Closed
Bug 306939 (randomstyles)
Opened 19 years ago
Closed 3 years ago
[meta] Bugs found by Random Styles (adding random style properties to DOM elements)
Categories: Core :: Fuzzing, defect
Tracking: RESOLVED INACTIVE
People: Reporter: jruderman, Unassigned
References: Depends on 127 open bugs
Details: Keywords: meta, sec-other, Whiteboard: [sg:nse] meta
Attachments: 1 file, 7 obsolete files (application/zip)
This bookmarklet gives random inline styles to random elements in the page.
Like the bookmarklet in bug 306663, "Random styles" is fairly effective at
finding crash bugs in Gecko.
I'm filing this bug as security-sensitive and keeping the bookmarklet secret for
now.
I've seen this bookmarklet give me three unique stack signatures so far, but
I've only been able to reproduce one somewhat reliably. Testcase coming up in a
bug that will block this one.
Comment 1 (Reporter)•19 years ago
Bug 306940 happens often enough that it makes it difficult to tell whether there
are other crashes. I'll do another round of testing once it is fixed.
Updated (Reporter)•19 years ago
Flags: blocking1.8b5?
Comment 2 (Reporter)•19 years ago
Comment 3 (Reporter)•19 years ago
Bug fix: add a check that n.style exists before trying to change a node's
style.
Attachment #195383 - Attachment is obsolete: true
Updated•19 years ago
Flags: blocking1.8b5? → blocking1.8b5+
Comment 5•19 years ago
If you come up with a very safe fix in the next couple of days, please request
approval for the patch and we'll evaluate.
Flags: blocking1.8b5+ → blocking1.8b5-
Comment 6 (Reporter)•19 years ago
This is one of the tools I use when I want to reduce a Random Styles testcase.
Its output is meant to be pasted back into the script, replacing the first two
lines.
Updated•19 years ago
Whiteboard: [sg:investigate]
Updated (Reporter)•19 years ago
Alias: randomstyles
Comment 7•19 years ago
The crash points of bug 316599 and bug 316608 appear in many of the other random styles and stir dom crashers. I didn't report each individually, but bug 316599 and bug 316608 look like good candidates to fix first so that we find other crashers which are hiding behind them.
Comment 8•19 years ago
i don't have enough permissions to see the individual bugs, so commenting here:
on 1.5 i crash in XmlInitUnknownEncodingNS
probably due to null dereference.
on latest trunk jesse's program stops generating new styles after several seconds.
on trunk on linux from several days before there is a potential stack overflow from these starting values:
808080, 3, 100, 400
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1222022944 (LWP 2717)]
0xdddddddd in ?? ()
(gdb) info stack
#0 0xdddddddd in ?? ()
#1 0x082ce69c in nsIFrame::GetStyleData (this=0x954a4d8,
aSID=eStyleStruct_Display) at nsIFrame.h:610
Comment 9•19 years ago
(In reply to comment #8)
Bug 316608 seems to have a similar stacktrace as the GetStyleData crash.
It's also important to mention on which page you crash and with what parameters.
Comment 10•19 years ago
(In reply to comment #9)
> (In reply to comment #8)
> Bug 316608 seems to have a similar stacktrace as the GetStyleData crash.
>
this bug gives me "access denied".
> It's also important to mention on which page you crash and with what
> parameters.
as mentioned in my previous post, the starting parameters in the confirm dialog are:
808080, 3, 100, 400
waiting is several seconds.
tested on linux.
don't know how to find the exact page.
Comment 11•19 years ago
if someone cc's me on Bug 316608 i will try the testcase.
Comment 12•19 years ago
The problem is, I'm not really sure I'm allowed to cc you on that bug.
Comment 13•19 years ago
running jesse's fuzzer on linux:
ff 1.5: crashes only in XmlInitUnknownEncodingNS for me.
on latest trunk: stops generating new pages after several seconds.
am i doing something wrong?
Comment 14•19 years ago
starting values in the confirm dialog:
161616, 4, 100, 400
all linux:
1.5 - innocent crash in XmlInitUnknownEncodingNS
latest trunk on x86_64 (64 bit) - smashed |this| in nsCachedStyleData::GetStyleData
latest trunk on i386: the stack seems smashed
Comment 15•19 years ago
Without knowing what page you're starting on (and the parameters, which you did give), we can't reproduce the crashes you're seeing.
Comment 16•19 years ago
(In reply to comment #15)
> Without knowing what page you're starting on (and the parameters, which you did
> give), we can't reproduce the crashes you're seeing.
>
starting local copy of "Random Styles 1.5.1 (for pasting into testcases)"
the parameters are described in comment #14:
starting values in the confirm dialog:
161616, 4, 100, 400
Comment 17•19 years ago
jesse: what about adding window.dump(CURRENTVALUES)
in debug builds started from terminal, this will print the current values in the terminal, so the exact page will be easily found?
Comment 18•19 years ago
crashes or timeouts found in this run appear as
randomstyles: url?fuzz=parms...
The test loads the page (with the querystring), then runs the randomstyles bookmarklet with the specified parameters. You can copy/paste the parameters from the query string directly into the randomstyles input prompt.
The end of each line identifies the machine, the date the test run began and
the build which was tested. For example,
prunessh/2005-12-17-02-34-33-firefox-1.5-build-dbg-1.8_2005121411.log
was run on prune (a windows machine), on Dec 17, using a 1.8 debug build built
on 2005-12-14-11.
You can reproduce each test case by loading the url including the query string, then running randomstyles with the appropriate parameter.
Comment 19•19 years ago
latest ff trunk build from source stops the crashes in comment 8 and comment 14, but the generator stops generating new pages. there are assertions in the terminal.
Comment 20 (Reporter)•19 years ago
Changes made to both Stir DOM and Random Styles recorders:
1. Make it record information about chunks/intervals so that
(a) it can record the equivalent of a nonzero "number of changes to do immediately" in the bookmarklet.
(b) while reducing, the chunk boundaries don't move.
2. Make it work with both XML and HTML without requiring separate versions.
3. Improve the instructions.
Changes made only to Random Styles recorder:
1. Add "if(n.style)" check in addElements to match bookmarklet.
Attachment #198554 - Attachment is obsolete: true
Updated (Reporter)•19 years ago
Whiteboard: [sg:investigate] → [sg:nse] meta
Updated•19 years ago
Assignee: dbaron → nobody
Comment 21 (Reporter)•19 years ago
See also bug 331889. The "Random Classes" bookmarklet there does most of what this one does, and more.
Updated (Reporter)•19 years ago
OS: Mac OS X 10.2 → All
Hardware: Macintosh → All
Comment 22 (Reporter)•18 years ago
* Converted it to use fuzz.js (see bug 339948).
* No longer uses separate versions for bookmarklet-source and recording.
* Changed "float" to "cssFloat" (???).
Attachment #195488 - Attachment is obsolete: true
Attachment #207403 - Attachment is obsolete: true
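An added illustration (my code, not the bookmarklet attached to this bug nor funfuzz's style-properties.js) of the mechanism the description and comments 3, 6, 20 and 22 describe: seeded random style application, the `if (n.style)` check that skips nodes without a style object, the `cssFloat` spelling of `float`, and a change log that can be replayed as a reduced testcase. It assumes only a tree of objects with `childNodes` and an optional `style`, so it works on `document.documentElement` in a browser or on a constructed tree under Node; the property/value pool is my own choice.

```javascript
// Deterministic PRNG (mulberry32): a run is reproducible from its seed.
function makeRng(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Property pool (assumed, not the bug's). "cssFloat" is the CSSOM spelling of
// the CSS "float" property (the rename noted in comment 22); some values are
// deliberately extreme to exercise layout edge cases.
const PROPS = {
  display: ["none", "block", "inline", "table", "flex"],
  position: ["static", "relative", "absolute", "fixed"],
  cssFloat: ["none", "left", "right"],
  overflow: ["visible", "hidden", "scroll"],
  width: ["0", "1px", "50%", "10000px"],
};

// Only nodes that carry a style object are candidates; text and comment
// nodes do not, hence the "if (n.style)" check from comments 3 and 20.
function collectStyleable(root, out = []) {
  if (root.style) out.push(root);
  for (const c of root.childNodes || []) collectStyleable(c, out);
  return out;
}

// Apply `count` random changes and return the log needed to replay them.
function randomStyles(root, seed, count) {
  const rng = makeRng(seed);
  const nodes = collectStyleable(root);
  const keys = Object.keys(PROPS);
  const log = [];
  for (let i = 0; i < count && nodes.length > 0; i++) {
    const node = Math.floor(rng() * nodes.length);
    const prop = keys[Math.floor(rng() * keys.length)];
    const val = PROPS[prop][Math.floor(rng() * PROPS[prop].length)];
    nodes[node].style[prop] = val;
    log.push({ node, prop, val });
  }
  return log;
}

// Replay a recorded log against a fresh copy of the same tree (the reducer
// workflow of comment 6: paste the recorded changes back as a testcase).
function replay(root, log) {
  const nodes = collectStyleable(root);
  for (const { node, prop, val } of log) nodes[node].style[prop] = val;
}
```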
Comment 23 (Reporter)•18 years ago
Attachment #224050 - Attachment is obsolete: true
Comment 24 (Reporter)•18 years ago
Attachment #226745 - Attachment is obsolete: true
Comment 25•18 years ago
Shouldn't have security bugs assigned to nobody. Jesse can own his test bugs.
Assignee: nobody → jruderman
Updated (Reporter)•18 years ago
Summary: Crashes found by Jesse's "Random styles" bookmarklet → Bugs found by Jesse's "Random styles" bookmarklet
Comment 26 (Reporter)•18 years ago
Comment on attachment 242968 [details]
Random Styles 3.0
New version in bug 339948.
Attachment #242968 - Attachment is obsolete: true
Updated (Reporter)•18 years ago
Severity: critical → normal
Updated (Reporter)•16 years ago
Depends on: CVE-2010-3174
Comment 27 (Reporter)•9 years ago
Now public:
https://github.com/MozillaSecurity/funfuzz/blob/master/dom/fuzzer/modules/style-properties.js
Group: core-security
Summary: Bugs found by Jesse's "Random styles" bookmarklet → Bugs found by Random Styles (adding random style properties to DOM elements)
Updated•8 years ago
Component: Tracking → Platform Fuzzing Team
Updated•3 years ago
Summary: Bugs found by Random Styles (adding random style properties to DOM elements) → [meta] Bugs found by Random Styles (adding random style properties to DOM elements)
Comment 28•3 years ago
The bug assignee didn't log in to Bugzilla in the last 7 months.
:decoder, could you have a look please?
For more information, please visit auto_nag documentation.
Assignee: jruderman → nobody
Flags: needinfo?(choller)
Updated•3 years ago
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(choller)
Resolution: --- → INACTIVE