Closed Bug 987433 Opened 11 years ago Closed 11 years ago

Use after free with relList attribute of <a> element

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla31
Tracking Flags:
Tracking Status
firefox28 --- unaffected
firefox29 + verified
firefox30 + verified
firefox31 + verified
firefox-esr24 --- unaffected
b2g-v1.2 --- unaffected
b2g-v1.3 --- unaffected
b2g-v1.4 --- fixed
b2g-v2.0 --- fixed

People

(Reporter: nils, Assigned: smaug)

Details

(Keywords: csectype-uaf, sec-critical)

Attachments

(3 files, 1 obsolete file)

crash.html
321 bytes, text/html
Details
crash.txt
17.85 KB, text/plain
Details
hopefully less leaky
9.33 KB, patch
khuey
: review+
abillings
: approval-mozilla-aurora+
abillings
: approval-mozilla-beta+
Details | Diff | Splinter Review
Attached file crash.html
Testcase crashes the latest ASAN Firefox build. ASAN output attached in crash.txt. The relList attribute is freed while JS references are still alive. Probably related to changes in bug #968637
Attached file crash.txt
Yes, we don't seem to call DropReference().
Why aren't we just using cycle collection here?
That I can't recall. I think we should just CC here.
Assignee: nobody → bugs
Ouch, I'm sorry I missed that. :( We should definitely kill off that weak ref. For one thing, holding on to the token list means we can mutate attributes, which can trigger mutation observers, so should keep the element alive. And yes, this is a regression from bug 968637. Not sure whether I should add the dep....
Attached patch patch (obsolete) — Splinter Review
I can't reproduce this now. I think I did manage yesterday... But based on the stack and the current code the patch is certainly needed.
Attachment #8396556 - Flags: review?(khuey)
Comment on attachment 8396556 [details] [diff] [review] patch Review of attachment 8396556 [details] [diff] [review]: ----------------------------------------------------------------- r=me ::: content/base/src/nsDOMTokenList.h @@ +77,5 @@ > void RemoveInternal(const nsAttrValue* aAttr, > const nsTArray<nsString>& aTokens); > inline const nsAttrValue* GetParsedAttr(); > > + nsCOMPtr<Element> mElement; The tree seems to use both nsCOMPtr and nsRefPtr with Element. We should clean that up at some point.
Attachment #8396556 - Flags: review?(khuey) → review+
Comment on attachment 8396556 [details] [diff] [review] patch [Security approval request comment] How easily could an exploit be constructed based on the patch? The patch itself doesn't actually touch the problematic code, but if someone realizes why the patch is needed, then it is quite obvious. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? Check-in comment will be: "DOMTokenList should have a strong reference to its owner so that the API doesn't suddenly start returning empty string." Which older supported branches are affected by this flaw? 30 (aurora) If not all supported branches, which bug introduced the flaw? bug 968637 Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? The patch applies cleanly to Aurora How likely is this patch to cause regressions; how much testing does it need? Not likely to cause regressions.
Attachment #8396556 - Flags: sec-approval?
Attachment #8396556 - Flags: approval-mozilla-aurora?
Comment on attachment 8396556 [details] [diff] [review] patch sec-approval+ and approved for Aurora.
Attachment #8396556 - Flags: sec-approval?
Attachment #8396556 - Flags: sec-approval+
Attachment #8396556 - Flags: approval-mozilla-aurora?
Attachment #8396556 - Flags: approval-mozilla-aurora+
We're seeing new leaks on the push that included this and two other patches on inbound
Do we traverse/unlink the token lists created by nsGenericHTMLElement::GetTokenList? I bet we don't. :( So we could get leaks now that those are wrappercached, in fact...
That means we need this for FF29 too, since that sandbox stuff was added in Bug 845057.
(nsGenericHTMLElement::GetTokenList is too error prone)
Attachment #8397789 - Flags: review?(khuey)
(In reply to Olli Pettay [:smaug] from comment #16) > That means we need this for FF29 too, since that sandbox stuff was added in > Bug 845057. If you nominate a patch, I'll approve it.
(In reply to Olli Pettay [:smaug] from comment #17) > (nsGenericHTMLElement::GetTokenList is too error prone) Indeed.
Comment on attachment 8397789 [details] [diff] [review] hopefully less leaky Review of attachment 8397789 [details] [diff] [review]: ----------------------------------------------------------------- I don't review Foo*** very often.
Attachment #8397789 - Flags: review?(khuey) → review+
The previous patch got sec-a+, so I don't think it is worth to ask approval for the fixed patch.
Keywords: checkin-needed
Attachment #8396556 - Attachment is obsolete: true
(In reply to Olli Pettay [:smaug] from comment #22) > The previous patch got sec-a+, so I don't think it is worth to ask approval > for the fixed patch. ohai. Can we get a beta and aurora patch though?
Comment on attachment 8397789 [details] [diff] [review] hopefully less leaky This applies with fuzz [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 968637 and Bug 845057 User impact if declined: sec-crit crashes Testing completed (on m-c, etc.): just landed Risk to taking this patch (and alternatives if risky): Should be rather low risk. Leaks in the previous landing revealed another cases of this issue, and the current patch is now safer. String or IDL/UUID changes made by this patch: NA
Attachment #8397789 - Flags: approval-mozilla-beta?
Attachment #8397789 - Flags: approval-mozilla-aurora?
Attachment #8397789 - Flags: approval-mozilla-beta?
Attachment #8397789 - Flags: approval-mozilla-beta+
Attachment #8397789 - Flags: approval-mozilla-aurora?
Attachment #8397789 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/mozilla-central/rev/c9640661eddc
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox31: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla31
Thanks again Ryan!
Keywords: verifyme
I reproduced the crash on ASAN build from 2014-03-24 and verified that the issue is fixed on latest Aurora, latest Nightly and Firefox 29 beta 5 ASAN builds.
status-firefox29: fixedverified
status-firefox30: fixedverified
status-firefox31: fixedverified
Keywords: verifyme
Status: RESOLVED → VERIFIED
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: