Closed Bug 1607443 (CVE-2019-17026) Opened 5 years ago Closed 5 years ago

In-the-wild 0-day reported by Qihoo 360

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

Tracking

VERIFIED FIXED
mozilla74
Tracking Status
firefox-esr68 72+ verified
firefox72 + verified
firefox73 + verified
firefox74 + verified

People

(Reporter: tjr, Assigned: jandem)

References

Details

(Keywords: csectype-jit, sec-critical, Whiteboard: [adv-main72.0.1+][adv-esr68.4.1+][sec-survey])

Crash Data

Attachments

(6 files, 1 obsolete file)

Attached file RAW-EXPLOIT-POC.html

We received an email to security@:

This is Ella from Qihoo 360 ATA team. We just caught a 0day used in the wild, and it's already been exploited in active attacks in the wild. It takes advantage of the PAC script engine and it is a remote code execution issue.

Attached is the POC for your reference.

Decrypted and attached, no analysis yet.

Attached file JS shell testcase (obsolete)

Crashes a Nightly debug JS shell.

->  0x1a57593fe652: cmpq   %r11, (%r12)
    0x1a57593fe656: jne    0x1a57593fe665
    0x1a57593fe65c: cmovneq %rax, %r12
    0x1a57593fe660: jmp    0x1a57593fe67d
Target 0: (js) stopped.
(lldb) p/x $r12
(unsigned long) $0 = 0x1a1be5e5e5e5e5e5

With --no-threads I get "LoadSlot instruction returned object with unexpected type", suggesting it's a TI issue.

Attachment #9119088 - Attachment is obsolete: true

Mozregression indicates this goes back to 2016-05-23-ish

Group: core-security → javascript-core-security
Severity: normal → critical
Component: Security → JavaScript Engine: JIT
Priority: -- → P1
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
See Also: → 1607494

Hacky patch to try to catch this at runtime. It found a similar issue with MCreateThis on jsreftests (whitelisted in this patch to avoid fuzzing finding it too).

We should land a cleaned up version of this at some point.

Attachment #9119140 - Flags: feedback?(nth10sd)
Attachment #9119140 - Flags: feedback?(choller)

We should also fix the alias set for MCreateThis. The Ion specific optimizations for it seem fine. This change can be rolled into the same patch you have, Jan.

Update: We've looked at the MCreateThis case and while it is weird, it is not a sec concern and so we will leave it alone for this bug.

Comment on attachment 9119115 [details]
Bug 1607443 - Fix some alias sets. r?tcampbell!

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Active exploit
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Unknown
  • Which older supported branches are affected by this flaw?: All
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Just formatting issues.
  • How likely is this patch to cause regressions; how much testing does it need?: Patch disables optimization. Very similar to a fix deployed 6 months ago.
Attachment #9119115 - Flags: sec-approval?

Comment on attachment 9119115 [details]
Bug 1607443 - Fix some alias sets. r?tcampbell!

Beta/Release Uplift Approval Request

  • User impact if declined: Active exploit
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: Will provide targeted test to verify shortly.
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Change is straightforward and is same approach used last year without fallout.
  • String changes made/needed: No
Attachment #9119115 - Flags: approval-mozilla-release?
Attachment #9119115 - Flags: approval-mozilla-beta?

Comment on attachment 9119115 [details]
Bug 1607443 - Fix some alias sets. r?tcampbell!

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: Active exploit
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
  • String or UUID changes made by this patch:
Attachment #9119115 - Flags: approval-mozilla-esr68?

Comment on attachment 9119115 [details]
Bug 1607443 - Fix some alias sets. r?tcampbell!

sec-approved for iterating with (e.g. landing to -central, sending to try, etc). I presume we won't land it on -release/-beta/-esr until we're ready to start those builds, I think it would look fishy if we landed a sec bug to -release in a non-standard way and then let it sit for a day....

Attachment #9119115 - Flags: sec-approval? → sec-approval+

We can start the builds after landing, there will just be a few hours as we wait for builds to finish/tests to pass before we start the build promotion.

Attachment #9119115 - Flags: approval-mozilla-release?
Attachment #9119115 - Flags: approval-mozilla-release+
Attachment #9119115 - Flags: approval-mozilla-esr68?
Attachment #9119115 - Flags: approval-mozilla-esr68+
Attachment #9119115 - Flags: approval-mozilla-beta?
Attachment #9119115 - Flags: approval-mozilla-beta+
Group: core-security → core-security-release
Attached file qa_bug1607443.html

Here is one of the simplified versions wrapped up to run in the browser.

If the tab crashes, the browser is affected. You should also set the javascript.options.ion.offthread_compilation pref to false and restart the browser to make this test more reliable.

Firefox for Android crashes at [@ SprintfLiteral<T> ] - bp-d2736fa0-2763-4edc-b4d2-df6e90200108

Firefox Preview will need an internal web server to run the testcase. Download the file, open a terminal and cd to the directory the file was downloaded to, run python -m http.server, then connect to the computer running the python web server.

Crash Signature: [@ SprintfLiteral<T> ]
See Also: → 1607670

This stands for QA desktop verification.

I have managed to reproduce this issue using Firefox 73.0a1 (BuildId:20200105214143) on Windows 10 64bit with the help of the attached POC from comment 17.

This issue is verified fixed using Firefox 74.0a1 (BuildId:20200107215758), Firefox 73.0b2 (BuildId:20200107212705), Firefox 72.0.1 (BuildId:20200107212822) and Firefox 68.4.1esr (BuildId:20200107212959) on Windows 10 64bit, Ubuntu 18.04 64bit and macOS 10.14.

Updating the flags accordingly. Also pending for Mobile QA team to verify this fix as well before updating the Resolution.

Alias: CVE-2019-17026
Whiteboard: [adv-main72.0.1+][adv-esr68.4.1+]

This stands for QA mobile verification.

We have managed to reproduce the crash on older Firefox for Android versions (Fennec ESR 68) and we confirm that it is now fixed following the steps and file from comment 17.

Builds tested: RC Fennec 68.4.1 and Fennec 68.5b2.
Devices used:

  • Google Pixel 3 (Android Q)
  • Sony Xperia Z5 Premium (Android 7.1.1)
  • Google Pixel 3a (Android 9)
  • Xiaomi Mi Pad 2 (Android 5.1.1) - x86

Note that on Fenix (Firefox Preview) we were unable to check due to the fact that we don't have builds yet to verify. We will update/add the testing results here once we have the Fenix build.

FYI: [@ SprintfLiteral<T>] is what all JIT crashes on Android show these days due to oddities in the dump stack walker. Looking at dumps you will see the top frame is just a number, which is also a good sign it is a JIT crash.

Ted - is there any way to identify crashes matching this bug in crash-stats reports? We get thousands a day of SprintfLiteral<T>, but if there's something else in the signature (proto_signature?) that would identify this case we might be able to estimate how common it is. (Very possibly the answer is "no", but worth asking.) Might there be other problematic bugs lurking in the thousands of SprintfLiteral crashes per day?

Flags: needinfo?(tcampbell)

(In reply to Randell Jesup [:jesup] (needinfo me) from comment #23)

Ted - is there any way to identify crashes matching this bug in crash-stats reports? We get thousands a day of SprintfLiteral<T>, but if there's something else in the signature (proto_signature?) that would identify this case we might be able to estimate how common it is. (Very possibly the answer is "no", but worth asking.) Might there be other problematic bugs lurking in the thousands of SprintfLiteral crashes per day?

Fair question. The meta-bug for JIT crashes is Bug 858032. Occasionally we break down the numbers and look for specific bugs. We've not had much success in getting meaningful changes there. The signature casts a wide net and it is very hard to tell what is cause and what is effect.

(We are beginning to execute on our plans to overhaul major areas of the JITs in 2020 with improving security being a top-line item).

Flags: needinfo?(tcampbell)

Is there a bug open for the PAC script engine part of this?

Bug 1607494 in the see also list.

It sounds like the issue is some kind of incorrect JIT optimization, so I'm going to mark this csectype-jit.

Keywords: csectype-jit

Fenix 3.0.2 and Focus 8.0.25, GV 71.0.1-20200108003105 have been verified and no longer crash.
Devices checked:

  • Pixel 3 (Android 10)
  • Nexus 5 (Android 6.0.1)
  • Xiaomi Mi Pad 2 (Android 5.1)

I will close and mark this as verified now.

Status: RESOLVED → VERIFIED

Hi,
Focus Beta 8.0.25 GV 71.0.1 - 20200108003105, build ID: 340092236, has been verified and does not crash. Checked with Google Pixel 3a (Android 9).

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(jdemooij)
Whiteboard: [adv-main72.0.1+][adv-esr68.4.1+] → [adv-main72.0.1+][adv-esr68.4.1+][sec-survey]
Blocks: 1611085
Flags: needinfo?(jdemooij)
Attachment #9119140 - Flags: feedback?(choller)
Group: core-security-release