Closed Bug 1287266 (CVE-2016-5261) Opened 9 years ago Closed 9 years ago

Integer overflow and memory corruption in WebSocketChannel

Categories

(Core :: Networking: WebSockets, defect)

Product:
Core
Component:
Networking: WebSockets
Version:
47 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla50
Tracking Flags:
Tracking Status
firefox47 --- wontfix
firefox48 --- fixed
firefox49 --- fixed
firefox-esr45 49+ fixed
firefox50 --- fixed

People

(Reporter: mozilla, Assigned: michal)

Details

(Keywords: csectype-intoverflow, reporter-external, sec-high, Whiteboard: [necko-active][adv-main48+][adv-esr45.4+])

Attachments

(2 files, 1 obsolete file)

Proof of Concept code
1.78 KB, application/zip
Details
fix
1.07 KB, patch
mcmanus
: review+
Sylvestre
: approval-mozilla-aurora+
Sylvestre
: approval-mozilla-beta+
Sylvestre
: approval-mozilla-esr45+
Details | Diff | Splinter Review
Attached file Proof of Concept code
From WebSocketChannel::ProcessInput if (payloadLength64 + mFragmentAccumulator > mMaxMessageSize) { return NS_ERROR_FILE_TOO_BIG; } |payloadLength64| is taken from the incoming websocket frame, and thus attacker controlled, while |mFragmentAccumulator| is the total size of all previous fragments belonging to the current message. The check tries to ensure that no incoming message is ever larger than |kMaxMessageSize|, which itself is at most INT32_MAX. However, The check is incorrect due to the types of the operands: int64_t payloadLength64 uint32_t mFragmentAccumulator; int32_t mMaxMessageSize; According to the arithmetic conversion rules [1], |mFragmentAccumulator| and |kMaxMessageSize| will be converted to int64_t before the comparison. As such the comparison is signed and will evaluate to false if the sum becomes negative. This can be achieved as follows: 1. Send a websocket fragment of size X (where X is less than |kMaxMessageSize|) 2. Send a second websocket fragment of size 0x7fffffffffffffff The sum will then become negative and the check fails. What happens then? uint32_t payloadLength = static_cast<uint32_t>(payloadLength64); if (avail < payloadLength) break; |payloadLength| will be 0xffffffff and so ProcessInput will defer processing of the message until this many bytes have been received. Incoming data is thus buffered internally until a whole message has been received. WebSocketChannel::UpdateReadBuffer does this. Let's see what happens there: } else { // existing buffer is not sufficient, extend it mBufferSize += count + 8192 + mBufferSize/3; LOG(("WebSocketChannel: update read buffer extended to %u\n", mBufferSize)); uint8_t *old = mBuffer; mBuffer = (uint8_t *)realloc(mBuffer, mBufferSize); if (!mBuffer) { mBuffer = old; return false; } mFramePtr = mBuffer + (mFramePtr - old); } ::memcpy(mBuffer + mBuffered, buffer, count); The buffer will be resized multiple times. However, at some point 'count + 8192 + mBufferSize/3' will overflow, resulting in realloc actually shrinking the array. The following memcpy will then write controlled data at a known offset from the new buffer. Attached is an html file and a python script. The html file sets up the websocket connection while the python script implements a simple websocket server and sends the malicious frames once a client is connected. To reproduce: start the python script on localhost and open websocket.html via file://. The python script should start printing progress information and at some point the browser will crash. The backtrace at the time of the crash: Process 75634 stopped * thread #8: tid = 0x206a90, 0x00007fff882ed01c libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 252, name = 'Socket Thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x26d51700a) frame #0: 0x00007fff882ed01c libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 252 libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell: -> 0x7fff882ed01c <+252>: vmovups ymmword ptr [rax], ymm0 0x7fff882ed020 <+256>: vmovups ymm2, ymmword ptr [rsi + 0x20] 0x7fff882ed025 <+261>: add rsi, 0x40 0x7fff882ed029 <+265>: sub rdx, 0x80 (lldb) bt * thread #8: tid = 0x206a90, 0x00007fff882ed01c libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 252, name = 'Socket Thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x26d51700a) * frame #0: 0x00007fff882ed01c libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 252 frame #1: 0x0000000102f91eb8 XUL`mozilla::net::WebSocketChannel::UpdateReadBuffer(this=0x00000001217c3000, buffer="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., count=2048, accumulatedFragments=1024, available=0x000070000029ee0c) + 1096 at WebSocketChannel.cpp:1481 frame #2: 0x0000000102f92088 XUL`mozilla::net::WebSocketChannel::ProcessInput(this=0x00000001217c3000, buffer="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., count=2048) + 360 at WebSocketChannel.cpp:1512 frame #3: 0x0000000102fa06b2 XUL`mozilla::net::WebSocketChannel::OnInputStreamReady(this=0x00000001217c3000, aStream=0x0000000122ee5630) + 898 at WebSocketChannel.cpp:3937 frame #4: 0x00000001027c6489 XUL`nsInputStreamReadyEvent::Run(this=0x000000011a713880) + 137 at nsStreamUtils.cpp:95 frame #5: 0x00000001027fabeb XUL`nsThread::ProcessNextEvent(this=0x0000000100719100, aMayWait=true, aResult=0x000070000029f88e) + 1211 at nsThread.cpp:1067 frame #6: 0x0000000102885e4c XUL`NS_ProcessNextEvent(aThread=0x0000000100719100, aMayWait=true) + 140 at nsThreadUtils.cpp:290 frame #7: 0x00000001029e8a74 XUL`mozilla::net::nsSocketTransportService::Run(this=0x0000000100719000) + 1572 at nsSocketTransportService2.cpp:911 frame #8: 0x00000001027fabeb XUL`nsThread::ProcessNextEvent(this=0x0000000100719100, aMayWait=false, aResult=0x000070000029fbfe) + 1211 at nsThread.cpp:1067 frame #9: 0x0000000102885e4c XUL`NS_ProcessNextEvent(aThread=0x0000000100719100, aMayWait=false) + 140 at nsThreadUtils.cpp:290 frame #10: 0x00000001031f7c86 XUL`mozilla::ipc::MessagePumpForNonMainThreads::Run(this=0x000000011a82b5c0, aDelegate=0x000000010072b460) + 646 at MessagePump.cpp:354 frame #11: 0x00000001030f4f15 XUL`MessageLoop::RunInternal(this=0x000000010072b460) + 117 at message_loop.cc:235 frame #12: 0x00000001030f4e75 XUL`MessageLoop::RunHandler(this=0x000000010072b460) + 21 at message_loop.cc:228 frame #13: 0x00000001030f4e1d XUL`MessageLoop::Run(this=0x000000010072b460) + 45 at message_loop.cc:208 frame #14: 0x00000001027f8538 XUL`nsThread::ThreadFunc(aArg=0x0000000100719100) + 472 at nsThread.cpp:467 frame #15: 0x000000010235692d libnss3.dylib`_pt_root(arg=0x0000000100734eb0) + 429 at ptthread.c:216 frame #16: 0x00007fff894cf99d libsystem_pthread.dylib`_pthread_body + 131 frame #17: 0x00007fff894cf91a libsystem_pthread.dylib`_pthread_start + 168 frame #18: 0x00007fff894cd351 libsystem_pthread.dylib`thread_start + 13 [1] http://en.cppreference.com/w/c/language/conversion#Usual_arithmetic_conversions
Pat/Jed/Michal, can you look into this?
Flags: needinfo?(michal.novotny)
Flags: needinfo?(mcmanus)
Flags: needinfo?(jld)
thanks - michal can fix this up.
Group: firefox-core-security → network-core-security
Component: Security → Networking: WebSockets
Flags: needinfo?(mcmanus)
Product: Firefox → Core
Whiteboard: [necko-active]
Assignee: nobody → michal.novotny
Flags: needinfo?(michal.novotny)
Flags: needinfo?(jld)
Attached patch fix (obsolete) — Splinter Review
Attachment #8772804 - Flags: review?(mcmanus)
Comment on attachment 8772804 [details] [diff] [review] fix Review of attachment 8772804 [details] [diff] [review]: ----------------------------------------------------------------- ::: netwerk/protocol/websocket/WebSocketChannel.cpp @@ +1568,5 @@ > > LOG(("WebSocketChannel::ProcessInput: payload %lld avail %lu\n", > payloadLength64, avail)); > > + if (payloadLength64 > UINT32_MAX) { What about: CheckedInt<in64_t> payloadLengthChecked(payloadLength64); payloadLengthChecked += mFragmentAccumulator; if (!payloadLengthChecked.isValid() || payloadLengthChecked.value() > mMaxMessageSize) { return NS_ERROR_FILE_TOO_BIG; }
Attachment #8772804 - Flags: feedback-
Attached patch fixSplinter Review
Attachment #8772804 - Attachment is obsolete: true
Attachment #8772804 - Flags: review?(mcmanus)
Attachment #8772816 - Flags: review?(mcmanus)
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Comment on attachment 8772816 [details] [diff] [review] fix Review of attachment 8772816 [details] [diff] [review]: ----------------------------------------------------------------- Thanks Michal - and thanks for the CheckedInt shoutout
Attachment #8772816 - Flags: review?(mcmanus) → review+
Comment on attachment 8772816 [details] [diff] [review] fix Approval Request Comment [Feature/regressing bug #]: probably 640003 [User impact if declined]: memory corruption caused by malicious page [Describe test coverage new/current, TreeHerder]: tested manually against test provided by reporter [Risks and why]: low, simple integer overflow fix [String/UUID change made/needed]: none
Attachment #8772816 - Flags: approval-mozilla-beta?
Attachment #8772816 - Flags: approval-mozilla-aurora?
I think we need a sec approval here. I guess esr45 is also impacted?
status-firefox47: --- → wontfix
status-firefox48: --- → affected
status-firefox49: --- → affected
status-firefox50: --- → affected
status-firefox-esr45: --- → ?
Yes, this needs sec-approval to go into trunk (and anywhere else).
Flags: sec-bounty?
(In reply to Sylvestre Ledru [:sylvestre] from comment #8) > I think we need a sec approval here. > I guess esr45 is also impacted? landed without sec-approval in https://hg.mozilla.org/integration/mozilla-inbound/rev/311e127edfff and got now merged in: https://hg.mozilla.org/mozilla-central/rev/311e127edfff
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox50: affectedfixed
Flags: needinfo?(abillings)
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Comment on attachment 8772816 [details] [diff] [review] fix Next time, please wait for the sec approval before landing it. Taking it to beta and aurora as we don't have much choice and we need it for beta 10... Al, should we take into esr45? Thanks
Attachment #8772816 - Flags: approval-mozilla-beta?
Attachment #8772816 - Flags: approval-mozilla-beta+
Attachment #8772816 - Flags: approval-mozilla-aurora?
Attachment #8772816 - Flags: approval-mozilla-aurora+
This needs a security rating before we can know and the sec-approval? template questions answered.
Flags: needinfo?(abillings)
(In reply to Al Billings [:abillings] from comment #12) > This needs a security rating before we can know and the sec-approval? > template questions answered. --> michal?
Flags: needinfo?(michal.novotny)
The bug allows to write data provided by the web server outside the allocated buffer. I have no idea whether this can be used to execute native code or just to crash the firefox. I guess this is security-critical or security-high.
Flags: needinfo?(michal.novotny)
Flags: sec-bounty? → sec-bounty+
Alias: CVE-2016-5261
Whiteboard: [necko-active] → [necko-active][adv-main48+]
Do we need a different patch for the ESR-45 branch? We're basically out of time to get this into this release, please request esr-approval on the patch if it will work or on a new patch if it's needed.
tracking-firefox-esr45: --- → 48+
Flags: needinfo?(michal.novotny)
Comment on attachment 8772816 [details] [diff] [review] fix [Approval Request Comment] User impact if declined: memory corruption caused by malicious page Fix Landed on Version: 48 Risk to taking this patch (and alternatives if risky): low, simple integer overflow fix String or UUID changes made by this patch: none
Flags: needinfo?(michal.novotny)
Attachment #8772816 - Flags: approval-mozilla-esr45?
Flags: needinfo?(sledru)
This is too late for esr, we already built it and we have the sign off.
tracking-firefox-esr45: 48+49+
Flags: needinfo?(sledru)
Group: network-core-security → core-security-release
Comment on attachment 8772816 [details] [diff] [review] fix sec-high, taking it to esr45 - 45.4.0
Attachment #8772816 - Flags: approval-mozilla-esr45? → approval-mozilla-esr45+
Whiteboard: [necko-active][adv-main48+] → [necko-active][adv-main48+][adv-esr45.4+]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: