Closed
Bug 1134131
Opened 9 years ago
Closed 9 years ago
Type confusion with <picture> and <source> elements
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
mozilla38
| Tracking | Status | |
|---|---|---|
| firefox35 | --- | disabled |
| firefox36 | --- | wontfix |
| firefox37 | + | disabled |
| firefox38 | + | fixed |
| firefox-esr31 | --- | unaffected |
| b2g-v1.4 | --- | unaffected |
| b2g-v2.0 | --- | unaffected |
| b2g-v2.0M | --- | unaffected |
| b2g-v2.1 | --- | disabled |
| b2g-v2.1S | --- | disabled |
| b2g-v2.2 | --- | disabled |
| b2g-master | --- | fixed |
People
(Reporter: nils, Assigned: longsonr)
References
Details
(Keywords: sec-critical)
Attachments
(3 files)
|
519 bytes,
text/html
|
Details | |
|
8.00 KB,
text/plain
|
Details | |
|
4.60 KB,
patch
|
jst
:
review+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
The following code in HTMLImageElement::TryCreateResponsiveSelector is vulnerable to a type confusion issue:
bool isSourceTag = aSourceNode->Tag() == nsGkAtoms::source;
if (isSourceTag) {
DebugOnly<nsINode *> parent(nsINode::GetParentNode());
MOZ_ASSERT(parent && parent->Tag() == nsGkAtoms::picture);
MOZ_ASSERT(IsPreviousSibling(aSourceNode, this));
MOZ_ASSERT(pictureEnabled);
// Check media and type
HTMLSourceElement *src = static_cast<HTMLSourceElement*>(aSourceNode);
if (!src->MatchesCurrentMedia()) {
return false;
}
The code only checks whether aSourceNode has the tag name "source" without validating the namespace. The attached testcase demonstrates the issues.
|
Assignee | |
Comment 2•9 years ago
|
||
|
|
Assignee | |
Comment 3•9 years ago
|
||
Comment on attachment 8565890 [details] [diff] [review] Possible fix? Are you able to test whether this patch fixes the vulnerability?
Attachment #8565890 -
Flags: feedback?(nils)
|
|
Assignee | |
Updated•9 years ago
|
Assignee: nobody → longsonr
I can confirm that the testcase doesn't crash in an ASAN build with the patch applied.
|
|
Assignee | |
Updated•9 years ago
|
Attachment #8565890 -
Flags: review?(jst)
|
||
Comment 5•9 years ago
|
||
[Tracking Requested - why for this release]: Security bug. This affects 33 and later; we may want to backport this to aurora/beta...
|
||
Comment 6•9 years ago
|
||
Comment on attachment 8565890 [details] [diff] [review] Possible fix? Looks good, r=jst
Attachment #8565890 -
Flags: review?(jst) → review+
|
|
Assignee | |
Comment 7•9 years ago
|
||
Comment on attachment 8565890 [details] [diff] [review] Possible fix? [Security approval request comment] How easily could an exploit be constructed based on the patch? You'd know you needed to create something using a picture tag in a non-html namespace but not exactly how to do that. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? no. Which older supported branches are affected by this flaw? Firefox 33 onwards preffed off, only preffed on in Firefox 38 If not all supported branches, which bug introduced the flaw? bug 870022, bug 1017875 turned the pref on. Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? I think the patch will apply to all branches. How likely is this patch to cause regressions; how much testing does it need? The ASAN test has been rerun on it and no longer fails. This whole area could do with more tests but that seems to be bug 1017878 as far as I can tell.
Attachment #8565890 -
Flags: sec-approval?
|
||
Comment 8•9 years ago
|
||
This needs a security rating before it can be approved. It isn't clear to me what the effects of this are on the end use and the risks. Is the crash exploitable? ASAN calls it a heap-buffer-overflow but it does that a lot.
status-firefox35:
--- → disabled
status-firefox36:
--- → wontfix
status-firefox37:
--- → disabled
status-firefox38:
--- → affected
status-firefox-esr31:
--- → unaffected
tracking-firefox36:
? → ---
tracking-firefox38:
--- → +
|
|
||
Updated•9 years ago
|
Flags: sec-bounty?
I would suspect this is exploitable. The type confusion results in a heap buffer overflow. By confusing an Element (smaller) type object with a HTMLSourceElement (larger) object we end up reading past the original object, reading a pointer which might be controlled by an attacker. Looking at the crash in windbg suggests an exploitable condition as well: 5758e15c 8b4314 mov eax,dword ptr [ebx+14h] ds:002b:5a5a5a6e=???????? An object pointer is read from freed memory, the code then continues working with this bogus object pointer.
|
||
Updated•9 years ago
|
Keywords: sec-critical
|
|
||
Comment 10•9 years ago
|
||
Comment on attachment 8565890 [details] [diff] [review] Possible fix? sec-approval+ for trunk checkin.
Attachment #8565890 -
Flags: sec-approval? → sec-approval+
|
|
Assignee | |
Comment 11•9 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=08efd42d1664
|
|
Assignee | |
Comment 12•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/67ea8244ccf3
|
||
Comment 13•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/67ea8244ccf3
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
|
Reporter | |
Comment 14•9 years ago
|
||
Comment on attachment 8565890 [details] [diff] [review] Possible fix? Review of attachment 8565890 [details] [diff] [review]: ----------------------------------------------------------------- Feedback already given in previous comment.
Attachment #8565890 -
Flags: feedback?(nils)
|
||
Updated•9 years ago
|
Flags: sec-bounty? → sec-bounty+
|
|
||
Updated•9 years ago
|
status-b2g-v1.4:
--- → unaffected
status-b2g-v2.0:
--- → unaffected
status-b2g-v2.0M:
--- → unaffected
status-b2g-v2.1:
--- → disabled
status-b2g-v2.1S:
--- → disabled
status-b2g-v2.2:
--- → disabled
status-b2g-master:
--- → fixed
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•