AddressSanitizer: heap-use-after-free nsTArray.h:372:37 in Length
Categories
(Core :: DOM: Service Workers, defect, P2)
Tracking
()
People
(Reporter: bc, Assigned: ytausky)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-uaf, sec-moderate, Whiteboard: [post-critsmash-triage][adv-main72+r][adv-esr68.4+r])
Attachments
(2 files)
47 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr68+
tjr
:
sec-approval+
|
Details | Review |
47 bytes,
text/x-phabricator-request
|
Details | Review |
Updated•6 years ago
|
Comment 1•6 years ago
|
||
Reporter | ||
Comment 2•6 years ago
|
||
Updated•6 years ago
|
Assignee | ||
Comment 3•6 years ago
|
||
It looks like StreamControl::CloseAllReadStreams
drains its mReadStreamList
and on the last iteration line [1] reaches all the way down to [2], which deletes the this
while StreamControl::CloseAllReadStreams
still holds a reference to a member of the deleted object.
[1] https://searchfox.org/mozilla-central/source/dom/cache/StreamControl.cpp#62
[2] https://searchfox.org/mozilla-central/source/dom/cache/CacheStreamControlParent.cpp#149
Assignee | ||
Comment 4•6 years ago
|
||
I think we could trigger this reliably in a test by adding the result of a hanging fetch to the cache and then shutting down (i.e. make the server stop sending data in the middle of the stream without resetting the connection). I'll try it next week.
Assignee | ||
Updated•6 years ago
|
Assignee | ||
Comment 5•6 years ago
|
||
I dug a little deeper and found out that the offending code path is only used when retrieving something from the cache, not the other way around. This makes it somewhat hard to test, because the timing needs to be just right. I'll put this on hold for a while.
Assignee | ||
Comment 6•5 years ago
|
||
Assignee | ||
Comment 7•5 years ago
|
||
Hopefully this comment would prevent a future contributor from
removing the copy operation.
Assignee | ||
Comment 8•5 years ago
|
||
Comment on attachment 9112554 [details]
Bug 1507180 - Make copy of list before iterating over it
Security Approval Request
- How easily could an exploit be constructed based on the patch?: I don't think it's obvious, but I'm not sure.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: All
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: The same patch should apply cleanly to all supported branches.
- How likely is this patch to cause regressions; how much testing does it need?: Very unlikely.
Comment 10•5 years ago
|
||
Comment on attachment 9112554 [details]
Bug 1507180 - Make copy of list before iterating over it
The patch is pretty obvious what the problem is; but given it's a hard to reproduce race in the parent (where you have limited grooming capability) I think it's okay to land now and request uplift.
Comment 11•5 years ago
|
||
https://hg.mozilla.org/integration/autoland/rev/cdf525897bffc445c4c860225ecb42eda5925a86
https://hg.mozilla.org/mozilla-central/rev/cdf525897bff
Comment 12•5 years ago
|
||
Please nominate this patch for Beta and ESR68 approval when you get a chance.
Assignee | ||
Comment 13•5 years ago
|
||
Comment on attachment 9112554 [details]
Bug 1507180 - Make copy of list before iterating over it
Beta/Release Uplift Approval Request
- User impact if declined: If an exploit for this emerges, it could be used against users of beta.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): It's not risky because it's a one line change that creates a copy of a list and iterates over it instead of the original.
- String changes made/needed: None
Assignee | ||
Comment 14•5 years ago
|
||
Comment on attachment 9112554 [details]
Bug 1507180 - Make copy of list before iterating over it
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: It's a low-risk fix.
- User impact if declined: If an exploit for this emerges, it could be used against users of ESR.
- Fix Landed on Version: 73
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): It's not risky because it's a straightforward one line change.
- String or UUID changes made by this patch: None
Comment 15•5 years ago
|
||
Comment on attachment 9112554 [details]
Bug 1507180 - Make copy of list before iterating over it
Fixes a service worker UAF bug. Approved for 72.0b6 and 68.4esr.
Comment 16•5 years ago
|
||
uplift |
Comment 17•5 years ago
|
||
uplift |
Updated•5 years ago
|
Updated•5 years ago
|
Updated•5 years ago
|
Comment 18•5 years ago
|
||
The explanatory comment of D55424 did not yet make it to mozilla-central. Can you please take care of it?
Updated•5 years ago
|
Updated•5 years ago
|
Comment 19•5 years ago
|
||
Comment 20•5 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/25beb671c14a
Shall it also be ported to beta etc.?
Comment 21•5 years ago
|
||
(In reply to Sebastian Hengst [:aryx] (needinfo on intermittent or backout) from comment #20)
Shall it also be ported to beta etc.?
I don't think we need to. It's just a comment and it's not likely to be something that other uplifts would depend on in their patch context.
Updated•5 years ago
|
Description
•