Closed Bug 1634923 Opened 5 years ago Closed 5 years ago

Remove ESR version spoofing case for Firefox version < 78

Categories

(Core :: DOM: Security, task, P3)

Tracking

RESOLVED FIXED
mozilla78
Tracking Status
firefox-esr68 --- unaffected
firefox75 --- unaffected
firefox76 --- wontfix
firefox77 --- wontfix
firefox78 --- fixed

People

(Reporter: cpeterson, Assigned: cpeterson)

Details

(Whiteboard: [domsecurity-active])

Attachments

(2 files)

When the Fx78 Nightly cycle starts next week, we can remove ESR version spoofing's special case for Firefox versions < 78 (added in Fx76 by bug 1599188). Fx78 will be the next ESR version.

Status: NEW → ASSIGNED
Whiteboard: [domsecurity-active]
Pushed by cpeterson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/fbceeeb4aa7d Remove ESR version spoofing's special case for Firefox versions < 78. r=ethan

Backed out for assertion failures on nsRFPService.cpp

backout: https://hg.mozilla.org/integration/autoland/rev/c31fffdb52a74cc35387d8112c7519cd1cb0e482

push: https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=fbceeeb4aa7d64c7f99a8c722233aa1161397577&searchStr=xpcshell&selectedTaskRun=JUbU0xLCSpeduKQURnI5GA-0

failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=302052551&repo=autoland&lineNumber=3466

[task 2020-05-13T04:58:40.955Z] 04:58:40 INFO - PID 20936 | Assertion failure: spoofedVersion >= kKnownEsrVersion && spoofedVersion <= firefoxVersion && (spoofedVersion - kKnownEsrVersion) % 13 == 0, at /builds/worker/checkouts/gecko/toolkit/components/resistfingerprinting/nsRFPService.cpp:707
[task 2020-05-13T04:58:40.963Z] 04:58:40 INFO - Initializing stack-fixing for the first stack frame, this may take a while...
[task 2020-05-13T04:58:49.847Z] 04:58:49 INFO - PID 20936 | #01: mozilla::net::nsHttpHandler::Init() [netwerk/protocol/http/nsHttpHandler.cpp:486]
[task 2020-05-13T04:58:49.849Z] 04:58:49 INFO - PID 20936 | #02: mozilla::net::nsHttpHandler::GetInstance() [netwerk/protocol/http/nsHttpHandler.cpp:180]
[task 2020-05-13T04:58:49.849Z] 04:58:49 INFO - PID 20936 | #03: already_AddRefed<nsISupports> mozCreateComponent<mozilla::net::nsHttpHandler>() [netwerk/build/nsNetModule.cpp:61]
[task 2020-05-13T04:58:49.850Z] 04:58:49 INFO - PID 20936 | #04: mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) [s3:gecko-generated-sources:2bac65a488711040f9115b54e1202e6a8921b3fb59de30c0aee89af29f8c899b1f273243e98a4340bd9f7e913e9be7347ba0f317869590207dd6dd4f148cf33d/xpcom/components/StaticComponents.cpp::8689]
[task 2020-05-13T04:58:49.850Z] 04:58:49 INFO - PID 20936 | #05: nsComponentManagerImpl::GetServiceLocked((anonymous namespace)::MutexLock&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) [xpcom/components/nsComponentManager.cpp:1372]
[task 2020-05-13T04:58:49.850Z] 04:58:49 INFO - PID 20936 | #06: nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) [xpcom/components/nsComponentManager.cpp:1559]
[task 2020-05-13T04:58:49.851Z] 04:58:49 INFO - PID 20936 | #07: <name omitted> [xpcom/components/nsComponentManagerUtils.cpp:244]
[task 2020-05-13T04:58:49.852Z] 04:58:49 INFO - PID 20936 | #08: nsCOMPtr<nsIProtocolHandler>::assign_from_gs_contractid(nsGetServiceByContractID, nsID const&) [xpcom/base/nsCOMPtr.h:1222]
[task 2020-05-13T04:58:49.853Z] 04:58:49 INFO - PID 20936 | #09: mozilla::net::nsHttpsHandler::Init() [netwerk/protocol/http/nsHttpHandler.cpp:2577]
[task 2020-05-13T04:58:49.853Z] 04:58:49 INFO - PID 20936 | #10: already_AddRefed<nsISupports> mozCreateComponent<mozilla::net::nsHttpsHandler>() [netwerk/build/nsNetModule.cpp:67]
[task 2020-05-13T04:58:49.853Z] 04:58:49 INFO - PID 20936 | #11: mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) [s3:gecko-generated-sources:2bac65a488711040f9115b54e1202e6a8921b3fb59de30c0aee89af29f8c899b1f273243e98a4340bd9f7e913e9be7347ba0f317869590207dd6dd4f148cf33d/xpcom/components/StaticComponents.cpp::9162]
[task 2020-05-13T04:58:49.854Z] 04:58:49 INFO - PID 20936 | #12: nsComponentManagerImpl::GetServiceLocked((anonymous namespace)::MutexLock&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) [xpcom/components/nsComponentManager.cpp:1372]
[task 2020-05-13T04:58:49.854Z] 04:58:49 INFO - PID 20936 | #13: nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) [xpcom/components/nsComponentManager.cpp:1559]
[task 2020-05-13T04:58:49.855Z] 04:58:49 INFO - PID 20936 | #14: mozilla::net::nsIOService::GetProtocolHandler(char const*, nsIProtocolHandler**) [netwerk/base/nsIOService.cpp:820]
[task 2020-05-13T04:58:49.856Z] 04:58:49 INFO - PID 20936 | #15: mozilla::net::nsIOService::ProtocolHasFlags(nsIURI*, unsigned int, bool*) [netwerk/base/nsIOService.cpp:1656]
[task 2020-05-13T04:58:49.856Z] 04:58:49 INFO - PID 20936 | #16: mozilla::net::nsIOService::URIChainHasFlags(nsIURI*, unsigned int, bool*) [netwerk/base/nsIOService.cpp:1667]
[task 2020-05-13T04:58:49.857Z] 04:58:49 INFO - PID 20936 | #17: NS_URIChainHasFlags(nsIURI*, unsigned int, bool*) [netwerk/base/nsNetUtil.cpp:2297]
[task 2020-05-13T04:58:49.857Z] 04:58:49 INFO - PID 20936 | #18: mozilla::BasePrincipal::CreateContentPrincipal(nsIURI*, mozilla::OriginAttributes const&, nsTSubstring<char> const&) [caps/BasePrincipal.cpp:988]
[task 2020-05-13T04:58:49.858Z] 04:58:49 INFO - PID 20936 | #19: mozilla::BasePrincipal::CreateContentPrincipal(nsIURI*, mozilla::OriginAttributes const&) [caps/BasePrincipal.cpp:0]
[task 2020-05-13T04:58:49.858Z] 04:58:49 INFO - PID 20936 | #20: mozilla::(anonymous namespace)::GetPrincipalFromOrigin(nsTSubstring<char> const&, bool, nsIPrincipal**) [extensions/permissions/PermissionManager.cpp:263]
[task 2020-05-13T04:58:49.859Z] 04:58:49 INFO - PID 20936 | #21: mozilla::PermissionManager::ImportLatestDefaults() [extensions/permissions/PermissionManager.cpp:3381]
[task 2020-05-13T04:58:49.859Z] 04:58:49 INFO - PID 20936 | #22: mozilla::PermissionManager::EnsureReadCompleted() [extensions/permissions/PermissionManager.cpp:3224]
[task 2020-05-13T04:58:49.860Z] 04:58:49 INFO - PID 20936 | #23: mozilla::detail::RunnableFunction<mozilla::PermissionManager::InitDB(bool)::$_3::operator()() const::{lambda()#1}>::Run() [xpcom/threads/nsThreadUtils.h:575]
[task 2020-05-13T04:58:49.860Z] 04:58:49 INFO - PID 20936 | #24: nsThread::ProcessNextEvent(bool, bool*) [xpcom/threads/nsThread.cpp:1211]
[task 2020-05-13T04:58:49.861Z] 04:58:49 INFO - PID 20936 | #25: NS_ProcessNextEvent(nsIThread*, bool) [xpcom/threads/nsThreadUtils.cpp:501]
[task 2020-05-13T04:58:49.861Z] 04:58:49 INFO - PID 20936 | #26: nsThreadManager::SpinEventLoopUntilInternal(nsINestedEventLoopCondition*, bool) [xpcom/threads/nsThreadManager.cpp:693]
[task 2020-05-13T04:58:49.862Z] 04:58:49 INFO - PID 20936 | #27: ??? [/builds/worker/workspace/build/application/firefox/libxul.so + 0x10fac9a]
[task 2020-05-13T04:58:49.863Z] 04:58:49 INFO - PID 20936 | #28: CallMethodHelper::Call() [js/xpconnect/src/XPCWrappedNative.cpp:1175]
[task 2020-05-13T04:58:49.863Z] 04:58:49 INFO - PID 20936 | #29: XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) [js/xpconnect/src/XPCWrappedNative.cpp:1141]
[task 2020-05-13T04:58:49.864Z] 04:58:49 INFO - PID 20936 | #30: XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) [js/xpconnect/src/XPCWrappedNativeJSOps.cpp:946]
[task 2020-05-13T04:58:49.864Z] 04:58:49 INFO - PID 20936 | #31: CallJSNative(JSContext*, bool ()(JSContext, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) [js/src/vm/Interpreter.cpp:493]
[task 2020-05-13T04:58:49.865Z] 04:58:49 INFO - PID 20936 | #32: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) [js/src/vm/Interpreter.cpp:585]
[task 2020-05-13T04:58:49.865Z] 04:58:49 INFO - PID 20936 | #33: Interpret(JSContext*, js::RunState&) [js/src/vm/Interpreter.cpp:0]
[task 2020-05-13T04:58:49.866Z] 04:58:49 INFO - PID 20936 | #34: js::RunScript(JSContext*, js::RunState&) [js/src/vm/Interpreter.cpp:465]
[task 2020-05-13T04:58:49.867Z] 04:58:49 INFO - PID 20936 | #35: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) [js/src/vm/Interpreter.cpp:620]
[task 2020-05-13T04:58:49.867Z] 04:58:49 INFO - PID 20936 | #36: js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) [js/src/jit/BaselineIC.cpp:2990]
[task 2020-05-13T04:58:49.868Z] 04:58:49 INFO - PID 20936 | #37: ??? (???:???)
[task 2020-05-13T04:58:49.868Z] 04:58:49 INFO - PID 20936 | ExceptionHandler::GenerateDump cloned child 20949
[task 2020-05-13T04:58:49.868Z] 04:58:49 INFO - PID 20936 | ExceptionHandler::SendContinueSignalToChild sent continue signal to child
[task 2020-05-13T04:58:49.869Z] 04:58:49 INFO - PID 20936 | ExceptionHandler::WaitForContinueSignal waiting for continue signal...
[task 2020-05-13T04:58:49.869Z] 04:58:49 INFO - <<<<<<<

Also crashes on [@ mozilla::nsRFPService::GetSpoofedUserAgent(nsTSubstring<char>&, bool)]

Flags: needinfo?(cpeterson)

[task 2020-05-13T04:58:40.955Z] 04:58:40 INFO - PID 20936 | Assertion failure: spoofedVersion >= kKnownEsrVersion && spoofedVersion <= firefoxVersion && (spoofedVersion - kKnownEsrVersion) % 13 == 0, at /builds/worker/checkouts/gecko/toolkit/components/resistfingerprinting/nsRFPService.cpp:707

The problem is that some add-on tests reset the Firefox version to 1:

https://searchfox.org/mozilla-central/rev/9f074fab9bf905fad62e7cc32faf121195f4ba46/browser/components/extensions/test/xpcshell/test_ext_chrome_settings_overrides_update.js#17,20

Which causes the spoofedVersion logic's unsigned int subtraction to wrap around to 4294967287, which fails the spoofedVersion <= firefoxVersion assertion:

https://searchfox.org/mozilla-central/rev/9f074fab9bf905fad62e7cc32faf121195f4ba46/toolkit/components/resistfingerprinting/nsRFPService.cpp#709-710,713

This spoofedVersion wraparound was a silent, preexisting problem. It was caught here because I added a version range check assertion (in bug 1599188) and then removed the spoofedVersion lower bound in this patch.

Flags: needinfo?(cpeterson)

(In reply to Chris Peterson [:cpeterson] from comment #4)

> This spoofedVersion wraparound was a silent, preexisting problem. It was caught here because I added a version range check assertion (in bug 1599188) and then removed the spoofedVersion lower bound in this patch.

I don't know why the MOZ_ASSERT(((firefoxVersion % 8) == 4) assertion didn't fail previously in the ESR 68 builds for firefoxVersion == 1. (1 % 8 == 1, not 4.) Are these add-on tests not run on the ESR channel?

https://searchfox.org/mozilla-central/diff/37555789488d7bcfbf283abe7c2ef62a6b6404ea/toolkit/components/resistfingerprinting/nsRFPService.cpp#674-677

We need to retain a check for low Firefox versions after all to avoid spoofed version assertion failures (which I added in another bug). Some add-on tests set the Firefox version to low numbers like 1 or 42, which causes the spoofed version calculation's unsigned int subtraction to wrap around zero to Firefox versions like 4294967287. This function should always return an ESR version, so return kKnownEsrVersion for those cases. Replace ESR version spoofing's hardcoded Firefox versions 68 and 78 with kKnownEsrVersion.

Pushed by cpeterson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6e3ec75f2e31 GetSpoofedVersion() should always return a valid ESR version. r=ethan
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla78
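
The wraparound and the guard discussed in this bug, as an added example that is not Mozilla's code. The formula is an assumed reconstruction that is consistent with the assertion in the failure log and reproduces the reported value 4294967287 for version 1; `kKnownEsrVersion = 78`, `kEsrCadence` and the function names are assumptions of this example.

```cpp
#include <cstdint>
#include <cstdio>

// Assumed constants: 78 is the ESR version named in the bug; the 13-release
// cadence comes from the "% 13" term in the failing assertion.
static const uint32_t kKnownEsrVersion = 78;
static const uint32_t kEsrCadence = 13;

// Unguarded form (hypothetical reconstruction): with no lower-bound check,
// firefoxVersion < kKnownEsrVersion makes the unsigned subtraction wrap.
uint32_t SpoofedVersionUnguarded(uint32_t firefoxVersion) {
  return firefoxVersion - ((firefoxVersion - kKnownEsrVersion) % kEsrCadence);
}

// The range invariant taken from the assertion in the failure log.
bool IsValidSpoofedVersion(uint32_t spoofedVersion, uint32_t firefoxVersion) {
  return spoofedVersion >= kKnownEsrVersion &&
         spoofedVersion <= firefoxVersion &&
         (spoofedVersion - kKnownEsrVersion) % kEsrCadence == 0;
}

// Guarded form: versions below the known ESR return kKnownEsrVersion before
// any subtraction happens, as the final patch description states.
uint32_t SpoofedVersionGuarded(uint32_t firefoxVersion) {
  if (firefoxVersion < kKnownEsrVersion) {
    return kKnownEsrVersion;
  }
  return SpoofedVersionUnguarded(firefoxVersion);
}

int main() {
  // Constructed inputs: 1 and 42 are the test-harness versions named in the
  // bug; the rest bracket the ESR boundaries.
  const uint32_t samples[] = {1, 42, 77, 78, 90, 91, 103, 104};
  for (uint32_t v : samples) {
    uint32_t u = SpoofedVersionUnguarded(v);
    std::printf("version %3u: unguarded=%10u (%s)  guarded=%3u\n",
                (unsigned)v, (unsigned)u,
                IsValidSpoofedVersion(u, v) ? "ok" : "ASSERT",
                (unsigned)SpoofedVersionGuarded(v));
  }
  return 0;
}
```

Version 42 does not produce a huge number: the inner subtraction wraps, but the result is 30, which violates the lower bound of the invariant rather than the upper one.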