Closed Bug 1111079 Opened 11 years ago Closed 11 years ago

Chromium IPC channel bug: use-after-free in IPC::Channel::ChannelImpl::ProcessOutgoingMessages()

Categories

(Core :: IPC, defect)

Product:
Core
Component:
IPC
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla39
Tracking Flags:
Tracking Status
firefox36 --- wontfix
firefox37 + fixed
firefox38 + fixed
firefox39 + fixed
firefox-esr31 --- unaffected
firefox-esr38 --- fixed
b2g-v1.4 --- fixed
b2g-v2.0 --- fixed
b2g-v2.0M --- fixed
b2g-v2.1 --- fixed
b2g-v2.1S --- fixed
b2g-v2.2 --- fixed
b2g-master --- fixed

People

(Reporter: jld, Assigned: jld)

References

Details

(Keywords: csectype-uaf, sec-high, Whiteboard: [adv-main37-][post-critsmash-triage])

Attachments

(2 files)

Patch
2.61 KB, patch
bent.mozilla
: review+
abillings
: sec-approval+
Details | Diff | Splinter Review
bug1111079-hg2.diff
2.61 KB, patch
lmandel
: approval-mozilla-aurora+
lmandel
: approval-mozilla-beta+
Details | Diff | Splinter Review
Upstream bug report: https://crbug.com/22451
Keywords: sec-high
Is this something you can look at soon, Jed?
Group: dom-core-security
Hi Jed, any ideas?
Flags: needinfo?(jld)
Attached patch PatchSplinter Review
Here's a patch, but I don't have any test cases to verify that it actually fixes anything. Mildly obscured try run, combined with bug 1111065: https://treeherder.mozilla.org/#/jobs?repo=try&revision=ea158edc4d70
Assignee: nobody → jld
Flags: needinfo?(jld)
Attachment #8578024 - Flags: review?(bent.mozilla)
Comment on attachment 8578024 [details] [diff] [review] Patch Review of attachment 8578024 [details] [diff] [review]: ----------------------------------------------------------------- Looks sane to me.
Attachment #8578024 - Flags: review?(bent.mozilla) → review+
Comment on attachment 8578024 [details] [diff] [review] Patch [Security approval request comment] > How easily could an exploit be constructed based on the patch? I'm not sure. I'm not even sure how exploitable this is. The upstream bug mentions a Chromium test case that caused valgrind failures, but it doesn't correspond directly to our use of IPC. Someone who knows the IPC code better might have a better idea. > Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? Probably. I can remove the upstream commit ids from the commit message. The code comments, I'd prefer to leave intact. But this bug has been public upstream since 2012: https://crbug.com/22451#c25 > Which older supported branches are affected by this flaw? Potentially all of them, but see above about how I don't actually know what the impact is. Even branches that don't use IPC as a security boundary might be affected, if it were possible for web content to somehow cause the use-after-free to occur. > Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? No, but not difficult; anything older than 35 will have a merge conflict with bug 1063318 but it's trivial to resolve. > How likely is this patch to cause regressions; how much testing does it need? Someone with a better understanding of the IPC code might have a better idea about this.
Attachment #8578024 - Flags: sec-approval?
Comment on attachment 8578024 [details] [diff] [review] Patch sec-approval+ for trunk. We will want beta and aurora patches for this once it is in. I don't think we'll take this for ESR31 as it isn't clear it is affected by the issue.
Attachment #8578024 - Flags: sec-approval? → sec-approval+
The final 37 Beta goes to build on Thu (Mar 19). Can you please create a Beta branch patch if one is necessary and request uplift approval by tomorrow morning?
Flags: needinfo?(jld)
Approval Request Comment [Feature/regressing bug #]: GeckoMediaPlugin sandboxing [User impact if declined]: See earlier comments about security implications. [Describe test coverage new/current, TreeHerder]: Built and tested dom/media/test/test_eme_playback.html on Linux/x86_64 on aurora and beta. See also previous m-c try run. [Risks and why]: Some; this touches core IPC code. [String/UUID change made/needed]: None. Note: I edited the commit message before landing (to omit the pointers to specific Chromium issues, and give it a description that may or may not be innocuous enough), which is reflected here; otherwise it's the same as the previous patch.
Flags: needinfo?(jld)
Attachment #8580350 - Flags: approval-mozilla-beta?
Attachment #8580350 - Flags: approval-mozilla-aurora?
Comment on attachment 8580350 [details] [diff] [review] bug1111079-hg2.diff This has already landed on inbound so we should get it onto Beta and Aurora. Beta+ Aurora+
Attachment #8580350 - Flags: approval-mozilla-beta?
Attachment #8580350 - Flags: approval-mozilla-beta+
Attachment #8580350 - Flags: approval-mozilla-aurora?
Attachment #8580350 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/mozilla-central/rev/e01fd5b164d6
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox39: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
Whiteboard: [adv-main37+]
Group: dom-core-security
Whiteboard: [adv-main37+] → [adv-main37-]
Group: core-security → core-security-release
Whiteboard: [adv-main37-] → [adv-main37-][post-critsmash-triage]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: