Closed
Bug 1204155
(CVE-2015-7200)
Opened 9 years ago
Closed 9 years ago
Missing status check in CryptoKey::SetSymKey creates potential security bug
Categories
(Core :: DOM: Security, defect)
Tracking
()
RESOLVED
FIXED
mozilla44
People
(Reporter: q1, Assigned: ttaubert)
Details
(Keywords: reporter-external, sec-moderate, Whiteboard: [post-critsmash-triage][adv-main42+])
Attachments
(4 files)
4.41 KB,
patch
|
mt
:
review+
|
Details | Diff | Splinter Review |
7.15 KB,
patch
|
mt
:
review+
|
Details | Diff | Splinter Review |
9.78 KB,
patch
|
ttaubert
:
review+
Sylvestre
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
9.78 KB,
patch
|
ttaubert
:
review+
Sylvestre
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
CryptoKey::SetSymKey (dom\crypto\CryptoKey.cpp) assigns its argument to a member variable, but the destination isa CryptoBuffer, which isa FallibleTArray, so the assignment can fail if FF is nearly OOM due to some other operation. If it fails, the Javascript program that invoked SetSymKey (such as via crypto.subtle,deriveKey) receives a zero-length key. If it doesn't check the length before using the key for an encryption or signing operation, the resulting ciphertext or signature will be trivially weak.
Details:
--------
(cryptokey.cpp)
297: void CryptoKey::SetSymKey(const CryptoBuffer& aSymKey)
298: {
299: mSymKey = aSymKey;
300: }
(cryptokey.h)
61: class CryptoKey final : public nsISupports,
62: public nsWrapperCache,
63: public nsNSSShutDownObject
64: {
...
196: CryptoBuffer mSymKey;
...
199:};
(cryptobuffer.h)
21: class CryptoBuffer : public FallibleTArray<uint8_t>
...
There is also a similar bug in CryptoKey::ReadStructuredClone line 1128.
There is also a similar bug in ImportKeyTask::SetKeyData (dom\crypto\WebCryptoTask.cpp line 1289, though that one appears to be latent, at least as to the code path that arises from window.crypto.subtle,deriveKey (ImportSymmetricKeyTask::BeforeCrypto gets called after the assignment. It checks whether mKeyData.Length() == 0, and errors out if so). There may, however, be other non-latent paths into SetKeyData.
These bugs are still present in today's Aurora:
http://hg.mozilla.org/releases/mozilla-aurora/file/a7bb121ef972/dom/crypto/CryptoKey.cpp
http://hg.mozilla.org/releases/mozilla-aurora/file/a7bb121ef972/dom/crypto/CryptoKey.h
http://hg.mozilla.org/releases/mozilla-aurora/file/a7bb121ef972/dom/crypto/CryptoBuffer.h
http://hg.mozilla.org/releases/mozilla-aurora/file/a7bb121ef972/dom/crypto/WebCryptoTask.cpp
Updated•9 years ago
|
Group: core-security → dom-core-security
The following JS illustrates the issue. Use it by attaching a debugger to FF.
First run it without any breakpoints. You should see an alert box saying "keytype is oct with length 43 and k <base64 data>".
Next put a breakpoint on CryptoKey::SetSymKey and run the JS again. Skip the assignment and proceed to emulate an OOM. You should see no exceptions, with an alert box saying "keytype is oct with length 0 and k".
-------------------
<!DOCTYPE html>
<html>
<head>
</head>
<body>
<script type="text/javascript">
window.crypto.subtle.generateKey(
{
name: "ECDH", namedCurve: "P-256",
},
true, ["deriveKey"]
)
.then(function (key) {
window.crypto.subtle.deriveKey(
{
name: "ECDH", namedCurve: "P-256",
public: key.publicKey,
},
key.privateKey,
{
name: "AES-CBC", length: 256,
},
true, ["encrypt", "decrypt"]
)
.then(function (keydata) {
window.crypto.subtle.exportKey(
"jwk", keydata)
.then(function (keydata) {
alert(
"keytype is " + keydata.kty + " with length " + keydata.k.length + " and k " + keydata.k);
})
.catch(function (err) {
alert(err);
});
})
.catch(function (err) {
alert(err);
});
})
.catch(function (err) {
alert(err);
});
</script>
</body>
</html>
Ack! "Skip the assignment and proceed to emulate an OOM" is ambiguous. It should say "Emulate an OOM by skipping the assignment and continuing execution".
Updated•9 years ago
|
Flags: sec-bounty?
Flags: needinfo?(rlb)
Assignee | ||
Comment 4•9 years ago
|
||
This uses CryptoBuffer.Assign() instead of the = operator for SetSymKey() to catch OOM situations.
Assignee | ||
Comment 5•9 years ago
|
||
Did the same thing for CryptoKey::SetPrivateKey() and ::SetPublicKey() where SECKEY_CopyPrivateKey() and SECKEY_CopyPublicKey() can fail due to OOM.
Attachment #8660649 -
Flags: review?(rlb)
Comment 6•9 years ago
|
||
Seems an unlikely and unreliable attack vector, but this could unknowingly affect people leading to weak keys which would be an ongoing problem for them.
Keywords: sec-moderate
Assignee | ||
Comment 7•9 years ago
|
||
Comment on attachment 8660648 [details] [diff] [review]
0001-Bug-1204155-Account-for-OOM-in-CryptoKey-SetSymKey.patch
Hey Martin, would you maybe have time for a look?
Attachment #8660648 -
Flags: review?(martin.thomson)
Assignee | ||
Updated•9 years ago
|
Attachment #8660649 -
Flags: review?(martin.thomson)
Updated•9 years ago
|
Attachment #8660648 -
Flags: review?(martin.thomson) → review+
Updated•9 years ago
|
Attachment #8660649 -
Flags: review?(martin.thomson) → review+
Assignee | ||
Comment 8•9 years ago
|
||
Thank you Martin!
Assignee | ||
Updated•9 years ago
|
Attachment #8660648 -
Flags: review?(rlb)
Assignee | ||
Updated•9 years ago
|
Attachment #8660649 -
Flags: review?(rlb)
Assignee | ||
Comment 9•9 years ago
|
||
Comment on attachment 8660648 [details] [diff] [review]
0001-Bug-1204155-Account-for-OOM-in-CryptoKey-SetSymKey.patch
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Seems an unlikely and unreliable attack vector, but this could unknowingly affect people leading to weak keys which would be an ongoing problem for them.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
From looking at the patch it's obvious we're checking for OOM situations, not much more than that.
Which older supported branches are affected by this flaw?
Everything from ESR 38 to Nightly 44.
If not all supported branches, which bug introduced the flaw?
Bug 995385, i.e. Firefox 32, although pref'ed off at that time.
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Same risk, the patches posted here apply perfectly on Aurora and Beta, almost perfectly on Release and ESR 38.
How likely is this patch to cause regressions; how much testing does it need?
Quite unlikely to cause regressions, we also have tests covering that code.
Attachment #8660648 -
Flags: sec-approval?
Assignee | ||
Comment 10•9 years ago
|
||
I assume that some versions of FirefoxOS are affected as well, not sure how the versioning scheme there works.
status-firefox41:
--- → affected
status-firefox42:
--- → affected
status-firefox43:
--- → affected
status-firefox44:
--- → affected
status-firefox-esr38:
--- → affected
Comment 11•9 years ago
|
||
Tim, I think that the trick here will be to uplift 3.21 when we have some evidence that it works. This is the usual process. We have an NSS call in a few minutes where we will decide what the contents of 3.21 are. I will advise.
I wouldn't consider a bug of this severity to be worth doing anything exceptional for, but we do generally uplift NSS to beta once we are sure that it's OK.
Assignee | ||
Comment 12•9 years ago
|
||
(In reply to Martin Thomson [:mt:] from comment #11)
> Tim, I think that the trick here will be to uplift 3.21 when we have some
> evidence that it works. This is the usual process. We have an NSS call in
> a few minutes where we will decide what the contents of 3.21 are. I will
> advise.
Those are all just changes in dom/crypto/, not in NSS.
> I wouldn't consider a bug of this severity to be worth doing anything
> exceptional for, but we do generally uplift NSS to beta once we are sure
> that it's OK.
Yeah, I figured it's not a very sensitive bug but I wanted that confirmed :)
Comment 13•9 years ago
|
||
Plan is to cut a 3.21 beta early next week. We will ask for uplift of that once NSS releases, which is usually a week after we land a beta in m-c, assuming that we discover no issues in that time.
Comment 14•9 years ago
|
||
Comment on attachment 8660648 [details] [diff] [review]
0001-Bug-1204155-Account-for-OOM-in-CryptoKey-SetSymKey.patch
Sec-moderate bugs don't need sec-approval so I'm clearing the request. https://wiki.mozilla.org/Security/Bug_Approval_Process
Attachment #8660648 -
Flags: sec-approval?
Assignee | ||
Comment 15•9 years ago
|
||
(In reply to Al Billings [:abillings] from comment #14)
> Sec-moderate bugs don't need sec-approval so I'm clearing the request.
> https://wiki.mozilla.org/Security/Bug_Approval_Process
Ah, I didn't know that. Sorry for the hassle.
Assignee | ||
Comment 16•9 years ago
|
||
(In reply to Martin Thomson [:mt:] from comment #13)
> Plan is to cut a 3.21 beta early next week. We will ask for uplift of that
> once NSS releases, which is usually a week after we land a beta in m-c,
> assuming that we discover no issues in that time.
I'm confused, these patches don't depend on NSS, do they? Maybe we're just talking past each other? :)
Comment 17•9 years ago
|
||
Gah, I'm sorry, you are right. I'm getting wires crossed. If it were up to me, I'd go for uplift to aurora or beta only, they aren't especially dangerous.
Assignee | ||
Comment 18•9 years ago
|
||
Agreed.
Comment 19•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/48dfe8c77b2f
https://hg.mozilla.org/mozilla-central/rev/a4bf09cda682
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Updated•9 years ago
|
Group: dom-core-security → core-security-release
Assignee | ||
Comment 20•9 years ago
|
||
Approval Request Comment
[Feature/regressing bug #]: Introduced with initial WebCrypto API landing
[User impact if declined]: We don't fail (as we should) when copying or setting CryptoKeys fails due to OOM.
[Describe test coverage new/current, TreeHerder]:
[Risks and why]: Low risk, covered by tests.
[String/UUID change made/needed]: None.
Squashed patches for Aurora uplift r=mt
Attachment #8669568 -
Flags: review+
Attachment #8669568 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 21•9 years ago
|
||
Approval Request Comment
[Feature/regressing bug #]: Introduced with initial WebCrypto API landing
[User impact if declined]: We don't fail (as we should) when copying or setting CryptoKeys fails due to OOM.
[Describe test coverage new/current, TreeHerder]:
[Risks and why]: Low risk, covered by tests.
[String/UUID change made/needed]: None.
Squashed patches for Beta uplift r=mt
Attachment #8669583 -
Flags: review+
Attachment #8669583 -
Flags: approval-mozilla-beta?
Comment 22•9 years ago
|
||
Comment on attachment 8669568 [details] [diff] [review]
0001-Bug-1204155-Account-for-OOM-when-setting-or-copying-.patch
Taking in two branches.
As the patch mostly checks error code, it should be pretty safe. Should be in 42 beta 4.
Attachment #8669568 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated•9 years ago
|
Attachment #8669583 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 23•9 years ago
|
||
Updated•9 years ago
|
Flags: sec-bounty? → sec-bounty+
Updated•9 years ago
|
Whiteboard: [post-critsmash-triage]
Updated•9 years ago
|
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main42+]
Updated•9 years ago
|
Alias: CVE-2015-7200
Updated•9 years ago
|
Flags: needinfo?(rlb)
Updated•8 years ago
|
Group: core-security-release
Updated•6 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•