Closed Bug 1180988 Opened 4 years ago Closed 4 years ago

Global-buffer-overflow in MessageChannel

Categories

(Core :: DOM: Service Workers, defect)



VERIFIED FIXED
mozilla42
Tracking Status
firefox40 --- unaffected
firefox41 --- verified
firefox42 --- verified
firefox-esr38 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- unaffected
b2g-v2.2r --- unaffected
b2g-master --- fixed

People

(Reporter: inferno, Assigned: baku)

Details

(Keywords: csectype-bounds, regression, sec-high)

Attachments

(2 files)

Attached file test.html
=================================================================
==36990==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fb88c372488 at pc 0x7fb8840de736 bp 0x7fff92b6b900 sp 0x7fff92b6b8f8
READ of size 8 at 0x7fb88c372488 thread T0 (Web Content)
    #0 0x7fb8840de735 in operator[] /build/firefox/src/objdir-ff-asan/dom/messagechannel/../../dist/include/nsTArray.h:488
    #1 0x7fb887f9a277 in DiscardTransferables /build/firefox/src/js/src/vm/StructuredClone.cpp:428
    #2 0x7fb887fac7c1 in JS_ClearStructuredClone /build/firefox/src/js/src/vm/StructuredClone.cpp:1913
    #3 0x7fb8840d9954 in FreeStructuredClone /build/firefox/src/dom/messagechannel/MessagePortUtils.cpp:285
    #4 0x7fb8840d1d0e in Release /build/firefox/src/dom/messagechannel/SharedMessagePortMessage.h:21 (discriminator 20)
    #5 0x7fb8840cce6f in ~nsTArray_Impl /build/firefox/src/objdir-ff-asan/dom/messagechannel/../../dist/include/nsTArray.h:827
    #6 0x7fb8840cd4ad in ~MessagePort /build/firefox/src/dom/messagechannel/MessagePort.cpp:311
    #7 0x7fb87ea494ef in ~SnowWhiteKiller /build/firefox/src/xpcom/base/nsCycleCollector.cpp:2638
    #8 0x7fb87ea4901e in FreeSnowWhite /build/firefox/src/xpcom/base/nsCycleCollector.cpp:2806 (discriminator 1)
    #9 0x7fb87fed8304 in Run /build/firefox/src/js/xpconnect/src/XPCJSRuntime.cpp:139
    #10 0x7fb87eb527d6 in ProcessNextEvent /build/firefox/src/xpcom/threads/nsThread.cpp:848
    #11 0x7fb87ebcb41c in NS_ProcessNextEvent /build/firefox/src/xpcom/glue/nsThreadUtils.cpp:265
    #12 0x7fb87f47e38e in Run /build/firefox/src/ipc/glue/MessagePump.cpp:95
    #13 0x7fb87f408fb1 in RunInternal /build/firefox/src/ipc/chromium/src/base/message_loop.cc:234
    #14 0x7fb8844d677f in _ZN14nsBaseAppShell3RunEv /build/firefox/src/widget/nsBaseAppShell.cpp:165
    #15 0x7fb88642ae03 in XRE_RunAppShell /build/firefox/src/toolkit/xre/nsEmbedFunctions.cpp:778
    #16 0x7fb87f408fb1 in RunInternal /build/firefox/src/ipc/chromium/src/base/message_loop.cc:234
    #17 0x7fb88642a327 in XRE_InitChildProcess /build/firefox/src/toolkit/xre/nsEmbedFunctions.cpp:614
    #18 0x4dbbb2 in content_process_main /build/firefox/src/ipc/app/../contentproc/plugin-container.cpp:236
    #19 0x7fb87bf27ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #20 0x41d403 in _start ??:?

0x7fb88c372488 is located 0 bytes to the right of global variable 'nsTArrayHeader::sEmptyHdr' defined in '/build/firefox/src/xpcom/glue/nsTArray.cpp:13:32' (0x7fb88c372480) of size 8
Shadow bytes around the buggy address:
  0x0ff791866440: 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff791866450: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff791866460: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff791866470: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff791866480: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
=>0x0ff791866490: 00[f9]f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ff7918664a0: 00 00 00 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff7918664b0: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x0ff7918664c0: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff7918664d0: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff7918664e0: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==36990==ABORTING
Assignee: nobody → amarchesini
Attached patch mc.patch
Attachment #8630474 - Flags: review?(bugs)
Attachment #8630474 - Flags: review?(bugs) → review+
Comment on attachment 8630474 [details] [diff] [review]
mc.patch

Approval Request Comment
[Feature/regressing bug #]: MessagePort/Channel
[User impact if declined]: a crash
[Describe test coverage new/current, TreeHerder]: none
[Risks and why]: none
[String/UUID change made/needed]: none
Attachment #8630474 - Flags: approval-mozilla-aurora?
Duplicate of this bug: 1183612
Andrea, do you know which versions of Firefox are affected? Thanks.
Flags: needinfo?(amarchesini)
Flags: needinfo?(amarchesini)
Andrea, could you please comment on the testing done and risks section of the aurora-uplift template? This will help RelMan decide on whether this patch is ready for uplift to Aurora or not.

Also, has this been checked into trunk yet? I don't see it but maybe I am missing something.
Flags: needinfo?(amarchesini)
> Also, has this been checked into trunk yet? I don't see it but maybe I am
> missing something.

It's not in m-i. I was waiting for a sec-approval. Can I land it without it?
Flags: needinfo?(amarchesini) → needinfo?(rkothari)
Comment on attachment 8630474 [details] [diff] [review]
mc.patch

Approval Request Comment
[Feature/regressing bug #]: MessagePort/MessageChannel in worker
[User impact if declined]: A crash
[Describe test coverage new/current, TreeHerder]: No test can be done because this issue is racy.
[Risks and why]: none
[String/UUID change made/needed]: none
Actually, we don't need this patch for m-i/m-c because bug 1185569 changes completely how MessagePort sends data via postMessage(). Unfortunately it's too risky to land bug 1185569 and all the dependencies.
Flags: needinfo?(rkothari)
Ok. You might want to update the sec-approval tracking flag on the patch to "?" in that case. I will hold off on approving aurora-uplift until sec-approval is +.
Comment on attachment 8630474 [details] [diff] [review]
mc.patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Relatively easy.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

Yes. Basically the issue is that when the message is freed without being dispatched we don't free the message correctly.

Which older supported branches are affected by this flaw?

Just ff 41.

If not all supported branches, which bug introduced the flaw?

This is a new API.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

Easy to write.

How likely is this patch to cause regressions; how much testing does it need?

None.
Attachment #8630474 - Flags: sec-approval?
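The ASan report in the first comment and the sec-approval answer above ("when the message is freed without being dispatched we don't free the message correctly") describe the same defect from two angles. The read is of size 8 at 0 bytes to the right of nsTArrayHeader::sEmptyHdr, the 8-byte global header that every empty nsTArray points at, which is exactly the address where element 0 of an empty array would sit; the cleanup walks a list of transferables the clone buffer still records while the port-side array it indexes was never filled. The block below is an added illustration written for this page, not Firefox code and not the mc.patch fix: a cut-down model of the shared empty header, the unchecked operator[] that produces that one-past-the-end address (computed, never dereferenced), a checked accessor, and a constructed cleanup routine in which a transferable count outlives the array it indexes. MiniArray, PendingMessage, DiscardTransferablesChecked, UncheckedSlot0 and the sample counts are names and values assumed here.

```cpp
// Added illustration, not Firefox code: a cut-down model of nsTArray's
// shared empty header and of the cleanup pattern in the ASan stack above.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>

// Every empty array points at this one 8-byte global, as nsTArray's
// nsTArrayHeader::sEmptyHdr does, so Elements() never needs a null check.
struct Header {
  uint32_t mLength;
  uint32_t mCapacity;
};
static Header sEmptyHdr = {0, 0};

template <typename T>  // T must be trivially copyable (memcpy below)
class MiniArray {
 public:
  MiniArray() : mHdr(&sEmptyHdr) {}
  ~MiniArray() { if (mHdr != &sEmptyHdr) std::free(mHdr); }
  MiniArray(const MiniArray&) = delete;
  MiniArray& operator=(const MiniArray&) = delete;

  size_t Length() const { return mHdr->mLength; }
  const Header* Hdr() const { return mHdr; }

  // Elements sit immediately after the header. For an empty array this is
  // the one-past-the-end address of sEmptyHdr: legal to form, not to read.
  T* Elements() { return reinterpret_cast<T*>(mHdr + 1); }

  // Unchecked, like nsTArray::operator[] without its debug assertion:
  // on an empty array, index 0 is the global-buffer-overflow ASan reported.
  T& operator[](size_t i) { return Elements()[i]; }

  // Checked accessor: fails instead of reading past the header.
  bool SafeElementAt(size_t i, T& out) const {
    if (i >= Length()) return false;
    out = reinterpret_cast<const T*>(mHdr + 1)[i];
    return true;
  }

  void AppendElement(const T& v) {
    if (mHdr->mLength == mHdr->mCapacity) {  // also true for sEmptyHdr (0 == 0)
      uint32_t cap = mHdr->mCapacity ? mHdr->mCapacity * 2 : 4;
      Header* h = static_cast<Header*>(std::malloc(sizeof(Header) + cap * sizeof(T)));
      h->mLength = mHdr->mLength;
      h->mCapacity = cap;
      if (mHdr != &sEmptyHdr) {
        std::memcpy(h + 1, mHdr + 1, mHdr->mLength * sizeof(T));
        std::free(mHdr);
      }
      mHdr = h;
    }
    Elements()[mHdr->mLength++] = v;
  }

 private:
  Header* mHdr;
};

// The address operator[](0) would touch on an empty array, without the read.
const void* UncheckedSlot0(MiniArray<uintptr_t>& a) { return a.Elements(); }
// "0 bytes to the right of global variable 'nsTArrayHeader::sEmptyHdr'".
const void* EndOfEmptyHdr() {
  return reinterpret_cast<const char*>(&sEmptyHdr) + sizeof(sEmptyHdr);
}

// Constructed model of the cleanup path: the clone buffer carries a count of
// transferables, the port keeps a parallel array that dispatch fills. A
// message freed before dispatch has count > 0 and an empty array.
struct PendingMessage {
  size_t transferableCount = 0;   // from the structured-clone buffer
  MiniArray<uintptr_t> portData;  // filled only when the message is dispatched
};

// Returns the number of entries released, or -1 when the count and the
// array disagree (where an unchecked loop would read past the header).
int DiscardTransferablesChecked(PendingMessage& msg) {
  int released = 0;
  for (size_t i = 0; i < msg.transferableCount; ++i) {
    uintptr_t v = 0;
    if (!msg.portData.SafeElementAt(i, v)) return -1;
    (void)v;     // a real implementation would release the object here
    ++released;
  }
  return released;
}

int main() {
  MiniArray<uintptr_t> empty;
  std::printf("empty header shared: %d\n", empty.Hdr() == &sEmptyHdr);
  std::printf("slot 0 is end of sEmptyHdr: %d\n", UncheckedSlot0(empty) == EndOfEmptyHdr());
  PendingMessage undispatched;
  undispatched.transferableCount = 2;
  std::printf("undispatched cleanup: %d\n", DiscardTransferablesChecked(undispatched));
  return 0;
}
```

The point of the model is that sEmptyHdr makes an empty-array index-0 read a global overflow rather than a null dereference, which is why ASan attributes the access to that 8-byte global; a release build without the debug assertion reads whatever follows the header in .data. The practical check is the one in DiscardTransferablesChecked: the iteration bound must come from the array actually being indexed, not from a count stored elsewhere that can outlive it.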
Comment on attachment 8630474 [details] [diff] [review]
mc.patch

Approvals given!
Attachment #8630474 - Flags: sec-approval?
Attachment #8630474 - Flags: sec-approval+
Attachment #8630474 - Flags: approval-mozilla-aurora?
Attachment #8630474 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/619f2707ec0d

Resolving the bug and setting trunk to fixed by bug 1185569 based on comment 8.
Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(amarchesini)
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Flags: needinfo?(amarchesini)
Group: core-security → core-security-release
Flags: qe-verify+
Reproduced the crash on 2015-07-28 Aurora (build ID: 20150728004007).

Confirming the fix on:
* Latest 42.0a2 Aurora, build ID: 20150907004030
* Firefox 41 beta 7, build ID: 20150903133607.

Tested on Windows 10 64-bit.
Status: RESOLVED → VERIFIED
QA Contact: cornel.ionce
Group: core-security-release
Keywords: regression
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+