Closed Bug 1200835 Opened 10 years ago Closed 10 years ago

Missing status check can cause ExportingKeyTask::DoCrypto to silently elide key usages

Categories: Core :: DOM: Security, defect
Version: 40 Branch
Type: defect
Priority: Not set
Severity: normal
Tracking: RESOLVED DUPLICATE of bug 968520
People: Reporter: q1, Unassigned
Keywords: reporter-external

ExportingKeyTask::DoCrypto (dom\crypto\WebCryptoTask.cpp) does not check the return status of Sequence<nsString>::AppendElements when creating its list of allowed key usages. This bug can cause DoCrypto to falsely indicate that a given key has no valid usages. That, in turn, might deceive a JS program into using a different, possibly weaker key, or possibly no encryption at all, for a given task. This could occur either because a site unintentionally causes OOM, or because an attacker site intentionally causes OOM with the idea of compromising a different site running in the same browser.

Details:
--------

The bug is in WebCryptoTask.cpp line 1965:

    1963:   if (!mKeyUsages.IsEmpty()) {
    1964:     mJwk.mKey_ops.Construct();
    1965:     mJwk.mKey_ops.Value().AppendElements(mKeyUsages);
    1966:   }
    1967:
    1968:   return NS_OK;

mKey_ops is defined in obj*\dist\include\mozilla\dom\SubtleCryptoBinding.h:

    912: struct JsonWebKey : public DictionaryBase
    ...
    922:   Optional<Sequence<nsString>> mKey_ops;

A Sequence<> is a FallibleTArray, as defined in dom\bindings\BindingDeclarations.h:

    443: template<typename T>
    444: class Sequence : public FallibleTArray<T>
    ...

so AppendElements returns an error on OOM rather than crashing the browser, but line 1965 doesn't check it and line 1968 incorrectly returns success.
Flags: sec-bounty?
Flags: needinfo?(ttaubert)
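The failure mode the report describes, as an added example that is not Mozilla's code and not the fix that landed in bug 968520: a minimal stand-in for a fallible array whose AppendElements returns false on allocation failure, a simulated OOM via an allocation budget, and the exporting step written twice, once ignoring the result (as reported) and once propagating it. All names here (sim::FallibleArray, SetAllocBudget, ExportKeyOpsUnchecked, ExportKeyOpsChecked, the nsresult values) are simplified assumptions for illustration, not Gecko's real types.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

namespace sim {

// Hypothetical allocation budget (in elements) so the OOM path can be
// triggered deterministically. Not a real allocator hook.
static size_t gAllocBudget = SIZE_MAX;

inline void SetAllocBudget(size_t n) { gAllocBudget = n; }

// Stand-in for a fallible array: AppendElements reports failure with a
// return value instead of aborting the process.
template <typename T>
class FallibleArray {
 public:
  bool AppendElements(const std::vector<T>& items) {
    if (items.size() > gAllocBudget) {
      return false;  // simulated OOM: nothing was appended, caller must check
    }
    gAllocBudget -= items.size();
    mData.insert(mData.end(), items.begin(), items.end());
    return true;
  }
  bool IsEmpty() const { return mData.empty(); }
  size_t Length() const { return mData.size(); }

 private:
  std::vector<T> mData;
};

enum nsresult { NS_OK = 0, NS_ERROR_OUT_OF_MEMORY = 1 };

// Stand-in for the JWK dictionary: key_ops is optional and only "present"
// once the exporter constructs it.
struct JsonWebKey {
  bool mKeyOpsPresent = false;
  FallibleArray<std::string> mKeyOps;
};

// Pattern as reported: the result of AppendElements is discarded, so under
// OOM the function returns NS_OK with a present but empty key_ops list, which
// a JS caller reads as "this key has no permitted usages".
nsresult ExportKeyOpsUnchecked(const std::vector<std::string>& keyUsages,
                               JsonWebKey& jwk) {
  if (!keyUsages.empty()) {
    jwk.mKeyOpsPresent = true;
    jwk.mKeyOps.AppendElements(keyUsages);  // return value ignored
  }
  return NS_OK;
}

// Hardened pattern: a failed append becomes an error, so the caller gets a
// rejected export rather than a key that silently lost its usages.
nsresult ExportKeyOpsChecked(const std::vector<std::string>& keyUsages,
                             JsonWebKey& jwk) {
  if (!keyUsages.empty()) {
    jwk.mKeyOpsPresent = true;
    if (!jwk.mKeyOps.AppendElements(keyUsages)) {
      return NS_ERROR_OUT_OF_MEMORY;
    }
  }
  return NS_OK;
}

}  // namespace sim

int main() {
  const std::vector<std::string> usages = {"sign", "verify"};

  sim::SetAllocBudget(0);  // force the simulated OOM
  sim::JsonWebKey bad;
  sim::nsresult rvBad = sim::ExportKeyOpsUnchecked(usages, bad);
  std::cout << "unchecked: rv=" << rvBad << " key_ops present=" << bad.mKeyOpsPresent
            << " length=" << bad.mKeyOps.Length() << '\n';

  sim::JsonWebKey good;
  sim::nsresult rvGood = sim::ExportKeyOpsChecked(usages, good);
  std::cout << "checked:   rv=" << rvGood << '\n';
  return 0;
}
```

Under the forced OOM the unchecked version reports success with an empty key_ops list, while the checked version returns an error and the export fails visibly; with a sufficient budget both succeed and record both usages.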
(In reply to Andrea Marchesini (PTO until 8/9) from comment #1)
> This is already fixed by bug 968520:
>
> http://mxr.mozilla.org/mozilla-central/source/dom/crypto/WebCryptoTask.cpp#2014

Looks like it. Marking as a dupe.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Flags: needinfo?(ttaubert)
Group: core-security → core-security-release
(In reply to q1 from comment #3)
> Is there a schedule for https://bugzilla.mozilla.org/show_bug.cgi?id=968520
> to land?

Parts of it landed already in July. I'm not sure why the bug is still open.
Flags: sec-bounty? → sec-bounty-
Group: core-security-release