Closed
Bug 1362924
Opened 7 years ago
Closed 7 years ago
Fix potential reentry into DocumentViewer from call sites which includes nsAutoScriptBlocker.
Categories
(Core :: Layout, defect)
Core
Layout
Tracking
()
People
(Reporter: bevis, Assigned: heycam)
References
Details
(Keywords: csectype-uaf, regression, sec-high, Whiteboard: [adv-main55+][adv-esr52.3+])
Attachments
(6 files, 1 obsolete file)
2.07 KB,
patch
|
tnikkel
:
review+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
6.13 KB,
patch
|
tnikkel
:
review+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
8.55 KB,
patch
|
jcristau
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
2.67 KB,
patch
|
jcristau
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
2.67 KB,
patch
|
abillings
:
approval-mozilla-esr52+
|
Details | Diff | Splinter Review |
5.99 KB,
patch
|
Details | Diff | Splinter Review |
Bug 1356558 fixed a reentry from ::Hide() to ::Show(). Bug 1356558 comment 26 points out another one that re-enters into nsDocumentViewer functions potentially. Need an expert from nsDocumentViewer to review the implicit use of nsAutoScriptBlocker to fix these possible reentries into nsDocumentViewer.
Updated•7 years ago
|
status-firefox53:
--- → wontfix
status-firefox54:
--- → affected
status-firefox55:
--- → affected
status-firefox-esr52:
--- → affected
Updated•7 years ago
|
Blocks: 871747
Group: core-security → layout-core-security
tracking-firefox54:
--- → +
tracking-firefox55:
--- → +
tracking-firefox-esr52:
--- → 54+
Comment 2•7 years ago
|
||
Bevis, please include me into bug 1356558 so that I could have a better context for this issue. Thanks.
Flags: needinfo?(btseng)
Comment 4•7 years ago
|
||
heycam, could you help to look at this potential security issue?
Flags: needinfo?(aschen) → needinfo?(cam)
Assignee | ||
Updated•7 years ago
|
Assignee: nobody → cam
Status: NEW → ASSIGNED
Flags: needinfo?(cam)
Assignee | ||
Comment 5•7 years ago
|
||
Timothy/Boris, following on from bug 1356558 comment 26, I'm not sure what the right thing to do here is. The PresShell::Initialize() call itself can't be done while a script blocker is on the stack, because the BindingManager()->ProcessAttachedQueue() call that it does does will run script. The code in nsDocumentViewer::InitPresentationStuff after the PresShell::Initialize() mostly null checks the member variables that it wants to use to continue the initialization process, but since we might have re-entrantly set some new pres shell etc. on the nsDocumentViewer, even if non-null they won't have expected values. (Is it possible, by the way, for the nsDocumentViewer to be destroyed due to the script runners while we're in an nsDocumentViewer method?) Should we instead be doing some explicit re-entrancy checks on all the public nsIContentViewer methods and just bailing out if we are called re-entrantly?
Flags: needinfo?(tnikkel)
Flags: needinfo?(bzbarsky)
Comment 6•7 years ago
|
||
It used to be that PresShell::Initialize did a synchronous reflow. And before it did that it did XBL constructor processing and restyle processing etc. We removed that synchronous reflow in bug 378975 but left the rest of that stuff. But I'm not sure we really need the rest of it. Specifically: 1) I see no reason we need the sync ProcessPendingRestyles() call at all. We'll process restyles before the next time we reflow, as needed. 2) If we remove that ProcessPendingRestyles call, there's no reason to do a sync ProcessAttachedQueue call. We can do that off a scriptrunner instead, for minimal change, or via whatever mechanism we normally use for running XBL ctors from frame construction if we're willing to tolerate a bit more risk. And then I think we can in fact do PresShell::Initialize() under a scriptblocker. > Is it possible, by the way, for the nsDocumentViewer to be destroyed due to the script runners while we're in an nsDocumentViewer method? Maybe. See bug 1365948.
Flags: needinfo?(bzbarsky)
Assignee | ||
Comment 7•7 years ago
|
||
(In reply to Boris Zbarsky [:bz] (if a patch has no decent message, automatic r-) from comment #6) > 2) If we remove that ProcessPendingRestyles call, there's no reason to do a > sync ProcessAttachedQueue call. We can do that off a scriptrunner instead, > for minimal change, or via whatever mechanism we normally use for running > XBL ctors from frame construction if we're willing to tolerate a bit more > risk. OK. Looks like that mechanism is just "call AddPendingBinding in the nsFrameConstructorState destructor", which causes us to run them next style flush. Since this is meant to be running the XBL constructors for that (now to be removed) ProcessPendingRestyles call, we can just leave them to be run naturally in the next style flush.
Assignee | ||
Comment 8•7 years ago
|
||
Well, I got some docshell crashtest assertions when removing the ProcessAttachedQueue call entirely. But using a script runner seems to work.
Flags: needinfo?(tnikkel)
Assignee | ||
Comment 9•7 years ago
|
||
Attachment #8873710 -
Flags: review?(tnikkel)
Assignee | ||
Comment 10•7 years ago
|
||
Attachment #8873711 -
Flags: review?(tnikkel)
Updated•7 years ago
|
Attachment #8873710 -
Flags: review?(tnikkel) → review+
Updated•7 years ago
|
Attachment #8873711 -
Flags: review?(tnikkel) → review+
Assignee | ||
Comment 11•7 years ago
|
||
Comment on attachment 8873710 [details] [diff] [review] Part 1: Stop synchronously running XBL constructors and flushing style in PresShell::Initialize. [Security approval request comment] How easily could an exploit be constructed based on the patch? Not easily. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? From this and the following patch, you can see that we making changes that prevent XBL destructors from running at certain times in nsDocumentViewer. Comments do say that we do this to prevent re-entrant calls, and it's clear that this is "a bad thing", but it would require some work to determine if and how this is exploitable. Which older supported branches are affected by this flaw? I'll say all, in theory. Bug 1356558, which this bug was spawned from, identified (and fixed) a specific case where we could cause these re-entrant calls. This patch protects against more cases where we in theory could have these re-entrant calls, but without specific uses of XBL that would trigger them, they are latent problems rather than ones we know could be abused right now. If not all supported branches, which bug introduced the flaw? - Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? I don't, but I don't think this code is touched very often, so it shouldn't be hard or risky to. How likely is this patch to cause regressions; how much testing does it need? Unsure. The two major changes -- running the XBL destructors slightly later (in a script runner) and not synchronously flushing styles -- seem like they shouldn't cause regressions, since none of the callers to these functions should care that they aren't done synchronously now. Existing tests pass.
Attachment #8873710 -
Flags: sec-approval?
Assignee | ||
Comment 12•7 years ago
|
||
Comment on attachment 8873711 [details] [diff] [review] Part 2: Add script blockers around remaining PresShell::{Destroy,Initialize} calls to protect against re-entrant nsDocumentViewer calls. [Security approval request comment] (as above)
Attachment #8873711 -
Flags: sec-approval?
Comment 13•7 years ago
|
||
This has missed the Firefox 54 window. It's too late to land and make any betas. We're making the release build soon. So, this can't land until June 27, two weeks into the Firefox 55 cycle. I'll give it sec-approval to land *then* but don't land it before June 27.
Whiteboard: [checkin on 6/27]
Updated•7 years ago
|
Updated•7 years ago
|
Attachment #8873710 -
Flags: sec-approval? → sec-approval+
Updated•7 years ago
|
Attachment #8873711 -
Flags: sec-approval? → sec-approval+
Comment 14•7 years ago
|
||
(In reply to Al Billings [:abillings] from comment #13) > So, this can't land until June 27, two weeks into the Firefox 55 cycle. I'll > give it sec-approval to land *then* but don't land it before June 27. Looks like you are suggesting it's a wontfix in FF54. Please correct me if I'm wrong.
Comment 15•7 years ago
|
||
Came across some crashes in nsDocumentViewer::Show on crashstats today that could only be explained by the issues being fixed by this patch. So the issue is definitely real and not theoretical.
Comment 17•7 years ago
|
||
Part 2 needs a bit of rebasing.
Assignee | ||
Comment 18•7 years ago
|
||
I just tried applying both patches and they seemed to apply fine (part 1 with "offset 5 lines", part 2 cleanly).
Flags: needinfo?(cam)
Assignee | ||
Comment 19•7 years ago
|
||
Assignee | ||
Comment 20•7 years ago
|
||
Assignee | ||
Comment 21•7 years ago
|
||
Attachment #8881658 -
Attachment is obsolete: true
Assignee | ||
Comment 22•7 years ago
|
||
Attached rebased patches in case it helps. Could someone check this in to inbound and beta when the trees are open again? Thanks.
Keywords: checkin-needed
Assignee | ||
Comment 23•7 years ago
|
||
I guess I need beta approval still...
Assignee | ||
Comment 24•7 years ago
|
||
Comment on attachment 8881660 [details] [diff] [review] part 1 backport for beta Approval Request Comment [Feature/Bug causing the regression]: unsure [User impact if declined]: potential (though so far unproven to be triggerable) security issue would not be protected against [Is this code covered by automated tests?]: probably don't have great coverage here [Has the fix been verified in Nightly?]: no [Needs manual test from QE? If yes, steps to reproduce]: no [List of other uplifts needed for the feature/fix]: none [Is the change risky?]: Unsure. [Why is the change risky/not risky?]: The two major changes -- running the XBL destructors slightly later (in a script runner) and not synchronously flushing styles -- seem like they shouldn't cause regressions, since none of the callers to these functions should care that they aren't done synchronously now. Existing tests pass. [String changes made/needed]: none
Attachment #8881660 -
Flags: approval-mozilla-beta?
Assignee | ||
Comment 25•7 years ago
|
||
(And that approval request applies to both patches.)
Comment 26•7 years ago
|
||
I still had issues with the original trunk patches, but the beta ones mostly worked for inbound (modulo one easy to resolve conflict on part 2). https://hg.mozilla.org/integration/mozilla-inbound/rev/2db98c5fe22c9f10f87ba118577c654a992e3eed https://hg.mozilla.org/integration/mozilla-inbound/rev/d9b2f155996d7c2c22ac270042a7ed6e45275b1c Also, part 2 will need a rebased patch for ESR52 when you get a chance. Part 1 grafts OK.
status-firefox56:
--- → affected
tracking-firefox56:
--- → ?
Flags: needinfo?(cam)
Keywords: checkin-needed
Comment 27•7 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #26) > I still had issues with the original trunk patches, but the beta ones mostly > worked for inbound (modulo one easy to resolve conflict on part 2). > > https://hg.mozilla.org/integration/mozilla-inbound/rev/ > 2db98c5fe22c9f10f87ba118577c654a992e3eed > https://hg.mozilla.org/integration/mozilla-inbound/rev/ > d9b2f155996d7c2c22ac270042a7ed6e45275b1c > > Also, part 2 will need a rebased patch for ESR52 when you get a chance. Part > 1 grafts OK. sorry this caused bustage and had to backout for bustage like https://treeherder.mozilla.org/logviewer.html#?job_id=110323595&repo=mozilla-inbound
Updated•7 years ago
|
Assignee | ||
Comment 28•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/4d0bd19cf77dc72ce57aa83daa2b06a40c169ad6 https://hg.mozilla.org/integration/mozilla-inbound/rev/6abb5ce2b1eefd5c0d3cecbec4e721b72eecbd50
Flags: needinfo?(cam)
Assignee | ||
Comment 29•7 years ago
|
||
Assignee | ||
Comment 30•7 years ago
|
||
Assignee | ||
Comment 31•7 years ago
|
||
Comment on attachment 8882500 [details] [diff] [review] part 1 backport for esr52 [Approval Request Comment] If this is not a sec:{high,crit} bug, please state case for ESR consideration: User impact if declined: potential (though so far unproven to be triggerable) security issue would not be protected against Fix Landed on Version: 56 Risk to taking this patch (and alternatives if risky): The two major changes -- running the XBL destructors slightly later (in a script runner) and not synchronously flushing styles -- seem like they shouldn't cause regressions, since none of the callers to these functions should care that they aren't done synchronously now. Existing tests pass. String or UUID changes made by this patch: none See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8882500 -
Flags: approval-mozilla-esr52?
Comment 32•7 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/4d0bd19cf77d https://hg.mozilla.org/mozilla-central/rev/6abb5ce2b1ee
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Updated•7 years ago
|
Group: layout-core-security → core-security-release
Updated•7 years ago
|
Target Milestone: --- → mozilla56
Comment 33•7 years ago
|
||
Comment on attachment 8881660 [details] [diff] [review] part 1 backport for beta sec-high, uaf, beta55+
Attachment #8881660 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Updated•7 years ago
|
Attachment #8881659 -
Flags: approval-mozilla-beta+
Comment 34•7 years ago
|
||
uplift |
https://hg.mozilla.org/releases/mozilla-beta/rev/706e0da8ef14 https://hg.mozilla.org/releases/mozilla-beta/rev/388ed6dc3c87
Updated•7 years ago
|
Attachment #8882500 -
Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
Comment 35•7 years ago
|
||
uplift |
https://hg.mozilla.org/releases/mozilla-esr52/rev/057ed884ecb0 https://hg.mozilla.org/releases/mozilla-esr52/rev/dd7ed649b82f
Comment 36•7 years ago
|
||
(In reply to Cameron McCormack (:heycam) from comment #24) > [Is this code covered by automated tests?]: probably don't have great > coverage here > [Has the fix been verified in Nightly?]: no > [Needs manual test from QE? If yes, steps to reproduce]: no Setting qe-verify- based on Cameron's assessment on manual testing needs.
Flags: qe-verify-
Updated•7 years ago
|
Whiteboard: [adv-main55+][adv-esr52.3+]
Updated•6 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•