Firefox 16.0.1 Crash Report [@ unity_webapps_available_application_get_application_domain ]

Bug #1068495 reported by Chris Coulson
Affects                      Status         Importance   Assigned to        Milestone
Mozilla Firefox              Won't Fix      Critical
WebApps: libunity-webapps    Fix Released   High         Alex Launi
libunity-webapps (Ubuntu)    Fix Released   High         Unassigned
  Quantal                    Fix Released   High         Marc Deslauriers
  Raring                     Fix Released   High         Unassigned

Bug Description

This has increased in frequency a lot since yesterday:

https://crash-stats.mozilla.com/report/index/ea964fd9-9aca-41f8-a1b1-f9ca12121018

Some comments:

"Tried to use gmail integration with ubuntu 12.10 and firefox crashed"

"opening a google calendar invite link from thunderbird"

"I just opened facebook"

"I click on view document in the gmail. What different: may be because I installed gmail plugin."

Crashing thread:

0 libunity-webapps-repository.so.0.0.0 unity_webapps_available_application_get_application_domain unity-webapps-available-application.c:65
1 libxul.so libxul.so@0x15cc717
2 libxul.so ffi_call ffi64.c:485
3 libxul.so js::ctypes::FunctionType::Call CTypes.cpp:5576
4 libxul.so js::InvokeKernel jscntxtinlines.h:382
5 libxul.so js::Invoke jsinterp.h:119
6 libxul.so js::IndirectProxyHandler::call jsproxy.cpp:442
7 libxul.so js::DirectWrapper::call jswrapper.cpp:383
8 libxul.so js::CrossCompartmentWrapper::call jswrapper.cpp:777
9 libxul.so proxy_Call jsproxy.cpp:1143
10 libxul.so js::InvokeKernel jscntxtinlines.h:382
11 libxul.so js::Interpret jsinterp.cpp:2442
12 libxul.so js::RunScript jsinterp.cpp:301
13 libxul.so js::InvokeKernel jsinterp.cpp:355
14 libxul.so js::Invoke jsinterp.h:119
15 libxul.so js::IndirectProxyHandler::call jsproxy.cpp:442
16 libxul.so js::DirectWrapper::call jswrapper.cpp:383
17 libxul.so js::CrossCompartmentWrapper::call jswrapper.cpp:777
18 libxul.so proxy_Call jsproxy.cpp:1143
19 libxul.so js::InvokeKernel jscntxtinlines.h:382
20 libxul.so js::Interpret jsinterp.cpp:2442
21 libxul.so js::RunScript jsinterp.cpp:301
22 libxul.so js::InvokeKernel jsinterp.cpp:355
23 libxul.so js_fun_apply jsinterp.h:119
24 libxul.so js::InvokeKernel jscntxtinlines.h:382
25 libxul.so js::Interpret jsinterp.cpp:2442
26 libxul.so js::RunScript jsinterp.cpp:301
27 libxul.so js::InvokeKernel jsinterp.cpp:355
28 libxul.so array_forEach jsinterp.h:119
29 libxul.so js::InvokeKernel jscntxtinlines.h:382
30 libxul.so js::Interpret jsinterp.cpp:2442
31 libxul.so js::RunScript jsinterp.cpp:301
32 libxul.so js::InvokeKernel jsinterp.cpp:355
33 libxul.so js_fun_apply jsinterp.h:119
34 libxul.so js::InvokeKernel jscntxtinlines.h:382
35 libxul.so js::Interpret jsinterp.cpp:2442
36 libxul.so js::RunScript jsinterp.cpp:301
37 libxul.so js::InvokeKernel jsinterp.cpp:355
38 libxul.so js::Invoke jsinterp.h:119
39 libxul.so JS_CallFunctionValue jsapi.cpp:5604
40 libxul.so nsXPCWrappedJSClass::CallMethod XPCWrappedJSClass.cpp:1436
41 libxul.so nsXPCWrappedJS::CallMethod XPCWrappedJS.cpp:580
42 libxul.so PrepareAndDispatch xptcstubs_x86_64_linux.cpp:121
43 libxul.so libxul.so@0x10c1d02
44 libxul.so nsDocLoader::FireOnLocationChange nsDocLoader.cpp:1391
45 libxul.so nsDocShell::CreateContentViewer nsDocShell.cpp:7698
46 libxul.so nsDSURIContentListener::DoContent nsDSURIContentListener.cpp:119
47 libxul.so nsDocumentOpenInfo::TryContentListener nsURILoader.cpp:678
48 libxul.so nsDocumentOpenInfo::DispatchContent nsURILoader.cpp:375
49 libxul.so nsDocumentOpenInfo::OnStartRequest nsURILoader.cpp:263
50 libxul.so mozilla::net::nsHttpChannel::CallOnStartRequest nsHttpChannel.cpp:964
51 libxul.so mozilla::net::nsHttpChannel::ContinueProcessNormal nsHttpChannel.cpp:1462
52 libxul.so mozilla::net::nsHttpChannel::ProcessNormal nsHttpChannel.cpp:1397
53 libxul.so mozilla::net::nsHttpChannel::ProcessResponse nsHttpChannel.cpp:1310
54 libxul.so mozilla::net::nsHttpChannel::OnStartRequest nsHttpChannel.cpp:4787
55 libxul.so nsInputStreamPump::OnStateStart nsInputStreamPump.cpp:416
56 libxul.so nsInputStreamPump::OnInputStreamReady nsInputStreamPump.cpp:367
57 libxul.so nsInputStreamReadyEvent::Run nsStreamUtils.cpp:82
58 libxul.so nsThread::ProcessNextEvent nsThread.cpp:624
59 libxul.so NS_ProcessNextEvent_P nsThreadUtils.cpp:217
60 libxul.so mozilla::ipc::MessagePump::Run MessagePump.cpp:116
61 libxul.so MessageLoop::Run message_loop.cc:201
62 libxul.so nsBaseAppShell::Run nsBaseAppShell.cpp:163
63 libxul.so nsAppStartup::Run nsAppStartup.cpp:257
64 libxul.so XREMain::XRE_mainRun nsAppRunner.cpp:3794
65 libxul.so XREMain::XRE_main nsAppRunner.cpp:3871
66 libxul.so XRE_main nsAppRunner.cpp:3947
67 firefox main nsBrowserApp.cpp:160
68 libc-2.15.so libc-2.15.so@0x2176c
69 libstdc++.so.6.0.17 libstdc++.so.6.0.17@0x2ed5df
70 firefox firefox@0x25ef
71 firefox firefox@0x294f
72 icon-theme.cache icon-theme.cache@0x2c65fff
73 ld-2.15.so ld-2.15.so@0xf3ee

Changed in libunity-webapps (Ubuntu):
importance: Undecided → High
Scoobidiver (scoobidiver) wrote:

It's #5 top browser crasher in 16.0.1 on Linux.

It's correlated to 4 extensions in Ubuntu but most likely Webapps-team:
  unity_webapps_available_application_get_application_domain|SIGSEGV (31 crashes)
    100% (31/31) vs. 10% (123/1224) {2e1445b0-2682-11e1-bfc2-0800200c9a66}
    100% (31/31) vs. 10% (125/1224) <email address hidden>
    100% (31/31) vs. 69% (844/1224) <email address hidden>
    100% (31/31) vs. 80% (984/1224) <email address hidden>

Signature unity_webapps_available_application_get_application_domain More Reports Search
UUID 184d0775-ae00-43b9-998f-29c472121021
Date Processed 2012-10-21 12:01:32
Uptime 875
Last Crash 50.4 minutes before submission
Install Age 1.3 hours since version was first installed.
Install Time 2012-10-21 10:46:03
Product Firefox
Version 16.0.1
Build ID 20121010223852
Release Channel release
OS Linux
OS Version 0.0.0 Linux 3.5.0-17-generic #28-Ubuntu SMP Tue Oct 9 19:32:08 UTC 2012 i686
Build Architecture x86
Build Architecture Info GenuineIntel family 6 model 42 stepping 7
Crash Reason SIGSEGV
Crash Address 0x4c
App Notes
OpenGL: Intel Open Source Technology Center -- Mesa DRI Intel(R) Sandybridge Desktop x86/MMX/SSE2 -- 3.0 Mesa 9.0 -- texture_from_pixmap
EMCheckCompatibility True

Frame Module Signature Source
0 libunity-webapps-repository.so.0.0.0 unity_webapps_available_application_get_application_domain unity-webapps-available-application.c:65
1 libunity-webapps-repository.so.0.0.0 unity_webapps_application_repository_get_resolved_application_domain unity-webapps-application-repository.c:446
2 libxul.so libxul.so@0x1390bb9
3 libxul.so ffi_call ffi.c:303
4 libxul.so js::ctypes::FunctionType::Call CTypes.cpp:5576
5 libxul.so js::InvokeKernel jscntxtinlines.h:382
6 libxul.so js::Invoke jsinterp.h:119
7 libxul.so js::IndirectProxyHandler::call jsproxy.cpp:442
8 libxul.so js::DirectWrapper::call jswrapper.cpp:383
9 libxul.so js::CrossCompartmentWrapper::call jswrapper.cpp:777
10 libxul.so proxy_Call jsproxy.cpp:1143
11 libxul.so js::InvokeKernel jscntxtinlines.h:382
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=unity_webapps_available_application_get_application_domain

Chris Coulson (chrisccoulson) wrote:

FWIW, I reported this to Ubuntu's bug tracker on Friday (19th). No response yet though

Changed in firefox:
importance: Unknown → Critical
status: Unknown → Confirmed
Changed in libunity-webapps:
importance: Undecided → High
assignee: nobody → Alexandre Abreu (abreu-alexandre)
Alex Launi (alexlauni)
Changed in libunity-webapps:
assignee: Alexandre Abreu (abreu-alexandre) → Alex Launi (alexlauni)
Alex Launi (alexlauni) wrote :

As best I can tell without being able to reproduce the bug and get a better trace, this is being caused by a bad cast. I've added a series of checks to ensure we don't try and access members of a null pointer.

Changed in libunity-webapps:
status: New → In Progress
Chris Coulson (chrisccoulson) wrote :

I commented on the MP, but I'll copy that here too:

"I'm not sure this is going to fix it. From looking at the crash reports, the issue just looks like a classic use-after-free rather than an issue with gobject type casts. In unity_webapps_available_application_get_application_domain, it's most likely the dereferencing of |app| which triggers it ( ((UnityWebappsAvailableApplicationClass *)(((GTypeInstance *)app)->g_class))->get_application_domain(app) )"

In fact, it looks like the bug is here:

http://bazaar.launchpad.net/~webapps/libunity-webapps/trunk/view/head:/src/libunity-webapps-repository/unity-webapps-application-repository.c#L347

      unity_webapps_local_url_index_load_applications (index);
      app = unity_webapps_local_url_index_get_application_by_name (index, name);
      g_hash_table_replace (data->repository->priv->applications_by_name, g_strdup (name), app); <---
    }

... |app| is stored without a reference, so next time a webapp is installed, this app is destroyed when it is replaced here:

http://bazaar.launchpad.net/~webapps/libunity-webapps/trunk/view/head:/src/libunity-webapps-repository/unity-webapps-application-collector.c#L217

  app_name = unity_webapps_application_manifest_get_package_name (manifest);
  app = (UnityWebappsLocalAvailableApplication *) unity_webapps_local_available_application_new (manifest);
  g_hash_table_replace (collector->priv->found_applications, g_strdup (app_name),
   g_object_ref (app));

 out:
  if (manifest != NULL)
    {
      g_object_unref (G_OBJECT (manifest));
    }
  if (app != NULL)
    {
      g_object_unref (G_OBJECT (app));
    }
  return ret;
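
The ownership mistake described in the comment above, reduced to a self-contained model. This is an added example, not libunity-webapps code: `App` stands in for a GObject with a refcount, `Map` stands in for a GHashTable whose value-destroy function unrefs the displaced value, and `collector_scan` / `repo_cache_unsafe` / `repo_cache_safe` are hypothetical names for the collector and repository code paths. Instead of calling `free()` on the last unref (which would make the dangling dereference undefined behaviour), the model keeps the memory and flips a magic value, so the stale pointer can be observed and asserted on. `repo_cache_unsafe` stores the collector's pointer without a reference, as the quoted repository code does; `repo_cache_safe` takes its own reference, which is what the "properly store with reference" fix does.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LIVE_MAGIC 0x4C495645u  /* "LIVE": object is allocated */
#define DEAD_MAGIC 0x44454144u  /* "DEAD": final unref has happened */

/* Stand-in for a GObject: refcount plus a small payload (hypothetical type). */
typedef struct {
    unsigned magic;
    int refcount;
    char domain[32];
} App;

static App *app_new(const char *domain) {
    App *a = calloc(1, sizeof *a);
    a->magic = LIVE_MAGIC;
    a->refcount = 1;
    strncpy(a->domain, domain, sizeof a->domain - 1);
    return a;
}
static App *app_ref(App *a) { a->refcount++; return a; }
static void app_unref(App *a) {
    if (--a->refcount == 0) {
        /* Simulated free: memory is kept (quarantined) so a stale pointer can be
         * detected; real g_object_unref would release it and a later dereference
         * would be the SIGSEGV seen in the crash reports. */
        a->magic = DEAD_MAGIC;
        memset(a->domain, 0, sizeof a->domain);
    }
}
static int app_is_live(const App *a) { return a->magic == LIVE_MAGIC; }

/* Tiny name -> App map with GHashTable-style ownership: replace() runs the
 * value-destroy (unref) on whatever entry it displaces. */
#define MAP_CAP 8
typedef struct { char name[32]; App *value; } Entry;
typedef struct { Entry e[MAP_CAP]; int n; } Map;

static void map_replace(Map *m, const char *name, App *value) {
    for (int i = 0; i < m->n; i++) {
        if (strcmp(m->e[i].name, name) == 0) {
            app_unref(m->e[i].value);   /* destroy notify on the old value */
            m->e[i].value = value;
            return;
        }
    }
    assert(m->n < MAP_CAP);
    strncpy(m->e[m->n].name, name, sizeof m->e[m->n].name - 1);
    m->e[m->n].value = value;
    m->n++;
}
static App *map_lookup(Map *m, const char *name) {
    for (int i = 0; i < m->n; i++)
        if (strcmp(m->e[i].name, name) == 0) return m->e[i].value;
    return NULL;
}

typedef struct { Map found_applications; } Collector;    /* owns the objects */
typedef struct { Map applications_by_name; } Repository; /* caches lookups */

/* Collector: every scan builds a fresh object, hands the table its own ref,
 * then drops the local ref at `out:` (the pattern quoted from the collector). */
static void collector_scan(Collector *c, const char *name, const char *domain) {
    App *app = app_new(domain);
    map_replace(&c->found_applications, name, app_ref(app));
    app_unref(app);
}

/* BUGGY repository cache: stores the collector's pointer without a reference. */
static void repo_cache_unsafe(Repository *r, Collector *c, const char *name) {
    App *app = map_lookup(&c->found_applications, name);
    map_replace(&r->applications_by_name, name, app);
}

/* FIXED repository cache: the cache holds a reference of its own. */
static void repo_cache_safe(Repository *r, Collector *c, const char *name) {
    App *app = map_lookup(&c->found_applications, name);
    map_replace(&r->applications_by_name, name, app_ref(app));
}

/* Crash scenario: cache "gmail", reinstall the webapp (collector replaces its
 * entry), then resolve the domain again. Returns 1 if the cached object is
 * still live, 0 if the cache now points at a dead object. Constructed input. */
int scenario(int use_fix) {
    Collector c = {0};
    Repository r = {0};
    collector_scan(&c, "gmail", "mail.google.com");
    if (use_fix) repo_cache_safe(&r, &c, "gmail");
    else         repo_cache_unsafe(&r, &c, "gmail");
    collector_scan(&c, "gmail", "mail.google.com");   /* reinstall */
    App *cached = map_lookup(&r.applications_by_name, "gmail");
    return app_is_live(cached);
}

int main(void) {
    printf("without reference: cached object live = %d\n", scenario(0));
    printf("with reference:    cached object live = %d\n", scenario(1));
    return 0;
}
```

The only difference between the two repository paths is the `app_ref` on the value handed to the table; because the table's destroy function will unref that value later, storing a borrowed pointer leaves the refcount one short and the second `collector_scan` drops the object while the cache still names it.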

Marc Deslauriers (mdeslaur) wrote :

This issue may have a security impact. Subscribing the security team.

information type: Public → Public Security
Alex Launi (alexlauni)
Changed in libunity-webapps:
status: In Progress → Fix Committed
milestone: none → 2.3.3
Chris Coulson (chrisccoulson) wrote :

This is CVE-2012-4551

Changed in libunity-webapps (Ubuntu Quantal):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
Changed in libunity-webapps (Ubuntu Raring):
status: New → Confirmed
Changed in libunity-webapps (Ubuntu Quantal):
importance: Undecided → High
Marc Deslauriers (mdeslaur) wrote :

Unless someone objects, I intend on pushing the fix out as a security update for Quantal this week.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libunity-webapps - 2.4.1-0ubuntu3.2

---------------
libunity-webapps (2.4.1-0ubuntu3.2) quantal-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution via
    use after free (LP: #1068495)
    - debian/patches/CVE-2012-4551.patch: properly store with reference in
      src/libunity-webapps-repository/unity-webapps-application-repository.c.
    - CVE-2012-4551
 -- Marc Deslauriers <email address hidden> Tue, 13 Nov 2012 13:28:10 -0500

Changed in libunity-webapps (Ubuntu Quantal):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libunity-webapps - 2.4.3daily12.11.28-0ubuntu1

---------------
libunity-webapps (2.4.3daily12.11.28-0ubuntu1) raring; urgency=low

  [ Robert Bruce Park ]
  * -debian/patches/lp_1065556.patch
  * Inline packaging.

  [ Ken VanDine ]
  * Automatic snapshot from revision 795 (bootstrap)

  [ Didier Roche ]
  * debian/*symbols:
    - remove now unexported private symbols

  [ Alex Launi ]
  * Firefox 16.0.1 Crash Report [@
    unity_webapps_available_application_get_application_domain ] (LP:
    #1068495)

  [ Chris Coulson ]
  * Firefox 16.0.1 Crash Report [@
    unity_webapps_available_application_get_application_domain ] (LP:
    #1068495)

  [ Maxim Ermilov ]
  * ubuntu-webapps-update-index crashed with SIGSEGV in
    unity_webapps_url_db_insert_url_prepare_statement() (LP: #1061677)
  * Youtube sound menu integration doesn't behave correctly (LP:
    #1038491)

  [ Automatic PS uploader ]
  * Automatic snapshot from revision 862
 -- Automatic PS uploader <email address hidden> Wed, 28 Nov 2012 05:01:36 +0000

Changed in libunity-webapps (Ubuntu Raring):
status: Confirmed → Fix Released
Scoobidiver (scoobidiver) wrote:

It's no longer a top crasher on Linux in 17.0.

Changed in libunity-webapps:
status: Fix Committed → Fix Released
Changed in firefox:
status: Confirmed → Won't Fix