Use-after-free at CSP Parser

RESOLVED FIXED in Firefox 32

Status

Product: Core
Component: DOM: Security
Status: RESOLVED FIXED
Reported: 4 years ago
Modified: 3 years ago

People

(Reporter: m_kato, Assigned: m_kato)

Tracking

Version: Trunk
Target Milestone: mozilla32
Keywords: csectype-uaf, regression, sec-critical
Points:
---
Bug Flags:
in-testsuite ?
qe-verify -

Firefox Tracking Flags

(firefox31 unaffected, firefox32+ fixed, firefox-esr24 unaffected)

Details

Attachments

(1 attachment)

(Assignee)

Description

4 years ago
Created attachment 8432348 [details] [diff] [review]
Fix

This code is a use-after-free:

// NS_ConvertUTF8toUTF16(...) is a temporary: it is destroyed at the end of
// this statement, which frees the buffer that get() returned.
const char16_t *formatParams[] = { NS_ConvertUTF8toUTF16(newUriSpec).get() };
...
// use formatParams

This code is equivalent to:

const char16_t *formatParams[1];
{
  NS_ConvertUTF8toUTF16 unicodeSpec(newUriSpec);
  formatParams[0] = unicodeSpec.get();
}  // unicodeSpec is destroyed here; formatParams[0] now dangles
...
// use formatParams

So formatParams[0] becomes a dangling pointer, and using it is a use-after-free.
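The lifetime bug described above, as an added example that is not Mozilla's code: a constructed stand-in for NS_ConvertUTF8toUTF16 records which converter buffers are still alive, so the vulnerable initializer and the fixed named-local form can be compared without dereferencing freed memory. The class ConvertUTF8toUTF16, the gLiveBuffers tracker, formatMessage and the sample URL are assumptions for illustration only.

```cpp
#include <cassert>
#include <cstdio>
#include <set>
#include <string>

// Tracks the buffer of every live converter so a pointer can be checked for
// validity without dereferencing it. Constructed for this example; not a
// Mozilla API.
static std::set<const char16_t*> gLiveBuffers;

// Constructed stand-in for NS_ConvertUTF8toUTF16: owns a UTF-16 copy of the
// input and releases it in the destructor, which is the lifetime that matters
// for the bug. The conversion is ASCII-only, which is all the example needs.
class ConvertUTF8toUTF16 {
public:
  explicit ConvertUTF8toUTF16(const std::string& utf8) {
    for (unsigned char c : utf8) {
      mBuf.push_back(static_cast<char16_t>(c));
    }
    gLiveBuffers.insert(mBuf.c_str());
  }
  ~ConvertUTF8toUTF16() { gLiveBuffers.erase(mBuf.c_str()); }
  ConvertUTF8toUTF16(const ConvertUTF8toUTF16&) = delete;
  ConvertUTF8toUTF16& operator=(const ConvertUTF8toUTF16&) = delete;
  const char16_t* get() const { return mBuf.c_str(); }
private:
  std::u16string mBuf;
};

static bool isLive(const char16_t* p) { return gLiveBuffers.count(p) != 0; }

// Stand-in for the localized-string formatting that consumes formatParams.
static std::u16string formatMessage(const char16_t* spec) {
  std::u16string out = u"blocked: ";
  out += spec;
  return out;
}

// Vulnerable shape from the report. The converter is a temporary inside the
// braced initializer, so it is destroyed when that declaration finishes and
// formatParams[0] is left pointing at storage that has already been released.
bool vulnerableParamIsDangling(const std::string& spec) {
  const char16_t* formatParams[] = { ConvertUTF8toUTF16(spec).get() };
  // No dereference on purpose: reading *formatParams[0] here would be the
  // use-after-free. Only the pointer value is inspected.
  return !isLive(formatParams[0]);
}

// Fixed shape: the named local lives until the end of the function, so the
// parameter array stays valid for as long as it is used.
bool fixedParamIsDangling(const std::string& spec, std::u16string* formatted) {
  ConvertUTF8toUTF16 unicodeSpec(spec);
  const char16_t* formatParams[] = { unicodeSpec.get() };
  bool dangling = !isLive(formatParams[0]);
  if (!dangling && formatted != nullptr) {
    *formatted = formatMessage(formatParams[0]);  // safe: unicodeSpec is alive
  }
  return dangling;
}

int main() {
  const std::string spec = "https://example.com/";  // constructed sample input
  std::u16string msg;
  std::printf("temporary in initializer: dangling=%d\n",
              vulnerableParamIsDangling(spec) ? 1 : 0);
  std::printf("named local:              dangling=%d, formatted %zu chars\n",
              fixedParamIsDangling(spec, &msg) ? 1 : 0, msg.size());
  return 0;
}
```

The tracker stands in for what AddressSanitizer would do in a real build: if the vulnerable function actually read through formatParams[0], ASan would report the access as a use-after-free (or use-after-scope, when the string's storage was inline in the temporary rather than on the heap). The fix is the one in the report: give the converter a name whose scope covers every use of the array.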
(Assignee)

Updated

4 years ago
Assignee: nobody → m_kato
(Assignee)

Updated

4 years ago
Attachment #8432348 - Flags: review?(sstamm)

Comment 1

4 years ago
The code in question landed for FF32 in bug 951457.
Blocks: 951457
status-firefox31: --- → unaffected
status-firefox32: --- → affected
tracking-firefox32: --- → +
Keywords: csectype-uaf, sec-critical

Comment 2

Comment on attachment 8432348 [details] [diff] [review]
Fix

Review of attachment 8432348 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good to me.  We had similar bugs in nsCSPContext.cpp, but fixed those before landing.  Must've missed these... luckily nsCSPParser.cpp is not active code unless you set a pref (it's not enabled yet).
Attachment #8432348 - Flags: review?(sstamm) → review+

Comment 3

Looked at all the CSP code we landed. cspUtils and cspContext are fine. The proposed patch (dis)covers all the problems where that problem occurs.
(Assignee)

Comment 4

4 years ago
landed in m-i
https://hg.mozilla.org/integration/mozilla-inbound/rev/04dd691d5f59
https://hg.mozilla.org/mozilla-central/rev/04dd691d5f59
Status: NEW → RESOLVED
Last Resolved: 4 years ago
status-firefox32: affected → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
status-firefox-esr24: --- → unaffected
Marking qe-verify- due to lack of test case or STR. Please feel free to provide if you'd like this bug to be verified. Thank you.
QA Whiteboard: qe-verify-
Flags: qe-verify-
Group: core-security
Keywords: regression