Closed
Bug 1493629
Opened 6 years ago
Closed 6 years ago
AddressSanitizer: heap-use-after-free [@ fetch_sub] with WRITE of size 8 in WorkerCSPEventListener
Categories
(Core :: DOM: Security, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla64
Tracking | Status | |
---|---|---|
firefox-esr60 | --- | unaffected |
firefox62 | --- | unaffected |
firefox63 | + | fixed |
firefox64 | + | fixed |
People
(Reporter: decoder, Assigned: baku)
References
(Blocks 1 open bug)
Details
(4 keywords, Whiteboard: [domsecurity-active][post-critsmash-triage])
Attachments
(3 files)
29.38 KB,
text/plain
|
Details | |
2.51 KB,
patch
|
ckerschb
:
review+
pascalc
:
approval-mozilla-beta+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
2.71 KB,
application/octet-stream
|
Details |
The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 64.0a1-20180920220102-https://hg.mozilla.org/mozilla-central/rev/5347c7e4811a1a4d80bcee4119cead9192fdff69. For detailed crash information, see attachment.
Reporter | ||
Comment 1•6 years ago
|
||
Reporter | ||
Updated•6 years ago
|
Flags: sec-bounty?
Reporter | ||
Comment 3•6 years ago
|
||
Needinfo for :baku, could you take a look at this since you are the author of WorkerCSPEventListener? Thanks!
Flags: needinfo?(amarchesini)
Updated•6 years ago
|
Group: core-security → dom-core-security
Keywords: csectype-uaf,
sec-high
Comment 4•6 years ago
|
||
Assigning to :baku as a likely victim, but if it's not you please hand it off to a specific someone to look at this sec-high bug rather than dropping it back to "nobody".
Assignee: nobody → amarchesini
Priority: -- → P1
Whiteboard: [domsecurity-active]
Assignee | ||
Comment 5•6 years ago
|
||
Flags: needinfo?(amarchesini)
Attachment #9013920 -
Flags: review?(ckerschb)
Comment 7•6 years ago
|
||
Comment on attachment 9013920 [details] [diff] [review] csp.patch Review of attachment 9013920 [details] [diff] [review]: ----------------------------------------------------------------- I guess that works, thanks. r=ckerschb
Attachment #9013920 -
Flags: review?(ckerschb) → review+
Assignee | ||
Comment 8•6 years ago
|
||
Comment on attachment 9013920 [details] [diff] [review] csp.patch [Security Approval Request] How easily could an exploit be constructed based on the patch?: Not easy at all. It's use-after-free hard to reproduce. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No Which older supported branches are affected by this flaw?: m-b If not all supported branches, which bug introduced the flaw?: Bug 1472927 Do you have backports for the affected branches?: No If not, how different, hard to create, and risky will they be?: Easy How likely is this patch to cause regressions; how much testing does it need?: None. Note that this could be not enough to fix for the crash: the patch adds security checks in the CSP EventListener creation, but maybe the bug is elsewhere.
Attachment #9013920 -
Flags: sec-approval?
Updated•6 years ago
|
status-firefox62:
--- → unaffected
status-firefox63:
--- → affected
status-firefox-esr60:
--- → unaffected
tracking-firefox63:
--- → +
tracking-firefox64:
--- → +
Comment 9•6 years ago
|
||
We only have two betas left. This bug will need release management approval, so we can backport to affected branches, before I can give sec-approval. Ritu? We should take this since it only affects mozilla-central and beta.
Flags: needinfo?(rkothari)
Comment 11•6 years ago
|
||
Comment on attachment 9013920 [details] [diff] [review] csp.patch sec-approval+. Please nominate branch patches as well.
Flags: needinfo?(abillings)
Attachment #9013920 -
Flags: sec-approval? → sec-approval+
Assignee | ||
Comment 12•6 years ago
|
||
Comment on attachment 9013920 [details] [diff] [review] csp.patch [Beta/Release Uplift Approval Request] Feature/Bug causing the regression: Bug 1472927 User impact if declined: a crash can occur Is this code covered by automated tests?: No Has the fix been verified in Nightly?: No Needs manual test from QE?: No If yes, steps to reproduce: List of other uplifts needed: none Risk to taking this patch: Low Why is the change risky/not risky? (and alternatives if risky): This patch introduces some security checks on how CSP worker event listener is used. No big changes. String changes made/needed: none
Attachment #9013920 -
Flags: approval-mozilla-beta?
Comment 13•6 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/dae89dbd2159c0b2a5865389dadab9a8f938e8ee https://hg.mozilla.org/mozilla-central/rev/dae89dbd2159
Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 6 years ago
QA Contact: ckerschb
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Comment 14•6 years ago
|
||
Comment on attachment 9013920 [details] [diff] [review] csp.patch Uplift approved for 63 beta 13, thanks.
Attachment #9013920 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 15•6 years ago
|
||
uplift |
https://hg.mozilla.org/releases/mozilla-beta/rev/01237eeedfac
Comment 16•6 years ago
|
||
Backed out from beta for wpt failures on ContentSecurityPolicy: https://hg.mozilla.org/releases/mozilla-beta/rev/9671f6ac6cbeae04e605a35ebda003d1006e2af5 Push with failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-beta&resultStatus=usercancel%2Crunnable%2Ctestfailed%2Cbusted%2Cexception%2Cretry&group_state=expanded&revision=01237eeedfac765312a1322b28719782c3a71731 debug failure: https://treeherder.mozilla.org/logviewer.html#?job_id=203677584&repo=mozilla-beta [task 2018-10-05T15:56:30.194Z] 15:56:30 INFO - TEST-PASS | /content-security-policy/inside-worker/dedicated-inheritance.html | Filesystem and blob. [task 2018-10-05T15:56:30.195Z] 15:56:30 INFO - TEST-PASS | /content-security-policy/inside-worker/dedicated-inheritance.html | Same-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,default-src%20*) [task 2018-10-05T15:56:30.195Z] 15:56:30 INFO - TEST-UNEXPECTED-TIMEOUT | /content-security-policy/inside-worker/dedicated-inheritance.html | Same-origin 'fetch()' in http:?pipe=sub|header(Content-Security-Policy,connect-src%20%27none%27) - Test timed out [task 2018-10-05T15:56:30.195Z] 15:56:30 INFO - TEST-INFO | expected FAIL Please also check the Nightly and DevEdition wpt failures (there are 2 per platform compared to 1 on debug).
Flags: needinfo?(amarchesini)
Assignee | ||
Comment 18•6 years ago
|
||
We need to uplift bug 1490165 as well.
Flags: needinfo?(amarchesini)
Assignee | ||
Comment 19•6 years ago
|
||
Actually, instead of uplifting the 3 patches of bug 1490165, I can create a custom patch for m-b. This is better because we don't need all those 3 patches from bug 1490165.
Assignee | ||
Comment 20•6 years ago
|
||
Comment 21•6 years ago
|
||
uplift |
https://hg.mozilla.org/releases/mozilla-beta/rev/be85aa71510b
Updated•6 years ago
|
Flags: qe-verify-
Whiteboard: [domsecurity-active] → [domsecurity-active][post-critsmash-triage]
Updated•5 years ago
|
Group: core-security-release
Updated•4 years ago
|
Blocks: asan-maintenance
You need to log in
before you can comment on or make changes to this bug.
Description
•