Closed Bug 1489020 Opened 6 years ago Closed 6 years ago

Use after free in IndexedDB

Categories

(Core :: Storage: IndexedDB, defect, P1)

Tracking

RESOLVED FIXED
mozilla64
Tracking Status
firefox-esr60 --- fixed
firefox63 --- fixed
firefox64 --- fixed

People

(Reporter: zhanjiasong45, Assigned: janv)

References

Details

(Keywords: csectype-uaf, sec-high, testcase, Whiteboard: [reporter-external] [client-bounty-form] [verif?],DWS_NEXT)

Attachments

(2 files)

The patch for Bug 1459383 is not good enough; it can be bypassed by setting the getter on Object's prototype.

Steps to reproduce:
Run Firefox with the attached HTML.

Firefox version: 62.0 (64-bit)
Operating system version: Linux x86_64
Flags: sec-bounty?
Attached file: ASan log info
ASan log from the latest ASan version (download from https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Firefox_and_Address_Sanitizer, 64.0a1 (2018-09-06) (64-bit)).
Group: firefox-core-security → dom-core-security
Component: Security → DOM: IndexedDB
Product: Firefox → Core
See Also: → CVE-2018-12378
Thank you for the repro! It is invaluable!

Over in bug 1487660, where ASAN caught this (presumably due to your testing of your prototype and reporting of the crash, which we appreciate!), I was hypothesizing that the problem was a prototype chain issue, since we perform the clone in the same realm/global, so it's good to have a conclusive answer and repro here! (It's bad that I didn't think of the problem during the original fix, of course!)
See Also: → 1487660
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P1
Flags: needinfo?(choller)
Keywords: testcase
Flags: needinfo?(choller)
Assignee: nobody → jvarga
Jan, all yours.
Flags: needinfo?(jvarga)
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?],DWS_NEXT
This is the same issue as in bug 1487660; not sure if we should dupe it since there's a sec-bounty? flag.
Flags: needinfo?(jvarga)
(In reply to Jan Varga [:janv] from comment #6)
> This is the same issue as in bug 1487660, not sure if we should dupe it
> since there's a sec-bounty? flag.

The reporter of bug 1487660 and this bug are the same; we can dupe the other bug to this one and handle the sec-bounty flag here.
This has been fixed. See bug 1487660 and bug 1492737.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Group: dom-core-security → core-security-release
Target Milestone: --- → mozilla64
Depends on: 1487660
Flags: sec-bounty? → sec-bounty+
Group: core-security-release