Rate limit in libunity-webapps can be abused to make Firefox collect C callbacks that are still in use

Bug #1175691 reported by Chris Coulson
Affects                            Status         Importance   Assigned to        Milestone
WebApps: unity-firefox-extension   Confirmed      Undecided    Alexandre Abreu    -
libunity-webapps (Ubuntu)          Invalid        High         Unassigned         -
unity-firefox-extension (Ubuntu)   Fix Released   High         Unassigned         -

Bug Description

PoC is attached.

What happens when you click the button (and accept integration) is that it adds an action to the launcher and then repeatedly updates it with a new callback. However, at some point it will hit the rate limit inside libunity-webapps (in unity_webapps_launcher_add_action), at which point it no longer updates the actual C callback. Because this failure is not propagated out of libunity-webapps, unity-firefox-extension stores a reference to the new (and unused) callback thus dropping its reference to the old (and still in use) callback, which will now be collected by the garbage collector.

Give it a few seconds for the garbage collector to free the old callback and then click on the action in the launcher icon. Firefox will crash with a trace that looks a bit like this:

#0 js::ctypes::CClosure::ClosureStub (cif=0x617320, result=0x7fffffffb5d0, args=0x7fffffffb440, userData=0x6c8)
    at /home/chr1s/src/firefox/mozilla-central/js/src/ctypes/CTypes.cpp:6116
#1 0x00007ffff4020dab in ffi_closure_unix64_inner (closure=0x7fffe040b940, rvalue=0x7fffffffb5d0, reg_args=0x7fffffffb520, argp=0x7fffffffb5f0 "")
    at /home/chr1s/src/firefox/mozilla-central/js/src/ctypes/libffi/src/x86/ffi64.c:621
#2 0x00007ffff40212c4 in ffi_closure_unix64 () at /home/chr1s/src/firefox/mozilla-central/js/src/ctypes/libffi/src/x86/unix64.S:228
#3 0x00007ffff402115c in ffi_call_unix64 () at /home/chr1s/src/firefox/mozilla-central/js/src/ctypes/libffi/src/x86/unix64.S:75
#4 0x00007ffff402084e in ffi_call (cif=0x7fffffffb7f0, fn=0x7fffc84eccf0 <_launcher_context_action_invoked>, rvalue=0x7fffffffb750, avalue=0x7fffffffb6f0)
    at /home/chr1s/src/firefox/mozilla-central/js/src/ctypes/libffi/src/x86/ffi64.c:485
#5 0x00007ffff0fc6f7b in g_cclosure_marshal_generic (closure=0x7fff54009a00, return_gvalue=0x0, n_param_values=<optimised out>, param_values=<optimised out>,
    invocation_hint=<optimised out>, marshal_data=0x7fffc84eccf0 <_launcher_context_action_invoked>) at /build/buildd/glib2.0-2.36.0/./gobject/gclosure.c:1454
#6 0x00007ffff0fc6620 in g_closure_invoke (closure=0x7fff54009a00, return_value=0x0, n_param_values=3, param_values=0x32fc920, invocation_hint=0x7fffffffb9d0)
    at /build/buildd/glib2.0-2.36.0/./gobject/gclosure.c:777
#7 0x00007ffff0fd7f00 in signal_emit_unlocked_R (node=node@entry=0x7fff5400d050, detail=detail@entry=0, instance=instance@entry=0x7fff5400f8e0,
    emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x32fc920) at /build/buildd/glib2.0-2.36.0/./gobject/gsignal.c:3584
#8 0x00007ffff0fdee3b in g_signal_emitv (instance_and_params=instance_and_params@entry=0x32fc920, signal_id=<optimised out>, detail=detail@entry=0,
    return_value=return_value@entry=0x0) at /build/buildd/glib2.0-2.36.0/./gobject/gsignal.c:3059
#9 0x00007fffc84e61c3 in unity_webapps_gen_launcher_proxy_g_signal (proxy=<optimised out>, sender_name=<optimised out>, signal_name=<optimised out>,
    parameters=<optimised out>) at ../unity-webapps-gen-launcher.c:2079
#10 0x00007ffff402115c in ffi_call_unix64 () at /home/chr1s/src/firefox/mozilla-central/js/src/ctypes/libffi/src/x86/unix64.S:75
#11 0x00007ffff402084e in ffi_call (cif=0x7fffffffbdb0, fn=0x7fffc84e60b0 <unity_webapps_gen_launcher_proxy_g_signal>, rvalue=0x7fffffffbd10, avalue=0x7fffffffbc90)
    at /home/chr1s/src/firefox/mozilla-central/js/src/ctypes/libffi/src/x86/ffi64.c:485
#12 0x00007ffff0fc6f7b in g_cclosure_marshal_generic (closure=0x6bf720, return_gvalue=0x0, n_param_values=<optimised out>, param_values=<optimised out>,
    invocation_hint=<optimised out>, marshal_data=0x7fffc84e60b0 <unity_webapps_gen_launcher_proxy_g_signal>) at /build/buildd/glib2.0-2.36.0/./gobject/gclosure.c:1454
#13 0x00007ffff0fc6620 in g_closure_invoke (closure=0x6bf720, return_value=0x0, n_param_values=4, param_values=0x7fffffffbff0, invocation_hint=0x7fffffffbf90)
    at /build/buildd/glib2.0-2.36.0/./gobject/gclosure.c:777
#14 0x00007ffff0fd7af8 in signal_emit_unlocked_R (node=node@entry=0x6bf780, detail=detail@entry=0, instance=instance@entry=0x7fff5400f8e0,
    emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fffffffbff0) at /build/buildd/glib2.0-2.36.0/./gobject/gsignal.c:3622
#15 0x00007ffff0fdfd11 in g_signal_emit_valist (instance=0x7fff5400f8e0, signal_id=<optimised out>, detail=0, var_args=var_args@entry=0x7fffffffc278)
    at /build/buildd/glib2.0-2.36.0/./gobject/gsignal.c:3328
#16 0x00007ffff0fdff92 in g_signal_emit (instance=instance@entry=0x7fff5400f8e0, signal_id=<optimised out>, detail=detail@entry=0)
    at /build/buildd/glib2.0-2.36.0/./gobject/gsignal.c:3384
#17 0x00007fffeee3ebd4 in on_signal_received (connection=<optimised out>, sender_name=0x7fffc00079c0 ":1.218", object_path=<optimised out>, interface_name=<optimised out>,
    signal_name=0x7fffc000f0e0 "ActionInvoked", parameters=0x214eb50, user_data=0x14d8360) at /build/buildd/glib2.0-2.36.0/./gio/gdbusproxy.c:927
#18 0x00007fffeee2e835 in emit_signal_instance_in_idle_cb (data=0x7fffc0002f70) at /build/buildd/glib2.0-2.36.0/./gio/gdbusconnection.c:3715
#19 0x00007ffff0d02f05 in g_main_dispatch (context=0x688b40) at /build/buildd/glib2.0-2.36.0/./glib/gmain.c:3054
#20 g_main_context_dispatch (context=context@entry=0x688b40) at /build/buildd/glib2.0-2.36.0/./glib/gmain.c:3630
#21 0x00007ffff0d03248 in g_main_context_iterate (context=context@entry=0x688b40, block=block@entry=0, dispatch=dispatch@entry=1, self=<optimised out>)
    at /build/buildd/glib2.0-2.36.0/./glib/gmain.c:3701
#22 0x00007ffff0d03304 in g_main_context_iteration (context=0x688b40, may_block=0) at /build/buildd/glib2.0-2.36.0/./glib/gmain.c:3762
#23 0x00007ffff3124473 in nsAppShell::ProcessNextNativeEvent (this=<optimised out>, mayWait=<optimised out>)
    at /home/chr1s/src/firefox/mozilla-central/widget/gtk2/nsAppShell.cpp:135
#24 0x00007ffff314a4da in nsBaseAppShell::DoProcessNextNativeEvent (this=this@entry=0xa85580, mayWait=mayWait@entry=false, recursionDepth=recursionDepth@entry=0)
    at /home/chr1s/src/firefox/mozilla-central/widget/xpwidgets/nsBaseAppShell.cpp:139
#25 0x00007ffff314a5a5 in nsBaseAppShell::OnProcessNextEvent (this=0xa85580, thr=0x70cec0, mayWait=false, recursionDepth=0)
    at /home/chr1s/src/firefox/mozilla-central/widget/xpwidgets/nsBaseAppShell.cpp:280
#26 0x00007ffff356aac2 in nsThread::ProcessNextEvent (this=0x70cec0, mayWait=false, result=0x7fffffffc5cf)
#27 0x00007ffff352909a in NS_ProcessNextEvent (thread=<optimised out>, mayWait=mayWait@entry=false)
    at /home/chr1s/src/firefox/mozilla-central/obj-x86_64-unknown-linux-gnu/xpcom/build/nsThreadUtils.cpp:238
#28 0x00007ffff323f99b in mozilla::ipc::MessagePump::Run (this=0x70be80, aDelegate=0x70b600) at /home/chr1s/src/firefox/mozilla-central/ipc/glue/MessagePump.cpp:82
#29 0x00007ffff359c698 in MessageLoop::RunInternal (this=this@entry=0x70b600) at /home/chr1s/src/firefox/mozilla-central/ipc/chromium/src/base/message_loop.cc:219
#30 0x00007ffff359c6c0 in RunHandler (this=0x70b600) at /home/chr1s/src/firefox/mozilla-central/ipc/chromium/src/base/message_loop.cc:212
#31 MessageLoop::Run (this=0x70b600) at /home/chr1s/src/firefox/mozilla-central/ipc/chromium/src/base/message_loop.cc:186
#32 0x00007ffff3149af3 in nsBaseAppShell::Run (this=0xa85580) at /home/chr1s/src/firefox/mozilla-central/widget/xpwidgets/nsBaseAppShell.cpp:163
#33 0x00007ffff2f9395b in nsAppStartup::Run (this=0xa2d310) at /home/chr1s/src/firefox/mozilla-central/toolkit/components/startup/nsAppStartup.cpp:289
#34 0x00007ffff2337624 in XREMain::XRE_mainRun (this=this@entry=0x7fffffffc8a0) at /home/chr1s/src/firefox/mozilla-central/toolkit/xre/nsAppRunner.cpp:3879
#35 0x00007ffff233a02b in XREMain::XRE_main (this=this@entry=0x7fffffffc8a0, argc=argc@entry=1, argv=argv@entry=0x7fffffffdd98, aAppData=aAppData@entry=0x7fffffffca90)
    at /home/chr1s/src/firefox/mozilla-central/toolkit/xre/nsAppRunner.cpp:3946
#36 0x00007ffff233a299 in XRE_main (argc=1, argv=0x7fffffffdd98, aAppData=0x7fffffffca90, aFlags=<optimised out>)
    at /home/chr1s/src/firefox/mozilla-central/toolkit/xre/nsAppRunner.cpp:4147
#37 0x000000000040252e in do_main (argc=argc@entry=1, argv=argv@entry=0x7fffffffdd98, xreDirectory=0x614010)
    at /home/chr1s/src/firefox/mozilla-central/browser/app/nsBrowserApp.cpp:271
#38 0x0000000000401aca in main (argc=1, argv=0x7fffffffdd98) at /home/chr1s/src/firefox/mozilla-central/browser/app/nsBrowserApp.cpp:576

As there is a chance that this memory could now be attacker controlled, this could potentially be exploited to run arbitrary code.
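The ownership mismatch described above, as an added example that is not code from unity-firefox-extension or libunity-webapps. It models the js-ctypes closure as a JS object, the native launcher as a class with an invented rate limit, and the garbage collector as a function that frees whatever the JS side no longer references; the class and function names, the rate limit value, and the choice to model a call through freed memory as a thrown error rather than a crash are all assumptions made for illustration.

```javascript
// Added example: simulates the ownership bug described in this report.
// None of this is code from unity-firefox-extension or libunity-webapps;
// the class and function names are invented for illustration.

// A js-ctypes style closure: memory allocated when JS wraps a function so
// that C can call it. It is freed when the JS side drops its last reference.
class Closure {
  constructor(id, fn) {
    this.id = id;
    this.fn = fn;
    this.freed = false;
  }
}

// Stand-in for the native launcher (libunity-webapps). It stores a raw
// pointer to the closure and enforces a rate limit on add_action calls.
class NativeLauncher {
  constructor(rateLimit) {
    this.rateLimit = rateLimit; // accepted add_action calls before limiting
    this.calls = 0;
    this.callback = null;       // raw pointer; the JS side owns the memory
  }

  // Mirrors unity_webapps_launcher_add_action: once the rate limit is hit
  // the new callback is silently ignored and the old pointer stays in use.
  addAction(closure) {
    this.calls += 1;
    if (this.calls > this.rateLimit) {
      return false; // update dropped; caller must keep the old closure alive
    }
    this.callback = closure;
    return true;
  }

  // Mirrors the ActionInvoked signal reaching ClosureStub: calling through
  // a freed closure is a use-after-free.
  invoke() {
    if (this.callback === null) return null;
    if (this.callback.freed) {
      throw new Error("use-after-free: closure " + this.callback.id);
    }
    return this.callback.fn();
  }
}

// Stand-in for the garbage collector: frees every closure the JS side no
// longer references.
function collect(allocated, liveRefs) {
  for (const c of allocated) {
    if (!liveRefs.has(c)) c.freed = true;
  }
}

// Buggy extension logic: replaces the stored reference on every update
// without checking whether the native side actually took the new callback.
function runBuggy(rateLimit, updates) {
  const native = new NativeLauncher(rateLimit);
  const allocated = [];
  let held = null;
  for (let i = 0; i < updates; i++) {
    const c = new Closure(i, () => "action-" + i);
    allocated.push(c);
    native.addAction(c); // return value ignored
    held = c;            // previous closure is now unreferenced from JS
  }
  collect(allocated, new Set([held]));
  try {
    return native.invoke();
  } catch (e) {
    return e.message;
  }
}

// Fixed extension logic: only swap the held reference when the native side
// reports that it installed the new callback.
function runFixed(rateLimit, updates) {
  const native = new NativeLauncher(rateLimit);
  const allocated = [];
  let held = null;
  for (let i = 0; i < updates; i++) {
    const c = new Closure(i, () => "action-" + i);
    allocated.push(c);
    if (native.addAction(c)) {
      held = c;          // native now points at c; old closure can go
    }                    // else: keep the old closure, drop c
  }
  collect(allocated, new Set([held]));
  return native.invoke();
}
```

With a rate limit of 3 and 5 updates, the buggy path leaves the native side pointing at closure 2 while JS holds only closure 4, so the simulated collection frees closure 2 and the next invoke hits freed memory; the fixed path keeps closure 2 alive because the rejected updates never replaced the held reference. The general lesson is that a wrapper handing callbacks to C must treat the native side's acceptance, not its own bookkeeping, as the point at which the old callback may be released.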

CVE References

CVE-2013-1055

Revision history for this message
Chris Coulson (chrisccoulson) wrote :
Changed in unity-firefox-extension (Ubuntu):
importance: Undecided → High
Changed in libunity-webapps (Ubuntu):
importance: Undecided → High
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2013-1055

Changed in unity-firefox-extension:
assignee: nobody → Alexandre Abreu (abreu-alexandre)
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Any progress on this issue?

Revision history for this message
Alexandre Abreu (abreu-alexandre) wrote :

@mdeslaur: not so far,

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Has there been any progress on this?

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Has there been any progress on resolving this issue for our stable releases?

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Has there been any progress on this?

Steve Beattie (sbeattie)
Changed in libunity-webapps (Ubuntu):
status: New → Confirmed
Changed in unity-firefox-extension (Ubuntu):
status: New → Confirmed
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

What's the status on this issue?

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

We no longer ship this package:

http://www.ubuntu.com/usn/usn-2743-3/

Changed in unity-firefox-extension (Ubuntu):
status: Confirmed → Fix Released
Changed in libunity-webapps (Ubuntu):
status: Confirmed → Invalid
Changed in unity-firefox-extension:
status: New → Confirmed
information type: Private Security → Public Security