Closed
Bug 1462891
(CVE-2018-12367)
Opened 6 years ago
Closed 6 years ago
PerformanceNavigationTiming should reduce the time precision
Categories
(Core :: DOM: Security, defect, P2)
Tracking
()
People
(Reporter: baku, Assigned: tjr)
Details
(Keywords: sec-moderate, Whiteboard: [domsecurity-active][adv-main61+][adv-esr60.1+][post-critsmash-triage])
Attachments
(2 files, 1 obsolete file)
|
9.25 KB,
patch
|
tjr
:
review+
RyanVM
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
|
9.43 KB,
patch
|
RyanVM
:
approval-mozilla-esr60+
|
Details | Diff | Splinter Review |
It doesn't seem that PerformanceNavigationTiming::{UnloadEventStart,UnloadEventEnd,DomInteractive,...} use nsRFPService::ReduceTimePrecisionAsMSecs.
|
Reporter | |
Updated•6 years ago
|
Component: DOM → DOM: Security
|
Assignee | |
Comment 2•6 years ago
|
||
I think you're right. This doesn't affect Tor; it does affect Resist Fingerprinting and Spectre.
Group: dom-core-security
Flags: needinfo?(tom)
|
||
Updated•6 years ago
|
Assignee: nobody → tom
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]
|
||
Comment 3•6 years ago
|
||
Are these timing issues that can be used in Spectre attacks sec-high? Or is this one less serious?
Flags: needinfo?(tom)
|
|
Assignee | |
Comment 4•6 years ago
|
||
No, I'd say the resolution is quite good. If that's what we're calling sec-high (I believe we don't know of a practical vector for exploitation even with a high res timer) then yea this is sec-high.
Flags: needinfo?(tom)
|
|
Assignee | |
Comment 5•6 years ago
|
||
Attachment #8980420 -
Flags: review?(amarchesini)
|
|
Reporter | |
Updated•6 years ago
|
Attachment #8980420 -
Attachment is patch: true
|
|
Reporter | |
Comment 6•6 years ago
|
||
Comment on attachment 8980420 [details] [diff] [review] central.patch Review of attachment 8980420 [details] [diff] [review]: ----------------------------------------------------------------- r+ with the macro. ::: dom/performance/PerformanceNavigationTiming.cpp @@ +26,5 @@ > { > + DOMHighResTimeStamp rawValue = > + mPerformance->GetDOMTiming()->GetUnloadEventStartHighRes(); > + > + if (mPerformance->IsSystemPrincipal()) {} wondering if we can have a macro here: #define REDUCE_TIME_PRECISION \ if (mPerformance->IsSystemPrincipal()) { \ return rawValue; \ } \ return nsRFPService::ReduceTimePrecisionAsMSecs(rawValue, \ mPerformance->GetRandomTimelineSeed());
Attachment #8980420 -
Flags: review?(amarchesini) → review+
|
|
Assignee | |
Comment 7•6 years ago
|
||
[Security approval request comment] How easily could an exploit be constructed based on the patch? Not easily, one also needs to find a Spectre gadget. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? Yes. Which older supported branches are affected by this flaw? All of them. Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Not difficult. How likely is this patch to cause regressions; how much testing does it need? It might cause some intermittents.
Attachment #8980420 -
Attachment is obsolete: true
Attachment #8980564 -
Flags: sec-approval?
Attachment #8980564 -
Flags: review+
|
|
||
Updated•6 years ago
|
Keywords: sec-moderate
|
|
Assignee | |
Comment 8•6 years ago
|
||
After checking with dveditz, I sent this to try here: https://treeherder.mozilla.org/#/jobs?repo=try&revision=de0976144eecf31b1e44ec14773a1beddefd3668&selectedJob=180263607 I'm going to need to clean up at least /fetch/api/redirect/redirect-count.any.html but I think that's it.
|
||
Comment 9•6 years ago
|
||
Comment on attachment 8980564 [details] [diff] [review] central.patch Clearing sec-approval? since Dan made this a sec-moderate and it doesn't need approval to land on trunk. Should this ride the trains or be backported, do you think?
Attachment #8980564 -
Flags: sec-approval?
|
|
Assignee | |
Comment 10•6 years ago
|
||
(In reply to Al Billings [:abillings] from comment #9) > Comment on attachment 8980564 [details] [diff] [review] > central.patch > > Clearing sec-approval? since Dan made this a sec-moderate and it doesn't > need approval to land on trunk. > > Should this ride the trains or be backported, do you think? We're earlyish in beta so I guess I'd like to uplift it there and then it ride out.
|
|
Assignee | |
Updated•6 years ago
|
Keywords: checkin-needed
|
||
Comment 11•6 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/fe352021e444c9e94fbb6869107b498259b30302 How sure are we that we don't eventually want this on ESR60 as well?
status-firefox60:
--- → wontfix
status-firefox61:
--- → affected
status-firefox62:
--- → affected
status-firefox-esr52:
--- → wontfix
status-firefox-esr60:
--- → ?
tracking-firefox61:
--- → +
tracking-firefox62:
--- → +
tracking-firefox-esr60:
--- → ?
Flags: needinfo?(tom)
Flags: in-testsuite+
|
|
||
Updated•6 years ago
|
Keywords: checkin-needed
|
|
||
Updated•6 years ago
|
|
||
Comment 13•6 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/fe352021e444
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
|
|
||
Comment 14•6 years ago
|
||
Please nominate this for uplift whenever you feel it's had enough bake time on Nightly.
Flags: needinfo?(tom)
|
|
Assignee | |
Comment 15•6 years ago
|
||
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: It expands our Spectre timing mitigations to cover a situation we missed.
User impact if declined: Low impact; but it would be good to be thorough in ESR.
Fix Landed on Version: 62, requesting uplift to 61.
Risk to taking this patch (and alternatives if risky): Low risk, includes test coverage.Flags: needinfo?(tom)
Attachment #8983154 -
Flags: approval-mozilla-esr60?
|
|
Assignee | |
Comment 16•6 years ago
|
||
Comment on attachment 8980564 [details] [diff] [review] central.patch Approval Request Comment [Feature/Bug causing the regression]: We missed a component when we developed our spectre timing mitigations. [User impact if declined]: Low impact but it would be nice to be thorough in our coverage [Is this code covered by automated tests?]: Yes [Has the fix been verified in Nightly?]: Yes [Needs manual test from QE? If yes, steps to reproduce]: No [List of other uplifts needed for the feature/fix]: None [Is the change risky?]: Not really. [Why is the change risky/not risky?]: Small affected component, includes test
Attachment #8980564 -
Flags: approval-mozilla-beta?
|
|
||
Comment 17•6 years ago
|
||
Comment on attachment 8980564 [details] [diff] [review] central.patch Spectre mitigation for a spot we missed before. Approved for 61.0b12 and ESR 60.1.
Attachment #8980564 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
||
Updated•6 years ago
|
Attachment #8983154 -
Attachment is patch: true
Attachment #8983154 -
Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
|
|
||
Comment 18•6 years ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-beta/rev/30b75eae500b https://hg.mozilla.org/releases/mozilla-esr60/rev/e62057262371
|
|
||
Updated•6 years ago
|
Whiteboard: [domsecurity-active] → [domsecurity-active][adv-main61+][adv-esr60.1+]
|
||
Updated•6 years ago
|
Flags: qe-verify-
Whiteboard: [domsecurity-active][adv-main61+][adv-esr60.1+] → [domsecurity-active][adv-main61+][adv-esr60.1+][post-critsmash-triage]
|
|
||
Updated•6 years ago
|
Alias: CVE-2018-12367
|
|
||
Updated•5 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•