Closed Bug 1566482 Opened 5 years ago Closed 5 years ago

Crash [@ CharAt] through [@ mozilla::net::nsHttpTransaction::SetHttpTrailers] with invalid read

Categories

(Core :: Networking: HTTP, defect, P1)

Product:
Core
Component:
Networking: HTTP
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla70
Tracking Flags:
Tracking Status
firefox-esr60 --- wontfix
firefox-esr68 --- wontfix
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- fixed

People

(Reporter: decoder, Assigned: decoder)

References

(Regression)

Details

(4 keywords, Whiteboard: [necko-triaged][post-critsmash-triage][adv-main70+][adv-main70+r])

Crash Data

Attachments

(4 files)

Detailed Crash Information
9.68 KB, text/plain
Details
Testcase
226 bytes, application/octet-stream
Details
Full log with nsFuzzing:5,nsFuzzingNecko:5,nsHttp:5,nsSocketTransport:5,sync
86.44 KB, text/plain
Details
Bug 1566482 - Properly calculate end in SetHttpTrailers. r?dragana
47 bytes, text/x-phabricator-request
Details | Review

The attached testcase crashes on mozilla-central revision 38aa0201f645+ (build with --enable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --enable-fuzzing --disable-debug).

For detailed crash information, see attachment.

To reproduce the issue, perform the following steps:

  1. Download the attached testcase, save as "test.bin".
  2. Apply the patch from bug 1566342 to get the required fuzzing target.
  3. Build with --enable-fuzzing (requires Clang and ASan, also build gtests using ./mach gtest dontruntests).
  4. Run MOZ_RUN_GTEST=1 LIBFUZZER=1 FUZZER=NetworkHttp2 objdir/dist/bin/firefox test.bin

This issue looks like an actional invalid/out-of-bounds read. I have not investigated yet what is going on, but I will attach a full log as a start. Marking sec-high based on the assumption that this is an invalid read of some sort.

Attached file Testcase 

    
  
Crash Signature: [@ CharAt] → [@ CharAt][@ mozilla::net::nsHttpTransaction::SetHttpTrailer]
Priority: -- → P1
Whiteboard: [necko-triaged]

    
    

    
  
So the problem here is the out-of-bounds access aTrailers[newline - 1] while newline is 0. This looks like an easy fix, confirmed that the patch attached fixes the problem.


I also think this might not be exploitable because end only flows into the creation of an nsDependentCSubstring and nsTDependentSubstring<T>::Rebind checks that start and end are within bounds of the string's length (this would otherwise be a problem if an attacker could get the \r condition right and set end to -1).



    
  
Keywords: sec-highsec-other

    
    

    
  
:decoder, since this bug is a regression, could you fill (if possible) the regressed_by field?

For more information, please visit auto_nag documentation.


Flags: needinfo?(choller)
Assignee: nobody → choller
Type: -- → defect

    
  
Flags: needinfo?(choller)
Regressed by: 1429973
Group: core-security → network-core-security

    
    

    
  
https://hg.mozilla.org/integration/autoland/rev/6c522d98565a3b9829be1e79c0a9fc5cdd777cd9

https://hg.mozilla.org/mozilla-central/rev/6c522d98565a


Group: network-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 5 years ago

          status-firefox70:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla70

    
    

    
  
Given the age of the bug and the lack of reports from in the wild, I'm assuming we can let this fix ride the trains.



          status-firefox68:
          --- → wontfix

          status-firefox69:
          --- → wontfix

          status-firefox-esr60:
          --- → wontfix

          status-firefox-esr68:
          --- → wontfix
Flags: qe-verify-
Whiteboard: [necko-triaged] → [necko-triaged][post-critsmash-triage]
Whiteboard: [necko-triaged][post-critsmash-triage] → [necko-triaged][post-critsmash-triage][adv-main70+][adv-main70-rollup]
Whiteboard: [necko-triaged][post-critsmash-triage][adv-main70+][adv-main70-rollup] → [necko-triaged][post-critsmash-triage][adv-main70+][adv-main70+r]
Group: core-security-release
Has Regression Range: --- → yes

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: