Closed Bug 1033492 Opened 10 years ago Closed 10 years ago

WebCrypto: heap-buffer-overflow crash [@PK11_EnterSlotMonitor]

Categories

(Core :: DOM: Security, defect)

Product:
Core
Component:
DOM: Security
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla33
Tracking Flags:
Tracking Status
firefox31 --- unaffected
firefox32 --- verified
firefox33 --- verified
firefox-esr24 --- unaffected
b2g-v1.3 --- unaffected
b2g-v1.3T --- unaffected
b2g-v1.4 --- unaffected
b2g-v2.0 --- fixed
b2g-v2.1 --- fixed

People

(Reporter: posidron, Assigned: rbarnes)

References

(Blocks 1 open bug)

Details

(5 keywords)

Attachments

(4 files, 2 obsolete files)

testcase
416 bytes, text/html
Details
callstack
11.76 KB, text/plain
Details
bug-1033492.patch r=keeler
980 bytes, patch
dveditz
: approval-mozilla-aurora+
dveditz
: sec-approval+
Details | Diff | Splinter Review
bug-1033492.2.patch
1.18 KB, patch
rbarnes
: review+
Details | Diff | Splinter Review
Attached file callstack 

    
  
Keywords: testcase

    
    

    
  
Note that the test case only needs the generateKey call, not the rest.

After a brief look, my hypothesis is that it's effectively trying to free an unallocated object:

(1) GenerateAsymmetricKeyPairTask::GenerateAsymmetricKeyPairTask() is not permitting a key to be generated, but doesn't fail properly.  (The combination of "sign" and "RSAES-PKCS1-v1_5" is invalid.)

(2) As a result, no key pair is actually generated.

(3) ReleaseNSSResources() still tries to free the key objects, even though they don't exist.

I'll try to take a look at this tonight.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        bug-1033492.patch (obsolete)
        — Splinter Review
      

    


  
Turns out it was a failure to initialize a pointer to nullptr before using nullptr as a signal of it not having been assigned.  But I went ahead and fixed the usage issue while I was there.

The test case now behaves correctly, failing with DataError due to the incorrect "usage" value provided.

        Attachment #8449916 -
        Flags: review?(dkeeler)

    
    

    
  
Comment on attachment 8449916 [details] [diff] [review]
bug-1033492.patch

Review of attachment 8449916 [details] [diff] [review]:
-----------------------------------------------------------------

Unless I'm misunderstanding the key usages changes you're making, I think AddUsageIntersecting should be where that gets handled.
In any case, maybe that should be handled in a separate bug. r=me for 'SECKEYPublicKey* pubKey = nullptr;'
Also, we should make sure that kind of thing isn't happening elsewhere in this code.
Additionally, the testcase should be added to the test suite. However, since this code is in Aurora, there's a process so we don't 0-day ourselves, in case you weren't familiar with it already: https://wiki.mozilla.org/Security/Bug_Approval_Process

::: dom/crypto/Key.h
@@ +112,5 @@
>    void SetExtractable(bool aExtractable);
>    void SetAlgorithm(KeyAlgorithm* aAlgorithm);
> +
> +  // Usage-related utilities
> +  static nsresult StringToUsage(const nsString& aUsage, 

nit: trailing space

::: dom/crypto/WebCryptoTask.cpp
@@ +1352,5 @@
> +      Key::KeyUsage usage;
> +      mEarlyRv = Key::StringToUsage(aKeyUsages[i], usage);
> +      if (NS_FAILED(mEarlyRv)) {
> +        return;
> +      } else if (!(usage & (publicAllowedUsages | privateAllowedUsages))) {

Shouldn't AddUsageIntersecting handle this and return an error?

        Attachment #8449916 -
        Flags: review?(dkeeler) → review-

    
    

    
  


  
This patch has only the nullptr assignment.
Assignee: nobody → rlb

        Attachment #8449916 -
        Attachment is obsolete: true
Status: NEW → ASSIGNED

    
    

    
  
Comment on attachment 8450690 [details] [diff] [review]
bug-1033492.patch r=keeler

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

  Unknown

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

  It's a one-line patch, and the check-in comment indicate that there is a crash.

Which older supported branches are affected by this flaw?

  Aurora 32

If not all supported branches, which bug introduced the flaw?

  998471

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

  Included patch should also apply to Aurora.

How likely is this patch to cause regressions; how much testing does it need?

  Unlikely.

        Attachment #8450690 -
        Flags: sec-approval?
Blocks: 998471
Keywords: regression

    
    

    
  
Comment on attachment 8450690 [details] [diff] [review]
bug-1033492.patch r=keeler

sec-approval+ and aurora a+ = dveditz

        Attachment #8450690 -
        Flags: sec-approval?

        Attachment #8450690 -
        Flags: sec-approval+

        Attachment #8450690 -
        Flags: approval-mozilla-aurora+

    
  
Keywords: checkin-needed

    
    

    
  

      
      
      
      

        Attached patch
          
          
        bug-1033492.1.patch r=keeler (obsolete)
        — Splinter Review
      

    


  
Added test case.

        Attachment #8450690 -
        Attachment is obsolete: true

        Attachment #8451770 -
        Flags: review+

    
  
Keywords: checkin-needed

    
    

    
  


  

        Attachment #8451770 -
        Attachment is obsolete: true

        Attachment #8451830 -
        Flags: review+

        Attachment #8450690 -
        Attachment is obsolete: false

    
    

    
  
Reproduced the original issue several times using the following build:
- http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1404320841/

fx34: [PASSED]
- http://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1408701721/

fx33: [PASSED]
- http://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-aurora-linux64-asan/1408739215/

fx32: [PASSED]
- http://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-beta-linux64-asan/1408738736/

Went through the following test cases for each of the above channels:

- opened the poc in 10 different tabs and windows
- opened the poc in 10 different private browser tabs and windows
- opened the poc in 10 different e10s tabs and windows (m-c only)
Status: RESOLVED → VERIFIED

          status-firefox32:
          fixedverified

          status-firefox33:
          fixedverified
Group: core-security
Component: Security → DOM: Security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: