Closed
Bug 1200835
Opened 9 years ago
Closed 9 years ago
Missing status check can cause ExportingKeyTask::DoCrypto to silently elide key usages
Categories
(Core :: DOM: Security, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 968520
People
(Reporter: q1, Unassigned)
Details
ExportingKeyTask::DoCrypto (dom\crypto\WebCryptoTask.cpp) does not check the return status of Sequence<nsString>::AppendElements when creating its list of allowed key usages. This bug can cause DoCrypto falsely to indicate that a given key has no valid usages. That, in turn, might deceive a JS program into using a different, possibly-weaker key, or possibly no encryption at all, for a given task. This could occur either because a site unintentionally causes OOM, or because an attacker site intentionally causes OOM with the idea of compromising a different site running in the same browser.

Details:
--------

The bug is in WebCryptoTask.cpp line 1965:

1963:   if (!mKeyUsages.IsEmpty()) {
1964:     mJwk.mKey_ops.Construct();
1965:     mJwk.mKey_ops.Value().AppendElements(mKeyUsages);
1966:   }
1967:
1968:   return NS_OK;

mKey_ops is defined in obj*\dist\include\mozilla\dom\SubtleCryptoBinding.h:

912: struct JsonWebKey : public DictionaryBase
...
922:   Optional<Sequence<nsString>> mKey_ops;

A Sequence<> isa FallibleTArray, as defined in dom\bindings\BindingDeclarations.h:

443: template<typename T>
444: class Sequence : public FallibleTArray<T>
...

so AppendElements returns error on OOM rather than crashing the browser, but line 1965 doesn't check it and line 1968 incorrectly returns success.
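Added illustration (not part of the original report and not Mozilla code): a self-contained model of the pattern described above, showing how an ignored fallible append yields a success status with an empty usage list, next to a form that propagates the failure. FallibleSeq, Jwk, Status and the budget parameter are hypothetical stand-ins; the allocation failure is simulated with an element budget.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical stand-in for a fallible array: AppendElements reports
// allocation failure by returning false instead of aborting the process.
struct FallibleSeq {
    std::vector<std::string> items;
    std::size_t budget = 0;  // constructed: how many elements "memory" allows
    bool AppendElements(const std::vector<std::string>& src) {
        if (items.size() + src.size() > budget) return false;  // simulated OOM
        items.insert(items.end(), src.begin(), src.end());
        return true;
    }
};

enum Status { OK, ERR_OUT_OF_MEMORY };

struct Jwk {
    bool has_key_ops = false;  // models Optional<>::Construct() having run
    FallibleSeq key_ops;
};

// Pattern from the report: the append result is dropped, so a failed append
// still returns OK and the exported key advertises an empty usage list.
Status ExportUnchecked(const std::vector<std::string>& usages, std::size_t budget, Jwk& out) {
    if (!usages.empty()) {
        out.has_key_ops = true;
        out.key_ops.budget = budget;
        (void)out.key_ops.AppendElements(usages);
    }
    return OK;
}

// Checked form: the failure is propagated, so the caller never receives a
// key object whose usages were silently dropped.
Status ExportChecked(const std::vector<std::string>& usages, std::size_t budget, Jwk& out) {
    if (!usages.empty()) {
        out.key_ops.budget = budget;
        if (!out.key_ops.AppendElements(usages)) return ERR_OUT_OF_MEMORY;
        out.has_key_ops = true;
    }
    return OK;
}
```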
Updated•9 years ago
Flags: sec-bounty?
Updated•9 years ago
Flags: needinfo?(ttaubert)
Comment 1•9 years ago
This is already fixed by bug 968520: http://mxr.mozilla.org/mozilla-central/source/dom/crypto/WebCryptoTask.cpp#2014
(In reply to Andrea Marchesini (PTO until 8/9) from comment #1)
> This is already fixed by bug 968520:
>
> http://mxr.mozilla.org/mozilla-central/source/dom/crypto/WebCryptoTask.cpp#2014

Looks like it. Marking as a dupe.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Updated•9 years ago
Flags: needinfo?(ttaubert)
Updated•9 years ago
Group: core-security → core-security-release
Is there a schedule for https://bugzilla.mozilla.org/show_bug.cgi?id=968520 to land?
Comment 4•9 years ago
(In reply to q1 from comment #3)
> Is there a schedule for https://bugzilla.mozilla.org/show_bug.cgi?id=968520
> to land?

Parts of it landed already in July. I'm not sure why the bug is still open.
Updated•9 years ago
Flags: sec-bounty? → sec-bounty-
Updated•8 years ago
Group: core-security-release