Bugzilla@Mozilla – Bug 505305
Probably Exploitable - Read Access Violation on Block Data Move starting at MSVCR80D!memcpy+0x000000000000005a
Last modified: 2010-02-19 15:56:33 PST
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090716 Shiretoko/3.5.1pre

Steps to reproduce:
- Load: http://www.donorschoose.org/donors/ search.html?page=9&keywords=music&max=50
-> Crash

(eb4.ac0): Access violation - code c0000005 (!!! second chance !!!)
eax=04b4d0da ebx=7ffd4000 ecx=3f6fdc36 edx=00000002 esi=06f56000 edi=06f47208
eip=1023d53a esp=0012e240 ebp=0012e248 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
MSVCR80D!memcpy+0x5a:
1023d53a f3a5            rep movs dword ptr es:[edi],dword ptr [esi] es:0023:06f47208=dddddddd ds:0023:06f56000=????????
0:000> cdb: Reading initial command '!load winext\msec.dll;.logappend;!exploitable;k;q'
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at MSVCR80D!memcpy+0x000000000000005a (Hash=0x6e021839.0x70393e49)
This is a read access violation in a block data move, and is therefore classified as probably exploitable.

ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e248 005ad1a4 MSVCR80D!memcpy+0x5a
0012e28c 005ac540 js3250!do_replace+0x134
0012e310 005ac1a2 js3250!js_StringReplaceHelper+0x370
0012e334 0051aeba js3250!str_replace+0x82
0012ea64 0050709c js3250!js_Interpret+0x1179a
0012eb40 00507962 js3250!js_Invoke+0x95c
0012eb64 004b30ed js3250!js_InternalInvoke+0x82
0012eb8c 03016620 js3250!JS_CallFunctionValue+0x5d
0012ec3c 0307a2d9 gklayout!nsJSContext::CallEventHandler+0x2a0
0012eeb0 02ecee75 gklayout!nsJSEventListener::HandleEvent+0x10d9
0012ef9c 02ecf288 gklayout!nsEventListenerManager::HandleEventSubType+0x195
0012f010 02ed2ec0 gklayout!nsEventListenerManager::HandleEvent+0x398
0012f050 02ed3104 gklayout!nsEventTargetChainItem::HandleEvent+0x130
0012f08c 02ed381e gklayout!nsEventTargetChainItem::HandleEventTargetChain+0x194
0012f158 02bf0595 gklayout!nsEventDispatcher::Dispatch+0x51e
0012f1e0 03a1788c gklayout!DocumentViewerImpl::LoadComplete+0x1c5
0012f21c 039fa127 docshell!nsDocShell::EndPageLoad+0x8c
0012f5f0 03a1752a docshell!nsWebShell::EndPageLoad+0x127
0012f640 03a41149 docshell!nsDocShell::OnStateChange+0x2ea
0012f6ec 03a402eb docshell!nsDocLoader::FireOnStateChange+0x1f9
quit:
MSVCR80D? Not MOZCRT19? Why isn't this using Moz's CRT?
Because jemalloc won't build on debug Windows.
*** Bug 505360 has been marked as a duplicate of this bug. ***
Created attachment 389595 [details] [review] Proposed fix
Comment on attachment 389595 [details] [review] Proposed fix

This is probably exploitable on a wide range of product builds.
Comment on attachment 389595 [details] [review] Proposed fix

Approved for 1.9.1.2. a=ss for release-drivers
Oh, and can we get a testcase attached to this bug before we lose the live one?
Created attachment 390349 [details] reduced testcase
http://hg.mozilla.org/mozilla-central/rev/7038ffdb23cb
Is this needed on the 1.8 branch?
The reduced testcase does crash Firefox 2.0.0.20.
Comment on attachment 389595 [details] [review] Proposed fix

Please remove the "hack me here" comment when you check in on branches. Hopefully people won't notice on trunk?

Approved for 1.9.0.13, a=dveditz for release-drivers
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/42dd0d5eb6ca
Created attachment 391019 [details] [review] 1.8 version
Verified using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729). 3.5 crashes using the test case in comment #8, but 3.5.2 does not crash. Instead it brings up a printing dialog.
Checking in js/src/jsstr.c;
/cvsroot/mozilla/js/src/jsstr.c,v  <--  jsstr.c
new revision: 3.209; previous revision: 3.208
done
Verified fixed for 1.9.0.14 using the originally reported site and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14pre) Gecko/2009081305 GranParadiso/3.0.14pre (.NET CLR 3.5.30729). It still crashes 1.9.0.13.
Comment on attachment 391019 [details] [review] 1.8 version

Approved for 1.8.1.24, a=dveditz for release-drivers
(In reply to comment #18)
> (From update of attachment 391019 [details] [review])
> Approved for 1.8.1.24, a=dveditz for release-drivers

Checked in:

Checking in js/src/jsstr.c;
/cvsroot/mozilla/js/src/jsstr.c,v  <--  jsstr.c
new revision: 3.108.2.14; previous revision: 3.108.2.13
done
Verified for 1.8.1.24 using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.24pre) Gecko/2010021903 Thunderbird/2.0.0.24pre ThunderBrowse/3.2.8.1 with Thunderbrowse and testcase in comment 8. 2.0.0.23 crashes on the testcase and 2.0.0.24pre brings up the print dialog and does not crash.