Bug 750109 (CVE-2012-1946): Use-after-free in nsINode::ReplaceOrInsertBefore
Status: Closed, VERIFIED FIXED (opened 13 years ago, closed 13 years ago)
Categories: Core :: DOM: Core & HTML, defect
People: Reporter: ax330d, Assigned: smaug
Keywords: csectype-uaf, regression, sec-critical
Whiteboard: [asan][sg:critical][advisory-tracking+]
Attachments (3 files):
- (deleted), text/html
- (deleted), text/plain
- patch: hsivonen: review+, sicking: review+, akeybl: approval-mozilla-aurora+, akeybl: approval-mozilla-beta+
Description:
A use-after-free is triggered while replacing/inserting a node in the document.
Crashes on:
- 14.0a1 (Ubuntu 11.11, Linux x86-64),
- 15.0a1 (Windows 7, x86-64),
- 12.0 (Windows XP SP3).
Does not crash on 10.0.2.
The attached test-case is a bit flaky, but it will crash the browser after 2-5 reloads. The ASan log is from version 14.0a1.
Updated (13 years ago): Component: General → DOM; Product: Firefox → Core; QA Contact: general → general
Comment 2 (13 years ago):
Confirmed with this try build: http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/decoder@own-hero.net-37896b6df18d/try-linux64-debug/firefox-15.0a1.en-US.linux-x86_64.tar.bz2
Had to reload the test twice as described, but then it reproduced.
Updated (13 years ago): Status: UNCONFIRMED → NEW; Ever confirmed: true
Updated (assignee, 13 years ago): Assignee: nobody → bugs
Comment 3 (assignee, 13 years ago):
Attachment #619439 - Flags: review?
Updated (assignee, 13 years ago): Attachment #619439 - Flags: review? → review?(hsivonen)
Updated (assignee, 13 years ago): tracking-firefox12: --- → ?; tracking-firefox13: --- → ?; tracking-firefox14: --- → ?; tracking-firefox15: --- → ?
Updated (13 years ago): Whiteboard: [asan]
Comment 4 (13 years ago):
Does not crash on 10.0.x because outerHTML wasn't implemented until Firefox 11.
Blocks: 92264
status-firefox-esr10: --- → unaffected
status-firefox12: --- → wontfix
status-firefox13: --- → affected
status-firefox14: --- → affected
status-firefox15: --- → affected
tracking-firefox12: ? → ---
Keywords: regression
Attachment #619439 - Flags: review+
Attachment #619439 - Flags: review?(hsivonen) → review+
Comment 5 (13 years ago):
Is this an exploitable crash?
Comment 6 (assignee, 13 years ago):
I believe so.
Updated (13 years ago): Attachment #619433 - Attachment mime type: text/plain → text/html
Updated (13 years ago): Keywords: sec-critical; Whiteboard: [asan] → [asan][sg:critical]
Updated (13 years ago): Attachment #619481 - Attachment description: Bug Bounty Nomination → Bug Bounty Awarded $3000
Comment 7 (13 years ago):
Anything preventing this from being checked in?
The patch is very safe, so I guess we might want to wait with pushing to all branches until late in the cycle?
Comment 8 (assignee, 13 years ago):
Uh, I thought I had pushed this.
Comment 10 (assignee, 13 years ago):
Comment on attachment 619439 (patch)
[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 92264
User impact if declined: crash
Testing completed (on m-c, etc.): just landed
Risk to taking this patch (and alternatives if risky): Should be super-safe
String or UUID changes made by this patch: NA
Attachment #619439 - Flags: approval-mozilla-beta?
Attachment #619439 - Flags: approval-mozilla-aurora?
Comment 11 (13 years ago):
Comment on attachment 619439 (patch)
[Triage Comment]
Please land as soon as possible to make the 5/22 beta 5 go to build. Thanks!
Attachment #619439 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #619439 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated (13 years ago): Whiteboard: [asan][sg:critical] → [asan][sg:critical][advisory-tracking+]
Comment 13 (13 years ago):
I just did an ASAN build on OS X 10.7 and had one from three days ago as well. Pre-fix, I see the bug. With the current builds, I do not. Marking verified for trunk.
Status: RESOLVED → VERIFIED
Updated (13 years ago): Alias: CVE-2012-1946
Updated (12 years ago): Group: core-security
Updated (12 years ago): Attachment #619481 - Attachment description: Bug Bounty Awarded $3000 → Bug Bounty Awarded $3000 [paid] 20120516
Updated (10 years ago): Attachment #619481 - Attachment description: Bug Bounty Awarded $3000 [paid] 20120516 → ax330d@gmail.com,3000,2012-04-29,2012-05-14,2012-05-20,true; Attachment filename: bugbountynom.txt → bugbounty.data
Updated (8 years ago): Keywords: csectype-uaf
Updated (6 years ago): Component: DOM → DOM: Core & HTML