We no longer ship this package:
http://www.ubuntu.com/usn/usn-2743-3/
** Changed in: unity-firefox-extension (Ubuntu)
Status: Confirmed => Fix Released
** Changed in: libunity-webapps (Ubuntu)
Status: Confirmed => Invalid
** Changed in: unity-firefox-extension
Status: New => Confirmed
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of DX
Packages, which is subscribed to libunity-webapps in Ubuntu.
https://bugs.launchpad.net/bugs/1175691
Title:
Rate limit in libunity-webapps can be abused to make Firefox collect C
callbacks that are still in use
Status in WebApps: unity-firefox-extension:
Confirmed
Status in libunity-webapps package in Ubuntu:
Invalid
Status in unity-firefox-extension package in Ubuntu:
Fix Released
Bug description:
PoC is attached.
What happens when you click the button (and accept integration) is
that it adds an action to the launcher and then repeatedly updates it
with a new callback. However, at some point it will hit the rate limit
inside libunity-webapps (in unity_webapps_launcher_add_action), at
which point it no longer updates the actual C callback. Because this
failure is not propagated out of libunity-webapps, unity-firefox-
extension stores a reference to the new (and unused) callback thus
dropping its reference to the old (and still in use) callback, which
will now be collected by the garbage collector.
Give it a few seconds for the garbage collector to free the old
callback and then click on the action in the launcher icon. Firefox
will crash with a trace that looks a bit like this:
#0 js::ctypes::CClosure::ClosureStub (cif=0x617320, result=0x7fffffffb5d0,
args=0x7fffffffb440, userData=0x6c8)
at /home/chr1s/src/firefox/mozilla-central/js/src/ctypes/CTypes.cpp:6116
#1 0x00007ffff4020dab in ffi_closure_unix64_inner (closure=0x7fffe040b940,
rvalue=0x7fffffffb5d0, reg_args=0x7fffffffb520, argp=0x7fffffffb5f0 "")
at
/home/chr1s/src/firefox/mozilla-central/js/src/ctypes/libffi/src/x86/ffi64.c:621
#2 0x00007ffff40212c4 in ffi_closure_unix64 () at
/home/chr1s/src/firefox/mozilla-central/js/src/ctypes/libffi/src/x86/unix64.S:228
#3 0x00007ffff402115c in ffi_call_unix64 () at
/home/chr1s/src/firefox/mozilla-central/js/src/ctypes/libffi/src/x86/unix64.S:75
#4 0x00007ffff402084e in ffi_call (cif=0x7fffffffb7f0, fn=0x7fffc84eccf0
<_launcher_context_action_invoked>, rvalue=0x7fffffffb750,
avalue=0x7fffffffb6f0)
at
/home/chr1s/src/firefox/mozilla-central/js/src/ctypes/libffi/src/x86/ffi64.c:485
#5 0x00007ffff0fc6f7b in g_cclosure_marshal_generic (closure=0x7fff54009a00,
return_gvalue=0x0, n_param_values=<optimised out>, param_values=<optimised
out>,
invocation_hint=<optimised out>, marshal_data=0x7fffc84eccf0
<_launcher_context_action_invoked>) at
/build/buildd/glib2.0-2.36.0/./gobject/gclosure.c:1454
#6 0x00007ffff0fc6620 in g_closure_invoke (closure=0x7fff54009a00,
return_value=0x0, n_param_values=3, param_values=0x32fc920,
invocation_hint=0x7fffffffb9d0)
at /build/buildd/glib2.0-2.36.0/./gobject/gclosure.c:777
#7 0x00007ffff0fd7f00 in signal_emit_unlocked_R
(node=node@entry=0x7fff5400d050, detail=detail@entry=0,
instance=instance@entry=0x7fff5400f8e0,
emission_return=emission_return@entry=0x0,
instance_and_params=instance_and_params@entry=0x32fc920) at
/build/buildd/glib2.0-2.36.0/./gobject/gsignal.c:3584
#8 0x00007ffff0fdee3b in g_signal_emitv
(instance_and_params=instance_and_params@entry=0x32fc920, signal_id=<optimised
out>, detail=detail@entry=0,
return_value=return_value@entry=0x0) at
/build/buildd/glib2.0-2.36.0/./gobject/gsignal.c:3059
#9 0x00007fffc84e61c3 in unity_webapps_gen_launcher_proxy_g_signal
(proxy=<optimised out>, sender_name=<optimised out>, signal_name=<optimised
out>,
parameters=<optimised out>) at ../unity-webapps-gen-launcher.c:2079
#10 0x00007ffff402115c in ffi_call_unix64 () at
/home/chr1s/src/firefox/mozilla-central/js/src/ctypes/libffi/src/x86/unix64.S:75
#11 0x00007ffff402084e in ffi_call (cif=0x7fffffffbdb0, fn=0x7fffc84e60b0
<unity_webapps_gen_launcher_proxy_g_signal>, rvalue=0x7fffffffbd10,
avalue=0x7fffffffbc90)
at
/home/chr1s/src/firefox/mozilla-central/js/src/ctypes/libffi/src/x86/ffi64.c:485
#12 0x00007ffff0fc6f7b in g_cclosure_marshal_generic (closure=0x6bf720,
return_gvalue=0x0, n_param_values=<optimised out>, param_values=<optimised
out>,
invocation_hint=<optimised out>, marshal_data=0x7fffc84e60b0
<unity_webapps_gen_launcher_proxy_g_signal>) at
/build/buildd/glib2.0-2.36.0/./gobject/gclosure.c:1454
#13 0x00007ffff0fc6620 in g_closure_invoke (closure=0x6bf720,
return_value=0x0, n_param_values=4, param_values=0x7fffffffbff0,
invocation_hint=0x7fffffffbf90)
at /build/buildd/glib2.0-2.36.0/./gobject/gclosure.c:777
#14 0x00007ffff0fd7af8 in signal_emit_unlocked_R (node=node@entry=0x6bf780,
detail=detail@entry=0, instance=instance@entry=0x7fff5400f8e0,
emission_return=emission_return@entry=0x0,
instance_and_params=instance_and_params@entry=0x7fffffffbff0) at
/build/buildd/glib2.0-2.36.0/./gobject/gsignal.c:3622
#15 0x00007ffff0fdfd11 in g_signal_emit_valist (instance=0x7fff5400f8e0,
signal_id=<optimised out>, detail=0, var_args=var_args@entry=0x7fffffffc278)
at /build/buildd/glib2.0-2.36.0/./gobject/gsignal.c:3328
#16 0x00007ffff0fdff92 in g_signal_emit
(instance=instance@entry=0x7fff5400f8e0, signal_id=<optimised out>,
detail=detail@entry=0)
at /build/buildd/glib2.0-2.36.0/./gobject/gsignal.c:3384
#17 0x00007fffeee3ebd4 in on_signal_received (connection=<optimised out>,
sender_name=0x7fffc00079c0 ":1.218", object_path=<optimised out>,
interface_name=<optimised out>,
signal_name=0x7fffc000f0e0 "ActionInvoked", parameters=0x214eb50,
user_data=0x14d8360) at /build/buildd/glib2.0-2.36.0/./gio/gdbusproxy.c:927
#18 0x00007fffeee2e835 in emit_signal_instance_in_idle_cb
(data=0x7fffc0002f70) at
/build/buildd/glib2.0-2.36.0/./gio/gdbusconnection.c:3715
#19 0x00007ffff0d02f05 in g_main_dispatch (context=0x688b40) at
/build/buildd/glib2.0-2.36.0/./glib/gmain.c:3054
#20 g_main_context_dispatch (context=context@entry=0x688b40) at
/build/buildd/glib2.0-2.36.0/./glib/gmain.c:3630
#21 0x00007ffff0d03248 in g_main_context_iterate
(context=context@entry=0x688b40, block=block@entry=0,
dispatch=dispatch@entry=1, self=<optimised out>)
at /build/buildd/glib2.0-2.36.0/./glib/gmain.c:3701
#22 0x00007ffff0d03304 in g_main_context_iteration (context=0x688b40,
may_block=0) at /build/buildd/glib2.0-2.36.0/./glib/gmain.c:3762
#23 0x00007ffff3124473 in nsAppShell::ProcessNextNativeEvent (this=<optimised
out>, mayWait=<optimised out>)
at /home/chr1s/src/firefox/mozilla-central/widget/gtk2/nsAppShell.cpp:135
#24 0x00007ffff314a4da in nsBaseAppShell::DoProcessNextNativeEvent
(this=this@entry=0xa85580, mayWait=mayWait@entry=false,
recursionDepth=recursionDepth@entry=0)
at
/home/chr1s/src/firefox/mozilla-central/widget/xpwidgets/nsBaseAppShell.cpp:139
#25 0x00007ffff314a5a5 in nsBaseAppShell::OnProcessNextEvent (this=0xa85580,
thr=0x70cec0, mayWait=false, recursionDepth=0)
at
/home/chr1s/src/firefox/mozilla-central/widget/xpwidgets/nsBaseAppShell.cpp:280
#26 0x00007ffff356aac2 in nsThread::ProcessNextEvent (this=0x70cec0,
mayWait=false, result=0x7fffffffc5cf)
#27 0x00007ffff352909a in NS_ProcessNextEvent (thread=<optimised out>,
mayWait=mayWait@entry=false)
at
/home/chr1s/src/firefox/mozilla-central/obj-x86_64-unknown-linux-gnu/xpcom/build/nsThreadUtils.cpp:238
#28 0x00007ffff323f99b in mozilla::ipc::MessagePump::Run (this=0x70be80,
aDelegate=0x70b600) at
/home/chr1s/src/firefox/mozilla-central/ipc/glue/MessagePump.cpp:82
#29 0x00007ffff359c698 in MessageLoop::RunInternal (this=this@entry=0x70b600)
at
/home/chr1s/src/firefox/mozilla-central/ipc/chromium/src/base/message_loop.cc:219
#30 0x00007ffff359c6c0 in RunHandler (this=0x70b600) at
/home/chr1s/src/firefox/mozilla-central/ipc/chromium/src/base/message_loop.cc:212
#31 MessageLoop::Run (this=0x70b600) at
/home/chr1s/src/firefox/mozilla-central/ipc/chromium/src/base/message_loop.cc:186
#32 0x00007ffff3149af3 in nsBaseAppShell::Run (this=0xa85580) at
/home/chr1s/src/firefox/mozilla-central/widget/xpwidgets/nsBaseAppShell.cpp:163
#33 0x00007ffff2f9395b in nsAppStartup::Run (this=0xa2d310) at
/home/chr1s/src/firefox/mozilla-central/toolkit/components/startup/nsAppStartup.cpp:289
#34 0x00007ffff2337624 in XREMain::XRE_mainRun
(this=this@entry=0x7fffffffc8a0) at
/home/chr1s/src/firefox/mozilla-central/toolkit/xre/nsAppRunner.cpp:3879
#35 0x00007ffff233a02b in XREMain::XRE_main (this=this@entry=0x7fffffffc8a0,
argc=argc@entry=1, argv=argv@entry=0x7fffffffdd98,
aAppData=aAppData@entry=0x7fffffffca90)
at
/home/chr1s/src/firefox/mozilla-central/toolkit/xre/nsAppRunner.cpp:3946
#36 0x00007ffff233a299 in XRE_main (argc=1, argv=0x7fffffffdd98,
aAppData=0x7fffffffca90, aFlags=<optimised out>)
at
/home/chr1s/src/firefox/mozilla-central/toolkit/xre/nsAppRunner.cpp:4147
#37 0x000000000040252e in do_main (argc=argc@entry=1,
argv=argv@entry=0x7fffffffdd98, xreDirectory=0x614010)
at
/home/chr1s/src/firefox/mozilla-central/browser/app/nsBrowserApp.cpp:271
#38 0x0000000000401aca in main (argc=1, argv=0x7fffffffdd98) at
/home/chr1s/src/firefox/mozilla-central/browser/app/nsBrowserApp.cpp:576
As there is a chance that this memory could now be attacker
controlled, this could potentially be exploited to run arbitrary code.
To manage notifications about this bug go to:
https://bugs.launchpad.net/unity-firefox-extension/+bug/1175691/+subscriptions
--
Mailing list: https://launchpad.net/~dx-packages
Post to : dx-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~dx-packages
More help : https://help.launchpad.net/ListHelp
