Closed
Bug 439735
(CVE-2008-2811)
Opened 16 years ago
Closed 16 years ago
exploitable crash at nsBlockFrame::DrainOverflowLines
Categories
(Core :: Layout, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: bsterne, Assigned: dbaron)
References
Details
(Keywords: crash, verified1.8.1.15, verified1.8.1.16, Whiteboard: [sg:critical] trunk fixed by 372237)
Attachments
(2 files, 1 obsolete file)
(deleted),
text/html
|
Details | |
(deleted),
patch
|
roc
:
review+
roc
:
superreview+
dveditz
:
approval1.8.1.15+
dveditz
:
approval1.8.1.16+
asac
:
approval1.8.0.next+
|
Details | Diff | Splinter Review |
This was reported to Mozilla today by iSight Partners. I can confirm that the PoC page (which I'll attach shortly) crashes Firefox 2.0.0.14 on all three platforms. On Mac, I crash with the stack pasted below. Note that address space that we crash on is identical to that mentioned in the advisory. The full report is attached.
Process: firefox-bin [28540]
Path: /Applications/Firefox 2.app/Contents/MacOS/firefox-bin
Identifier: org.mozilla.firefox
Version: 2.0.0.14 (2.0.0.14)
Code Type: X86 (Native)
Parent Process: launchd [1]
Date/Time: 2008-06-17 15:03:57.922 -0700
OS Version: Mac OS X 10.5.3 (9D34)
Report Version: 6
Exception Type: EXC_BAD_INSTRUCTION (SIGILL)
Exception Codes: 0x0000000000000001, 0x0000000000000000
Crashed Thread: 0
Thread 0 Crashed:
0 ??? 0x02020202 0 + 33686018
1 org.mozilla.firefox 0x005f2769 nsBlockFrame::DrainOverflowLines(nsBlockReflowState&) + 959
2 org.mozilla.firefox 0x005f6b48 nsBlockFrame::ComputeFinalSize(nsHTMLReflowState const&, nsBlockReflowState&, nsHTMLReflowMetrics&) + 2498
3 org.mozilla.firefox 0x0042afbc nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&) + 94
4 org.mozilla.firefox 0x0061ecf4 CanvasFrame::GetType() const + 1358
5 org.mozilla.firefox 0x0042afbc nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&) + 94
Reporter | ||
Comment 1•16 years ago
|
||
Reporter | ||
Updated•16 years ago
|
Attachment #325456 -
Attachment is private: true
Updated•16 years ago
|
Attachment #325458 -
Attachment is private: false
Updated•16 years ago
|
Attachment #325456 -
Attachment is private: false
Comment 2•16 years ago
|
||
un-privatizing the PoC for now: it's unnecessary while the bug itself is private and prevents us from including people (via CC:) to help with the bug who aren't already on the security-group.
The advisory date was May 10, but this was just received by the security alias when Brandon filed the bug. If we'd received it then we might have been able to get a fix into the all-but-shipped 2.0.0.15 release.
Didn't crash in Minefield but hung, possibly because I was out of memory. Need to investigate trunk further. If it is fixed on trunk would be nice to find a "fix" range (and hope it wasn't the reflow-branch landing).
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.16?
Keywords: crash
Summary: Investigate crash at nsBlockFrame::DrainOverflowLines → exploitable crash at nsBlockFrame::DrainOverflowLines
Whiteboard: [sg:critical]
Comment 3•16 years ago
|
||
This is without the memory-filling code, which is really annoying if you want to find a regression range for the crash. This still crashes branch, but not trunk.
Comment 4•16 years ago
|
||
On trunk the fix range seems to be between 2007-02-06 and 2007-02-07:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-02-06+04&maxdate=2007-02-07+07&cvsroot=%2Fcvsroot
Somehow fixed by bug 177805, I guess.
Comment 5•16 years ago
|
||
bug 177805 is a big change, hopefully there's a simpler band-aid we can take.
Damon: please assign to the appropriate person on your team.
Assignee: nobody → dsicore
Flags: blocking1.8.1.16? → blocking1.8.1.16+
Summary: exploitable crash at nsBlockFrame::DrainOverflowLines → exploitable crash at nsBlockFrame::DrainOverflowLines (iSight)
Whiteboard: [sg:critical] → [sg:critical] trunk maybe fixed by 177805
Version: unspecified → 1.8 Branch
Assignee | ||
Comment 6•16 years ago
|
||
I suspect being "fixed" bug bug 177805 means the bug would probably still show up after bug 177805 with a different number in the border attribute.
Assignee | ||
Comment 7•16 years ago
|
||
It might be useful to:
* find a different number for border that would still crash the 2007-02-07 build
* see if that testcase still crashes trunk
+ if so, it's useful for testing
+ if not, find a new fix date
Note that bug 177805 changed our internal units from being 20 per point (which, at 96dpi, means 15 per pixel) to being 60 per pixel. If the range of values causing the crash is very specific, you may also need to adjust the body margins and/or the image size.
Assignee | ||
Comment 8•16 years ago
|
||
I'd note that to get attachment 325557 [details] to crash for me on Linux on a 2007-02-06-04-trunk build, I need to set the layout.css.dpi pref to 96 (which is effectively what it will default to for most Windows users and all Mac users, I think).
Assignee | ||
Comment 9•16 years ago
|
||
For what it's worth 35791400 pixels, at 15 twips per pixel (96dpi), is 0x20000058. That's just above nscoord_MAX.
I tried a testcase with 8947850 in the 2007-02-07-04-trunk build and that didn't crash for me, though.
Assignee | ||
Comment 10•16 years ago
|
||
In 2007-02-06-04-trunk, 96dpi, on Linux, I see white with values 35791337 and less, see black with 35791338, and crash with 35791339 and higher (I couldn't find an upper limit).
Assignee | ||
Comment 11•16 years ago
|
||
This crashes 2007-02-07-04-trunk on Linux. The crash turned to a hang (still haven't isolated that change), and then the hang turned into loading fine between 2008-03-07-04-trunk and 2008-03-08-04-trunk.
Assignee | ||
Comment 12•16 years ago
|
||
The hang on attachment 325683 [details] started between 2007-07-01-04-trunk and 2007-07-02-04-trunk, but the crash was actually fixed (so there was an interval between when it worked fine) between 2007-06-01-04-trunk and 2007-06-02-04-trunk, which may be the range where we really want to look for a fix.
Assignee | ||
Comment 13•16 years ago
|
||
Actually, that 06-01 to 06-02 crash fix was a fix for crashing on startup, not crashing on this testcase, so it's the wrong range.
Assignee | ||
Comment 14•16 years ago
|
||
Comment on attachment 325683 [details]
testcase that crashes after units landing
OK, when I said this crashes after the units landing, I must have been testing the wrong build. It doesn't crash for me anymore, so I have nothing useful.
Attachment #325683 -
Attachment is obsolete: true
Assignee | ||
Comment 15•16 years ago
|
||
Actually, it does crash after the units landing if I create a fresh profile with the build in question, and the crash went away between 2007-03-11-04-trunk and 2007-03-12-04-trunk.
Assignee | ||
Comment 16•16 years ago
|
||
I'd guess it was probably fixed by attachment 257911 [details] [diff] [review] on bug 372237. Could somebody with a branch tree handy try that?
Comment 17•16 years ago
|
||
Yeah, the patch from bug 372237 seems to fix this.
I had to alter the patch for branch into this, otherwise it wouldn't compile.
Assignee | ||
Comment 18•16 years ago
|
||
Looks ok to me, but you probably want to ask roc to review the merged version.
Assignee | ||
Updated•16 years ago
|
Whiteboard: [sg:critical] trunk maybe fixed by 177805 → [sg:critical] trunk fixed by 372237
Updated•16 years ago
|
Attachment #325743 -
Flags: superreview?(roc)
Attachment #325743 -
Flags: review?(roc)
Attachment #325743 -
Flags: superreview?(roc)
Attachment #325743 -
Flags: superreview+
Attachment #325743 -
Flags: review?(roc)
Attachment #325743 -
Flags: review+
Updated•16 years ago
|
Attachment #325743 -
Flags: approval1.8.1.15?
Attachment #325743 -
Flags: approval1.8.0.15?
Updated•16 years ago
|
Assignee: dsicore → martijn.martijn
Updated•16 years ago
|
Flags: blocking1.8.1.15+
Flags: blocking1.8.0.15?
Comment 19•16 years ago
|
||
Comment on attachment 325743 [details] [diff] [review]
branch patch
Approved for 1.8.1.15 and 1.8.1.16, a=dveditz for release-drivers
Please land on both the MOZILLA_1_8_BRANCH and the GECKO181_20080612_RELBRANCH, and give it both fixed1.8.1.15 and fixed1.8.1.16 keywords.
Attachment #325743 -
Flags: approval1.8.1.16+
Attachment #325743 -
Flags: approval1.8.1.15?
Attachment #325743 -
Flags: approval1.8.1.15+
Updated•16 years ago
|
Attachment #325743 -
Flags: approval1.8.0.15?
Comment 20•16 years ago
|
||
Checking in nsIFrame.h;
/cvsroot/mozilla/layout/generic/nsIFrame.h,v <-- nsIFrame.h
new revision: 3.291.6.4; previous revision: 3.291.6.3
done
Checked into the MOZILLA_1_8_BRANCH tree.
Checking in nsIFrame.h;
/cvsroot/mozilla/layout/generic/nsIFrame.h,v <-- nsIFrame.h
new revision: 3.291.6.3.28.1; previous revision: 3.291.6.3
done
Checked into the GECKO181_20080612_RELBRANCH tree.
Assignee: martijn.martijn → dbaron
Keywords: fixed1.8.1.15,
fixed1.8.1.16
Updated•16 years ago
|
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 21•16 years ago
|
||
Verified crash in Firefox 2.0.0.14. Using build 3 of 2.0.0.15, there is no crash.
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.15) Gecko/2008062305 Firefox/2.0.0.15
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1.15 → verified1.8.1.15
Updated•16 years ago
|
Keywords: fixed1.8.1.17 → fixed1.8.1.16
Updated•16 years ago
|
Alias: CVE-2008-2811
Summary: exploitable crash at nsBlockFrame::DrainOverflowLines (iSight) → exploitable crash at nsBlockFrame::DrainOverflowLines
Updated•16 years ago
|
Attachment #325456 -
Attachment is private: true
Updated•16 years ago
|
Attachment #325743 -
Flags: approval1.8.1.17+ → approval1.8.1.16+
Updated•16 years ago
|
Attachment #325458 -
Attachment is private: true
Updated•16 years ago
|
Group: security
Comment 22•16 years ago
|
||
Verified in 2.0.0.16 as well: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.16) Gecko/2008070205 Firefox/2.0.0.16.
Keywords: fixed1.8.1.16 → verified1.8.1.16
Updated•16 years ago
|
Flags: blocking1.8.1.17+
Comment 23•16 years ago
|
||
Comment on attachment 325743 [details] [diff] [review]
branch patch
a=asac for 1.8.0
Attachment #325743 -
Flags: approval1.8.0.next+
Updated•16 years ago
|
Flags: blocking1.8.0.next? → blocking1.8.0.next+
You need to log in
before you can comment on or make changes to this bug.
Description
•