Closed Bug 750109 (CVE-2012-1946) Opened 13 years ago Closed 13 years ago

Use-after-free in nsINode::ReplaceOrInsertBefore

Categories

(Core :: DOM: Core & HTML, defect)

Version: 12 Branch
Type: defect
Priority: Not set
Severity: normal

Tracking


VERIFIED FIXED
Tracking Status
firefox12 --- wontfix
firefox13 + fixed
firefox14 + fixed
firefox15 + fixed
firefox-esr10 --- unaffected

People

(Reporter: ax330d, Assigned: smaug)

References

Details

(Keywords: csectype-uaf, regression, sec-critical, Whiteboard: [asan][sg:critical][advisory-tracking+])

Attachments

(3 files)

Attached file PoC triggering the crash. (deleted) —
Use-after-free is triggered when replacing/inserting a node in the document. Crashes on:
- 14.0a1 (Ubuntu 11.11, Linux x86-64),
- 15.0a1 (Windows 7, x86-64),
- 12.0 (Windows XP SP3).
Does not crash on 10.0.2. The attached test case is a bit flaky, but it will crash the browser after 2-5 reloads. The ASan log is from version 14.0a1.
Attached file ASan log (deleted) —
Component: General → DOM
Product: Firefox → Core
QA Contact: general → general
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: nobody → bugs
Attached patch patch (deleted) — Splinter Review
Attachment #619439 - Flags: review?
Attachment #619439 - Flags: review? → review?(hsivonen)
Whiteboard: [asan]
Does not crash on 10.0.x because outerHTML wasn't implemented until Firefox 11.
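The reporter's description and the outerHTML note above say only that the DOM tree gets mutated while ReplaceOrInsertBefore is in progress. The following is an added example, not Gecko's code and not the (deleted) PoC: a toy C++ model of that hazard class, in which script run from a mutation listener drops the last strong reference to the node being replaced while the insertion routine still holds a raw pointer to it. The Node type, the listener hook, the freed-address bookkeeping and the two replaceChild variants are all hypothetical, and the example does not claim to reproduce this bug's exact trigger. The hardened variant does what a re-entrancy-safe DOM routine must: pin the node with a strong reference across the callback and re-validate its position afterwards instead of trusting an index computed before script ran.

```cpp
#include <cstddef>
#include <functional>
#include <iostream>
#include <memory>
#include <set>
#include <vector>

// Toy DOM tree (hypothetical): strong references live in the parent's child
// list, parent links are weak, roughly like nsINode ownership.
struct Node {
    int id;
    Node* parent = nullptr;
    std::vector<std::shared_ptr<Node>> children;
    explicit Node(int i) : id(i) {}
    ~Node();
};

// Addresses of destroyed nodes. Used only so the unsafe variant can *report*
// a dangling access instead of performing it (a real dereference here is UB).
static std::set<const Node*>& freedNodes() {
    static std::set<const Node*> s;
    return s;
}
Node::~Node() { freedNodes().insert(this); }

static const std::size_t npos = static_cast<std::size_t>(-1);

static std::size_t indexOf(const Node& parent, const Node* child) {
    for (std::size_t i = 0; i < parent.children.size(); ++i)
        if (parent.children[i].get() == child) return i;
    return npos;
}

static std::shared_ptr<Node> appendChild(Node& parent, std::shared_ptr<Node> child) {
    child->parent = &parent;
    parent.children.push_back(child);
    return child;
}

// Drops the parent's (possibly last) strong reference to child.
static void removeChild(Node& parent, Node* child) {
    std::size_t i = indexOf(parent, child);
    if (i == npos) return;
    parent.children[i]->parent = nullptr;
    parent.children.erase(parent.children.begin() + i);
}

// Stand-in for a DOMNodeRemoved-style mutation listener: script that runs
// before the old child is detached and may mutate the tree arbitrarily.
using MutationListener = std::function<void(Node& parent, Node& oldChild)>;

enum class Result { Ok, NotFound, DanglingNode };

// Unsafe: only a raw pointer and a precomputed index survive the callback.
static Result replaceChildUnsafe(Node& parent, std::shared_ptr<Node> newChild,
                                 Node* oldChild, const MutationListener& onRemove) {
    std::size_t index = indexOf(parent, oldChild);
    if (index == npos) return Result::NotFound;
    onRemove(parent, *oldChild);            // re-entrant script runs here
    if (freedNodes().count(oldChild))       // real code would touch oldChild now
        return Result::DanglingNode;
    oldChild->parent = nullptr;
    newChild->parent = &parent;
    parent.children[index] = newChild;      // index may be stale as well
    return Result::Ok;
}

// Hardened: a strong reference pins oldChild for the whole operation, and the
// position is looked up again after the callback instead of trusted.
static Result replaceChildSafe(Node& parent, std::shared_ptr<Node> newChild,
                               std::shared_ptr<Node> oldChild, const MutationListener& onRemove) {
    if (!oldChild || indexOf(parent, oldChild.get()) == npos) return Result::NotFound;
    onRemove(parent, *oldChild);
    std::size_t index = indexOf(parent, oldChild.get());  // re-validate after script
    if (index == npos) return Result::NotFound;           // script detached it: refuse, don't guess
    if (newChild->parent) removeChild(*newChild->parent, newChild.get());
    oldChild->parent = nullptr;
    newChild->parent = &parent;
    parent.children[index] = newChild;
    return Result::Ok;
}

// Scenario: the listener removes the very node being replaced (constructed input).
static Result runHostile(bool hardened) {
    freedNodes().clear();
    auto root = std::make_shared<Node>(0);
    appendChild(*root, std::make_shared<Node>(1));
    auto replacement = std::make_shared<Node>(2);
    MutationListener hostile = [](Node& p, Node& old) { removeChild(p, &old); };
    if (hardened) return replaceChildSafe(*root, replacement, root->children[0], hostile);
    return replaceChildUnsafe(*root, replacement, root->children[0].get(), hostile);
}

// Scenario: a listener that does nothing; returns the id now at position 0, or -1.
static int runBenign(bool hardened) {
    freedNodes().clear();
    auto root = std::make_shared<Node>(0);
    appendChild(*root, std::make_shared<Node>(1));
    auto replacement = std::make_shared<Node>(2);
    MutationListener quiet = [](Node&, Node&) {};
    Result r = hardened ? replaceChildSafe(*root, replacement, root->children[0], quiet)
                        : replaceChildUnsafe(*root, replacement, root->children[0].get(), quiet);
    if (r != Result::Ok || root->children.size() != 1) return -1;
    return root->children[0]->id;
}

int main() {
    std::cout << "unsafe+hostile dangling: " << (runHostile(false) == Result::DanglingNode) << "\n"
              << "safe+hostile refused:    " << (runHostile(true) == Result::NotFound) << "\n"
              << "benign id (unsafe/safe): " << runBenign(false) << "/" << runBenign(true) << "\n";
    return 0;
}
```

The point of the two scenarios is that both variants behave identically on well-behaved input; only the re-entrant listener separates them, which is also why a flaky PoC that needs several reloads is typical for this class: the dangerous window exists only when script runs between the lookup and the use.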
Is this an exploitable crash?
I believe so
Attachment #619433 - Attachment mime type: text/plain → text/html
Keywords: sec-critical
Whiteboard: [asan] → [asan][sg:critical]
Attachment #619481 - Attachment description: Bug Bounty Nomination → Bug Bounty Awarded $3000
Anything preventing this from being checked in? The patch is very safe, so I guess we might want to wait with pushing to all branches until late in the cycle?
Uh, I thought I had pushed this.
No longer blocks: 92264
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment on attachment 619439 [details] [diff] [review] patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 92264
User impact if declined: crash
Testing completed (on m-c, etc.): just landed
Risk to taking this patch (and alternatives if risky): Should be super-safe
String or UUID changes made by this patch: NA
Attachment #619439 - Flags: approval-mozilla-beta?
Attachment #619439 - Flags: approval-mozilla-aurora?
Comment on attachment 619439 [details] [diff] [review] patch

[Triage Comment]
Please land as soon as possible to make the 5/22 beta 5 go to build. Thanks!
Attachment #619439 - Flags: approval-mozilla-beta?
Attachment #619439 - Flags: approval-mozilla-beta+
Attachment #619439 - Flags: approval-mozilla-aurora?
Attachment #619439 - Flags: approval-mozilla-aurora+
Whiteboard: [asan][sg:critical] → [asan][sg:critical][advisory-tracking+]
I just did an ASAN build on OS X 10.7 and had one from three days ago as well. Pre-fix, I see the bug. With the current builds, I do not. Marking verified for trunk.
Status: RESOLVED → VERIFIED
Alias: CVE-2012-1946
Group: core-security
Attachment #619481 - Attachment description: Bug Bounty Awarded $3000 → Bug Bounty Awarded $3000 [paid] 20120516
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Flags: sec-bounty+
Attachment #619481 - Attachment description: Bug Bounty Awarded $3000 [paid] 20120516 → ax330d@gmail.com,3000,2012-04-29,2012-05-14,2012-05-20,true
Attachment #619481 - Attachment filename: bugbountynom.txt → bugbounty.data
Component: DOM → DOM: Core & HTML