Closed
Bug 1467938
Opened 6 years ago
Closed 6 years ago
VP9 Missing Frame Processing Out-of-Bounds Memory Access
Categories
(Core :: WebRTC: Networking, defect, P1)
Core
WebRTC: Networking
Tracking
()
RESOLVED
FIXED
mozilla62
People
(Reporter: drno, Assigned: drno)
References
()
Details
(Keywords: csectype-bounds, sec-high, Whiteboard: [adv-main61+][adv-esr60.1+][post-critsmash-triage])
Attachments
(2 files, 4 obsolete files)
|
1.58 KB,
patch
|
ng
:
review+
RyanVM
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr60+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
|
1.70 KB,
patch
|
ng
:
review+
RyanVM
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr60+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
Looks like Firefox 62 is affected by this exploit published today: https://www.exploit-db.com/exploits/44863/
|
Assignee | |
Updated•6 years ago
|
Rank: 3
|
|
Assignee | |
Updated•6 years ago
|
status-firefox60:
--- → affected
status-firefox61:
--- → affected
status-firefox62:
--- → affected
status-firefox-esr52:
--- → unaffected
status-firefox-esr60:
--- → affected
|
|
Assignee | |
Comment 1•6 years ago
|
||
And for added fun a second one https://www.exploit-db.com/exploits/44862/
|
|
Assignee | |
Comment 2•6 years ago
|
||
Google Project Zero reports for these: https://bugs.chromium.org/p/project-zero/issues/detail?id=1567 https://bugs.chromium.org/p/project-zero/issues/detail?id=1568 I don't have access to the Chromium bug reports to see what the fix looks like. Apparently the fix has been shipped in Chrome 67. But CVE-2018-6129 and CVE-2018-6130 don't appear to be disclosed yet either.
|
|
Assignee | |
Comment 3•6 years ago
|
||
Link to the Chromium bug which probably/hopefully contains the fix https://bugs.chromium.org/p/chromium/issues/detail?id=838402
|
||
Comment 4•6 years ago
|
||
CVE-2018-6130 appears to be https://bugs.chromium.org/p/chromium/issues/detail?id=838402 for which they landed https://webrtc-review.googlesource.com/c/src/+/74923 on the m67 branch (part of a larger https://webrtc-review.googlesource.com/c/src/+/60260). They subsequently backed out and re-landed as https://webrtc-review.googlesource.com/c/src/+/76480 CVE-2018-6129 appears to be https://bugs.chromium.org/p/chromium/issues/detail?id=838672 which is the following change: https://webrtc-review.googlesource.com/c/src/+/74921
|
|
||
Updated•6 years ago
|
tracking-firefox61:
--- → +
tracking-firefox62:
--- → +
tracking-firefox-esr60:
--- → 61+
Keywords: csectype-bounds,
sec-high
|
|
Assignee | |
Comment 5•6 years ago
|
||
|
|
Assignee | |
Comment 6•6 years ago
|
||
This is what really landed in Chrome.
Attachment #8984623 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 7•6 years ago
|
||
Fixed the commit comment
Attachment #8984626 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 8•6 years ago
|
||
This is the patch for https://bugs.chromium.org/p/project-zero/issues/detail?id=1568
|
|
Assignee | |
Updated•6 years ago
|
Assignee: nobody → drno
|
|
Assignee | |
Updated•6 years ago
|
Attachment #8984631 -
Flags: review?(na-g)
|
|
Assignee | |
Updated•6 years ago
|
Attachment #8984632 -
Flags: review?(na-g)
|
|
Assignee | |
Comment 9•6 years ago
|
||
Fixed the return value.
Attachment #8984631 -
Attachment is obsolete: true
Attachment #8984631 -
Flags: review?(na-g)
|
|
Assignee | |
Comment 10•6 years ago
|
||
Fixed the logging macro.
Attachment #8984632 -
Attachment is obsolete: true
Attachment #8984632 -
Flags: review?(na-g)
Attachment #8984635 -
Flags: review?(na-g)
|
|
Assignee | |
Updated•6 years ago
|
Attachment #8984634 -
Flags: review?(na-g)
|
||
Updated•6 years ago
|
Attachment #8984635 -
Flags: review?(na-g) → review+
|
|
||
Updated•6 years ago
|
Attachment #8984634 -
Flags: review?(na-g) → review+
|
|
Assignee | |
Comment 11•6 years ago
|
||
Comment on attachment 8984634 [details] [diff] [review] bug1467938_part1.patch [Security approval request comment] How easily could an exploit be constructed based on the patch? For non-webrtc experts the hardest part is probably to figure out how to get the payload into the affected code. For the record I disagree with the statements in the chromium bug reports that this requires for someone to answer a call. For people with WebRTC knowledge it's pretty easy to write JS code which gets the payload into the browser with no user interaction. Since the demo exploit code is now openly available I think this makes exploit construction pretty easy. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? I took the title from the public Chromium bugs. We could make it less obvious. Which older supported branches are affected by this flaw? All branches up to release and ESR60. ESR52 is not affected as it uses an older version of the webrtc.org code. If not all supported branches, which bug introduced the flaw? Probably the import of webrtc.org 57. Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Patches apply cleanly to Beta and ESR60. How likely is this patch to cause regressions; how much testing does it need? They already got released in Chrome 67. This affects only the VP9 codec, which is typically not used in WebRTC these days. Thus I think it's unlikely to cause regressions.
Attachment #8984634 -
Flags: sec-approval?
|
|
Assignee | |
Comment 12•6 years ago
|
||
Comment on attachment 8984635 [details] [diff] [review] bug1467938_part2.patch [Security approval request comment] How easily could an exploit be constructed based on the patch? For non-webrtc experts the hardest part is probably to figure out how to get the payload into the affected code. For the record I disagree with the statements in the chromium bug reports that this requires for someone to answer a call. For people with WebRTC knowledge it's pretty easy to write JS code which gets the payload into the browser with no user interaction. Since the demo exploit code is now openly available I think this makes exploit construction pretty easy. Just from the patch itself it's a little less obvious what this protects against. But again the attack description is out there in the public now. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? I took the title from the public Chromium bugs. We could make it less obvious. Which older supported branches are affected by this flaw? All branches up to release and ESR60. ESR52 is not affected as it uses an older version of the webrtc.org code. If not all supported branches, which bug introduced the flaw? Probably the import of webrtc.org 57. Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Patches apply cleanly to Beta and ESR60. How likely is this patch to cause regressions; how much testing does it need? They already got released in Chrome 67. This affects only the VP9 codec, which is typically not used in WebRTC these days. Thus I think it's unlikely to cause regressions.
Attachment #8984635 -
Flags: sec-approval?
|
||
Updated•6 years ago
|
Attachment #8984634 -
Flags: sec-approval? → sec-approval+
|
|
||
Comment 13•6 years ago
|
||
Comment on attachment 8984635 [details] [diff] [review] bug1467938_part2.patch sec-approval+. We're going to want to backport patches to affected versions, including ESR60. Please nominate Beta and ESR60 patches.
Attachment #8984635 -
Flags: sec-approval? → sec-approval+
|
||
Updated•6 years ago
|
Group: core-security → media-core-security
|
|
||
Comment 14•6 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/44ae071a453f285f841d4c3cc13e0b21427ace92 I landed this as a folded-up patch since it seemed a bit more sensible from our end (i.e. avoiding repetitive commit messages and just backporting some upstream patches touching the same bit of code). As was previously noted, this grafts cleanly to Beta and ESR60 as-landed, so it just needs approval requests ASAP.
Flags: needinfo?(drno)
|
|
Assignee | |
Comment 15•6 years ago
|
||
Comment on attachment 8984634 [details] [diff] [review] bug1467938_part1.patch Note this applies to part1 and part2. Approval Request Comment [Feature/Bug causing the regression]: Bug 1341285 landed the merge of libwebrtc 57 into Fx 56 [User impact if declined]: Potential crashes of the content process [Is this code covered by automated tests?]: We have automated tests using the VP9 codec. But it is not guaranteed that these tests will cover exactly the modified code here. [Has the fix been verified in Nightly?]: No [Needs manual test from QE? If yes, steps to reproduce]: No [List of other uplifts needed for the feature/fix]: N/A [Is the change risky?]: Not really. [Why is the change risky/not risky?]: It only adds extra safety checks to catch malformed packets. It has been in Chrome 67 for some time already. And it only applies to the not widely used VP9 codec. [String changes made/needed]: N/A
Flags: needinfo?(drno)
Attachment #8984634 -
Flags: approval-mozilla-beta?
|
|
Assignee | |
Comment 16•6 years ago
|
||
Comment on attachment 8984635 [details] [diff] [review] bug1467938_part2.patch See request for part1
Attachment #8984635 -
Flags: approval-mozilla-beta?
|
|
Assignee | |
Comment 17•6 years ago
|
||
Comment on attachment 8984634 [details] [diff] [review] bug1467938_part1.patch Applies to part1 and part2. [Approval Request Comment] If this is not a sec:{high,crit} bug, please state case for ESR consideration: It is sec-high User impact if declined: crashes of content process Fix Landed on Version: 62 Risk to taking this patch (and alternatives if risky): It is not very risky (see explanation in Beta request). String or UUID changes made by this patch: N/A See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8984634 -
Flags: approval-mozilla-esr60?
|
|
Assignee | |
Comment 18•6 years ago
|
||
Comment on attachment 8984635 [details] [diff] [review] bug1467938_part2.patch See request for part 1
Attachment #8984635 -
Flags: approval-mozilla-esr60?
|
|
||
Comment 19•6 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/44ae071a453f
Group: media-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
|
|
||
Comment 20•6 years ago
|
||
Comment on attachment 8984634 [details] [diff] [review] bug1467938_part1.patch Approved for 61.0b13 and ESR 60.1.
Attachment #8984634 -
Flags: approval-mozilla-esr60?
Attachment #8984634 -
Flags: approval-mozilla-esr60+
Attachment #8984634 -
Flags: approval-mozilla-beta?
Attachment #8984634 -
Flags: approval-mozilla-beta+
|
|
||
Updated•6 years ago
|
Attachment #8984635 -
Flags: approval-mozilla-esr60?
Attachment #8984635 -
Flags: approval-mozilla-esr60+
Attachment #8984635 -
Flags: approval-mozilla-beta?
Attachment #8984635 -
Flags: approval-mozilla-beta+
|
|
||
Comment 21•6 years ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-beta/rev/bd79850d10f8 https://hg.mozilla.org/releases/mozilla-esr60/rev/9875e9b3e0ca
|
|
||
Updated•6 years ago
|
Whiteboard: [adv-main61+][adv-esr60.1+]
|
||
Updated•6 years ago
|
Flags: qe-verify-
Whiteboard: [adv-main61+][adv-esr60.1+] → [adv-main61+][adv-esr60.1+][post-critsmash-triage]
|
|
||
Updated•5 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•