Crash when navigating to another page immediately after initializing unity integration
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
WebApps: unity-firefox-extension | Fix Committed | High | Maxim Ermilov |
unity-firefox-extension (Ubuntu) | Fix Released | Critical | Ken VanDine |
Quantal | Fix Released | Critical | Unassigned |
Raring | Fix Released | Critical | Ken VanDine |
Bug Description
Seb pinged me about a Firefox crash a couple of days ago. After some investigation, I've figured out a fairly trivial reproducer.
With a local test page:
1) Navigate manually to "http://
...test1.html:
<html>
<head></head>
<script>
var unity = window.
unity.
window.location = "http://
</script>
</html>
...and test2.html:
<html>
<head></head>
<script>
var unity = window.
unity.
</script>
</html>
2) Accept the integration
3) Close the browser tab
(Note, you might need to try this again after allowing the integration)
What happens is the website icon still appears in the Unity launcher after the tab is closed. Clicking it to refocus the non-existent tab will eventually cause Firefox to crash, presumably because it is calling a JS callback across ctypes which has been garbage collected. The traces will look something like this, although the top few frames will vary depending on what's now in the memory where the callback used to be:
Program received signal SIGILL, Illegal instruction.
0x00007f8a9b0000b8 in ?? ()
(gdb) bt
#0 0x00007f8a9b0000b8 in ?? ()
#1 0x00007f8a98c57ecc in ffi_call_unix64 () from /usr/lib/
#2 0x00007f8a98c45e30 in ffi_call (cif=cif@
at /build/
#3 0x00007f8a96700a9b in g_cclosure_
at /build/
#4 0x00007f8a96700140 in g_closure_invoke (closure=
#5 0x00007f8a96711550 in signal_
instance_
#6 0x00007f8a967186ab in g_signal_emitv (instance_
at /build/
#7 0x00007f8a81ade833 in unity_webapps_
#8 0x00007f8a98c57ecc in ffi_call_unix64 () from /usr/lib/
#9 0x00007f8a98c45e30 in ffi_call (cif=cif@
at /build/
#10 0x00007f8a96700a9b in g_cclosure_
marshal_
#11 0x00007f8a96700140 in g_closure_invoke (closure=
#12 0x00007f8a967112d0 in signal_
instance_
#13 0x00007f8a967194af in g_signal_
#14 0x00007f8a96719642 in g_signal_emit (instance=
#15 0x00007f8a94577b74 in on_signal_received (connection=
parameters=
#16 0x00007f8a945677f5 in emit_signal_
#17 0x00007f8a96440ab5 in g_main_dispatch (context=
#18 g_main_
#19 0x00007f8a96440de8 in g_main_
#20 0x00007f8a96440ea4 in g_main_
#21 0x00007f8a9845a226 in nsAppShell:
#22 0x00007f8a984701e1 in nsBaseAppShell:
at /build/
#23 0x00007f8a984702fa in nsBaseAppShell:
#24 0x00007f8a985f7631 in nsThread:
#25 0x00007f8a985cd666 in NS_ProcessNextE
#26 0x00007f8a98515581 in mozilla:
#27 0x00007f8a98615fef in RunHandler (this=0x7f8a9af
#28 MessageLoop::Run (this=0x7f8a9af
#29 0x00007f8a9846fbd1 in nsBaseAppShell::Run (this=0x7f8a88a
#30 0x00007f8a9834e063 in nsAppStartup::Run (this=0x7f8a88a
#31 0x00007f8a97b780cc in XREMain:
#32 0x00007f8a97b782be in XREMain::XRE_main (this=this@
at /build/
#33 0x00007f8a97b784fa in XRE_main (argc=1, argv=0x7fff6730
#34 0x00007f8a9c23c8f1 in do_main (argv=0x7fff673
#35 main (argc=<optimised out>, argv=<optimised out>) at /build/
I've seen it crash sometimes with SIGSEGV and sometimes with SIGILL. The SIGILL is probably enough to assume that this is potentially exploitable.
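The lifecycle problem the report describes, as an added example that is not the reporter's or the extension's code: it models the situation in plain JavaScript with hypothetical names, where a Launcher class stands in for the Unity launcher holding a raw callback handle, and dropping a CallbackTable row stands in for garbage collection of the ctypes callback.

```javascript
// Added example (hypothetical names), not code from the bug report or the
// extension: models a native launcher holding a raw callback handle, like a
// ctypes function pointer, while the JS side owns the callback itself.
class Launcher {                       // simulated native side
  constructor() { this.entries = new Map(); }   // site name -> handle
  addEntry(name, handle) { this.entries.set(name, handle); }
  removeEntry(name) { this.entries.delete(name); }
  // Icon click: the native side signals, then ffi_calls whatever the
  // stored handle points at.
  click(name, table) {
    const handle = this.entries.get(name);
    if (handle === undefined) return 'no-entry';
    const cb = table.resolve(handle);
    if (cb === undefined) return 'dangling';   // SIGSEGV/SIGILL in Firefox
    cb();
    return 'invoked';
  }
}
// Simulated JS side: callbacks handed across ctypes, keyed by handle.
// Dropping a row models the closure being garbage collected.
class CallbackTable {
  constructor() { this.next = 1; this.rows = new Map(); }
  pin(fn) { const h = this.next++; this.rows.set(h, fn); return h; }
  drop(h) { this.rows.delete(h); }
  resolve(h) { return this.rows.get(h); }
}
function openTab(launcher, table, name) {
  let focused = 0;
  const handle = table.pin(() => { focused++; });
  launcher.addEntry(name, handle);
  return { name, handle, focusCount: () => focused };
}
// Vulnerable teardown: the JS reference goes away, but the launcher keeps
// an entry whose handle no longer resolves.
function vulnerableCloseTab(launcher, table, site) {
  table.drop(site.handle);
}
// Hardened teardown: remove the launcher entry before the callback can be
// collected, so a late click finds no entry rather than a dead pointer.
function hardenedCloseTab(launcher, table, site) {
  launcher.removeEntry(site.name);
  table.drop(site.handle);
}
// Open a tab, tear it down with the given routine, then click the icon.
function scenario(closeTab) {
  const launcher = new Launcher(), table = new CallbackTable();
  const site = openTab(launcher, table, 'test1');
  closeTab(launcher, table, site);
  return launcher.click('test1', table);
}
```

The hardened teardown is the ordering that matters: the launcher entry must go before the callback does, so nothing native can still reach it.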
Related branches
- Reviewers: PS Jenkins bot (community): Approve (continuous-integration); Alexandre Abreu (community): Approve
  Diff: 25 lines (+13/-0), 1 file modified: unity-firefox-extension/content/observer.js (+13/-0)
- Reviewers: PS Jenkins bot (community): Approve (continuous-integration); WebApps: Pending requested
  Diff: 34 lines (+21/-1), 1 file modified: debian/changelog (+21/-1)
CVE References
Changed in unity-firefox-extension:
  assignee: nobody → Maxim Ermilov (zaspire)
  milestone: none → 2.4.2
Changed in unity-firefox-extension:
  assignee: Maxim Ermilov (zaspire) → nobody
  milestone: 2.4.2 → none
Changed in unity-firefox-extension:
  status: Incomplete → Confirmed
Changed in unity-firefox-extension (Ubuntu Quantal):
  importance: Undecided → High
Changed in unity-firefox-extension (Ubuntu Raring):
  importance: Undecided → High
Changed in unity-firefox-extension (Ubuntu Quantal):
  importance: High → Critical
Changed in unity-firefox-extension (Ubuntu Raring):
  importance: High → Critical
Changed in unity-firefox-extension:
  assignee: nobody → Maxim Ermilov (zaspire)
Changed in unity-firefox-extension:
  status: Confirmed → Fix Committed
  information type: Private Security → Public Security
Changed in unity-firefox-extension:
  importance: Undecided → High
This is CVE-2012-0960