1270381 - (CVE-2016-2819) HTML5 parser heap-buffer-overflow

Status: VERIFIED FIXED

(Core :: DOM: HTML Parser, defect)

Description

[firehack]

Attachment: Detail report: minimized PoC, demo exploit, asan 49 log, brief of analysis

User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36

Steps to reproduce:

Using Firefox to load proof-of-concept code


Actual results:

Firefox crashed.

Comment 1

[firehack]

Attachment: Minimized PoC

Comment 2

[firehack]

Attachment: Firefox 46.0.1 crash with register value 0x41414141

Comment 3

[:Gijs (he/him)]

Henri, can you look into this?

(I'm tidying up the signature field; the full stack is also in attachment 8749033 [details].)

Comment 4

[Henri Sivonen (:hsivonen)]

I'll take a look.

Comment 5

[Henri Sivonen (:hsivonen)]

Attachment: Treat the root of the stack as being "special" per spec

Root cause:

Fragment parsing in the spec does not put the context node at the start of the stack. Instead, it always puts an <html> node there. Our parser implementation puts the context node there in order to have stuff appended to the context node without special casing what note to append to.

Algorithms in the spec use the guaranteed presence of the <html> as a sentinel when walking the stack. Even though this has been taken into account in the algorithms in the implementation where the spec checks for <html>, it hadn't been taken into account in cases where the spec checks for "special". <html> is "special" but e.g. <svg> as a context node isn't.

Fix:

Adding stack position checks to isSpecial() checks.

Additional info:

After applying the patch, Firefox and Chrome produce different trees. (I was unable to test in Edge, because innerHTML on <svg> doesn't appear to work in Edge.) Once it's okay to disclose the PoC, we should follow up and figure out why Firefox and Chrome behave differently here.

On the topic of disclosing the PoC: Reporter, once Mozilla's security folks mark this bug as publicly visible, are you OK with contributing the PoC to https://github.com/html5lib/html5lib-tests/ ? If you don't want to go through the trouble of preparing a pull request in the right format, I can prepare the PR (once it's time to disclose) if you like.

Comment 6

[firehack]

(In reply to Henri Sivonen (:hsivonen) from comment #5)
> 
> On the topic of disclosing the PoC: Reporter, once Mozilla's security folks
> mark this bug as publicly visible, are you OK with contributing the PoC to
> https://github.com/html5lib/html5lib-tests/ ? If you don't want to go
> through the trouble of preparing a pull request in the right format, I can
> prepare the PR (once it's time to disclose) if you like.

Yes, please do a pull request if you think it's need. I'm not understanding parser and spec enough to do. Thank you.

Comment 7

[William Chen [:wchen]]

Comment on attachment 8749604 [details] [diff] [review]
Treat the root of the stack as being "special" per spec

Review of attachment 8749604 [details] [diff] [review]:
-----------------------------------------------------------------

::: parser/html/javasrc/TreeBuilder.java
@@ +2187,1 @@
>                                      } else if (node.isSpecial()

I think it would be easier to understand that the (eltPos == 0) statement and the (node.isSpecial() && ...) statement are actually handling the same situation if you combined them. i.e. ((eltPos == 0 || node.isSpecial()) && ...). Normally when I see eltPos == 0 by itself in the code I expect that it's because the spec explicitly requires special handling for the root element.

Comment 8

[Henri Sivonen (:hsivonen)]

Comment on attachment 8749604 [details] [diff] [review]
Treat the root of the stack as being "special" per spec

[Security approval request comment]
> How easily could an exploit be constructed based on the patch?

It's obvious from the patch what the core problem is, but it takes a bit more than trivial effort to work out how to get the parser into the problematic state.

> Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

There's a new assertion that makes it pretty clear what the core problem is, but that's apparent from the code changes, too.

> Which older supported branches are affected by this flaw?

All still supported ones.

> If not all supported branches, which bug introduced the flaw?

(Either foreign fragment parsing or the combination of templates on top of foreign fragment parsing.)

> Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

The same patch should apply (possibly with trivial edits).

> How likely is this patch to cause regressions; how much testing does it need?

Extremely unlikely to regress anything.

Comment 9

[Al Billings [:abillings - ex-MoCo]]

sec-approval+ for trunk. We'll want Aurora, Beta, and ESR45 patches made and nominated to go in following trunk landing. If you can get them nom'd soon, we can make next week's beta.

Comment 10

[Henri Sivonen (:hsivonen)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/5f64adf2773bb89ba6867f60906f390266b6ab4f
Bug 1270381. r=wchen.

Comment 11

[Henri Sivonen (:hsivonen)]

Attachment: Patch as landed with review comment addressed

The patch applies to branches as-is.

Comment 12

[Phil Ringnalda (:philor)]

https://hg.mozilla.org/mozilla-central/rev/5f64adf2773b

Comment 13

[Henri Sivonen (:hsivonen)]

Comment on attachment 8752585 [details] [diff] [review]
Patch as landed with review comment addressed

Approval Request Comment
> [Feature/regressing bug #]:

SVG fragment parsing combined with HTML templates.

> [User impact if declined]:

Security risk.

> [Describe test coverage new/current, TreeHerder]:

Landed uneventfully on trunk.

> [Risks and why]: 

About as low as code change risk can be.

> [String/UUID change made/needed]:

None.

[Approval Request Comment]
> If this is not a sec:{high,crit} bug, please state case for ESR consideration:

sec-critical.

> User impact if declined:

Security risk.
 
> Fix Landed on Version:

49

> Risk to taking this patch (and alternatives if risky): 

About as low as code change risk can be.

> String or UUID changes made by this patch: 

None.

Comment 14

[Ritu Kothari (:ritu) (Inactive, please n-i to RyanVM, jcristau, or pascal)]

Comment on attachment 8752585 [details] [diff] [review]
Patch as landed with review comment addressed

Sec-crit, Aurora48+, Beta47+, ESR45+

Comment 15

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/releases/mozilla-aurora/rev/3d583c1845ca
https://hg.mozilla.org/releases/mozilla-beta/rev/c9199c063d5b
https://hg.mozilla.org/releases/mozilla-esr45/rev/072992bf176d

Comment 16

[Bogdan Maris, Desktop QA]

Reproduced the initial crash on Windows 7 64bit using old Nightly from 2016-05-04 :
bp-e1212068-c791-45d2-92ec-c78b82160530
Verified that using Firefox 47beta9, latest Developer Edition 48.0a2, latest Nightly 49.0a1 and preESR build 45.1.2 on Windows 7 64bit, Ubuntu 14.04 64bit and Mac OS X 10.10.5 the crash does not reproduce anymore.

Comment 17

[Henri Sivonen (:hsivonen)]

https://hg.mozilla.org/projects/htmlparser/rev/2fa40a1fc9bc9204e939b65ee4d66bb4f486706c
Mozilla bug 1270381. r=wchen.

Comment 18

[Henri Sivonen (:hsivonen)]

(In reply to Henri Sivonen (:hsivonen) from comment #17)
> https://hg.mozilla.org/projects/htmlparser/rev/
> 2fa40a1fc9bc9204e939b65ee4d66bb4f486706c
> Mozilla bug 1270381. r=wchen.

I forgot to push the change to the htmlparser repo back in May. The corresponding landing to Firefox repos was already handled in comment 12 and in comment 15.