Closed Bug 1522987 Opened 5 years ago Closed 5 years ago

<area>s don't get their frame pointers properly cleared if inside shadow trees.

Categories

(Core :: Layout: Images, Video, and HTML Frames, defect)

Product:
Core
Component:
Layout: Images, Video, and HTML Frames
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla67
Tracking Flags:
Tracking Status
firefox-esr60 --- disabled
firefox64 --- wontfix
firefox65 --- wontfix
firefox66 + verified
firefox67 + verified

People

(Reporter: emilio, Assigned: emilio)

References

Details

(Keywords: csectype-uaf, sec-high, Whiteboard: [post-critsmash-triage][adv-main66+])

Attachments

(2 files)

Testcase
1.06 KB, text/html
Details
Bug 1522987 - Cleanup frames for areas properly.
47 bytes, text/x-phabricator-request
lizzard
: approval-mozilla-beta+
abillings
: sec-approval+
Details | Review
Attached file Testcase
No description provided.
Group: core-security

Comment on attachment 9039241 [details]
Bug 1522987 - Cleanup frames for areas properly.

Security Approval Request

How easily could an exploit be constructed based on the patch?

Easily, with a bit of knowledge of browser internals.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

Yes

Which older supported branches are affected by this flaw?

63+ presumably

If not all supported branches, which bug introduced the flaw?

Shadow DOM

Do you have backports for the affected branches?

Yes

If not, how different, hard to create, and risky will they be?

How likely is this patch to cause regressions; how much testing does it need?

Not likely.

Attachment #9039241 - Flags: sec-approval?

Al, Daniel, mind giving this a sec rating? It's effectively frame poisoning but can end up in UAF really, if the iframe's shell goes away.

Flags: needinfo?(dveditz)
Flags: needinfo?(abillings)
Group: core-security → layout-core-security
status-firefox64: --- → wontfix
status-firefox65: --- → wontfix
status-firefox66: --- → affected
status-firefox-esr60: --- → disabled
tracking-firefox66: --- → +
Flags: needinfo?(dveditz)
Keywords: csectype-uaf, sec-high
Flags: needinfo?(abillings)

Comment on attachment 9039241 [details]
Bug 1522987 - Cleanup frames for areas properly.

Sec-approval for checkin on February 12, two weeks into the new cycle.

Whiteboard: [checkin on 2/12]
Attachment #9039241 - Flags: sec-approval? → sec-approval+

https://hg.mozilla.org/integration/autoland/rev/bac61e8bf3a1

Please request Beta approval on this when you get a chance. It grafts cleanly as-landed.

status-firefox67: --- → affected
tracking-firefox67: --- → +
Flags: needinfo?(emilio)
Whiteboard: [checkin on 2/12]

Comment on attachment 9039241 [details]
Bug 1522987 - Cleanup frames for areas properly.

Beta/Release Uplift Approval Request

Feature/Bug causing the regression

Shadow DOM

User impact if declined

Security-sensitive crashes.

Is this code covered by automated tests?

No

Has the fix been verified in Nightly?

No

Needs manual test from QE?

No

If yes, steps to reproduce

Can try the crashtest I attached to this bug if needed.

List of other uplifts needed

None

Risk to taking this patch

Low

Why is the change risky/not risky? (and alternatives if risky)

Very minor patch doing some cleanup more consistently.

String changes made/needed

none

Flags: needinfo?(emilio)
Attachment #9039241 - Flags: approval-mozilla-beta?

https://hg.mozilla.org/mozilla-central/rev/bac61e8bf3a1

Group: layout-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox67: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla67

Do the follow up patches mean that you'd need something similar for beta uplift as well?

Flags: needinfo?(emilio)

Yeah, though the followup patch is just reducing an expected assertion count in a test.

Flags: needinfo?(emilio)

Comment on attachment 9039241 [details]
Bug 1522987 - Cleanup frames for areas properly.

Avoids a crash, let's uplift for beta 8.

Attachment #9039241 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]

Need to remember to land the crashtest.

Flags: in-testsuite?
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][qa-triaged]

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:67.0) Gecko/20100101 Firefox/67.0
Build ID: 20190220040540

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:66.0) Gecko/20100101 Firefox/66.0
Build ID: 20190218131312

Verified as fixed on the latest Nightly build (v67) and on the latest Beta build (v66.0b9).

Status: RESOLVED → VERIFIED
status-firefox66: fixedverified
status-firefox67: fixedverified
Flags: qe-verify+
QA Whiteboard: [qa-triaged]
Whiteboard: [post-critsmash-triage][qa-triaged] → [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main66+]

Do you know if I can land the crashtest now that the fix is in all release channels?

Flags: needinfo?(abillings)

(In reply to Emilio Cobos Álvarez (:emilio) from comment #16)

Do you know if I can land the crashtest now that the fix is in all release channels?

Updates have barely started so most of our users are still affected. I'd suggest waiting another week and a half.

Flags: needinfo?(abillings)
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: