Cherry-pick recent upstream security fix 1992: usrsctp: out-of-bounds reads in sctp_load_addresses_from_init
Categories: Core :: Networking, defect
People: Reporter: jib, Assigned: dminor
Details: Keywords: csectype-bounds, sec-moderate; Whiteboard: [post-critsmash-triage][adv-main74+][adv-esr68.6+]
Attachments (3 files, 1 obsolete file):
- 47 bytes, text/x-phabricator-request; flags: RyanVM: approval-mozilla-beta+, RyanVM: approval-mozilla-esr68+, tjr: sec-approval+
- 47 bytes, text/x-phabricator-request; flags: RyanVM: approval-mozilla-beta+, RyanVM: approval-mozilla-esr68+, tjr: sec-approval+
- 369 bytes, text/plain
See https://bugs.chromium.org/p/project-zero/issues/detail?id=1992 and
https://github.com/sctplab/usrsctp/commit/790a7a2555aefb392a5a69923f1e9d17b4968467
It looks like we haven't applied this yet: https://searchfox.org/mozilla-central/rev/3811b11b5773c1dccfe8228bfc7143b10a9a2a99/netwerk/sctp/src/netinet/sctp_auth.c#1458
Comment 1•5 years ago
Upstream bug is now publicly visible as 90 day disclosure deadline has expired.
Comment 2•5 years ago
Not the same bug, but is this a security fix, too?
https://github.com/sctplab/usrsctp/commit/0d166efa09c02d3d20d6379d31e7193178a620dc
Comment 3•5 years ago
How old is our copy of sctp? I can't find a version in a header file, but seems quite out of date according to https://searchfox.org/mozilla-central/source/netwerk/sctp/sctp_update.log#19
bug 1400563 might have been the last change we made to this code (Sept 2019).
Comment 4•5 years ago
I don't see any recent (post 2018) sctp bugfixes that the Chrome team flagged as security issues:
https://bugs.chromium.org/p/chromium/issues/list?q=component%3ABlink%3EWebRTC%20sctp%20type%3DBug-security&can=1&sort=-m
On the other hand these separate libraries are fuzzed and fixed independently and then uplifted to Chrome and sometimes don't communicate all the things that are actually fixed.
Comment 5•5 years ago
(In reply to Daniel Veditz [:dveditz] from comment #3)
> How old is our copy of sctp? I can't find a version in a header file, but seems quite out of date according to https://searchfox.org/mozilla-central/source/netwerk/sctp/sctp_update.log#19
> bug 1400563 might have been the last change we made to this code (Sept 2019).
I was actually surprised we had updated that recently (2017). I filed Bug 1613889 to track doing a new update, but I'll do the cherry pick here, because we'll need to figure out resourcing and prioritization for doing an update.
Comment 6•5 years ago
Comment 7•5 years ago
Depends on D62071
Comment 8•5 years ago
Updates are generally pretty easy for SCTP; I would only update to a known-good version, preferably one also being used by the chrome team.
I can help if needed.
Comment 9•5 years ago
Comment on attachment 9125119 [details]
Bug 1613765 - Cherry pick upstream sctp revision 0d166e; r=ng!
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Unfortunately these patches are already public on the upstream repo so this question is moot.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: All
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: I expect the same patch to apply cleanly.
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely since these are cherry picks from upstream.
Comment 10•5 years ago
Comment on attachment 9125119 [details]
Bug 1613765 - Cherry pick upstream sctp revision 0d166e; r=ng!
Approved to land and request uplift.
Comment 11•5 years ago
Comment on attachment 9125119 [details]
Bug 1613765 - Cherry pick upstream sctp revision 0d166e; r=ng!
Beta/Release Uplift Approval Request
- User impact if declined: Potential security problems.
- Is this code covered by automated tests?: Unknown
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Low risk, this has already landed upstream.
- String changes made/needed: None
Comment 12•5 years ago
Are these patches going to land on m-c also or are we going straight to bug 1613889 there? I think the former is preferable, FWIW.
Comment 13•5 years ago
(In reply to Ryan VanderMeulen [:RyanVM] from comment #12)
> Are these patches going to land on m-c also or are we going straight to bug 1613889 there? I think the former is preferable, FWIW.
Sorry, I forgot to land these! Thanks for catching that.
Comment 14•5 years ago
https://hg.mozilla.org/integration/autoland/rev/efae21ce39a548a2ff2bb3849677628953046b1c
https://hg.mozilla.org/integration/autoland/rev/ecc0e7770308d4818efc63070d704d0de4a2a51c
https://hg.mozilla.org/mozilla-central/rev/efae21ce39a5
https://hg.mozilla.org/mozilla-central/rev/ecc0e7770308
Comment 15•5 years ago
Comment on attachment 9125118 [details]
Bug 1613765 - Cherry pick upstream sctp revision 790a7a2; r=ng!
Fixes a publicly-disclosed sec bug in sctp. Approved for 74.0b5.
Comment 16•5 years ago
uplift
https://hg.mozilla.org/releases/mozilla-beta/rev/23240642f474
https://hg.mozilla.org/releases/mozilla-beta/rev/ea4d832cdde2
Does this need an ESR68 approval request too? Both patches graft cleanly.
Comment 17•5 years ago
Comment on attachment 9125119 [details]
Bug 1613765 - Cherry pick upstream sctp revision 0d166e; r=ng!
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Fixes publicly disclosed vulnerability in libsctp.
- User impact if declined: Potential crashes / security problems.
- Fix Landed on Version: 75
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This is a cherry pick of an upstream fix.
- String or UUID changes made by this patch: None
Comment 18•5 years ago
Comment on attachment 9125118 [details]
Bug 1613765 - Cherry pick upstream sctp revision 790a7a2; r=ng!
Approved for 68.6esr.
Comment 19•5 years ago
uplift
Comment 20•5 years ago
Comment 21•5 years ago