Closed Bug 1550498 Opened 5 years ago Closed 5 years ago

Clone connection info object with unprotected mHashKey when sending it between threads on more places

Categories

(Core :: Networking: HTTP, defect, P1)

Product:
Core
Component:
Networking: HTTP
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla68
Tracking Flags:
Tracking Status
firefox-esr60 68+ fixed
firefox67 --- wontfix
firefox68 + fixed

People

(Reporter: mayhemer, Assigned: mayhemer)

Details

(Keywords: crash, csectype-uaf, sec-high, Whiteboard: [necko-triaged][post-critsmash-triage][adv-main68+][adv-esr60.8+])

Attachments

(2 files)

Bug 1550498, r=kershaw
47 bytes, text/x-phabricator-request
abillings
: sec-approval+
Details | Review
esr60
1.43 KB, patch
RyanVM
: approval-mozilla-esr60+
Details | Diff | Splinter Review
Assignee: nobody → honzab.moz
Status: NEW → ASSIGNED

(In reply to Honza Bambas (:mayhemer) from comment #0)

+++ This bug was initially created as a clone of Bug #1548822 +++

There are more places to fix by cloning CI:

I rather moved this to nsHttpHandler::SpeculativeConnect, other callers already provide a stable clone

I'm thinking of making the connection info object imutable (similarly to how we handle uris these days) to make this really safe and clear, but that is for a followup.

Attached file Bug 1550498, r=kershaw

Comment on attachment 9063803 [details]
Bug 1550498, r=kershaw

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Please see https://bugzilla.mozilla.org/show_bug.cgi?id=1548822#c6, the approval comment is exactly the same as should be for this bug.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
  • Which older supported branches are affected by this flaw?:
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?:
Attachment #9063803 - Flags: sec-approval?

Comment on attachment 9063803 [details]
Bug 1550498, r=kershaw

sec-approval+ for trunk.

Attachment #9063803 - Flags: sec-approval? → sec-approval+
Keywords: checkin-needed

https://hg.mozilla.org/mozilla-central/rev/7bfe542574a9

Group: network-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox68: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68

Please rebase this for ESR60 and nominate it for approval when you get a chance.

status-firefox67: --- → wontfix
status-firefox-esr60: --- → affected
tracking-firefox68: --- → +
tracking-firefox-esr60: --- → 68+
Flags: needinfo?(honzab.moz)

Will do.

Flags: needinfo?(honzab.moz)
Flags: qe-verify-
Whiteboard: [necko-triaged] → [necko-triaged][post-critsmash-triage]

Please proceed with that ESR60 rebase and approval request :)

Flags: needinfo?(honzab.moz)
Attached patch esr60Splinter Review

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: UAF
  • Fix Landed on Version: 68
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): trivial patch
  • String or UUID changes made by this patch:
Flags: needinfo?(honzab.moz)
Attachment #9075168 - Flags: approval-mozilla-esr60?
Comment on attachment 9075168 [details] [diff] [review]
esr60

Fixes a Necko sec bug. Approved for 60.8esr.
Attachment #9075168 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
Whiteboard: [necko-triaged][post-critsmash-triage] → [necko-triaged][post-critsmash-triage][adv-main68+][adv-esr60.8+]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: