Possible remote DOS when spinning the event loop during webapps initialization callback

Bug #1175661 reported by Chris Coulson on 2013-05-02
Affects                             Status         Importance   Assigned to        Milestone
WebApps: unity-firefox-extension    Confirmed      Undecided    Alexandre Abreu
unity-firefox-extension (Ubuntu)    Fix Released   Undecided    Unassigned

Bug Description

See the PoC.

Open it and click on the button. Note, you'll need to enable integration. What this does is:

1) Initialize the Unity webapps context.
2) In the onInit callback, add an entry to the messaging menu (which turns it blue). The callback for this just reloads the page.
3) Open a tab-modal alert, which spins the event loop inside the webapps onInit callback.

Now click the entry in the messaging indicator. This will make Firefox crash. What happens is:

4) The pagehide event fires, causing the webapps addon to destroy the context
5) The page reloads, causing the stack to unwind and return from the onInit callback
6) Webapps crashes now because the context has been destroyed.

Here's the stacktrace:

#0 unity_webapps_context_set_view_location (context=0x0, location=0x1bd2dd0 "http://localhost/~chr1s/test.html") at unity-webapps-context.c:1243
#1 0x00007ffff402115c in ffi_call_unix64 () at /home/chr1s/src/firefox/mozilla-central/js/src/ctypes/libffi/src/x86/unix64.S:75
#2 0x00007ffff402084e in ffi_call (cif=0x1406520, fn=0x7fff8c1dba10 <unity_webapps_context_set_view_location>, rvalue=0x0, avalue=0x7fffffffa700)
    at /home/chr1s/src/firefox/mozilla-central/js/src/ctypes/libffi/src/x86/ffi64.c:485
#3 0x00007ffff4011c25 in js::ctypes::FunctionType::Call (cx=0x273d880, argc=2, vp=0x7fffe14c4148) at /home/chr1s/src/firefox/mozilla-central/js/src/ctypes/CTypes.cpp:5817
#4 0x00007ffff3bbf3f2 in js::CallJSNative (cx=0x273d880, native=0x7ffff40116d0 <js::ctypes::FunctionType::Call(JSContext*, unsigned int, jsval*)>, args=...)
    at /home/chr1s/src/firefox/mozilla-central/js/src/jscntxtinlines.h:337
#5 0x00007ffff3bcd829 in js::InvokeKernel (cx=cx@entry=0x273d880, args=..., construct=construct@entry=js::NO_CONSTRUCT)
    at /home/chr1s/src/firefox/mozilla-central/js/src/jsinterp.cpp:428
#6 0x00007ffff3bce1fd in Invoke (construct=js::NO_CONSTRUCT, args=..., cx=0x273d880) at /home/chr1s/src/firefox/mozilla-central/js/src/jsinterp.h:134
#7 js::Invoke (cx=cx@entry=0x273d880, thisv=..., fval=..., argc=2, argv=0x7fffe14c4138, rval=0x7fffe14c4128) at /home/chr1s/src/firefox/mozilla-central/js/src/jsinterp.cpp:475
#8 0x00007ffff3c1a6ad in js::DirectProxyHandler::call (this=this@entry=0x7ffff558fc60 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x273d880,
    proxy=proxy@entry=(JSObject * const) 0x7fffc8a2ce80 [object Proxy], args=...) at /home/chr1s/src/firefox/mozilla-central/js/src/jsproxy.cpp:481
#9 0x00007ffff3cb4762 in js::CrossCompartmentWrapper::call (this=0x7ffff558fc60 <js::CrossCompartmentWrapper::singleton>, cx=0x273d880,
    wrapper=(JSObject * const) 0x7fffc8a2ce80 [object Proxy], args=...) at /home/chr1s/src/firefox/mozilla-central/js/src/jswrapper.cpp:445
#10 0x00007ffff3c1ce54 in js::Proxy::call (cx=0x273d880, proxy=proxy@entry=(JSObject * const) 0x7fffc8a2ce80 [object Proxy], args=...)
    at /home/chr1s/src/firefox/mozilla-central/js/src/jsproxy.cpp:2613
#11 0x00007ffff3c1cf85 in proxy_Call (cx=<optimised out>, argc=<optimised out>, vp=<optimised out>) at /home/chr1s/src/firefox/mozilla-central/js/src/jsproxy.cpp:3177
#12 0x00007ffff3bbf3f2 in js::CallJSNative (cx=0x273d880, native=0x7ffff3c1cee0 <proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/chr1s/src/firefox/mozilla-central/js/src/jscntxtinlines.h:337
#13 0x00007ffff3bcd829 in js::InvokeKernel (cx=cx@entry=0x273d880, args=..., construct=construct@entry=js::NO_CONSTRUCT)
    at /home/chr1s/src/firefox/mozilla-central/js/src/jsinterp.cpp:428
#14 0x00007ffff3bcaf23 in js::Interpret (cx=cx@entry=0x273d880, entryFrame=entryFrame@entry=0x7fffe14c40a0, interpMode=js::JSINTERP_NORMAL, useNewType=<optimised out>)
    at /home/chr1s/src/firefox/mozilla-central/js/src/jsinterp.cpp:2404
#15 0x00007ffff3bccc0f in js::RunScript (cx=cx@entry=0x273d880, fp=0x7fffe14c40a0) at /home/chr1s/src/firefox/mozilla-central/js/src/jsinterp.cpp:385
#16 0x00007ffff3bcd876 in js::InvokeKernel (cx=cx@entry=0x273d880, args=..., construct=construct@entry=js::NO_CONSTRUCT)
    at /home/chr1s/src/firefox/mozilla-central/js/src/jsinterp.cpp:442
#17 0x00007ffff3b696d3 in Invoke (construct=js::NO_CONSTRUCT, args=..., cx=0x273d880) at /home/chr1s/src/firefox/mozilla-central/js/src/jsinterp.h:134
#18 js::CallOrConstructBoundFunction (cx=0x273d880, argc=2, vp=0x7fffe14c4048) at /home/chr1s/src/firefox/mozilla-central/js/src/jsfun.cpp:1148
#19 0x00007ffff3bbf3f2 in js::CallJSNative (cx=0x273d880, native=0x7ffff3b69430 <js::CallOrConstructBoundFunction(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/chr1s/src/firefox/mozilla-central/js/src/jscntxtinlines.h:337
#20 0x00007ffff3bcd829 in js::InvokeKernel (cx=cx@entry=0x273d880, args=..., construct=construct@entry=js::NO_CONSTRUCT)
    at /home/chr1s/src/firefox/mozilla-central/js/src/jsinterp.cpp:428
#21 0x00007ffff3bce1fd in Invoke (construct=js::NO_CONSTRUCT, args=..., cx=0x273d880) at /home/chr1s/src/firefox/mozilla-central/js/src/jsinterp.h:134
#22 js::Invoke (cx=cx@entry=0x273d880, thisv=..., fval=..., argc=2, argv=0x7fffe14c4038, rval=0x7fffe14c4028) at /home/chr1s/src/firefox/mozilla-central/js/src/jsinterp.cpp:475
#23 0x00007ffff3c1a6ad in js::DirectProxyHandler::call (this=this@entry=0x7ffff558fc60 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x273d880,
    proxy=proxy@entry=(JSObject * const) 0x7fff6cb22280 [object Proxy], args=...) at /home/chr1s/src/firefox/mozilla-central/js/src/jsproxy.cpp:481
#24 0x00007ffff3cb4762 in js::CrossCompartmentWrapper::call (this=0x7ffff558fc60 <js::CrossCompartmentWrapper::singleton>, cx=0x273d880,
    wrapper=(JSObject * const) 0x7fff6cb22280 [object Proxy], args=...) at /home/chr1s/src/firefox/mozilla-central/js/src/jswrapper.cpp:445
#25 0x00007ffff3c1ce54 in js::Proxy::call (cx=0x273d880, proxy=proxy@entry=(JSObject * const) 0x7fff6cb22280 [object Proxy], args=...)
    at /home/chr1s/src/firefox/mozilla-central/js/src/jsproxy.cpp:2613
#26 0x00007ffff3c1cf85 in proxy_Call (cx=<optimised out>, argc=<optimised out>, vp=<optimised out>) at /home/chr1s/src/firefox/mozilla-central/js/src/jsproxy.cpp:3177
#27 0x00007ffff3bbf3f2 in js::CallJSNative (cx=0x273d880, native=0x7ffff3c1cee0 <proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/chr1s/src/firefox/mozilla-central/js/src/jscntxtinlines.h:337
#28 0x00007ffff3bcd829 in js::InvokeKernel (cx=cx@entry=0x273d880, args=..., construct=construct@entry=js::NO_CONSTRUCT)
    at /home/chr1s/src/firefox/mozilla-central/js/src/jsinterp.cpp:428
#29 0x00007ffff3bce1fd in Invoke (construct=js::NO_CONSTRUCT, args=..., cx=0x273d880) at /home/chr1s/src/firefox/mozilla-central/js/src/jsinterp.h:134
#30 js::Invoke (cx=cx@entry=0x273d880, thisv=..., fval=..., argc=argc@entry=2, argv=argv@entry=0x7fffffffc120, rval=0x7fffffffc070)
    at /home/chr1s/src/firefox/mozilla-central/js/src/jsinterp.cpp:475
#31 0x00007ffff3af39c7 in JS_CallFunctionValue (cx=cx@entry=0x273d880, objArg=objArg@entry=0x0, fval=$jsval((JSObject *) 0x7fff6cb22280 [object Proxy]), argc=2,
    argv=argv@entry=0x7fffffffc120, rval=rval@entry=0x7fffffffc070) at /home/chr1s/src/firefox/mozilla-central/js/src/jsapi.cpp:5842
#32 0x00007ffff400c8af in js::ctypes::CClosure::ClosureStub (cif=0x1239410, result=0x7fffffffc380, args=0x7fffffffc1f0, userData=<optimised out>)
    at /home/chr1s/src/firefox/mozilla-central/js/src/ctypes/CTypes.cpp:6183
#33 0x00007ffff4020dab in ffi_closure_unix64_inner (closure=0x7fffe04010f0, rvalue=0x7fffffffc380, reg_args=0x7fffffffc2d0, argp=0x7fffffffc3a0 "")
    at /home/chr1s/src/firefox/mozilla-central/js/src/ctypes/libffi/src/x86/ffi64.c:621
#34 0x00007ffff40212c4 in ffi_closure_unix64 () at /home/chr1s/src/firefox/mozilla-central/js/src/ctypes/libffi/src/x86/unix64.S:228
#35 0x00007fff8c1da57a in complete_in_idle_cb (user_data=0x17398a0) at unity-webapps-context.c:575
#36 0x00007ffff0d02f05 in g_main_dispatch (context=0x688b40) at /build/buildd/glib2.0-2.36.0/./glib/gmain.c:3054
#37 g_main_context_dispatch (context=context@entry=0x688b40) at /build/buildd/glib2.0-2.36.0/./glib/gmain.c:3630
#38 0x00007ffff0d03248 in g_main_context_iterate (context=context@entry=0x688b40, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimised out>)
    at /build/buildd/glib2.0-2.36.0/./glib/gmain.c:3701
#39 0x00007ffff0d03304 in g_main_context_iteration (context=0x688b40, may_block=1) at /build/buildd/glib2.0-2.36.0/./glib/gmain.c:3762
#40 0x00007ffff3124473 in nsAppShell::ProcessNextNativeEvent (this=<optimised out>, mayWait=<optimised out>)
    at /home/chr1s/src/firefox/mozilla-central/widget/gtk2/nsAppShell.cpp:135
#41 0x00007ffff314a4da in nsBaseAppShell::DoProcessNextNativeEvent (this=this@entry=0x708cd0, mayWait=<optimised out>, recursionDepth=recursionDepth@entry=0)
    at /home/chr1s/src/firefox/mozilla-central/widget/xpwidgets/nsBaseAppShell.cpp:139
#42 0x00007ffff314a5f5 in nsBaseAppShell::OnProcessNextEvent (this=0x708cd0, thr=0x70cf00, mayWait=<optimised out>, recursionDepth=0)
    at /home/chr1s/src/firefox/mozilla-central/widget/xpwidgets/nsBaseAppShell.cpp:298
#43 0x00007ffff356aac2 in nsThread::ProcessNextEvent (this=0x70cf00, mayWait=true, result=0x7fffffffc5cf)
    at /home/chr1s/src/firefox/mozilla-central/xpcom/threads/nsThread.cpp:600
#44 0x00007ffff352909a in NS_ProcessNextEvent (thread=<optimised out>, mayWait=mayWait@entry=true)
    at /home/chr1s/src/firefox/mozilla-central/obj-x86_64-unknown-linux-gnu/xpcom/build/nsThreadUtils.cpp:238
#45 0x00007ffff323f9ea in mozilla::ipc::MessagePump::Run (this=0x70be80, aDelegate=0x70c150) at /home/chr1s/src/firefox/mozilla-central/ipc/glue/MessagePump.cpp:117
#46 0x00007ffff359c698 in MessageLoop::RunInternal (this=this@entry=0x70c150) at /home/chr1s/src/firefox/mozilla-central/ipc/chromium/src/base/message_loop.cc:219
#47 0x00007ffff359c6c0 in RunHandler (this=0x70c150) at /home/chr1s/src/firefox/mozilla-central/ipc/chromium/src/base/message_loop.cc:212
#48 MessageLoop::Run (this=0x70c150) at /home/chr1s/src/firefox/mozilla-central/ipc/chromium/src/base/message_loop.cc:186
#49 0x00007ffff3149af3 in nsBaseAppShell::Run (this=0x708cd0) at /home/chr1s/src/firefox/mozilla-central/widget/xpwidgets/nsBaseAppShell.cpp:163
#50 0x00007ffff2f9395b in nsAppStartup::Run (this=0xa2f7b0) at /home/chr1s/src/firefox/mozilla-central/toolkit/components/startup/nsAppStartup.cpp:289
#51 0x00007ffff2337624 in XREMain::XRE_mainRun (this=this@entry=0x7fffffffc8a0) at /home/chr1s/src/firefox/mozilla-central/toolkit/xre/nsAppRunner.cpp:3879
#52 0x00007ffff233a02b in XREMain::XRE_main (this=this@entry=0x7fffffffc8a0, argc=argc@entry=1, argv=argv@entry=0x7fffffffdd98, aAppData=aAppData@entry=0x7fffffffca90)
    at /home/chr1s/src/firefox/mozilla-central/toolkit/xre/nsAppRunner.cpp:3946
#53 0x00007ffff233a299 in XRE_main (argc=1, argv=0x7fffffffdd98, aAppData=0x7fffffffca90, aFlags=<optimised out>)
    at /home/chr1s/src/firefox/mozilla-central/toolkit/xre/nsAppRunner.cpp:4147
#54 0x000000000040252e in do_main (argc=argc@entry=1, argv=argv@entry=0x7fffffffdd98, xreDirectory=0x614010)
    at /home/chr1s/src/firefox/mozilla-central/browser/app/nsBrowserApp.cpp:271
#55 0x0000000000401aca in main (argc=1, argv=0x7fffffffdd98) at /home/chr1s/src/firefox/mozilla-central/browser/app/nsBrowserApp.cpp:576

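The report describes a re-entrancy bug: the add-on's init-completion path (complete_in_idle_cb in the trace) calls into page JavaScript, the page spins a nested event loop with a tab-modal alert, pagehide destroys the context while that nested loop runs, and when the stack unwinds the completion path hands a NULL context to unity_webapps_context_set_view_location. The C program below is an added, self-contained model of that pattern beside the usual fix (hold a reference across the callback and re-check liveness after it returns). It is not code from unity-firefox-extension or libunity-webapps; the struct, the function names, the simulated event loop and the outcome codes are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of the init-completion path once the page's onInit callback returns. */
enum { INIT_OK = 0, INIT_NULL_DEREF = 1, INIT_SKIPPED_DESTROYED = 2 };

struct context {
    int refcount;
    int destroyed;        /* set by context_destroy(); memory stays valid while refs remain */
    char *view_location;
};

/* The add-on keeps a single live context pointer, much like the JS side of the
 * extension keeps one ctypes handle. Destroying the context clears it. */
static struct context *g_ctx;

/* Simulated pending DOM event for the nested loop: 1 = a pagehide is queued. */
static int g_pending_pagehide;

static struct context *context_new(void) {
    struct context *c = calloc(1, sizeof *c);
    c->refcount = 1;
    return c;
}
static void context_ref(struct context *c) { c->refcount++; }
static void context_unref(struct context *c) {
    if (--c->refcount == 0) { free(c->view_location); free(c); }
}

/* What the add-on does on pagehide (step 4): tear down the context, drop the handle. */
static void context_destroy(struct context *c) {
    c->destroyed = 1;
    g_ctx = NULL;
    context_unref(c);
}

/* The real library dereferences `c` unconditionally (frame #0: context=0x0).
 * Here the NULL case is reported as a code so the demonstration does not segfault. */
static int set_view_location(struct context *c, const char *url) {
    if (c == NULL) return INIT_NULL_DEREF;
    size_t n = strlen(url) + 1;
    free(c->view_location);
    c->view_location = malloc(n);
    memcpy(c->view_location, url, n);
    return INIT_OK;
}

/* Nested main loop, i.e. what a tab-modal alert() does from inside a callback (step 3). */
static void spin_event_loop(void) {
    if (g_pending_pagehide && g_ctx) {
        g_pending_pagehide = 0;
        context_destroy(g_ctx);
    }
}

/* The page's onInit callback: blocks in a nested loop while the page goes away. */
static void app_on_init(void) {
    spin_event_loop();
}

/* Vulnerable completion: assumes the context outlives the callback (steps 5 and 6). */
static int complete_init_vulnerable(void) {
    app_on_init();
    return set_view_location(g_ctx, "http://localhost/test.html");
}

/* Hardened completion: pin the object across the callback, then re-check liveness. */
static int complete_init_hardened(void) {
    struct context *c = g_ctx;
    int rc;
    context_ref(c);                         /* memory stays valid even if destroyed re-entrantly */
    app_on_init();
    if (c->destroyed)
        rc = INIT_SKIPPED_DESTROYED;        /* page is gone: nothing left to update */
    else
        rc = set_view_location(c, "http://localhost/test.html");
    context_unref(c);
    return rc;
}

/* Run one scenario from a fresh context. hardened: 1 = fixed path, 0 = buggy path.
 * page_goes_away: 1 = a pagehide fires inside the nested loop, 0 = it does not. */
int run_init(int hardened, int page_goes_away) {
    int rc;
    g_ctx = context_new();
    g_pending_pagehide = page_goes_away;
    rc = hardened ? complete_init_hardened() : complete_init_vulnerable();
    if (g_ctx) { context_unref(g_ctx); g_ctx = NULL; }
    return rc;
}

int main(void) {
    printf("vulnerable, page hidden during onInit: %d (1 = NULL context reached set_view_location)\n",
           run_init(0, 1));
    printf("hardened,   page hidden during onInit: %d (2 = update skipped, context destroyed)\n",
           run_init(1, 1));
    return 0;
}
```

Build with `cc -o reentrancy reentrancy.c`. Without a pagehide both paths return INIT_OK; with one, the buggy path reaches set_view_location with a NULL context (the crash in the trace above) while the hardened path keeps the object alive through the callback and consults the destroyed flag before touching it. The general rule this models: any native callback that can re-enter the main loop must not assume that the objects it held before the call are still alive afterwards.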
CVE References

CVE-2013-1054

Chris Coulson (chrisccoulson) wrote :
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2013-1054

Changed in unity-firefox-extension:
assignee: nobody → Alexandre Abreu (abreu-alexandre)
Marc Deslauriers (mdeslaur) wrote :

Is there any progress on this?

@mdeslaur: not so far.

Marc Deslauriers (mdeslaur) wrote :

Has there been any progress on this?

Marc Deslauriers (mdeslaur) wrote :

Has there been any progress on resolving this issue for our stable releases?

Marc Deslauriers (mdeslaur) wrote :

Has there been any progress on this?

Marc Deslauriers (mdeslaur) wrote :

What is the status on this issue?

Marc Deslauriers (mdeslaur) wrote :

We no longer ship this package:

http://www.ubuntu.com/usn/usn-2743-3/

information type: Private Security → Public Security
Changed in unity-firefox-extension (Ubuntu):
status: New → Fix Released
Changed in unity-firefox-extension:
status: New → Confirmed