Bugzilla@Mozilla – Bug 484320
XUL <tree> _moveToEdgeShift garbage-collection exploit (zdi-can-465)
Last modified: 2010-03-25 17:18:05 PDT
Summon comment box
Placeholder for Pwn2Own bug found in Firefox at CanSecWest 2009
http://crash-stats.mozilla.com/report/index/8891b794-7cbe-4ace-85b9-48d602090320
jst said to start with Neil. Since this is a high profile bug (Firefox cracked during a public hacking contest) we need to focus on it. If we had a fix I'd like to shoehorn it into 1.9.0.8 even though we're past codefreeze (April release) but May's 1.9.0.9 is more realistic. Needs to make 3.5b4.
Windows and OSX stacks look quite different :/ Does this crash on trunk/1.9.1? If not, my guess is that bug 430214 fixed this. Especially this https://bugzilla.mozilla.org/attachment.cgi?id=348637&action=edit It changed nsTreeSelection::FireOnSelectHandler to asynchronous.
(In reply to comment #4) > Does this crash on trunk/1.9.1? I was told it does crash, so something else then...
Here's yet a different Windows crash, in Shiretoko rather than 3.0.7 bp-bccadf08-a8f0-4a6f-8374-47c802090323 what does nsTextServicesDocument::InitWithEditor have to do with this testcase?
This sounds like memory stomping somewhere. valgrind might shed some light.
Created attachment 368965 [details] safer starting point Here's a safer starting point. The guts of the testcase are still in the poc.zip, but this copy of hold.html has the shellcode replaced with %u4141...
Yeah, need to fix this for the reasons stated above. Neil: are you the right dude to be looking at this?
Created attachment 368977 [details] [review] patch Could someone please test this on non-linux.
I haven't yet checked if timer code should be actually fixed.
I tested this on 1.9.1 / 64bit linux / debug build
(In reply to comment #11) > I haven't yet checked if timer code should be actually fixed. But for 1.9.0 the patch might be the safest fix - shouldn't cause regressions.
Note that I never got the PoC to crash in a debug build so the patch will have to be verified in an opt build.
Comment on attachment 368977 [details] [review] patch So, InitWithFuncCallback is used, passing this is unsafe *unless* timer is canceled before deleting this.
Comment on attachment 368977 [details] [review] patch This makes sense. Good catch!
Comment on attachment 368977 [details] [review] patch r=dveditz Tested in opt builds and this patch stops the mac crashes I was seeing (I never got a debug build to crash). Since I was seeing completely different stacks on windows I'd like to verify this there as well.
Comment on attachment 368977 [details] [review] patch Does this have to go in on trunk and branch at the same time, or can we bake it there a bit first? Either way, it's a blocker, so doesn't need a191.
http://hg.mozilla.org/mozilla-central/rev/6955c8360d08 http://hg.mozilla.org/releases/mozilla-1.9.1/rev/60caf43ff9c2 This does still need verification on windows.
The patch does fix the crash also on 1.9.0 (tested on linux).
The patch seems to fix the crash for me in my trunk debug build on windows XP.
Comment on attachment 368977 [details] [review] patch Approved for 1.9.0.8, a=dveditz for release-drivers Can you land this ASAP? we're well beyond code-freeze for 1.9.0.8
Checking in layout/xul/base/src/tree/src/nsTreeSelection.cpp; /cvsroot/mozilla/layout/xul/base/src/tree/src/nsTreeSelection.cpp,v <-- nsTreeSelection.cpp new revision: 1.59; previous revision: 1.58 done
Stops the crash on windows for me as well (tested shiretoko tinderbox build).
Olli: Does this bug affect 1.8? We're taking it in a firedrilled Firefox 3.0.8, so if so, we'll want to get a patch ready for the distros to take.
I can't reproduce the crash on 1.8.1, but I don't know why. The code is the same. The patch applies to 1.8.1 too (just need to use --fuzz=3)
Ah, 1.8.1 doesn't seem to have bug 362680. So reproducing would need some changes to the testcase.
1.8.0 is in the same boat as above. patch applies with fuzz=3, but testcase doesn't work
Should this have a crashtest?
Not yet, IMO. As far as I know the testcase is not public yet.
This is CVE-2009-1044
(In reply to comment #31) > This is CVE-2009-1044 But the testcase isn't public, right?
No, MITRE assigned this based only off of the announcement from CanSecWest. If you look at the CVE id information: