Assertion failure: foundDefaultSrc (about: page must contain a CSP including default-src), at /builds/worker/checkouts/gecko/dom/security/nsContentSecurityUtils.cpp:698
Categories
(Core :: DOM: Security, defect, P2)
People
(Reporter: jkratzer, Assigned: johannh)
References
(Blocks 2 open bugs)
Details
(5 keywords, Whiteboard: [domsecurity-active][adv-main83+r])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 32d6a3f1f83c (built with --enable-debug). Testcase must be served via HTTP.
Assertion failure: foundDefaultSrc (about: page must contain a CSP including default-src), at /builds/worker/checkouts/gecko/dom/security/nsContentSecurityUtils.cpp:698
OS|Linux|0.0.0 Linux 5.3.0-28-generic #30~18.04.1-Ubuntu SMP Fri Jan 17 06:14:09 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|nsContentSecurityUtils::AssertAboutPageHasCSP(mozilla::dom::Document*)|hg:hg.mozilla.org/mozilla-central:dom/security/nsContentSecurityUtils.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|699|0x2e
0|1|libxul.so|mozilla::dom::Document::EndLoad()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|7370|0x8
0|2|libxul.so|nsXMLContentSink::DidBuildModel(bool)|hg:hg.mozilla.org/mozilla-central:dom/xml/nsXMLContentSink.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|242|0x230
0|3|libxul.so|nsParser::DidBuildModel(nsresult)|hg:hg.mozilla.org/mozilla-central:parser/htmlparser/nsParser.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|440|0x3c
0|4|libxul.so|nsParser::Terminate()|hg:hg.mozilla.org/mozilla-central:parser/htmlparser/nsParser.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|522|0x66
0|5|libxul.so|nsParser::Tokenize(bool)|hg:hg.mozilla.org/mozilla-central:parser/htmlparser/nsParser.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1418|0x8
0|6|libxul.so|nsParser::ResumeParse(bool, bool, bool)|hg:hg.mozilla.org/mozilla-central:parser/htmlparser/nsParser.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|933|0xb2
0|7|libxul.so|nsParser::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:parser/htmlparser/nsParser.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1352|0x17
0|8|libxul.so|nsDocumentOpenInfo::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsURILoader.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|252|0x1a
0|9|libxul.so|nsJARChannel::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:modules/libjar/nsJARChannel.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1040|0xc
0|10|libxul.so|nsInputStreamPump::OnStateStop()|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsInputStreamPump.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|686|0x18
0|11|libxul.so|nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsInputStreamPump.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|434|0x8
0|12|libxul.so|nsInputStreamReadyEvent::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/io/nsStreamUtils.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|93|0x6
0|13|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|1220|0xe
0|14|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|481|0x11
0|15|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|87|0xa
0|16|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|315|0x19
0|17|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|290|0x8
0|18|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|137|0xd
0|19|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|911|0x6
0|20|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|237|0x5
0|21|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|315|0x19
0|22|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:32d6a3f1f83cec54b8190f1993c7fa343406ce20|290|0x8
0|23|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|742|0xc
0|24|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|56|0x14
0|25|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|303|0x13
0|26|libc.so.6||||0x21b97
0|27|firefox-bin|__cxa_throw_bad_array_new_length|hg:hg.mozilla.org/mozilla-central:build/unix/stdc++compat/stdc++compat.cpp:32d6a3f1f83cec54b8190f1993c7fa343406ce20|82|0x12
0|28|firefox-bin||||0x10b10
0|29|ld-linux-x86-64.so.2||||0x10733
0|30|libdl.so.2||||0x202d80
0|31|libpthread.so.0||||0x219bb0
0|32|firefox-bin||||0x10b10
0|33|firefox-bin|_start|||0x29
Comment 1•5 years ago
Kind of curious why this would count as an about page - assigning to myself for investigation!
Comment 2•5 years ago
Huh, this one is interesting; it seems we are loading about:neterror without a CSP applied.
Johann, I thought all about:neterror loads rely on aboutNetError.xhtml, which has a CSP:
https://searchfox.org/mozilla-central/rev/c80fa7258c935223fe319c5345b58eae85d4c6ae/browser/base/content/aboutNetError.xhtml#22
Do you happen to know if there is any other way we could load/generate an about:neterror page?
FWIW, the detailed load that does not have a CSP is:
about:neterror?e=unknownProtocolFound&u=a%3A&c=UTF-8&f=regular&d=Firefox%20doesn%E2%80%99t%20know%20how%20to%20open%20this%20address%2C%20because%20one%20of%20the%20following%20protocols%20%28a%29%20isn%E2%80%99t%20associated%20with%20any%20program%20or%20is%20not%20allowed%20in%20this%20context.
Comment 3•5 years ago
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Comment 4•5 years ago
Quick update on the severity of that bug:
This bug is not a regression or a particular problem in any case. We added that assertion to make sure "no" about page can be added to our tree without having a CSP including a default-src directive attached. It seems that doing some fuzzing magic can also trigger that assertion, which is not particularly worrisome in the end.
Nevertheless I would still like to know/understand how a page could trigger that assertion.
Updated•5 years ago
Comment 5•5 years ago
I don't think this issue is related to our CSP at all, but it's interesting and good that we find it that way. The testcase boils down to the following:
window.addEventListener('unload', (e) => e.currentTarget.stop(), true);
by using this any site can stop the next visited site from loading, which feels fishy. I'll hide this bug out of caution, though it may be fine to open it back up. So what ends up happening here is that we try to navigate to an "unknown protocol" error page but then immediately stop loading, which, for yet unexplored reasons, results in a yellow screen of death error page. However, document.documentURI of that YSOD page is about:neterror already, and so it looks like we're missing the CSP on that page. (When it just didn't load)
Fuzzers are weird.
Updated•5 years ago
Comment 6•5 years ago
The issue doesn't seem to be present with Chrome or Safari. The above code does not prevent pages from loading (and obviously doesn't cause a YSOD either).
I think for security rating it's mostly interesting whether this gives the first site the ability to do a spoof or even a UXSS in some way. Looking into it.
Comment 7•5 years ago
Just chatted with Johann on Slack, he will take a look at it - thanks!
Comment 8•5 years ago
I couldn't find any obvious way to exploit this further from a quick look. We can probably fix the navigation issue by putting window.stop() behind nsDocShell::IsNavigationAllowed, which will also prevent any yet unknown exploits of this. It doesn't look like we're suffering from the same issue as bug 1263100, i.e. using setTimeout etc. will not work.
Updated•5 years ago
Comment 9•5 years ago
Updated•5 years ago
Updated•4 years ago
Comment 10•4 years ago
Merged to central here: https://hg.mozilla.org/mozilla-central/rev/ab76cc7b6e177f83cadcd6f3dd2cd1569a9b0c0a
Updated•4 years ago
Updated•4 years ago
Updated•4 years ago
Updated•3 years ago