmed: true
Severity: normal → critical
Keywords: sec-critical
Crash from release nightly (free poisoning enabled): bp-e0e01f5c-53ab-4133-8a22-b28f82140303
Crash Signature: [@ nsEventListenerManager::CompileEventHandlerInternal(nsListenerStruct*, nsAString_internal const*, mozilla::dom::Element*) ]
Assignee: nobody → bugs
Unfortunately the patch doesn't show the problematic
WrapNewBindingObject which ends up re-entering listenermanager.
Attachment #8384851 - Flags: review?(jst)
Attachment #8384851 - Flags: review?(jst) → review+
Comment on attachment 8384851 [details] [diff] [review]
be more careful when to touch aListenerStruct

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
The patch does spot where the issue is, but I'd say it is still a bit hard to figure out that one needs to use
certain element type to trigger the issue.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
The patch has effectively kungfuDeathGrip, so yes, there is a bulls-eye.

Which older supported branches are affected by this flaw?
29 should be, although I couldn't reproduce the crash there. The testcase might need some tweak.

If not all supported branches, which bug introduced the flaw?
bug 941876

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
The same patch should apply with some --fuzz

How likely is this patch to cause regressions; how much testing does it need?
Should be safe.
Attachment #8384851 - Flags: sec-approval?
Comment on attachment 8384851 [details] [diff] [review]
be more careful when to touch aListenerStruct

sec-approval+ for trunk.

Please make an Aurora patch as well and nominate it.
Attachment #8384851 - Flags: sec-approval? → sec-approval+
Comment on attachment 8384851 [details] [diff] [review]
be more careful when to touch aListenerStruct

I thought I asked approval for Aurora too... oh well.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 941876 
User impact if declined: sec crash
Testing completed (on m-c, etc.): about to land m-c
Risk to taking this patch (and alternatives if risky): low risk 
String or IDL/UUID changes made by this patch: NA
Attachment #8384851 - Flags: approval-mozilla-aurora?
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Attachment #8384851 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Whiteboard: [adv-main30+]
Alias: CVE-2014-1540
Confirmed crash on 2014-02-11 Fx30.
Verified fixed on 2014-05-07 Fx30.
Adding bounty request per Tyson's communication with Christoph.
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Group: core-security
You need to log in before you can comment on or make changes to this bug.