Closed Bug 647612 Opened 13 years ago Closed 13 years ago

xul!nsIsIndexFrame::RestoreState+0x39

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED DUPLICATE of bug 639733

(Reporter: javg0x83, Unassigned)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16
Build Identifier: Firefox/4

-----------------from Readme.txt attached------------------------------


-----------
ADVISORY
-----------

- Title: xul!nsIsIndexFrame::RestoreState+0x39
- Tested on: Mozilla Firefox
- Affected version (tested): 4
- Unaffected version (tested): 3 (current stable release, 3.6.16)
- OS: Windows XP SP3


-----------
ANALYSIS
-----------


- First frame in the stack trace shows:

[FRAME] xul!nsIsIndexFrame::RestoreState+0x39 [e:\builds\moz2_slave\rel-2.0-w32-bld\build\layout\forms\nsisindexframe.cpp @ 565]

- C++ code:

--------------snip---------------------

NS_IMETHODIMP
nsIsIndexFrame::RestoreState(nsPresState* aState)
{
  NS_ENSURE_ARG_POINTER(aState);

  // Set the value to the stored state.
  nsCOMPtr<nsISupportsString> stateString
    (do_QueryInterface(aState->GetStateProperty()));
  
  nsAutoString data;            // <-- (*) DATA IS NULL
  stateString->GetData(data);   // <-- (*) DANGEROUS ZONE
  SetInputValue(data);

  return NS_OK;
}

--------------snip---------------------


- Assembly code:


-------------------------------------snip---------------------------------------

xul!nsIsIndexFrame::RestoreState:
1062f36f 55              push    ebp
1062f370 8d6c2490        lea     ebp,[esp-70h]
1062f374 81ec9c000000    sub     esp,9Ch
1062f37a a170f2c810      mov     eax,dword ptr [xul!__security_cookie (10c8f270)]
1062f37f 33c5            xor     eax,ebp
1062f381 89456c          mov     dword ptr [ebp+6Ch],eax
1062f384 8b457c          mov     eax,dword ptr [ebp+7Ch]
1062f387 85c0            test    eax,eax
1062f389 7507            jne     xul!nsIsIndexFrame::RestoreState+0x23 (1062f392)
1062f38b b803400080      mov     eax,80004003h
1062f390 eb42            jmp     xul!nsIsIndexFrame::RestoreState+0x65 (1062f3d4)
1062f392 ff30            push    dword ptr [eax]
1062f394 8d45d4          lea     eax,[ebp-2Ch]
1062f397 50              push    eax
1062f398 e89720efff      call    xul!nsCOMPtr<nsISupportsString>::nsCOMPtr<nsISupportsString> (10521434)
1062f39d 8d4dd8          lea     ecx,[ebp-28h]
1062f3a0 e8cbe9a3ff      call    xul!nsAutoString::nsAutoString (1006dd70)
1062f3a5 8b45d4          mov     eax,dword ptr [ebp-2Ch]
1062f3a8 8b08            mov     ecx,dword ptr [eax]  ds:0023:00000000=???????? <-- (*) CRASH
1062f3aa 8d55d8          lea     edx,[ebp-28h]
1062f3ad 52              push    edx
1062f3ae 50              push    eax
1062f3af ff5110          call    dword ptr [ecx+10h] <-- (*) DANGEROUS ZONE
1062f3b2 8d45d8          lea     eax,[ebp-28h]
1062f3b5 50              push    eax
1062f3b6 8b4578          mov     eax,dword ptr [ebp+78h]
1062f3b9 83c08c          add     eax,0FFFFFF8Ch
1062f3bc 50              push    eax
1062f3bd e8a20bf3ff      call    xul!nsIsIndexFrame::SetInputValue (1055ff64)
1062f3c2 8d4dd8          lea     ecx,[ebp-28h]
1062f3c5 e816a5a6ff      call    xul!nsAString_internal::Finalize (100998e0)
1062f3ca 8d4dd4          lea     ecx,[ebp-2Ch]
1062f3cd e86ea4adff      call    xul!nsRefPtr<nsPresContext>::~nsRefPtr<nsPresContext> (10109840)
1062f3d2 33c0            xor     eax,eax
1062f3d4 8b4d6c          mov     ecx,dword ptr [ebp+6Ch]
1062f3d7 33cd            xor     ecx,ebp
1062f3d9 e822d8d2ff      call    xul!__security_check_cookie (1035cc00)
1062f3de 83c570          add     ebp,70h
1062f3e1 c9              leave
1062f3e2 c20800          ret     8

-------------------------------------snip---------------------------------------



- This seems to be a null pointer. Marked as security out of caution, to be on the safe side.


------------------
PROOF OF CONCEPT
------------------


- PoC and stackframes/analyze/!exploitable analysis attached.


--------
STEPS
--------

1. Go to the poc dir and launch poc.pl with an IP and port
2. Connect Firefox 4 to this IP:Port
3. Wait for the crash

Note: On the systems I tested, it always crashed on the first round.


---------
CREDITS
---------


Jose A. Vazquez of {http://spa-s3c.blogspot.com}




Reproducible: Always

Steps to Reproduce:
1. Go to the poc dir and launch poc.pl with an IP and port
2. Connect Firefox 4 to this IP:Port
3. Wait for the crash
Actual Results:  
Crash

Expected Results:  
No crash

Complete info attached
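The analysis above shows `do_QueryInterface(aState->GetStateProperty())` yielding a null `nsCOMPtr`, so the virtual call in `GetData` fetches a vtable through address 0 (`mov ecx,[eax]` with eax=0). The following is an added example, not code from the bug or from the bug 639733 patch: it models the same flow with constructed stand-in types (`nsISupports`, `nsISupportsString`, `nsPresState`, `QueryStateString` are all stand-ins here, not Gecko's real classes) and adds the null check that the snippet is missing, assuming a plain check is the mitigation.

```cpp
#include <cstdint>
#include <string>
// Constructed stand-ins for the Gecko types in the snippet above; they are
// not Mozilla's real classes, only enough to model the null-pointer path.
typedef uint32_t nsresult;
static const nsresult NS_OK = 0;
static const nsresult NS_ERROR_NULL_POINTER = 0x80004003;  // the 80004003h in the disassembly
struct nsISupports { virtual ~nsISupports() {} };
struct nsISupportsString : nsISupports {
  std::string mData;
  nsresult GetData(std::string& aOut) const { aOut = mData; return NS_OK; }
};
struct nsISupportsPRInt32 : nsISupports { int32_t mData = 0; };  // a non-string property
struct nsPresState {
  nsISupports* mProperty = nullptr;
  nsISupports* GetStateProperty() const { return mProperty; }
};
// Models do_QueryInterface(...) into nsCOMPtr<nsISupportsString>: the result is
// null when the state has no property or the property is not a string.
static nsISupportsString* QueryStateString(nsISupports* aProp) {
  return dynamic_cast<nsISupportsString*>(aProp);
}
// Hardened form of RestoreState: same flow as the snippet, plus a check that the
// query succeeded before GetData is called. (Assumption: a plain null check; the
// page does not show what the bug 639733 patch actually changed.)
nsresult RestoreStateChecked(nsPresState* aState, std::string& aValue) {
  if (!aState) return NS_ERROR_NULL_POINTER;               // NS_ENSURE_ARG_POINTER
  nsISupportsString* stateString = QueryStateString(aState->GetStateProperty());
  if (!stateString) return NS_ERROR_NULL_POINTER;          // the missing check
  return stateString->GetData(aValue);                     // would crash on a null object
}
// Scenario helpers (constructed inputs) so each path is checkable by return value.
bool RestoresStoredValue() {
  nsISupportsString str; str.mData = "isindex query";
  nsPresState state; state.mProperty = &str;
  std::string out;
  return RestoreStateChecked(&state, out) == NS_OK && out == "isindex query";
}
nsresult MissingPropertyResult() {           // GetStateProperty() returns null
  nsPresState state; std::string out;
  return RestoreStateChecked(&state, out);
}
nsresult WrongPropertyTypeResult() {         // property exists but is not a string
  nsISupportsPRInt32 num; nsPresState state; state.mProperty = &num;
  std::string out;
  return RestoreStateChecked(&state, out);
}
```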
I can reproduce the crash using the attached test on Linux.
The patch in bug 639733 fixes it for me, so I'm pretty sure this is the
same problem.  There are builds for testing that patch at:
http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/mpalmgren@mozilla.com-6c51ca33d503/
(Windows builds will be ready in an hour or so)
Depends on: 639733
Tested on build firefox-4.2a1pre.en-US.win32 and it got fixed (OS: Windows XP SP3)

Regards,
Jose.
Thanks for verifying that!
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE