
dx-packages team mailing list archive

[Bug 1175691] Re: Rate limit in libunity-webapps can be abused to make Firefox collect C callbacks that are still in use


We no longer ship this package:

http://www.ubuntu.com/usn/usn-2743-3/


** Changed in: unity-firefox-extension (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: libunity-webapps (Ubuntu)
       Status: Confirmed => Invalid

** Changed in: unity-firefox-extension
       Status: New => Confirmed

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of DX
Packages, which is subscribed to libunity-webapps in Ubuntu.
https://bugs.launchpad.net/bugs/1175691

Title:
  Rate limit in libunity-webapps can be abused to make Firefox collect C
  callbacks that are still in use

Status in WebApps: unity-firefox-extension:
  Confirmed
Status in libunity-webapps package in Ubuntu:
  Invalid
Status in unity-firefox-extension package in Ubuntu:
  Fix Released

Bug description:
  PoC is attached.

  What happens when you click the button (and accept integration) is
  that it adds an action to the launcher and then repeatedly updates it
  with a new callback. However, at some point it will hit the rate limit
  inside libunity-webapps (in unity_webapps_launcher_add_action), at
  which point it no longer updates the actual C callback. Because this
  failure is not propagated out of libunity-webapps,
  unity-firefox-extension stores a reference to the new (and unused)
  callback, thus dropping its reference to the old (and still in use)
  callback, which will now be collected by the garbage collector.

  Give it a few seconds for the garbage collector to free the old
  callback and then click on the action in the launcher icon. Firefox
  will crash with a trace that looks a bit like this:

  #0  js::ctypes::CClosure::ClosureStub (cif=0x617320, result=0x7fffffffb5d0, args=0x7fffffffb440, userData=0x6c8)
      at /home/chr1s/src/firefox/mozilla-central/js/src/ctypes/CTypes.cpp:6116
  #1  0x00007ffff4020dab in ffi_closure_unix64_inner (closure=0x7fffe040b940, rvalue=0x7fffffffb5d0, reg_args=0x7fffffffb520, argp=0x7fffffffb5f0 "")
      at /home/chr1s/src/firefox/mozilla-central/js/src/ctypes/libffi/src/x86/ffi64.c:621
  #2  0x00007ffff40212c4 in ffi_closure_unix64 () at /home/chr1s/src/firefox/mozilla-central/js/src/ctypes/libffi/src/x86/unix64.S:228
  #3  0x00007ffff402115c in ffi_call_unix64 () at /home/chr1s/src/firefox/mozilla-central/js/src/ctypes/libffi/src/x86/unix64.S:75
  #4  0x00007ffff402084e in ffi_call (cif=0x7fffffffb7f0, fn=0x7fffc84eccf0 <_launcher_context_action_invoked>, rvalue=0x7fffffffb750, avalue=0x7fffffffb6f0)
      at /home/chr1s/src/firefox/mozilla-central/js/src/ctypes/libffi/src/x86/ffi64.c:485
  #5  0x00007ffff0fc6f7b in g_cclosure_marshal_generic (closure=0x7fff54009a00, return_gvalue=0x0, n_param_values=<optimised out>, param_values=<optimised out>, 
      invocation_hint=<optimised out>, marshal_data=0x7fffc84eccf0 <_launcher_context_action_invoked>) at /build/buildd/glib2.0-2.36.0/./gobject/gclosure.c:1454
  #6  0x00007ffff0fc6620 in g_closure_invoke (closure=0x7fff54009a00, return_value=0x0, n_param_values=3, param_values=0x32fc920, invocation_hint=0x7fffffffb9d0)
      at /build/buildd/glib2.0-2.36.0/./gobject/gclosure.c:777
  #7  0x00007ffff0fd7f00 in signal_emit_unlocked_R (node=node@entry=0x7fff5400d050, detail=detail@entry=0, instance=instance@entry=0x7fff5400f8e0, 
      emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x32fc920) at /build/buildd/glib2.0-2.36.0/./gobject/gsignal.c:3584
  #8  0x00007ffff0fdee3b in g_signal_emitv (instance_and_params=instance_and_params@entry=0x32fc920, signal_id=<optimised out>, detail=detail@entry=0, 
      return_value=return_value@entry=0x0) at /build/buildd/glib2.0-2.36.0/./gobject/gsignal.c:3059
  #9  0x00007fffc84e61c3 in unity_webapps_gen_launcher_proxy_g_signal (proxy=<optimised out>, sender_name=<optimised out>, signal_name=<optimised out>, 
      parameters=<optimised out>) at ../unity-webapps-gen-launcher.c:2079
  #10 0x00007ffff402115c in ffi_call_unix64 () at /home/chr1s/src/firefox/mozilla-central/js/src/ctypes/libffi/src/x86/unix64.S:75
  #11 0x00007ffff402084e in ffi_call (cif=0x7fffffffbdb0, fn=0x7fffc84e60b0 <unity_webapps_gen_launcher_proxy_g_signal>, rvalue=0x7fffffffbd10, avalue=0x7fffffffbc90)
      at /home/chr1s/src/firefox/mozilla-central/js/src/ctypes/libffi/src/x86/ffi64.c:485
  #12 0x00007ffff0fc6f7b in g_cclosure_marshal_generic (closure=0x6bf720, return_gvalue=0x0, n_param_values=<optimised out>, param_values=<optimised out>, 
      invocation_hint=<optimised out>, marshal_data=0x7fffc84e60b0 <unity_webapps_gen_launcher_proxy_g_signal>) at /build/buildd/glib2.0-2.36.0/./gobject/gclosure.c:1454
  #13 0x00007ffff0fc6620 in g_closure_invoke (closure=0x6bf720, return_value=0x0, n_param_values=4, param_values=0x7fffffffbff0, invocation_hint=0x7fffffffbf90)
      at /build/buildd/glib2.0-2.36.0/./gobject/gclosure.c:777
  #14 0x00007ffff0fd7af8 in signal_emit_unlocked_R (node=node@entry=0x6bf780, detail=detail@entry=0, instance=instance@entry=0x7fff5400f8e0, 
      emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fffffffbff0) at /build/buildd/glib2.0-2.36.0/./gobject/gsignal.c:3622
  #15 0x00007ffff0fdfd11 in g_signal_emit_valist (instance=0x7fff5400f8e0, signal_id=<optimised out>, detail=0, var_args=var_args@entry=0x7fffffffc278)
      at /build/buildd/glib2.0-2.36.0/./gobject/gsignal.c:3328
  #16 0x00007ffff0fdff92 in g_signal_emit (instance=instance@entry=0x7fff5400f8e0, signal_id=<optimised out>, detail=detail@entry=0)
      at /build/buildd/glib2.0-2.36.0/./gobject/gsignal.c:3384
  #17 0x00007fffeee3ebd4 in on_signal_received (connection=<optimised out>, sender_name=0x7fffc00079c0 ":1.218", object_path=<optimised out>, interface_name=<optimised out>, 
      signal_name=0x7fffc000f0e0 "ActionInvoked", parameters=0x214eb50, user_data=0x14d8360) at /build/buildd/glib2.0-2.36.0/./gio/gdbusproxy.c:927
  #18 0x00007fffeee2e835 in emit_signal_instance_in_idle_cb (data=0x7fffc0002f70) at /build/buildd/glib2.0-2.36.0/./gio/gdbusconnection.c:3715
  #19 0x00007ffff0d02f05 in g_main_dispatch (context=0x688b40) at /build/buildd/glib2.0-2.36.0/./glib/gmain.c:3054
  #20 g_main_context_dispatch (context=context@entry=0x688b40) at /build/buildd/glib2.0-2.36.0/./glib/gmain.c:3630
  #21 0x00007ffff0d03248 in g_main_context_iterate (context=context@entry=0x688b40, block=block@entry=0, dispatch=dispatch@entry=1, self=<optimised out>)
      at /build/buildd/glib2.0-2.36.0/./glib/gmain.c:3701
  #22 0x00007ffff0d03304 in g_main_context_iteration (context=0x688b40, may_block=0) at /build/buildd/glib2.0-2.36.0/./glib/gmain.c:3762
  #23 0x00007ffff3124473 in nsAppShell::ProcessNextNativeEvent (this=<optimised out>, mayWait=<optimised out>)
      at /home/chr1s/src/firefox/mozilla-central/widget/gtk2/nsAppShell.cpp:135
  #24 0x00007ffff314a4da in nsBaseAppShell::DoProcessNextNativeEvent (this=this@entry=0xa85580, mayWait=mayWait@entry=false, recursionDepth=recursionDepth@entry=0)
      at /home/chr1s/src/firefox/mozilla-central/widget/xpwidgets/nsBaseAppShell.cpp:139
  #25 0x00007ffff314a5a5 in nsBaseAppShell::OnProcessNextEvent (this=0xa85580, thr=0x70cec0, mayWait=false, recursionDepth=0)
      at /home/chr1s/src/firefox/mozilla-central/widget/xpwidgets/nsBaseAppShell.cpp:280
  #26 0x00007ffff356aac2 in nsThread::ProcessNextEvent (this=0x70cec0, mayWait=false, result=0x7fffffffc5cf)
  #27 0x00007ffff352909a in NS_ProcessNextEvent (thread=<optimised out>, mayWait=mayWait@entry=false)
      at /home/chr1s/src/firefox/mozilla-central/obj-x86_64-unknown-linux-gnu/xpcom/build/nsThreadUtils.cpp:238
  #28 0x00007ffff323f99b in mozilla::ipc::MessagePump::Run (this=0x70be80, aDelegate=0x70b600) at /home/chr1s/src/firefox/mozilla-central/ipc/glue/MessagePump.cpp:82
  #29 0x00007ffff359c698 in MessageLoop::RunInternal (this=this@entry=0x70b600) at /home/chr1s/src/firefox/mozilla-central/ipc/chromium/src/base/message_loop.cc:219
  #30 0x00007ffff359c6c0 in RunHandler (this=0x70b600) at /home/chr1s/src/firefox/mozilla-central/ipc/chromium/src/base/message_loop.cc:212
  #31 MessageLoop::Run (this=0x70b600) at /home/chr1s/src/firefox/mozilla-central/ipc/chromium/src/base/message_loop.cc:186
  #32 0x00007ffff3149af3 in nsBaseAppShell::Run (this=0xa85580) at /home/chr1s/src/firefox/mozilla-central/widget/xpwidgets/nsBaseAppShell.cpp:163
  #33 0x00007ffff2f9395b in nsAppStartup::Run (this=0xa2d310) at /home/chr1s/src/firefox/mozilla-central/toolkit/components/startup/nsAppStartup.cpp:289
  #34 0x00007ffff2337624 in XREMain::XRE_mainRun (this=this@entry=0x7fffffffc8a0) at /home/chr1s/src/firefox/mozilla-central/toolkit/xre/nsAppRunner.cpp:3879
  #35 0x00007ffff233a02b in XREMain::XRE_main (this=this@entry=0x7fffffffc8a0, argc=argc@entry=1, argv=argv@entry=0x7fffffffdd98, aAppData=aAppData@entry=0x7fffffffca90)
      at /home/chr1s/src/firefox/mozilla-central/toolkit/xre/nsAppRunner.cpp:3946
  #36 0x00007ffff233a299 in XRE_main (argc=1, argv=0x7fffffffdd98, aAppData=0x7fffffffca90, aFlags=<optimised out>)
      at /home/chr1s/src/firefox/mozilla-central/toolkit/xre/nsAppRunner.cpp:4147
  #37 0x000000000040252e in do_main (argc=argc@entry=1, argv=argv@entry=0x7fffffffdd98, xreDirectory=0x614010)
      at /home/chr1s/src/firefox/mozilla-central/browser/app/nsBrowserApp.cpp:271
  #38 0x0000000000401aca in main (argc=1, argv=0x7fffffffdd98) at /home/chr1s/src/firefox/mozilla-central/browser/app/nsBrowserApp.cpp:576

  As there is a chance that this memory could now be
  attacker-controlled, this could potentially be exploited to run
  arbitrary code.

To manage notifications about this bug go to:
https://bugs.launchpad.net/unity-firefox-extension/+bug/1175691/+subscriptions
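Added illustration (not code from libunity-webapps or unity-firefox-extension): a JavaScript model of the lifetime bug in the report, with the wrapper that drops its reference unconditionally beside one that only swaps references when the native side reports that it took the new callback. The launcher object, RATE_LIMIT and the function names are assumptions.

```javascript
// Constructed model of the bug described above. The "native" side stands in
// for libunity-webapps: once its rate limit trips, add_action silently stops
// replacing the stored C callback. The wrapper stands in for the js-ctypes
// side of unity-firefox-extension, which must keep the callback object alive
// for as long as the native side still points at it.

const RATE_LIMIT = 3; // assumption: updates accepted before the limit trips

// Simulated native side: remembers the last callback it actually installed.
function makeLauncher() {
  return {
    updates: 0,
    cCallback: null,
    addAction(cb) {
      if (this.updates >= RATE_LIMIT) return false; // rate limited: update dropped
      this.updates += 1;
      this.cCallback = cb;
      return true;
    },
  };
}

// Buggy wrapper (the pattern from the report): stores the new closure and
// lets go of the old one whether or not the native side took the new one.
function updateActionBuggy(launcher, state, cb) {
  launcher.addAction(cb);
  state.keptAlive = cb;
}

// Fixed wrapper: the failure is propagated, and the reference is swapped only
// when the native side confirms it now points at the new callback.
function updateActionFixed(launcher, state, cb) {
  if (launcher.addAction(cb)) state.keptAlive = cb;
}

// True when the JS side still references the callback the native side holds;
// false means the native pointer would dangle once the GC runs.
function nativeCallbackIsRooted(launcher, state) {
  return launcher.cCallback === state.keptAlive;
}

// Drive n updates through the given wrapper and report whether the callback
// the native side would invoke is still reachable from JS.
function simulate(update, n) {
  const launcher = makeLauncher();
  const state = { keptAlive: null };
  for (let i = 0; i < n; i++) update(launcher, state, () => i);
  return nativeCallbackIsRooted(launcher, state);
}
```

With more updates than the limit allows, the buggy wrapper ends up holding a callback the native side never installed, while the fixed wrapper keeps the installed one rooted.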