Closed
Bug 1493903
(CVE-2018-12387)
Opened 6 years ago
Closed 6 years ago
Infoleak bug from Hack2Win
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
People
(Reporter: dveditz, Assigned: jandem)
References
()
Details
(Keywords: regression, sec-critical, testcase)
Attachments
(5 files, 1 obsolete file)
179.19 KB,
application/pdf
|
Details | |
2.05 KB,
text/html
|
Details | |
1.43 KB,
patch
|
tcampbell
:
review+
gkw
:
feedback+
dveditz
:
approval-mozilla-beta+
dveditz
:
approval-mozilla-release+
dveditz
:
approval-mozilla-esr60+
dveditz
:
sec-approval+
|
Details | Diff | Splinter Review |
236 bytes,
application/x-javascript
|
Details | |
1.85 KB,
patch
|
nbp
:
feedback+
|
Details | Diff | Splinter Review |
We received the 2018 Hack2Win Firefox Infoleak exploit from Noam Rathaus of Beyond Security.
Please use the following for the acknowledgement.
"Two independent security researcher, Bruno Keith and Niklas Baumstark,
have reported this vulnerability to Beyond Security’s SecuriTeam Secure
Disclosure program."
Reporter | ||
Comment 1•6 years ago
|
||
Reporter | ||
Updated•6 years ago
|
Keywords: sec-critical,
testcase
Comment 2•6 years ago
|
||
This testcase shows the infoleak and then crashes when run with --ion-eager. Without that flag, it will work as expected and print out the correct values.
The loop being jitted is the inner loop after the `gen(...)` call.
Comment 3•6 years ago
|
||
Note that despite this being reported as an information leak, it can be leveraged to RCE. Doing so is just very build dependent and more work compared to the first issue (bug 1493900).
Assignee | ||
Comment 4•6 years ago
|
||
This one is likely caused by inlining of push with multiple arguments. That has some complicated code for restoring the call stack and I think it's buggy when used with fun.call, like |push.call(arr, x, ...)|. The safest and fastest thing is to just disable this optimization for now.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Assignee | ||
Comment 5•6 years ago
|
||
Attachment #9011734 -
Flags: review?(tcampbell)
Attachment #9011734 -
Flags: feedback?(nth10sd)
Attachment #9011734 -
Flags: feedback?(choller)
Assignee | ||
Comment 6•6 years ago
|
||
Oh the feedback requests here are mostly to double check the patch fixes all known test cases. This patch is very safe and doesn't need fuzzing.
Assignee | ||
Comment 7•6 years ago
|
||
I think this one goes back to bug 966743.
status-firefox62:
--- → affected
status-firefox63:
--- → affected
status-firefox64:
--- → affected
status-firefox-esr60:
--- → affected
status-geckoview62:
--- → affected
status-thunderbird_esr60:
--- → affected
tracking-firefox62:
--- → ?
tracking-firefox63:
--- → ?
tracking-firefox64:
--- → ?
tracking-firefox-esr60:
--- → ?
tracking-geckoview62:
--- → ?
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/8b1881ead0b6
user: Nicolas B. Pierron
date: Thu Sep 07 13:01:13 2017 +0000
summary: Bug 966743 - Inline Array.prototype.push with more than one argument. r=jandem
You're right.
Comment on attachment 9011734 [details] [diff] [review]
Patch
I verify that this patch fixes the MOZ_CRASH as shown by the shell testcase. I tested with "--ion-offthread-compile=off --ion-eager".
Attachment #9011734 -
Flags: feedback?(nth10sd) → feedback+
Comment 10•6 years ago
|
||
Run this test with --ion-eager --ion-offthread-compile=off on a debug build to reproduce the assertion.
Attachment #9011727 -
Attachment is obsolete: true
Updated•6 years ago
|
status-geckoview62:
affected → ---
status-thunderbird_esr60:
affected → ---
tracking-geckoview62:
? → ---
Reporter | ||
Updated•6 years ago
|
Blocks: 966743
status-geckoview62:
--- → affected
status-thunderbird_esr60:
--- → affected
tracking-geckoview62:
--- → +
Keywords: regression
Reporter | ||
Updated•6 years ago
|
Attachment #9011710 -
Attachment mime type: text/plain → text/html
Comment 11•6 years ago
|
||
Comment on attachment 9011734 [details] [diff] [review]
Patch
r=me to disable the problematic path entirely. I'm looking into the root cause so we understand it more too.
Attachment #9011734 -
Flags: review?(tcampbell) → review+
Comment 12•6 years ago
|
||
Still looking, but it seems like the issue is that when IonBuilder::inlineArrayPush ends up using IonBuilder::pushPriorCallStack, we don't also restore the |this| of Function.prototype.call. We actually identified the problem in Bug 1412653 but only fixed the Function.prototype.apply case.
(Only 80% sure.. still digging).
Comment 13•6 years ago
|
||
This patch is the targeted fix to the flaw. I still strongly favor Jan's patch
to just disable this mode. We should work on giving more checks for fuzzing to
get better coverage here.
Assignee | ||
Comment 14•6 years ago
|
||
Comment on attachment 9011734 [details] [diff] [review]
Patch
[Security approval request comment]
> How easily could an exploit be constructed based on the patch?
Not trivial but targeted fuzzing could help.
> Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No.
> Which older supported branches are affected by this flaw?
All.
> If not all supported branches, which bug introduced the flaw?
Bug 966743.
> Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Should apply or be trivial to rebase.
> How likely is this patch to cause regressions; how much testing does it need?
Worst case it will regress perf (benchmarks) but I don't expect anything serious.
Attachment #9011734 -
Flags: sec-approval?
Attachment #9011734 -
Flags: approval-mozilla-release?
Attachment #9011734 -
Flags: approval-mozilla-esr60?
Attachment #9011734 -
Flags: approval-mozilla-beta?
Assignee | ||
Comment 15•6 years ago
|
||
(In reply to Jan de Mooij [:jandem] from comment #14)
> > How easily could an exploit be constructed based on the patch?
>
> Not trivial but targeted fuzzing could help.
To be more clear: this *is* the kind of bug that people could figure out when doing some serious testing in this area. Landing later or a chemspill might make sense because of that.
Updated•6 years ago
|
Alias: CVE-2018-12387
If all goes as planned, ETA to land this is 10/1 am Paris time in order to gtb 10/1 afternoon Paris time.
Updated•6 years ago
|
Attachment #9011734 -
Flags: feedback?(choller)
Reporter | ||
Comment 17•6 years ago
|
||
Comment on attachment 9011734 [details] [diff] [review]
Patch
sec-approval+ and a=dveditz
Attachment #9011734 -
Flags: sec-approval?
Attachment #9011734 -
Flags: sec-approval+
Attachment #9011734 -
Flags: approval-mozilla-release?
Attachment #9011734 -
Flags: approval-mozilla-release+
Attachment #9011734 -
Flags: approval-mozilla-esr60?
Attachment #9011734 -
Flags: approval-mozilla-esr60+
Attachment #9011734 -
Flags: approval-mozilla-beta?
Attachment #9011734 -
Flags: approval-mozilla-beta+
Comment 18•6 years ago
|
||
Comment 19•6 years ago
|
||
Comment 20•6 years ago
|
||
uplift |
status-geckoview62:
affected → ---
status-thunderbird_esr60:
affected → ---
tracking-geckoview62:
+ → ---
Comment 21•6 years ago
|
||
uplift |
Updated•6 years ago
|
Group: javascript-core-security → core-security-release
Comment 22•6 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Reporter | ||
Updated•6 years ago
|
Flags: qe-verify?
Comment 23•6 years ago
|
||
Unfortunately, we don't have the bandwidth required to build Firefox with the required parameters today. If someone could do that and give us the required build, we'll do our best to accomodate this verification.
An alternative would also be if someone else to confirm the fix for this issue.
Comment 25•6 years ago
|
||
So, I was able to reproduce this error on revision aa7b44bb25aa (https://treeherder.mozilla.org/#/jobs?repo=mozilla-release&searchStr=build,debug&revision=aa7b44bb25aa)
> Assertion failure: isObject(), at z:\build\build\src\obj-firefox\dist\include\js/Value.h:792
Confirming that the assestion failure is no longer reproducing on:
- Fx 63.0b11 (rev f76a129ff2f2)
- Fx 64.0a1 (rev 7cda6e1eb528)
- ESR 60.2.2 (rev 20d20599f4e8)
- Fx 62.0.3 (rev c9ed11ae5c79)
Status: RESOLVED → VERIFIED
Flags: qe-verify?
Reporter | ||
Comment 26•6 years ago
|
||
SecuriTeam has published full details at https://blogs.securiteam.com/index.php/archives/3766 -- we can unhide this now.
Group: core-security-release
Comment 27•6 years ago
|
||
Comment on attachment 9011906 [details] [diff] [review]
Fix bailout tracking with fun.call. DO_NOT_LAND
This patch should address root cause and is probably worth landing for our future sanity. I'd suggest we leave Jan's patch in place for now. I'll add a targeted testcase too.
Attachment #9011906 -
Flags: review?(nicolas.b.pierron)
Comment 28•6 years ago
|
||
Please move any follow-up work to a new bug for proper tracking.
Comment 29•6 years ago
|
||
Comment on attachment 9011906 [details] [diff] [review]
Fix bailout tracking with fun.call. DO_NOT_LAND
Review of attachment 9011906 [details] [diff] [review]:
-----------------------------------------------------------------
This patch looks good to me, and should fix the issue. r=me on a follow-up bug.
Attachment #9011906 -
Flags: review?(nicolas.b.pierron) → feedback+
Assignee | ||
Comment 30•6 years ago
|
||
(In reply to Jan de Mooij [:jandem] from comment #24)
> NI myself to file a follow-up bug.
Clearing. Ted is adding a test and proper fix.
Flags: needinfo?(jdemooij)
You need to log in
before you can comment on or make changes to this bug.
Description
•