Closed
Bug 1033492
Opened 10 years ago
Closed 10 years ago
WebCrypto: heap-buffer-overflow crash [@PK11_EnterSlotMonitor]
Categories
(Core :: DOM: Security, defect)
Tracking
()
VERIFIED
FIXED
mozilla33
Tracking | Status | |
---|---|---|
firefox31 | --- | unaffected |
firefox32 | --- | verified |
firefox33 | --- | verified |
firefox-esr24 | --- | unaffected |
b2g-v1.3 | --- | unaffected |
b2g-v1.3T | --- | unaffected |
b2g-v1.4 | --- | unaffected |
b2g-v2.0 | --- | fixed |
b2g-v2.1 | --- | fixed |
People
(Reporter: posidron, Assigned: rbarnes)
References
(Blocks 1 open bug)
Details
(5 keywords)
Attachments
(4 files, 2 obsolete files)
416 bytes,
text/html
|
Details | |
11.76 KB,
text/plain
|
Details | |
980 bytes,
patch
|
dveditz
:
approval-mozilla-aurora+
dveditz
:
sec-approval+
|
Details | Diff | Splinter Review |
1.18 KB,
patch
|
rbarnes
:
review+
|
Details | Diff | Splinter Review |
Tested with http://hg.mozilla.org/integration/mozilla-inbound/rev/4ffff7bdb4c8a3ddb3f4d356385350b9bd3125d4
Reporter | ||
Comment 1•10 years ago
|
||
Assignee | ||
Comment 2•10 years ago
|
||
Note that the test case only needs the generateKey call, not the rest. After a brief look, my hypothesis is that it's effectively trying to free an unallocated object: (1) GenerateAsymmetricKeyPairTask::GenerateAsymmetricKeyPairTask() is not permitting a key to be generated, but doesn't fail properly. (The combination of "sign" and "RSAES-PKCS1-v1_5" is invalid.) (2) As a result, no key pair is actually generated. (3) ReleaseNSSResources() still tries to free the key objects, even though they don't exist. I'll try to take a look at this tonight.
Assignee | ||
Comment 3•10 years ago
|
||
Turns out it was a failure to initialize a pointer to nullptr before using nullptr as a signal of it not having been assigned. But I went ahead and fixed the usage issue while I was there. The test case now behaves correctly, failing with DataError due to the incorrect "usage" value provided.
Attachment #8449916 -
Flags: review?(dkeeler)
Comment on attachment 8449916 [details] [diff] [review] bug-1033492.patch Review of attachment 8449916 [details] [diff] [review]: ----------------------------------------------------------------- Unless I'm misunderstanding the key usages changes you're making, I think AddUsageIntersecting should be where that gets handled. In any case, maybe that should be handled in a separate bug. r=me for 'SECKEYPublicKey* pubKey = nullptr;' Also, we should make sure that kind of thing isn't happening elsewhere in this code. Additionally, the testcase should be added to the test suite. However, since this code is in Aurora, there's a process so we don't 0-day ourselves, in case you weren't familiar with it already: https://wiki.mozilla.org/Security/Bug_Approval_Process ::: dom/crypto/Key.h @@ +112,5 @@ > void SetExtractable(bool aExtractable); > void SetAlgorithm(KeyAlgorithm* aAlgorithm); > + > + // Usage-related utilities > + static nsresult StringToUsage(const nsString& aUsage, nit: trailing space ::: dom/crypto/WebCryptoTask.cpp @@ +1352,5 @@ > + Key::KeyUsage usage; > + mEarlyRv = Key::StringToUsage(aKeyUsages[i], usage); > + if (NS_FAILED(mEarlyRv)) { > + return; > + } else if (!(usage & (publicAllowedUsages | privateAllowedUsages))) { Shouldn't AddUsageIntersecting handle this and return an error?
Attachment #8449916 -
Flags: review?(dkeeler) → review-
Assignee | ||
Comment 5•10 years ago
|
||
This patch has only the nullptr assignment.
Assignee | ||
Comment 6•10 years ago
|
||
Comment on attachment 8450690 [details] [diff] [review] bug-1033492.patch r=keeler [Security approval request comment] How easily could an exploit be constructed based on the patch? Unknown Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? It's a one-line patch, and the check-in comment indicate that there is a crash. Which older supported branches are affected by this flaw? Aurora 32 If not all supported branches, which bug introduced the flaw? 998471 Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Included patch should also apply to Aurora. How likely is this patch to cause regressions; how much testing does it need? Unlikely.
Attachment #8450690 -
Flags: sec-approval?
Updated•10 years ago
|
Blocks: 998471
Keywords: regression
Comment 7•10 years ago
|
||
Comment on attachment 8450690 [details] [diff] [review] bug-1033492.patch r=keeler sec-approval+ and aurora a+ = dveditz
Attachment #8450690 -
Flags: sec-approval?
Attachment #8450690 -
Flags: sec-approval+
Attachment #8450690 -
Flags: approval-mozilla-aurora+
Assignee | ||
Updated•10 years ago
|
Keywords: checkin-needed
Comment 8•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/4c59adf6c245 Can we land the testcase too?
status-b2g-v1.3:
--- → unaffected
status-b2g-v1.3T:
--- → unaffected
status-b2g-v1.4:
--- → unaffected
status-b2g-v2.0:
--- → affected
status-b2g-v2.1:
--- → affected
status-firefox31:
--- → unaffected
status-firefox32:
--- → affected
status-firefox33:
--- → affected
status-firefox-esr24:
--- → unaffected
Flags: in-testsuite?
Keywords: checkin-needed
Target Milestone: --- → mozilla33
Assignee | ||
Comment 9•10 years ago
|
||
Added test case.
Attachment #8450690 -
Attachment is obsolete: true
Attachment #8451770 -
Flags: review+
Assignee | ||
Updated•10 years ago
|
Keywords: checkin-needed
Assignee | ||
Comment 10•10 years ago
|
||
Attachment #8451770 -
Attachment is obsolete: true
Attachment #8451830 -
Flags: review+
https://hg.mozilla.org/mozilla-central/rev/4c59adf6c245
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Updated•10 years ago
|
Attachment #8450690 -
Attachment is obsolete: false
Comment 12•10 years ago
|
||
Test: https://hg.mozilla.org/integration/mozilla-inbound/rev/2c7546553188
Comment 15•10 years ago
|
||
Reproduced the original issue several times using the following build: - http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1404320841/ fx34: [PASSED] - http://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1408701721/ fx33: [PASSED] - http://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-aurora-linux64-asan/1408739215/ fx32: [PASSED] - http://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-beta-linux64-asan/1408738736/ Went through the following test cases for each of the above channels: - opened the poc in 10 different tabs and windows - opened the poc in 10 different private browser tabs and windows - opened the poc in 10 different e10s tabs and windows (m-c only)
Updated•10 years ago
|
Group: core-security
Updated•8 years ago
|
Component: Security → DOM: Security
You need to log in
before you can comment on or make changes to this bug.
Description
•