AddressSanitizer: heap-buffer-overflow [@ js::LiveSavedFrameCache::FramePtr::operator==] with READ of size 1 with ReadableStream
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(4 keywords, Whiteboard: [jsbugmon:update][adv-main65+][adv-esr60.5+][post-critsmash-triage])
Attachments
(2 files)
47 bytes,
text/x-phabricator-request
|
abillings
:
approval-mozilla-beta+
abillings
:
sec-approval+
|
Details | Review |
47 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-esr60+
|
Details | Review |
Updated•6 years ago
|
Comment 1•6 years ago
|
||
Comment 2•6 years ago
|
||
Comment 3•6 years ago
|
||
Updated•6 years ago
|
Comment 4•6 years ago
|
||
Comment 5•6 years ago
|
||
Comment 6•6 years ago
|
||
Updated•6 years ago
|
Comment 7•6 years ago
|
||
Comment 8•6 years ago
|
||
Hi Jim, we've got about a week left in the Fx65 cycle before we start RC week. Have you been able to make any progress on this?
Comment 10•6 years ago
•
|
||
The assertion at hand claims that, if a frame has its hasCachedSavedFrame
bit set, then it must have a cache entry. This is untrue after we clear the cache due to compartment mismatch, but the assertion is never reached when the cache is empty - or so we had been led to believe.
Here's the scenario:
-
A capture successfully inserts two frames into the cache, setting the
hasCachedSavedFrame
bit on each. -
A second capture flushes the cache for a compartment mismatch. Now the cache is empty, although both frames still have their bits set.
-
A third capture tolerates the spurious
hasCachedSavedFrame
bits, because the cache is empty, but then OOMs after inserting only the older frame's entry. -
A fourth capture sees that there is no cache entry for the younger frame, yet the cache is not empty, and asserts.
Comment 11•6 years ago
|
||
I'd dealt with a similar case in bug 1445973, but I didn't recognize this other way for the same situation to arise.
Comment 12•6 years ago
|
||
Comment 13•6 years ago
|
||
Comment 14•6 years ago
|
||
Patch revised; new try push: https://treeherder.mozilla.org/#/jobs?repo=try&revision=928eb1251a48721c936793aeb0d2dd71b23f4bb8
Comment 15•6 years ago
|
||
This was pushed to autoland:
https://hg.mozilla.org/integration/autoland/rev/a3092a304863
Jim, this should have had sec-approval first because it's sec-high and affects all releases AFAICT. Please request that still and also Beta & ESR60 approval.
Comment 16•6 years ago
|
||
Comment on attachment 9036824 [details]
Bug 1516514: Clear the hasCachedSavedFrame bit on frames on compartment mismatch. r?jorendorff
[Security Approval Request]
How easily could an exploit be constructed based on the patch?: I don't think the patch reveals much. The bug arises from interactions between three separate JavaScript stack captures that must take place from different compartments, and requires OOMs to occur at specific points. Even after we'd reduced the test case it wasn't obvious to us why it happened. The patch just makes the code more aggressive about keeping a flag accurate, so it is not apparent from the code why that would cause a buffer underflow.
However, if one can force the bug to happen, JavaScript stack capture will pop more items off a vector than it contains, leaving the 'end' of the vector pointing outside its buffer. Subsequent attempts to push new items into the vector will then write LiveSavedFrameCache::Entry structures to those addresses, which contain data under user control (a pointer to a script url and function name; a line and column number).
Stack capture occurs whenever a JavaScript Error object is constructed, so the affected code is used in both parent and content processes. However, the attacker would presumably have less control, if any, over LiveSavedFrameCache::Entry contents in the parent process.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
Which older supported branches are affected by this flaw?: esr60
If not all supported branches, which bug introduced the flaw?: Bug 1443592
Do you have backports for the affected branches?: No
If not, how different, hard to create, and risky will they be?: They should be much the same. There is a simple variant of the patch that will guarantee a crash if the bug is triggered.
How likely is this patch to cause regressions; how much testing does it need?: It's unlikely to cause regressions.
Comment 17•6 years ago
|
||
Comment on attachment 9036824 [details]
Bug 1516514: Clear the hasCachedSavedFrame bit on frames on compartment mismatch. r?jorendorff
Sigh.
Approvals given after the fact in discussion with Ryan.
Comment 18•6 years ago
|
||
(In reply to Al Billings [:abillings] from comment #17)
Sigh.
Yeah. I'm sorry. I will be more careful in the future.
Comment 19•6 years ago
|
||
uplift |
Comment 20•6 years ago
|
||
Comment 21•6 years ago
|
||
Updated•6 years ago
|
Updated•6 years ago
|
Comment 22•6 years ago
|
||
https://hg.mozilla.org/releases/mozilla-esr60/rev/256453759958
Note for anybody verifying this later that the ESR60 patch is just making this a safe crash because it doesn't have the clearHasCachedSavedFrame method.
Updated•6 years ago
|
Updated•6 years ago
|
Updated•6 years ago
|
Comment 23•6 years ago
|
||
Updated•5 years ago
|
Updated•5 years ago
|
Description
•