Closed
Bug 1184500
(CVE-2015-4482)
Opened 10 years ago
Closed 10 years ago
Out of bounds write in mar_read.c
Categories
(Toolkit :: Application Update, defect)
Tracking
()
VERIFIED
FIXED
mozilla42
People
(Reporter: hofusec, Assigned: spohl)
Details
(Keywords: reporter-external, sec-high, Whiteboard: [adv-main40+][adv-esr38.2+])
Attachments
(3 files)
|
3.98 MB,
application/zip
|
Details | |
|
2.73 KB,
text/plain
|
Details | |
|
764 bytes,
patch
|
robert.strong.bugs
:
review+
lmandel
:
approval-mozilla-aurora+
lmandel
:
approval-mozilla-beta+
lmandel
:
approval-mozilla-esr31-
lmandel
:
approval-mozilla-esr38+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
While opening a mar file it's possible to trigger an out of bounds write with a very long item file name (near 4 GB, so it's work only on 64bit).
This will happen before any signature or size check so it's can be triggered during a normal update process.
To reproduce extract the update.mar and try an update with an 64bit updater or use the mar tool like 'mar -t ./update.mar'
|
Reporter | |
Comment 1•10 years ago
|
||
|
Assignee | |
Comment 3•10 years ago
|
||
Sure!
Assignee: nobody → spohl.mozilla.bugs
Flags: needinfo?(spohl.mozilla.bugs)
|
|
Assignee | |
Comment 4•10 years ago
|
||
The length of the name is stored as a signed int, but is obtained by subtracting one pointer from another. If the result was greater than the max positive value of the signed int, we would pass along a negative name length to |mar_insert_item|, which would call |malloc| with an incorrect size.
Attachment #8634920 -
Flags: review?(robert.strong.bugs)
|
||
Comment 5•10 years ago
|
||
Comment on attachment 8634920 [details] [diff] [review]
Patch
Thanks! Could you go through the libmar code to look for other cases that might be exploitable?
Attachment #8634920 -
Flags: review?(robert.strong.bugs) → review+
|
|
Assignee | |
Comment 6•10 years ago
|
||
(In reply to Robert Strong [:rstrong] (use needinfo to contact me) from comment #5)
> Thanks! Could you go through the libmar code to look for other cases that
> might be exploitable?
Yes, will do. I'll open separate bugs in case I encounter anything else.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
|
|
Assignee | |
Comment 7•10 years ago
|
||
Comment on attachment 8634920 [details] [diff] [review]
Patch
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Unfortunately, the patch is very straightforward. With some familiarity with our MAR format, it isn't very hard to construct an exploit.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
The commit message is kept pretty vague, but the straightforward code of the fix itself gives it away quite easily.
Which older supported branches are affected by this flaw?
This has been in the tree since we moved to Mercurial in 2007.
If not all supported branches, which bug introduced the flaw?
n/a
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
This patch should apply to all branches. If any changes are necessary, it will be straightforward.
How likely is this patch to cause regressions; how much testing does it need?
Risk of regression is virtually 0. Manual testing & verification with the attached test case is straightforward on any OS supported by libmar.
Attachment #8634920 -
Flags: sec-approval?
|
|
Assignee | |
Comment 8•10 years ago
|
||
(In reply to Holger Fuhrmannek from comment #0)
> To reproduce extract the update.mar and try an update with an 64bit updater
> or use the mar tool like 'mar -t ./update.mar'
nit: this should read './mar -t update.mar'
|
||
Comment 9•10 years ago
|
||
Sec-approval+ for trunk and we should get branch patches.
status-firefox39:
--- → wontfix
status-firefox40:
--- → affected
status-firefox41:
--- → affected
status-firefox42:
--- → affected
status-firefox-esr31:
--- → affected
status-firefox-esr38:
--- → affected
tracking-firefox40:
--- → +
tracking-firefox41:
--- → +
tracking-firefox42:
--- → +
tracking-firefox-esr31:
--- → ?
tracking-firefox-esr38:
--- → 40+
|
|
||
Updated•10 years ago
|
Attachment #8634920 -
Flags: sec-approval? → sec-approval+
|
|
Assignee | |
Comment 10•10 years ago
|
||
Comment on attachment 8634920 [details] [diff] [review]
Patch
I just confirmed that this patch applies to all the branches for which I'm requesting approval here.
Approval Request Comment
[Feature/regressing bug #]: n/a
[User impact if declined]: Security bug would remain in our updater and any other products that rely on libmar.
[Describe test coverage new/current, TreeHerder]: Local testing shows that we correctly abort in the situation reported in this bug.
[Risks and why]: Virtually none.
[String/UUID change made/needed]: none.
Attachment #8634920 -
Flags: approval-mozilla-esr38?
Attachment #8634920 -
Flags: approval-mozilla-esr31?
Attachment #8634920 -
Flags: approval-mozilla-beta?
Attachment #8634920 -
Flags: approval-mozilla-aurora?
|
|
Assignee | |
Comment 11•10 years ago
|
||
Keywords: checkin-needed
|
||
Comment 12•10 years ago
|
||
Keywords: checkin-needed
|
||
Comment 13•10 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
|
||
Comment 14•10 years ago
|
||
Comment on attachment 8634920 [details] [diff] [review]
Patch
Let's get this small fix on active branches. Note that ESR31 will be EOL on Aug 11 so will only receive chemspill fixes at this point. We do not need to backport to ESR31.
Beta+ Aurora+ ESR38+
ESR31-
Attachment #8634920 -
Flags: approval-mozilla-esr38?
Attachment #8634920 -
Flags: approval-mozilla-esr38+
Attachment #8634920 -
Flags: approval-mozilla-esr31?
Attachment #8634920 -
Flags: approval-mozilla-esr31-
Attachment #8634920 -
Flags: approval-mozilla-beta?
Attachment #8634920 -
Flags: approval-mozilla-beta+
Attachment #8634920 -
Flags: approval-mozilla-aurora?
Attachment #8634920 -
Flags: approval-mozilla-aurora+
|
||
Comment 15•10 years ago
|
||
|
|
||
Comment 16•10 years ago
|
||
status-b2g-v2.0:
--- → affected
status-b2g-v2.0M:
--- → affected
status-b2g-v2.1:
--- → affected
status-b2g-v2.1S:
--- → affected
status-b2g-v2.2:
--- → affected
status-b2g-v2.2r:
--- → affected
status-b2g-master:
--- → fixed
|
|
||
Comment 17•10 years ago
|
||
|
|
||
Comment 18•10 years ago
|
||
|
|
||
Comment 19•10 years ago
|
||
|
|
||
Updated•10 years ago
|
Whiteboard: [adv-main40+][adv-esr38.2+]
|
||
Updated•10 years ago
|
QA Contact: florin.mezei
|
|
||
Updated•10 years ago
|
Alias: CVE-2015-4482
|
||
Comment 20•10 years ago
|
||
I've tried to verify this today on Windows 7 x64, using the latest available win64 Firefox 38 ESR (http://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-esr38-win64/latest/).
To verify I used steps from here: https://wiki.mozilla.org/Software_Update:Manually_Installing_a_MAR_file#Steps_for_Windows.
When I run: <path to outside directory>\updater.exe <path to outside directory> <path to installation directory> <path to installation directory>, the update starts to apply but then hugs all system memory and the OS hangs. Is this expected to happen even after the fix? Is this test scenario correct to verify this issue?
Flags: needinfo?(spohl.mozilla.bugs)
|
|
Assignee | |
Comment 21•10 years ago
|
||
Yes, that's a valid scenario to verify the fix. I just confirmed this locally. You're correct that running this test will use 100% of one CPU and about 4GB of memory. After about half a minute, the updater should exit without a crash. You should see an update.log file next to <path to outside directory>\updater.exe with contents similar to:
> PATCH DIRECTORY C:\Users\spohl\Desktop\test
> INSTALLATION DIRECTORY C:\Program Files\Nightly
> WORKING DIRECTORY C:\Program Files\Nightly
> failed: 6
> calling QuitProgressUI
Another way to verify is to run mar.exe[1] directly in a cmd prompt:
> mar.exe -t update.mar
This will use 100% of one CPU, require about 4GB to run and take about half a minute. Once the mar.exe exits, you can type the following in the cmd prompt to get its return code:
> echo %errorlevel%
The value should read -1.
Prior to the fix in this bug, you should see a crash dialog appear after about half a minute of running either updater.exe or mar.exe. I confirmed this with[2].
Please let me know if you don't get the same results.
[1] http://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-esr38-win64/latest/mar.exe
[2] http://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-esr38-win64/1437070886/
Flags: needinfo?(spohl.mozilla.bugs) → needinfo?(florin.mezei)
|
|
||
Comment 22•10 years ago
|
||
Thanks for your help Stephen! I gave this another try today on the same machine (after freeing up some additional memory) and it worked as you've specified:
- Firefox 39 (x64) => updater crashed after a little while
- Firefox 40 Beta 9, latest Firefox 41 Aurora, latest Firefox 42 Nightly, latest ESR 38 tinderbox build [1] (all x64) => updater closed without crashing and the log file contents look exactly as you've specified
I used the same test scenario as in comment 20 (with updater.exe from each build). Marking this as verified.
[1] - http://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-esr38-win64/latest/
Status: RESOLVED → VERIFIED
Flags: needinfo?(florin.mezei)
|
|
||
Updated•10 years ago
|
Flags: sec-bounty?
|
||
Updated•10 years ago
|
Flags: sec-bounty? → sec-bounty+
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•9 years ago
|
Group: core-security-release
|
||
Updated•9 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•