Closed Bug 1524214 Opened 5 years ago Closed 5 years ago

Could be use-after-free of `capturingContent` in PresShell::HandleEvent()

Categories

(Core :: DOM: UI Events & Focus Handling, defect)

Product:
Core
Component:
DOM: UI Events & Focus Handling
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla67
Tracking Flags:
Tracking Status
firefox-esr60 66+ fixed
firefox65 --- wontfix
firefox66 + fixed
firefox67 + fixed

People

(Reporter: masayuki, Assigned: masayuki)

Details

(Keywords: csectype-uaf, sec-high, Whiteboard: [adv-main66+][adv-esr60.6+])

Attachments

(2 files)

Bug 1524214 - Grab caching capturing content with local variable
47 bytes, text/x-phabricator-request
abillings
: sec-approval+
Details | Review
Bug 1524214 - Grab caching capturing content with local variable (for beta, release and esr60)
47 bytes, text/x-phabricator-request
abillings
: approval-mozilla-beta+
RyanVM
: approval-mozilla-release-
RyanVM
: approval-mozilla-esr60+
Details | Review

While I'm working on bug 1466208, I found this bug.

Here is nsIContent* variable:
https://searchfox.org/mozilla-central/rev/78cd247b5d7a08832f87d786541d3e2204842e8e/layout/base/PresShell.cpp#6523-6527

And this will be referred here:
https://searchfox.org/mozilla-central/rev/78cd247b5d7a08832f87d786541d3e2204842e8e/layout/base/PresShell.cpp#6645-6648

However, immediately before that, some script may be run with a call of Document::UnlockPointer() and a call of FlushThrottledStyles().

https://searchfox.org/mozilla-central/rev/78cd247b5d7a08832f87d786541d3e2204842e8e/layout/base/PresShell.cpp#6616,6620-6624,6645-6648

So, capturingContent should be nsCOMPtr<nsIContent>.

I don't know whether this causes actual security issue or not, though.

Comment on attachment 9040384 [details]
Bug 1524214 - Grab caching capturing content with local variable

Security Approval Request

How easily could an exploit be constructed based on the patch?

I guess that just to make crash the user's browser, it might be easy to do that with removing the DOM node from script which is kicked by flushing animation. However, it might be no problem if somebody else grabs the DOM node with a strong pointer, though.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No

Which older supported branches are affected by this flaw?

ESR60

If not all supported branches, which bug introduced the flaw?

None

Do you have backports for the affected branches?

Yes

If not, how different, hard to create, and risky will they be?

How likely is this patch to cause regressions; how much testing does it need?

Won't cause any regressions due to switching a raw pointer variable to a strong pointer variable. But the patch is too simple. Therefore, I have no idea to hide the change from commit message. So, it might make the attackers realize what is problem.

Attachment #9040384 - Flags: sec-approval?

Comment on attachment 9040385 [details]
Bug 1524214 - Grab caching capturing content with local variable (for beta, release and esr60)

Security Approval Request

How easily could an exploit be constructed based on the patch?

I guess that just to make crash the user's browser, it might be easy to do that with removing the DOM node from script which is kicked by flushing animation. However, it might be no problem if somebody else grabs the DOM node with a strong pointer, though.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No

Which older supported branches are affected by this flaw?

ESR60

If not all supported branches, which bug introduced the flaw?

None

Do you have backports for the affected branches?

Yes

If not, how different, hard to create, and risky will they be?

How likely is this patch to cause regressions; how much testing does it need?

Won't cause any regressions due to switching a raw pointer variable to a strong pointer variable. But the patch is too simple. Therefore, I have no idea to hide the change from commit message. So, it might make the attackers realize what is problem.

Attachment #9040385 - Flags: sec-approval?

Comment on attachment 9040385 [details]
Bug 1524214 - Grab caching capturing content with local variable (for beta, release and esr60)

Beta/Release Uplift Approval Request

Feature/Bug causing the regression

None

User impact if declined

Potential use-after-free risk at handling most events. After caching the pointing device capturing DOM node, some DOM events may be fired and then, we refer the cached node.

Is this code covered by automated tests?

No

Has the fix been verified in Nightly?

No

Needs manual test from QE?

No

If yes, steps to reproduce

List of other uplifts needed

None

Risk to taking this patch

Low

Why is the change risky/not risky? (and alternatives if risky)

Just switching a raw pointer to a strong pointer.

String changes made/needed

none.

ESR Uplift Approval Request

If this is not a sec:{high,crit} bug, please state case for ESR consideration

This is sec-high.

User impact if declined

See request for Beta/Release Uplift Approval Request.

Fix Landed on Version

Risk to taking this patch

Low

Why is the change risky/not risky? (and alternatives if risky)

See request for Beta/Release Uplift Approval Request.

String or UUID changes made by this patch

none.

Attachment #9040385 - Flags: approval-mozilla-release?
Attachment #9040385 - Flags: approval-mozilla-esr60?
Attachment #9040385 - Flags: approval-mozilla-beta?

Comment on attachment 9040384 [details]
Bug 1524214 - Grab caching capturing content with local variable

sec-approval+ for trunk.

I'm not sure why approval for release has been requested. I'll approve for beta as well.

Attachment #9040384 - Flags: sec-approval? → sec-approval+
Attachment #9040385 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

I'm not sure why approval for release has been requested. I'll approve for beta as well.

I meant it for dot release because of really safe fix.

Group: core-security → dom-core-security
Attachment #9040385 - Flags: sec-approval?

https://hg.mozilla.org/integration/autoland/rev/e53f607940cb5e1db1bb7eeb3c5c0bc6f4b0d608
https://hg.mozilla.org/mozilla-central/rev/e53f607940cb

Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox67: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla67

Comment on attachment 9040385 [details]
Bug 1524214 - Grab caching capturing content with local variable (for beta, release and esr60)

I don't think we need to go out of our way to ship this in a dot release. Let's let it ride with 66/60.6esr.

Attachment #9040385 - Flags: approval-mozilla-release? → approval-mozilla-release-
Flags: qe-verify-

Comment on attachment 9040385 [details]
Bug 1524214 - Grab caching capturing content with local variable (for beta, release and esr60)

Sec-high fix. Approved for 60.6esr.

Attachment #9040385 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
Component: Event Handling → User events and focus handling
Whiteboard: [adv-main66+][adv-esr60.6+]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: