Closed Bug 1245866 Opened 9 years ago Closed 9 years ago

Crash at nsIDNService::IDNA2008ToUnicode nsUDPSocket::SetMulticastLoopback js::frontend::Parser<js::frontend::FullParseHandler>::functionDef NS_UnescapeURL arena_run_dalloc

Categories

(Core :: Networking: DNS, defect)

Product:
Core
Component:
Networking: DNS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla47
Tracking Flags:
Tracking Status
firefox44 --- wontfix
firefox45 + verified
firefox46 + fixed
firefox47 + verified
firefox-esr38 --- unaffected

People

(Reporter: cbook, Assigned: baku)

References

(
URL
)

Details

(Keywords: crash, csectype-bounds, sec-critical, Whiteboard: [adv-main45+])

Attachments

(3 files, 3 obsolete files)

bughunter stack
117.59 KB, text/plain
Details
crash.patch
1008 bytes, patch
jfkthame
: review+
abillings
: approval-mozilla-aurora+
abillings
: approval-mozilla-beta+
abillings
: sec-approval+
Details | Diff | Splinter Review
Testcase
1.18 KB, patch
smaug
: review+
Details | Diff | Splinter Review
Attached file bughunter stack
Found via bughunter and reproduced on a win 7 trunk debug build based on m-c tip from today Steps to reproduce: -> Load http://estimativa.org.br/home/index.php/noticias/257-como-funciona-o-orcamento-publico --> Crashes both opt and debug builds Windbg reports: STATUS_STACK_BUFFER_OVERRUN encountered Signature seems to be nsIDNService::IDNA2008ToUnicode nsUDPSocket::SetMulticastLoopback js::frontend::Parser<js::frontend::FullParseHandler>::functionDef NS_UnescapeURL arena_run_dalloc
baku, smaug: is this something for you guys ?
Flags: needinfo?(bugs)
Flags: needinfo?(amarchesini)
baku can reproduce this, I can't. (I'm using clang on linux, he is using gcc. perhaps that matters here.)
Flags: needinfo?(bugs)
Also Beta/45 and Aurora/46 on Windows and RHEL Linux 64bit. Note bughunter uses tinderbox builds, so you might have some luck with those.
status-firefox45: --- → affected
status-firefox46: --- → affected
and Firefox 44 bp-d119c2eb-c2cb-4bd1-a568-ae8fd2160131 which is rated as medium.
status-firefox44: --- → affected
I'm taking this bug.
Assignee: nobody → amarchesini
Flags: needinfo?(amarchesini)
Attached patch crash.patch (obsolete) — Splinter Review
Attachment #8716940 - Flags: review?(bugs)
This looks like an out-of-bounds write to the stack with some kind of content-controlled data, so I'm going to mark it sec-critical.
Component: DOM → Networking: DNS
Keywords: csectype-bounds, sec-critical
Group: core-security → network-core-security
sylvester, something for beta (according to #3 and #4) and ride along ?
Flags: needinfo?(sledru)
Comment on attachment 8716940 [details] [diff] [review] crash.patch I have no idea why this would be right. Sure, shouldn't crash, but why we use different kind of buffer here comparing to the other case uidna_labelToUnicode is being called. I'm not familiar with this code. Simon or Jonathan should review this. This is after all a regression from bug 479520.
Attachment #8716940 - Flags: review?(bugs) → review?(smontagu)
Flags: needinfo?(smontagu)
Flags: needinfo?(jfkthame)
Yes, we probably want this in beta. Thanks Carsten!
Flags: needinfo?(sledru)
Comment on attachment 8716940 [details] [diff] [review] crash.patch Review of attachment 8716940 [details] [diff] [review]: ----------------------------------------------------------------- ::: netwerk/dns/nsIDNService.cpp @@ +168,5 @@ > UIDNAInfo info = UIDNA_INFO_INITIALIZER; > UErrorCode errorCode = U_ZERO_ERROR; > int32_t inLen = inputStr.Length(); > int32_t outMaxLen = inLen - kACEPrefixLen + 1; > + UChar outputBuffer[outMaxLen]; Is it OK to use a variable-size array here? I thought that was a non-standard extension. AIUI, it's part of C99, but became optional in C11; not sure of the status in C++ but at least https://gcc.gnu.org/onlinedocs/gcc/Variable-Length.html describes it as an extension. ISTM we should probably either use kMaxDNSNodeLen + 1 as outMaxLen (if truncating excessively-long input is OK here -- Simon?), or use a standard C++ method to allocate the variable-sized buffer.
Attached patch crash.patchSplinter Review
Attachment #8716940 - Attachment is obsolete: true
Attachment #8716940 - Flags: review?(smontagu)
Attachment #8719471 - Flags: review?(bugs)
Comment on attachment 8719471 [details] [diff] [review] crash.patch (I'm really not familiar with this code, so I don't know what is a good max length. Is there some testcase leading to executing this code and also the other method using uidna_labelToUnicode)
Attachment #8719471 - Flags: review?(bugs) → review?(jfkthame)
Attached patch Testcase (obsolete) — Splinter Review
Here's an example that will hit both those codepaths. It will crash with current trunk due to the bug in IDNA2008ToUnicode; the patch makes that function safely return an error code instead. Obviously, we can't land the crashtest until the bug is fixed, as it points directly at the badness.
Attachment #8719544 - Flags: review?(bugs)
Comment on attachment 8719471 [details] [diff] [review] crash.patch Review of attachment 8719471 [details] [diff] [review]: ----------------------------------------------------------------- Yes, AFAICS using the fixed kMaxDNSNodeLen+1 limit is fine here.
Attachment #8719471 - Flags: review?(jfkthame) → review+
Attached patch Testcase (obsolete) — Splinter Review
Just adding <meta charset=utf-8> to the testcase; sorry for the churn.
Attachment #8719545 - Flags: review?(bugs)
Attachment #8719544 - Attachment is obsolete: true
Attachment #8719544 - Flags: review?(bugs)
Attached patch TestcaseSplinter Review
Just adding <meta charset=utf-8> to the testcase; sorry for the churn.
Attachment #8719546 - Flags: review?(bugs)
Attachment #8719545 - Attachment is obsolete: true
Attachment #8719545 - Flags: review?(bugs)
Flags: needinfo?(jfkthame)
Attachment #8719546 - Flags: review?(bugs) → review+
Comment on attachment 8719471 [details] [diff] [review] crash.patch [Security approval request comment] How easily could an exploit be constructed based on the patch? The patch makes it pretty obvious which buffer is being overrun; and then it's not hard to guess how one might hit this codepath from content. So a DoS exploit, at least, is trivial; and given that it's a stack buffer being overflowed, I imagine overwriting a return address and executing arbitrary code may not be much more difficult. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? Comments aren't needed, the patch itself is a bullseye! As is the crashtest (in separate patch). Which older supported branches are affected by this flaw? Affects mozilla-44 and later; esr-38 should be unaffected. If not all supported branches, which bug introduced the flaw? Bug 479520. Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Backport is trivial. How likely is this patch to cause regressions; how much testing does it need? Minimal regression risk, this just ensures we pass the correct buffer size to prevent an overflow.
Attachment #8719471 - Flags: sec-approval?
Comment on attachment 8719546 [details] [diff] [review] Testcase See above. The crashtest provides a trivial demonstration of how to hit the bug; I assume we should wait until the bug is fixed on all channels before we land the test anywhere.
Attachment #8719546 - Flags: sec-approval?
Comment on attachment 8719471 [details] [diff] [review] crash.patch sec-approval+ for the patch. The crashtest should wait until we ship a release with a fix so I'm clearing sec-approval? on that. Please nominate for aurora and beta so we can land it there as well.
Attachment #8719471 - Flags: sec-approval? → sec-approval+
Attachment #8719546 - Flags: sec-approval?
Comment on attachment 8719471 [details] [diff] [review] crash.patch Approval Request Comment [Feature/regressing bug #]: bug 479520 [User impact if declined]: buffer overflow triggered by content, leading to crash or potentially exploitable vulnerability [Describe test coverage new/current, TreeHerder]: crashtest will be landed after we ship the fix [Risks and why]: minimal risk -- matches outbuffer size and parameter [String/UUID change made/needed]: none
Attachment #8719471 - Flags: approval-mozilla-beta?
Attachment #8719471 - Flags: approval-mozilla-aurora?
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Attachment #8719471 - Flags: approval-mozilla-beta?
Attachment #8719471 - Flags: approval-mozilla-beta+
Attachment #8719471 - Flags: approval-mozilla-aurora?
Attachment #8719471 - Flags: approval-mozilla-aurora+
Approved (and discussed with Release Management).
What's the status of esr45 at this point? Does landing this in beta45 mean it's automatically going to be fixed for esr45 as well, or do we need to track/fix that separately?
Flags: needinfo?(abillings)
As long as it makes it onto 45 (which it did), it is ok for ESR45. People are only marking ESR45 affected on things to make sure, if we fixed it later, that ESR45 doesn't get lost.
status-firefox44: affectedwontfix
status-firefox-esr45: affected → ---
Flags: needinfo?(abillings)
Group: network-core-security → core-security-release
Whiteboard: [adv-main45+]
Reproduced the crash with "Nightly has stopped working" message using 47.0a1 Nightly debug builds under Win 7 64-bit and Ubuntu 14.04 64-bit. The crash no longer occurs with Firefox 45.0 2016-03-01 and Nightly 47.0a1 2016-03-02.
Status: RESOLVED → VERIFIED
status-firefox45: fixedverified
status-firefox47: fixedverified
Group: core-security-release

Oops, the needinfo should have been cleared.

URL: http://estimativa.org.br/home/index.p...http://estimativa.org.br/home/index.p...
Flags: needinfo?(smontagu)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: