Stack-Based-Buffer Overflow when parsing specific URLs in Firefox 68.0
Categories
(Core :: Networking, defect, P1)
Tracking
()
People
(Reporter: parzel, Assigned: CuveeHsu)
References
Details
(Keywords: csectype-dos, Whiteboard: [sg:dos][reporter-external] [client-bounty-form] [verif?][necko-triaged])
Attachments
(4 files)
While testing I copied a lot of URLs into the address bar and noticed an immediate crash in Firefox 68.0 64 bit on Arch Linux. I created a small POC which I have attached to this bug report which crashes the current Firefox version downloaded from here: https://download.mozilla.org/?product=firefox-latest-ssl&os=linux64&lang=en-US
The exploitable gdb plugin (https://github.com/jfoote/exploitable) states:
Description: Stack overflow Short description: StackOverflow (11/22) Hash: 92f47cab494c8674ca62d91d4fac2c8f.bde238e9b5ba53d3ab19877af7a7d7a8 Exploitability Classification: PROBABLY_EXPLOITABLE Explanation: The target crashed on an access violation where the faulting ins truction's mnemonic and the stack pointer seem to indicate a stack overflow. Other tags: AccessViolation (21/22)
Comment 2•5 years ago
|
||
This is crashing on the socket thread, and I'm guessing URI parsing is involved, so I'm moving this to networking.
There's no stack, so it is hard to tell what is going on.
For what it is worth, the test case didn't crash for me on Firefox 70 on OSX.
Thanks for the quick response. Should I change the title? I based it on the assumptions the plugin is working correct but in this case I should probably change it. I also could not replicate the crash on the Nightly.
Comment 4•5 years ago
|
||
I'll update the title to be a little shorter. Usually we don't treat stack overflow as serious security issues without a more specific indication of a threat.
Dragana, do you know who might look at this URI parsing issue while Valentin is on PTO? Thanks. It looks like whatever this is got fixed at some point, so I'm not sure how much investigation is needed.
Comment 5•5 years ago
|
||
Junior can you take a look? Thanks.
Assignee | ||
Comment 6•5 years ago
|
||
Yes I can reproduce in linux.
Updated•5 years ago
|
Updated•5 years ago
|
Assignee | ||
Comment 7•5 years ago
|
||
Thoughts:
(a) I've fixed the root cause which is stack overflow by recursion. Upload patch soon.
(b) I worry about TRRService::TRRBlacklist
which might be stack overflow in the future. Not easy to rewrite the recursion to iteration.
(c) Another approach is: When we resolve DNS, the length should be limit by 255 (RFC 1035 2.3.4) or 253 for excluding root label [1]
However, our UI doesn't reflect the failure in [2], which ease the crash but is still confused. (no error shows)
On the other hand, Chrome seems not blocking the DNS resolution for long host.
cc :annevk for the spec part
[1] https://www.unicode.org/reports/tr46/#ToASCII
[2] https://searchfox.org/mozilla-central/rev/22b330ecb3edba1536a54887060cbdd09db21c59/netwerk/dns/nsDNSService2.cpp#748
Assignee | ||
Comment 8•5 years ago
|
||
Updated•5 years ago
|
Comment 9•5 years ago
|
||
"StackOverflow" is not the same as "Stack Buffer Overflow". The former is typically not exploitable -- it means the stack ran out of space so the OS killed the process. Recursion (as here) is a common culprit. Whether this testcase crashes for people is going to depend on how much memory they have, so it'll be easier to crash on a consumer machine than one of our beefy developer machines.
Comment 10•5 years ago
|
||
This appears to be a stack-overflow (recursion issue) not a stack buffer overflow.
Comment 11•5 years ago
|
||
I can reproduce on this m-c.
BuildID=20190717093640
SourceStamp=29e9dde37bd231a94959394554154ede52670c65
I did need to increase the size of the URL in the test case to reproduce with an ASan build on Linux.
Comment 12•5 years ago
|
||
Pushed by juhsu@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/14d39d1a41bc rewrite trr exclusion algorithm to iteration r=mayhemer
Comment 13•5 years ago
|
||
bugherder |
Comment 14•5 years ago
|
||
This seems like a fix that can ride the trains, but feel free to nominate for uplift if you feel strongly otherwise.
Comment 15•5 years ago
|
||
Unfortunately this bug does not qualify for the security bug bounty.
Updated•5 years ago
|
Comment 16•5 years ago
|
||
I reproduced this issue using Ubuntu 18.04 LTS and Windows 10 x64 on Fx 68.0. I can confirm this issue is fixed, I verified using Fx 70.0b5 on Windows 10 x64, Ubuntu 18.04 and macOS 10.13.6.
Description
•