Closed
Bug 1240760
(CVE-2016-1962)
Opened 9 years ago
Closed 9 years ago
Second datachannel with id crashes in PR_Unlock | mozilla::DataChannelConnection::Close after navigation
Categories
(Core :: WebRTC: Networking, defect, P1)
Tracking
()
VERIFIED
FIXED
mozilla47
| backlog | webrtc/webaudio+ |
People
(Reporter: dominique.hazael-massieux, Assigned: jesup)
References
Details
(5 keywords, Whiteboard: [adv-main45+][adv-esr38.7+])
Crash Data
Attachments
(4 files)
|
773 bytes,
text/html
|
Details | |
|
58 bytes,
text/x-review-board-request
|
mcmanus
:
review+
|
Details |
|
3.75 KB,
patch
|
jesup
:
review+
ritu
:
approval-mozilla-aurora+
ritu
:
approval-mozilla-beta+
ritu
:
approval-mozilla-esr38+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
|
3.48 KB,
patch
|
jesup
:
review+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0
Build ID: 20160106231438
Steps to reproduce:
Load the attached page
Actual results:
The page loads, redirects to mozilla.org, and after ~20 seconds, Firefox crashes.
This is reproducible with any other navigation action, including a simple reload.
from my quick tests, it only happens when 2 data channels are open, with the 2nd set to use the same id as the one the first one automatically gets; it's probably somewhat related to https://bugzilla.mozilla.org/show_bug.cgi?id=1017462
Expected results:
Firefox should not have crashed
|
Reporter | |
Comment 1•9 years ago
|
||
|
|
Reporter | |
Updated•9 years ago
|
Component: Untriaged → WebRTC: Networking
Product: Firefox → Core
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=d3a2e391df48f1c9389bdc132eb72065442dc2db&tochange=9a44575026505c955bdda462d6ad346d197ab107
I guess the crash was already present and surfaced after bug 1205249 which has disabled jemalloc.
Blocks: 1205249
Severity: normal → critical
Status: UNCONFIRMED → NEW
Crash Signature: [@ PR_Unlock | mozilla::DataChannelConnection::Close ]
status-firefox43:
--- → affected
status-firefox44:
--- → affected
status-firefox45:
--- → affected
status-firefox46:
--- → affected
tracking-firefox45:
--- → ?
tracking-firefox46:
--- → ?
Ever confirmed: true
Keywords: crash,
reproducible
OS: Unspecified → All
Hardware: Unspecified → All
Summary: Second datachannel with id crashes Firefox after navigation → Second datachannel with id crashes in PR_Unlock | mozilla::DataChannelConnection::Close after navigation
|
Assignee | |
Updated•9 years ago
|
Assignee: nobody → rjesup
backlog: --- → webrtc/webaudio+
Rank: 10
Priority: -- → P1
|
||
Comment 3•9 years ago
|
||
Forgot to mention that I actually tried to reproduce the problem with the provided test page. But it looks like because of the timing of adding the ICE candidates (before calling setRemoteDescription) on my machine ICE fails to establish any connection. So I was not able to reproduce the problem.
|
||
Comment 4•9 years ago
|
||
Tracking for 46+ since this sounds like a reproducible crash.
|
||
Comment 5•9 years ago
|
||
I see only two crashes over the last 28 days. Not sure I care enough to track it.
|
|
Assignee | |
Comment 6•9 years ago
|
||
Hold onto mConnection since inside Close() it may call through the mConnection and
then null it out inside.
Review commit: https://reviewboard.mozilla.org/r/35499/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/35499/
Attachment #8720898 -
Flags: review?(mcmanus)
|
|
Assignee | |
Comment 7•9 years ago
|
||
Note: should be trivially upliftable
|
|
Assignee | |
Comment 8•9 years ago
|
||
Note: this is a UAF crash - we're freeing the DataChannelConnection from within a call through it. Minimum sec-high, but it's a UAF-on-GC basically, so that seems worth sec-crit
Group: media-core-security
Keywords: csectype-uaf,
sec-critical
|
|
Assignee | |
Updated•9 years ago
|
status-firefox-esr38:
--- → affected
status-firefox-esr45:
--- → affected
|
||
Updated•9 years ago
|
Attachment #8720898 -
Flags: review?(mcmanus) → review+
|
|
||
Comment 9•9 years ago
|
||
Comment on attachment 8720898 [details]
MozReview Request: Bug 1240760: keep a grip on the owning DataChannelConnection DataChannel::Close() r?mcmanus
https://reviewboard.mozilla.org/r/35499/#review32155
|
|
Assignee | |
Comment 10•9 years ago
|
||
mcmanus r+'d the mozreview version; re-uploading for approvals
|
|
Assignee | |
Updated•9 years ago
|
Attachment #8720910 -
Flags: review+
|
|
Assignee | |
Comment 11•9 years ago
|
||
Comment on attachment 8720910 [details] [diff] [review]
keep a grip on the owning DataChannelConnection DataChannel::Close()
[Security approval request comment]
How easily could an exploit be constructed based on the patch? Not easily, though may point to a possible UAF, especially the comment
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? Somewhat (the comment). Someone who knows gecko may intuit that adding a ref like this implies possible UAF.
Which older supported branches are affected by this flaw? All
If not all supported branches, which bug introduced the flaw?
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Trivial, should apply with little or no change
How likely is this patch to cause regressions; how much testing does it need? Very unlikely to regress; holds a ref for a little longer.
Attachment #8720910 -
Flags: sec-approval?
Attachment #8720910 -
Flags: approval-mozilla-beta?
Attachment #8720910 -
Flags: approval-mozilla-aurora?
|
|
Assignee | |
Comment 12•9 years ago
|
||
Comment on attachment 8720910 [details] [diff] [review]
keep a grip on the owning DataChannelConnection DataChannel::Close()
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined:
Fix Landed on Version: 47 (will land)
Risk to taking this patch (and alternatives if risky): Very low risk
String or UUID changes made by this patch: none
See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8720910 -
Flags: approval-mozilla-esr38?
|
||
Comment 13•9 years ago
|
||
(In reply to Sylvestre Ledru [:sylvestre] from comment #5)
> I see only two crashes over the last 28 days. Not sure I care enough to
> track it.
Because it is a sec-critical rated security issue. Please reconsider your minusing of it everywhere.
sec-approval+.
|
|
||
Updated•9 years ago
|
Attachment #8720910 -
Flags: sec-approval? → sec-approval+
|
|
||
Updated•9 years ago
|
tracking-firefox-esr38:
--- → ?
|
|
Assignee | |
Comment 14•9 years ago
|
||
(In reply to Al Billings [:abillings] from comment #13)
> (In reply to Sylvestre Ledru [:sylvestre] from comment #5)
> > I see only two crashes over the last 28 days. Not sure I care enough to
> > track it.
>
> Because it is a sec-critical rated security issue. Please reconsider your
> minusing of it everywhere.
>
> sec-approval+.
I'll note he minused it before I made it a sec issue (I noted the crash address was a 5e5e...)
|
|
Assignee | |
Updated•9 years ago
|
Flags: needinfo?(sledru)
|
|
Assignee | |
Comment 16•9 years ago
|
||
Version of patch with comment removed and simplified log comment for checkin
|
|
Assignee | |
Updated•9 years ago
|
Attachment #8721156 -
Flags: review+
|
|
Assignee | |
Comment 17•9 years ago
|
||
|
||
Comment 18•9 years ago
|
||
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
Comment on attachment 8720910 [details] [diff] [review]
keep a grip on the owning DataChannelConnection DataChannel::Close()
Sec-crit issue, taking it in beta, aurora, esr38.
Attachment #8720910 -
Flags: approval-mozilla-esr38?
Attachment #8720910 -
Flags: approval-mozilla-esr38+
Attachment #8720910 -
Flags: approval-mozilla-beta?
Attachment #8720910 -
Flags: approval-mozilla-beta+
Attachment #8720910 -
Flags: approval-mozilla-aurora?
Attachment #8720910 -
Flags: approval-mozilla-aurora+
|
||
Updated•9 years ago
|
Group: media-core-security → core-security-release
|
|
||
Comment 20•9 years ago
|
||
|
|
||
Comment 21•9 years ago
|
||
|
|
||
Comment 22•9 years ago
|
||
(In reply to Al Billings [:abillings] from comment #13)
> Because it is a sec-critical rated security issue. Please reconsider your
> minusing of it everywhere.
Is it just for tracking and as Randell mentioned, it wasn't a security issue at this time.
I would have been happy to take the uplift (and happy that Ritu did it)
Flags: needinfo?(sledru)
Carsten, Wes: Could you please land this on esr38 branch too? Thanks!
Flags: needinfo?(wkocher)
Flags: needinfo?(cbook)
Looks like it was already done, just not marked:
https://hg.mozilla.org/releases/mozilla-esr38/rev/221de852fda3
|
|
||
Updated•9 years ago
|
Flags: sec-bounty?
|
||
Updated•9 years ago
|
Flags: sec-bounty? → sec-bounty+
|
||
Updated•9 years ago
|
|
||
Comment 27•9 years ago
|
||
I was able to reproduce this crash on Firefox 46.0a1 (2016-01-19) using Windows 10 64-bit.
Verified fixed on Firefox 47.0a1 (2016-02-29), Firefox 46.0a2 (2016-02-29), Firefox 45 beta 10 (20160225145837), Firefox 45 ESR tinderbox-build (20160229180409) and Firefox 38.6.1esrpre tinderbox-build (20160229210832) under Windows 10 64-bit, Ubuntu 12.04 32-bit and Mac OS X 10.11.
Status: RESOLVED → VERIFIED
|
|
||
Updated•9 years ago
|
Whiteboard: [adv-main45+][adv-esr38.7+]
|
|
||
Updated•9 years ago
|
Alias: CVE-2016-1962
|
|
||
Updated•8 years ago
|
Group: core-security-release
|
||
Updated•9 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•