Closed Bug 1565912 Opened 5 years ago Closed 5 years ago

Stack-Based-Buffer Overflow when parsing specific URLs in Firefox 68.0

Categories

(Core :: Networking, defect, P1)

Product:
Core
Component:
Networking
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla70
Tracking Flags:
Tracking Status
firefox-esr68 --- wontfix
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- verified

People

(Reporter: parzel, Assigned: CuveeHsu)

References

Details

(Keywords: csectype-dos, Whiteboard: [sg:dos][reporter-external] [client-bounty-form] [verif?][necko-triaged])

Attachments

(4 files)

poc.html
3.16 KB, text/html
Details
crashtrace.txt
7.98 KB, text/plain
Details
Bug 1565912 - rewrite trr exclusion algorithm to iteration
47 bytes, text/x-phabricator-request
Details | Review
asan_log.txt
35.26 KB, text/plain
Details
Attached file poc.html

While testing I copied a lot of URLs into the address bar and noticed an immediate crash in Firefox 68.0 64 bit on Arch Linux. I created a small POC which I have attached to this bug report which crashes the current Firefox version downloaded from here: https://download.mozilla.org/?product=firefox-latest-ssl&os=linux64&lang=en-US

The exploitable gdb plugin (https://github.com/jfoote/exploitable) states:

Description: Stack overflow Short description: StackOverflow (11/22) Hash: 92f47cab494c8674ca62d91d4fac2c8f.bde238e9b5ba53d3ab19877af7a7d7a8 Exploitability Classification: PROBABLY_EXPLOITABLE Explanation: The target crashed on an access violation where the faulting ins truction's mnemonic and the stack pointer seem to indicate a stack overflow. Other tags: AccessViolation (21/22)

Flags: sec-bounty?
Summary: Stack overflow through URL in Firefox 68.0 might lead to RCE → Suspected Stack-Based-Buffer Overflow when parsing specific URLs in Firefox 68.0 might lead to RCE
Attached file crashtrace.txt
Severity: normal → critical
Type: task → defect

This is crashing on the socket thread, and I'm guessing URI parsing is involved, so I'm moving this to networking.

There's no stack, so it is hard to tell what is going on.

For what it is worth, the test case didn't crash for me on Firefox 70 on OSX.

Group: firefox-core-security → network-core-security
Component: Security → Networking
Product: Firefox → Core

Thanks for the quick response. Should I change the title? I based it on the assumptions the plugin is working correct but in this case I should probably change it. I also could not replicate the crash on the Nightly.

I'll update the title to be a little shorter. Usually we don't treat stack overflow as serious security issues without a more specific indication of a threat.

Dragana, do you know who might look at this URI parsing issue while Valentin is on PTO? Thanks. It looks like whatever this is got fixed at some point, so I'm not sure how much investigation is needed.

status-firefox68: --- → affected
status-firefox69: --- → ?
status-firefox70: --- → unaffected
Flags: needinfo?(dd.mozilla)
Summary: Suspected Stack-Based-Buffer Overflow when parsing specific URLs in Firefox 68.0 might lead to RCE → Stack-Based-Buffer Overflow when parsing specific URLs in Firefox 68.0

Junior can you take a look? Thanks.

Flags: needinfo?(dd.mozilla) → needinfo?(juhsu)

Yes I can reproduce in linux.

Assignee: nobody → juhsu
Flags: needinfo?(juhsu)
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P1
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][necko-triaged]

Thoughts:
(a) I've fixed the root cause which is stack overflow by recursion. Upload patch soon.
(b) I worry about TRRService::TRRBlacklist which might be stack overflow in the future. Not easy to rewrite the recursion to iteration.
(c) Another approach is: When we resolve DNS, the length should be limit by 255 (RFC 1035 2.3.4) or 253 for excluding root label [1]
However, our UI doesn't reflect the failure in [2], which ease the crash but is still confused. (no error shows)
On the other hand, Chrome seems not blocking the DNS resolution for long host.

cc :annevk for the spec part

[1] https://www.unicode.org/reports/tr46/#ToASCII
[2] https://searchfox.org/mozilla-central/rev/22b330ecb3edba1536a54887060cbdd09db21c59/netwerk/dns/nsDNSService2.cpp#748

Attachment #9078542 - Attachment description: rewrite trr exclusion algorithm to iteration → Bug 1565912 - rewrite trr exclusion algorithm to iteration

"StackOverflow" is not the same as "Stack Buffer Overflow". The former is typically not exploitable -- it means the stack ran out of space so the OS killed the process. Recursion (as here) is a common culprit. Whether this testcase crashes for people is going to depend on how much memory they have, so it'll be easier to crash on a consumer machine than one of our beefy developer machines.

Group: network-core-security
Keywords: csectype-dos
Whiteboard: [reporter-external] [client-bounty-form] [verif?][necko-triaged] → [sg:dos][reporter-external] [client-bounty-form] [verif?][necko-triaged]
Attached file asan_log.txt

This appears to be a stack-overflow (recursion issue) not a stack buffer overflow.

I can reproduce on this m-c.
BuildID=20190717093640
SourceStamp=29e9dde37bd231a94959394554154ede52670c65

I did need to increase the size of the URL in the test case to reproduce with an ASan build on Linux.

status-firefox69: ?affected
status-firefox70: unaffectedaffected
status-firefox-esr68: --- → affected
Pushed by juhsu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/14d39d1a41bc
rewrite trr exclusion algorithm to iteration r=mayhemer

https://hg.mozilla.org/mozilla-central/rev/14d39d1a41bc

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox70: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
Depends on: 1567346

This seems like a fix that can ride the trains, but feel free to nominate for uplift if you feel strongly otherwise.

status-firefox68: affectedwontfix
status-firefox69: affectedwontfix
status-firefox-esr68: affectedwontfix

Unfortunately this bug does not qualify for the security bug bounty.

Flags: sec-bounty? → sec-bounty-
Flags: qe-verify+

I reproduced this issue using Ubuntu 18.04 LTS and Windows 10 x64 on Fx 68.0. I can confirm this issue is fixed, I verified using Fx 70.0b5 on Windows 10 x64, Ubuntu 18.04 and macOS 10.13.6.

Status: RESOLVED → VERIFIED
status-firefox70: fixedverified
Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: