Closed Bug 982285 Opened 6 years ago Closed 6 years ago

Heap-use-after-free/buffer-overflow in nsHtml5TreeBuilder::adoptionAgencyEndTag

Categories

(Core :: HTML: Parser, defect)

defect
Not set

Tracking


VERIFIED FIXED
mozilla31
Tracking Status
firefox28 --- unaffected
firefox29 --- unaffected
firefox30 + verified
firefox31 --- verified
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.1hd --- unaffected
b2g-v1.2 --- unaffected
b2g-v1.3 --- unaffected
b2g-v1.3T --- unaffected
b2g-v1.4 --- fixed
b2g-v2.0 --- fixed

People

(Reporter: attekett, Assigned: wchen)

References

Details

(4 keywords)

Attachments

(3 files)

Attached file Repro-file UAF
Tested on:

OS: Ubuntu 12.04 x64

Firefox: ASAN build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1394359324//firefox-30.0a1.en-US.linux-x86_64-asan.tar.bz2


ASAN-report:

=================================================================
==26462==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060006f5128 at pc 0x7f759deeac53 bp 0x7f757e1f0e80 sp 0x7f757e1f0e78
READ of size 8 at 0x6060006f5128 thread T18 (HTML5 Parser)
    #0 0x7f759deeac52 in nsHtml5TreeBuilder::adoptionAgencyEndTag(nsIAtom*) /builds/slave/m-cen-l64-asan-000000000000000/build/parser/html/nsHtml5TreeBuilder.cpp:3515:0
    #1 0x7f759de87ee6 in nsHtml5TreeBuilder::endTag(nsHtml5ElementName*) /builds/slave/m-cen-l64-asan-000000000000000/build/parser/html/nsHtml5TreeBuilder.cpp:2683:0
    #2 0x7f759de84fee in nsHtml5Tokenizer::emitCurrentTagToken(bool, int) /builds/slave/m-cen-l64-asan-000000000000000/build/parser/html/nsHtml5Tokenizer.cpp:303:0
    #3 0x7f759dec47c4 in int nsHtml5Tokenizer::stateLoop<nsHtml5SilentPolicy>(int, char16_t, int, char16_t*, bool, int, int) /builds/slave/m-cen-l64-asan-000000000000000/build/parser/html/nsHtml5Tokenizer.cpp:562:0
    #4 0x7f759de7580a in nsHtml5Tokenizer::tokenizeBuffer(nsHtml5UTF16Buffer*) /builds/slave/m-cen-l64-asan-000000000000000/build/parser/html/nsHtml5Tokenizer.cpp:413:0
    #5 0x7f759de6fa8b in nsHtml5StreamParser::ParseAvailableData() /builds/slave/m-cen-l64-asan-000000000000000/build/parser/html/nsHtml5StreamParser.cpp:1381:0
    #6 0x7f759de7158e in nsHtml5StreamParser::DoDataAvailable(unsigned char const*, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/parser/html/nsHtml5StreamParser.cpp:1091:0
    #7 0x7f759df0c395 in nsHtml5DataAvailable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/parser/html/nsHtml5StreamParser.cpp:1123:0
    #8 0x7f759afde7b2 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/threads/nsThread.cpp:694:0
    #9 0x7f759aeb0a71 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/glue/nsThreadUtils.cpp:263:0
    #10 0x7f759b818d70 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/glue/MessagePump.cpp:332:0
    #11 0x7f759b78a793 in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:226:0
    #12 0x7f759b78a793 in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:219:0
    #13 0x7f759b78a793 in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:193:0
    #14 0x7f759afdb532 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/threads/nsThread.cpp:308:0
    #15 0x7f75a948f009 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/nsprpub/pr/src/pthreads/ptthread.c:212:0
    #16 0x44cf03 in __asan::AsanThread::ThreadStart(unsigned long) _asan_rtl_:0
    #17 0x7f75ac9b7f8d in start_thread ??:?
    #18 0x7f75abab7a0c in ?? ??:0
0x6060006f5128 is located 8 bytes inside of 56-byte region [0x6060006f5120,0x6060006f5158)
freed by thread T18 (HTML5 Parser) here:
    #0 0x446255 in __interceptor_free _asan_rtl_:0
    #1 0x7f759deed77b in ~nsHtml5StackNode /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/parser/html/../../dist/include/mozilla/mozalloc.h:225:0
    #2 0x7f759deed77b in operator[] /builds/slave/m-cen-l64-asan-000000000000000/build/parser/html/nsHtml5StackNode.cpp:215:0
    #3 0x7f759deed77b in nsHtml5TreeBuilder::removeFromStack(int) /builds/slave/m-cen-l64-asan-000000000000000/build/parser/html/nsHtml5TreeBuilder.cpp:3458:0
previously allocated by thread T18 (HTML5 Parser) here:
    #0 0x446395 in malloc _asan_rtl_:0
    #1 0x7f75a70b0b18 in moz_xmalloc /builds/slave/m-cen-l64-asan-000000000000000/build/memory/mozalloc/mozalloc.cpp:52:0
Thread T18 (HTML5 Parser) created by T0 here:
    #0 0x437801 in __interceptor_pthread_create _asan_rtl_:0
    #1 0x7f75a948aea2 in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/nsprpub/pr/src/pthreads/ptthread.c:453:0
    #2 0x7f75a948a9f7 in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/nsprpub/pr/src/pthreads/ptthread.c:544:0
Shadow bytes around the buggy address:
  0x0c0c800d69d0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c800d69e0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 04
  0x0c0c800d69f0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c800d6a00: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
  0x0c0c800d6a10: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c800d6a20: fa fa fa fa fd[fd]fd fd fd fd fd fa fa fa fa fa
  0x0c0c800d6a30: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
  0x0c0c800d6a40: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c800d6a50: fa fa fa fa 00 00 00 00 00 00 00 04 fa fa fa fa
  0x0c0c800d6a60: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
  0x0c0c800d6a70: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==26462==ABORTING
Attached file Repro-file BOF
The repro-file of the UAF can be further minimized to cause the following BOF

ASAN-report:

==15321==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6150004aba7f at pc 0x7fdc6d40a643 bp 0x7fdc4c574ea0 sp 0x7fdc4c574e98
WRITE of size 18446744073709551608 at 0x6150004aba7f thread T22 (HTML5 Parser)
    #0 0x7fdc6d40a642 in operator class nsHtml5StackNode ** /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5ArrayCopy.h:75
    #1 0x7fdc6d409723 in adoptionAgencyEndTag /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5TreeBuilder.cpp:3619
    #2 0x7fdc6d3a7346 in endTag /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5TreeBuilder.cpp:2683
    #3 0x7fdc6d3a444e in emitCurrentTagToken /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5Tokenizer.cpp:303
    #4 0x7fdc6d3e3c24 in stateLoop<nsHtml5SilentPolicy> /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5Tokenizer.cpp:562
    #5 0x7fdc6d394c6a in tokenizeBuffer /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5Tokenizer.cpp:413
    #6 0x7fdc6d38eeeb in ParseAvailableData /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5StreamParser.cpp:1381
    #7 0x7fdc6d38eae7 in DoStopRequest /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5StreamParser.cpp:1021
    #8 0x7fdc6d42b9b4 in Run /builds/slave/m-cen-l64-asan-ntly-0000000000/build/parser/html/nsHtml5StreamParser.cpp:1035
    #9 0x7fdc6a4fe9b2 in ProcessNextEvent /builds/slave/m-cen-l64-asan-ntly-0000000000/build/xpcom/threads/nsThread.cpp:643
    #10 0x7fdc6a3d0ad1 in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-ntly-0000000000/build/xpcom/glue/nsThreadUtils.cpp:263
    #11 0x7fdc6ad391d0 in Run /builds/slave/m-cen-l64-asan-ntly-0000000000/build/ipc/glue/MessagePump.cpp:332
    #12 0x7fdc6acaabf3 in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/ipc/chromium/src/base/message_loop.cc:226
    #13 0x7fdc6a4fb732 in ThreadFunc /builds/slave/m-cen-l64-asan-ntly-0000000000/build/xpcom/threads/nsThread.cpp:258
    #14 0x7fdc78d9d009 in _pt_root /builds/slave/m-cen-l64-asan-ntly-0000000000/build/nsprpub/pr/src/pthreads/ptthread.c:212
    #15 0x44cf03 in ThreadStart _asan_rtl_
    #16 0x7fdc7c2b4e99 in start_thread ??:0
    #17 0x7fdc7b3bf3fc in ?? ??:0
0x6150004aba7f is located 1 bytes to the left of 512-byte region [0x6150004aba80,0x6150004abc80)
allocated by thread T0 here:
    #0 0x446395 in __interceptor_malloc _asan_rtl_
    #1 0x7fdc763ddb18 in moz_xmalloc /builds/slave/m-cen-l64-asan-ntly-0000000000/build/memory/mozalloc/mozalloc.cpp:52
Thread T22 (HTML5 Parser) created by T0 here:
    #0 0x437801 in __interceptor_pthread_create _asan_rtl_
    #1 0x7fdc78d98ea2 in _PR_CreateThread /builds/slave/m-cen-l64-asan-ntly-0000000000/build/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7fdc78d989f7 in PR_CreateThread /builds/slave/m-cen-l64-asan-ntly-0000000000/build/nsprpub/pr/src/pthreads/ptthread.c:544
Shadow bytes around the buggy address:
  0x0c2a8008d6f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a8008d700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a8008d710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a8008d720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a8008d730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a8008d740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c2a8008d750:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a8008d760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a8008d770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a8008d780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a8008d790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==15321==ABORTING
Can't reproduce on beta or aurora, but can on nightly.
Is it possible that bug 901319 could have caused this somehow?

The failure mode doesn't point to bug 959150.
I'll look into this, both Bug 901319 and Bug 884795 have touched the AAA recently.
Thanks, William. I'll assign it to you so we know somebody is looking at it. Update as needed.
Assignee: nobody → wchen
This bug is a regression from Bug 901319.

It is caused by removing a node from the list of active formatting elements without updating indices into the list. The code later tries to remove a node at a bad index.
Attachment #8390960 - Flags: review?(hsivonen)
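The failure described in the comment above (an entry removed from the active formatting element list while a previously saved index into that list is kept unchanged, so a later removal runs at a bad index) is illustrated below with an added toy example. This is not code from this bug's patch or from nsHtml5TreeBuilder; FormattingList, resolveWithStaleIndex and resolveWithAdjustedIndex are made-up names, and the sample entries "a".."d" are constructed. The bounds-checked at()/remove() stand in for the unchecked array accesses that ASan flagged, so the stale index shows up as an out-of-range lookup or a silently wrong entry instead of a crash.

```cpp
#include <cstddef>
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical toy model of an "active formatting elements" list.
// Not nsHtml5TreeBuilder code; names are made up for illustration.
struct FormattingEntry {
    std::string name;
    explicit FormattingEntry(std::string n) : name(std::move(n)) {}
};

class FormattingList {
public:
    void push(const std::string& name) {
        entries_.push_back(std::make_unique<FormattingEntry>(name));
    }
    size_t size() const { return entries_.size(); }

    // Bounds-checked lookup: nullptr instead of reading past the array.
    const FormattingEntry* at(size_t i) const {
        return i < entries_.size() ? entries_[i].get() : nullptr;
    }

    // Bounds-checked removal; the unique_ptr frees the entry, so any
    // pointer or index that still refers to it is dangling afterwards.
    bool remove(size_t i) {
        if (i >= entries_.size()) return false;
        entries_.erase(entries_.begin() + static_cast<std::ptrdiff_t>(i));
        return true;
    }

private:
    std::vector<std::unique_ptr<FormattingEntry>> entries_;
};

// Constructed sample list: indices 0..3 hold "a", "b", "c", "d".
static FormattingList makeSample() {
    FormattingList list;
    const char* names[] = {"a", "b", "c", "d"};
    for (const char* n : names) list.push(n);
    return list;
}

// Buggy pattern: remember `target`, remove `earlier`, then keep using
// `target` as if nothing had moved. Returns the name `target` now
// resolves to, or "<out of range>" when it runs off the end of the list.
std::string resolveWithStaleIndex(size_t target, size_t earlier) {
    FormattingList list = makeSample();
    list.remove(earlier);
    const FormattingEntry* e = list.at(target);  // BUG: index not updated
    return e ? e->name : "<out of range>";
}

// Fixed pattern: when an entry before `target` is removed, every index
// at or above the removal point shifts down by one, so `target` must
// be decremented; if `target` itself was removed it must not be reused.
std::string resolveWithAdjustedIndex(size_t target, size_t earlier) {
    FormattingList list = makeSample();
    if (earlier == target) return "<target itself removed>";
    list.remove(earlier);
    if (earlier < target) --target;
    const FormattingEntry* e = list.at(target);
    return e ? e->name : "<out of range>";
}

int main() {
    // Saved index 3 ("d"), then entry 1 ("b") is removed.
    std::cout << "stale:    " << resolveWithStaleIndex(3, 1) << "\n";
    std::cout << "adjusted: " << resolveWithAdjustedIndex(3, 1) << "\n";
    // Saved index 2 ("c"), then entry 0 ("a") is removed: the stale
    // index stays in range but points at the wrong element.
    std::cout << "stale:    " << resolveWithStaleIndex(2, 0) << "\n";
    std::cout << "adjusted: " << resolveWithAdjustedIndex(2, 0) << "\n";
    return 0;
}
```

The second pair of calls is the quieter variant of the same defect: the stale index is still inside the array, so no bounds check fires, but it names a different element than the one the algorithm saved. That is why a fix for this bug class has to update every saved index at the removal site rather than only adding a range check at the use site.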
Attachment #8390960 - Flags: review?(hsivonen) → review+
Comment on attachment 8390960 [details] [diff] [review]
Update active formatting element list indices in HTML parser adoption agency algorithm.

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Not easily.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Yes, the comments and the patch loosely suggest that an array is accessed out of bounds.

Which older supported branches are affected by this flaw?
After today's branch, aurora will be affected.

If not all supported branches, which bug introduced the flaw?
Bug 901319

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Patch should apply cleanly on aurora.

How likely is this patch to cause regressions; how much testing does it need?
Not likely to cause a regression. Included test is likely sufficient.
Attachment #8390960 - Flags: sec-approval?
Comment on attachment 8390960 [details] [diff] [review]
Update active formatting element list indices in HTML parser adoption agency algorithm.

sec-approval+ for trunk. If this is needed for aurora, please ask for branch approval for it too.
Attachment #8390960 - Flags: sec-approval? → sec-approval+
https://hg.mozilla.org/integration/mozilla-inbound/rev/1fb7e8584dea
Flags: in-testsuite+
OS: Linux → All
Hardware: x86_64 → All
https://hg.mozilla.org/mozilla-central/rev/1fb7e8584dea
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla31
We need this on Aurora too, right?
Flags: needinfo?(wchen)
Comment on attachment 8390960 [details] [diff] [review]
Update active formatting element list indices in HTML parser adoption agency algorithm.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 901319
User impact if declined: Browser possibly hangs or crashes.
Testing completed (on m-c, etc.): Test case was committed with patch on m-c that tests the fix.
Risk to taking this patch (and alternatives if risky): None
String or IDL/UUID changes made by this patch: None
Attachment #8390960 - Flags: approval-mozilla-aurora?
Flags: needinfo?(wchen)
Attachment #8390960 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Duplicate of this bug: 987052
Flags: sec-bounty?
Blocks: 901319
Flags: sec-bounty? → sec-bounty+
Reproduced both issues (using the two attachments) from comment #0 using the following build:
- http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1394359324/

Once I reproduced the original issues, I used the following builds for verification:
- https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/latest/
- https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-aurora-linux64-asan/latest/
- https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-beta-linux64-asan/latest/

For each of the above builds, I loaded both of the attachments from comment #0 and ensured they loaded without any issues:
- Repro-file UAF - Passed (m-c, aurora, beta)
- Repro-file BOF - Passed (m-c, aurora, beta)

OS Used during verification: Ubuntu 13.10 x64
Status: RESOLVED → VERIFIED
Group: core-security