Closed Bug 1393362 Opened 7 years ago Closed 3 years ago

Unchecked size can lead to zero byte allocation or undefined behavior

Categories

(Core :: Graphics, defect, P2)

Product:
Core
Component:
Graphics
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
96 Branch
Tracking Flags:
Tracking Status
firefox-esr91 95+ fixed
firefox55 --- wontfix
firefox56 --- wontfix
firefox57 --- wontfix
firefox93 --- wontfix
firefox94 --- wontfix
firefox95 + fixed
firefox96 + fixed

People

(Reporter: tedd, Assigned: lsalzman)

References

Details

(Keywords: csectype-bounds, csectype-sandbox-escape, sec-high, Whiteboard: [gfx-noted][sb+][sec-survey][adv-main95+r][adv-ESR91.4.0+r])

Attachments

(1 file)

Bug 1393362 - Make more RecordedEvent implementations fallible. r?bobowen
48 bytes, text/x-phabricator-request
pascalc
: approval-mozilla-beta+
RyanVM
: approval-mozilla-esr91+
tjr
: sec-approval+
Details | Review 
+++ This bug was initially created as a clone of Bug #1393357 +++

As part of the sandboxing effort, printing was remoted to the parent in order to allow enabling the content process sandbox.

For remote printing, the content process writes Moz2D commands to a file which is used in the chrome process to redraw the content that shall be printed.

When deserializing the commands, a compromised content process can supply incorrect or unexpected values as sizes for memory allocations happening in the chrome process, this could be leveraged to allocate zero bytes of memory, where a later write to that region results in a buffer overflow/out of bounds write, or memory leaks.

Depending on how we handle allocation failures (unless specifically marked as fallible and handled properly) supplying a negative value as size could lead to undefined behavior. (Unfortunately, I am not familiar with how we handle negative size values, regular C++ throws an exception when providing a negative size for new [] allocations)

However a zero byte allocation may be more severe if later on a certain size is expected.
The locations in question are [1][2][3] . 

Note, given the architecture complexity and the content <-> parent communication, I haven't debugged this manually. This bug is filed as a result of reading the code.

[1] http://searchfox.org/mozilla-central/rev/b258e6864ee3e809d40982bc5d0d5aff66a20780/gfx/2d/RecordedEventImpl.h#2433-2435
[2] http://searchfox.org/mozilla-central/rev/b258e6864ee3e809d40982bc5d0d5aff66a20780/gfx/2d/RecordedEventImpl.h#2572-2575
[3] http://searchfox.org/mozilla-central/rev/b258e6864ee3e809d40982bc5d0d5aff66a20780/gfx/2d/RecordedEventImpl.h#2746-2748
Jim, is this going to affect 57 or is sandboxing not riding the trains yet? Should we track this?
Flags: needinfo?(jmathies)
(In reply to Panos Astithas [:past] (56 Regression Engineering Owner) (please ni?) from comment #1)
> Jim, is this going to affect 57 or is sandboxing not riding the trains yet?
> Should we track this?

Sounds like this is a hardening bug. cc'ing Bob who worked on the serialization code so he's is aware of it.
Flags: needinfo?(jmathies) → needinfo?(bobowencode)
status-firefox57: --- → unaffected
Priority: -- → P3
Whiteboard: [gfx-noted]
(In reply to Jim Mathies [:jimm] from comment #2)
> (In reply to Panos Astithas [:past] (56 Regression Engineering Owner)
> (please ni?) from comment #1)
> > Jim, is this going to affect 57 or is sandboxing not riding the trains yet?
> > Should we track this?
> 
> Sounds like this is a hardening bug. cc'ing Bob who worked on the
> serialization code so he's is aware of it.

I didn't work on the original serialization code, although I used it for printing.
I had to change a few things to get it into a usable state for printing, mainly around being able to turn it on at any point and things that had been added to the DrawTarget API since it was first implemented.

milan - are you sure this is unaffected, this is used for printing?

I don't mind looking at fixing these if nobody is available.
Flags: needinfo?(bobowencode) → needinfo?(milan)
Jim, is sandboxing at this level riding 57?

If it is, then this bug (and a bunch of others) would be fix-optional, as they seem not to be blocking the release.  If they are blocking the release, then we'd have to back out sandboxing, as we'd have no chance of getting to them all :)
Flags: needinfo?(milan) → needinfo?(jmathies)
(In reply to Milan Sreckovic [:milan] from comment #4)
> Jim, is sandboxing at this level riding 57?
> 
> If it is, then this bug (and a bunch of others) would be fix-optional, as
> they seem not to be blocking the release.  If they are blocking the release,
> then we'd have to back out sandboxing, as we'd have no chance of getting to
> them all :)

Printing's use of this started (at least on Windows) with Fx50 and is required for pretty much any sandboxing not just the things riding in 56 and 57.
(In reply to Bob Owen (:bobowen) from comment #3)
> I don't mind looking at fixing these if nobody is available.

I could help too.
(In reply to Milan Sreckovic [:milan] from comment #4)
> Jim, is sandboxing at this level riding 57?
> 
> If it is, then this bug (and a bunch of others) would be fix-optional, as
> they seem not to be blocking the release.  If they are blocking the release,
> then we'd have to back out sandboxing, as we'd have no chance of getting to
> them all :)

https://wiki.mozilla.org/Security/Sandbox#Current_Status

Yes, we have sandboxing active on all platforms in various release, including 57.

Backing out doesn't fix anything here imo. If we disable sandboxing, then any exploit in printing is available in an insecure content process. 

Flagging this for sandboxing triage, we'll discuss this week.
status-firefox55: --- → fix-optional
status-firefox56: --- → fix-optional
status-firefox57: unaffectedfix-optional
Flags: needinfo?(jmathies)
OS: Unspecified → All
Hardware: Unspecified → All
Whiteboard: [gfx-noted] → [gfx-noted][sb?]
Whiteboard: [gfx-noted][sb?] → [gfx-noted][sb+]
Priority: P3 → P2
Hi Milan:

I have assigned these security bugs to you to reassign them to appropriate developers in your team to investigate and fix them.

Thanks!

Wennie
Assignee: nobody → milan
Jim, you mentionned a while ago that this bug would be discussed in the sandboxing triage meeting, what came out of it?
Flags: needinfo?(jmathies)
(In reply to Stephanie Ouillon [:arroway] from comment #9)
> Jim, you mentionned a while ago that this bug would be discussed in the
> sandboxing triage meeting, what came out of it?

This bug is about hardening the boundary between content processes and the chrome process. This work is important but not as high priority as removing attack surface in the content process, which is what we're concentrating on now.
Flags: needinfo?(jmathies)
Is this really sec-high given that it's based on the code inspection and has a number of unanswered questions of whether anything would go wrong?
Keywords: sec-highsec-audit
Assignee: milaninbugzilla → nobody

This should not have been classified as sec-audit; which is for investigating a pattern of concern. If a bug is not certain to be valid, it should remain classified with a security rating until it can be definitively shown to be not applicable.

Haik, Bob could I ask you to look at this again to determine it's status?

Flags: needinfo?(haftandilian)
Flags: needinfo?(bobowencode)
Keywords: sec-auditcsectype-sandbox-escape, sec-high

It appears comment 11 was asking for a re-triage, which can be accomplished by removing the sec- keyword or asking security folks (needinfo, slack, matrix, etc). Doing that now. Moving the bug to a different keyword keeps it off the security team's radar. It does not look like the printing team was actually signing themselves up to do this investigation, nor was one done.

The various integer overflows and trusting of communication from a potentially compromised child process are still present

(In reply to Tom Ritter [:tjr] (ni? for response to CVE/sec-approval/advisories/etc) from comment #12)

This should not have been classified as sec-audit; which is for investigating a pattern of concern. If a bug is not certain to be valid, it should remain classified with a security rating until it can be definitively shown to be not applicable.

Haik, Bob could I ask you to look at this again to determine it's status?

I'm not too sure about the talk about negative values for allocation in the description, I think these are all unsigned or used to calculate an unsigned, but I think new would convert to unsigned anyway, so either allocation will fail if fallible or we'll OOM crash.

In the examples given in the description two use fallible (now) and handle failure, so I think we can't do any more for them.
The other (and another I found, both below) would OOM crash.
I suppose they could be 0, in which case I think our allocator always allocates 1 byte and never returns null.
So, I think the subsequent reads (and memcpys) would just do nothing.

lsalzman - I guess we might want to make these fallible rather than potentially crash the GPU process or worse the parent process and either way test for 0 size to make it fail more clearly (assuming 0 is invalid), what do you think?
tjr - I let you decide whether this should still stay at sec-high

https://searchfox.org/mozilla-central/rev/2e3b0483e31abffe0b4374480a34c6d23f5186ea/gfx/2d/RecordedEventImpl.h#2416
https://searchfox.org/mozilla-central/rev/2e3b0483e31abffe0b4374480a34c6d23f5186ea/gfx/2d/RecordedEventImpl.h#3273

Flags: needinfo?(tom)
Flags: needinfo?(lsalzman)
Flags: needinfo?(haftandilian)
Flags: needinfo?(bobowencode)

Making it fallible would be fine. I would rather leave open the possibility of mNumGlyphs == 0 as being a valid case. Then check if mNumGlyphs > 0 and mGlyphs == nullptr during playback, and if so, return false, because that would mean we failed to allocate...

Flags: needinfo?(lsalzman)

Lee, this sounds like a pretty small change, can you pick this up?

Flags: needinfo?(lsalzman)
Assignee: nobody → lsalzman
Status: NEW → ASSIGNED
Flags: needinfo?(lsalzman)

Comment on attachment 9248337 [details]
Bug 1393362 - Make more RecordedEvent implementations fallible. r?bobowen

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Unknown. Bug report is only hypothetical.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: Unlikely
Attachment #9248337 - Flags: sec-approval?

Comment on attachment 9248337 [details]
Bug 1393362 - Make more RecordedEvent implementations fallible. r?bobowen

Approved to land and request uplift

Flags: needinfo?(tom)
Attachment #9248337 - Flags: sec-approval? → sec-approval+

Make more RecordedEvent implementations fallible. r=bobowen
https://hg.mozilla.org/integration/autoland/rev/7a92d641690b9737c7a9d1d5cf35e8418d7f4884
https://hg.mozilla.org/mozilla-central/rev/7a92d641690b

Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox96: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 96 Branch

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(lsalzman)
Whiteboard: [gfx-noted][sb+] → [gfx-noted][sb+][sec-survey]
Flags: needinfo?(lsalzman)

Comment on attachment 9248337 [details]
Bug 1393362 - Make more RecordedEvent implementations fallible. r?bobowen

Beta/Release Uplift Approval Request

  • User impact if declined: Potential underflow on deserialized values that could lead to OOMs or overreads.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This just adds some overflow checking to deserialization in cases that were previously undefined behavior.
  • String changes made/needed:

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: Potential underflow on deserialized values that could lead to OOMs or overreads.
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This just adds some overflow checking to deserialization in cases that were previously undefined behavior.
  • String or UUID changes made by this patch:
Attachment #9248337 - Flags: approval-mozilla-esr91?
Attachment #9248337 - Flags: approval-mozilla-beta?

Comment on attachment 9248337 [details]
Bug 1393362 - Make more RecordedEvent implementations fallible. r?bobowen

Approved for 95 beta 5, thanks.

Attachment #9248337 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify-

Comment on attachment 9248337 [details]
Bug 1393362 - Make more RecordedEvent implementations fallible. r?bobowen

Approved for 91.4esr.

Attachment #9248337 - Flags: approval-mozilla-esr91? → approval-mozilla-esr91+
Whiteboard: [gfx-noted][sb+][sec-survey] → [gfx-noted][sb+][sec-survey][adv-main95+][adv-ESR91.4+]
Whiteboard: [gfx-noted][sb+][sec-survey][adv-main95+][adv-ESR91.4+] → [gfx-noted][sb+][sec-survey][adv-main95+][adv-ESR91.4.0+]
Whiteboard: [gfx-noted][sb+][sec-survey][adv-main95+][adv-ESR91.4.0+] → [gfx-noted][sb+][sec-survey][adv-main95+r][adv-ESR91.4.0+r]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: