firefox executable stack (security best-practice failure)

Bug #34131 reported by John Moser on 2006-03-08
Affects: firefox (Ubuntu)

Bug Description

shows firefox has an executable stack and several write-execute anonymous mappings on x86-64. This is a security best-practice failure: shellcode injection into the stack or any of these anonymous mappings is possible now that they are data-code confused. This makes vulnerabilities in which Firefox improperly processes a Web page and executes data on the stack easy to take advantage of.

task 6862 (/usr/lib/firefox/firefox-bin)
  40001000-40801000 rwxp 40001000 00:00 0
  40802000-41002000 rwxp 40802000 00:00 0
  41003000-41803000 rwxp 41003000 00:00 0
  41804000-42004000 rwxp 41804000 00:00 0
  42005000-42805000 rwxp 42005000 00:00 0
  42806000-43006000 rwxp 42806000 00:00 0
  43007000-43807000 rwxp 43007000 00:00 0
  7fffffad1000-7fffffae8000 rwxp 7fffffad1000 00:00 0 [stack]

Please note that this is not a security vulnerability; it is a failure to execute security best practices. By correcting this, certain real vulnerabilities will become difficult or impossible to exploit beyond basic denial of service.

The most likely cause of this is the use of gcc nested functions in Firefox or an attached plug-in. As this affects Thunderbird as well, it is likely a failing in the Gecko Runtime Engine, which processes the XUL language that Firefox and Thunderbird are written in.

See also bug #34129 which has the script I used as an attachment.
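A checker for the symptom reported above, added here as an example (it is not the script attached to bug #34129): it parses /proc/<pid>/maps text and flags every mapping that is both writable and executable, separating the stack from anonymous mappings. The embedded sample is the report's own eight rwxp lines plus one constructed r-xp library line that must not be flagged.

```python
import re
import sys

# One /proc/<pid>/maps line: range, perms, offset, device, inode, optional path.
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


def find_wx_mappings(maps_text):
    """Return (start, end, perms, label) for each mapping that is both
    writable and executable. label is the path or kernel tag ([stack],
    [heap], ...) or '[anon]' for an anonymous mapping with no path."""
    findings = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        perms = m.group("perms")
        if "w" in perms and "x" in perms:
            label = m.group("path").strip() or "[anon]"
            findings.append((int(m.group("start"), 16),
                             int(m.group("end"), 16), perms, label))
    return findings


def has_executable_stack(maps_text):
    """True if the [stack] mapping is writable and executable."""
    return any(label == "[stack]" for *_, label in find_wx_mappings(maps_text))


# Sample input: the maps lines from the report above, plus one constructed
# read-only/executable library mapping that the checker must ignore.
SAMPLE_MAPS = """\
40001000-40801000 rwxp 40001000 00:00 0
40802000-41002000 rwxp 40802000 00:00 0
41003000-41803000 rwxp 41003000 00:00 0
41804000-42004000 rwxp 41804000 00:00 0
42005000-42805000 rwxp 42005000 00:00 0
42806000-43006000 rwxp 42806000 00:00 0
43007000-43807000 rwxp 43007000 00:00 0
7fffffad1000-7fffffae8000 rwxp 7fffffad1000 00:00 0 [stack]
7fffffae8000-7fffffb00000 r-xp 00000000 08:01 4242 /lib/libexample.so
"""

if __name__ == "__main__":
    # Usage: python3 wxcheck.py /proc/<pid>/maps   (no argument: sample data)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAPS
    for start, end, perms, label in find_wx_mappings(text):
        print(f"W+X {start:012x}-{end:012x} {perms} {label} "
              f"({(end - start) // 1024} KiB)")
```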

John Moser (nigelenki) wrote:

This is an Ubuntu bug, dependent on bug #49192, which I have already explained how to fix as of last night. :)

Yes, I was wrong with my nested function guess.

Changed in firefox:
status: Unconfirmed → Confirmed
John Moser (nigelenki) wrote:

Okay, fix released for #49192 in Edgy, closing this bug.

Changed in firefox:
status: Confirmed → Fix Released