Closed Bug 1637430 Opened 5 years ago Closed 5 years ago

Bounds check ref.func function index in global initializers

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

Product:
Core
Component:
JavaScript: WebAssembly
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla78
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox76 --- unaffected
firefox77 --- disabled
firefox78 --- fixed

People

(Reporter: rhunt, Assigned: rhunt)

References

(Regression)

Details

(Keywords: csectype-bounds, regression, sec-high, Whiteboard: [post-critsmash-triage][sec-survey])

Attachments

(2 files)

Bug 1637430 - Validate ref.func indices in global initializers. r?lth
47 bytes, text/x-phabricator-request
Details | Review
Bug 1637430 - Add tests. r?lth
47 bytes, text/x-phabricator-request
Details | Review

The decoder for ref.func in wasm globals doesn't bounds check the function index and later code assumes that it's valid [1] [2].

Being a bit paranoid here, I'm not sure if this could be exploited. This code is nightly only and this is a recent regression.

[1] https://searchfox.org/mozilla-central/rev/0688ffdef223dac527c2fcdb25560118c4e4df51/js/src/wasm/WasmValidate.cpp#2309
[2] https://searchfox.org/mozilla-central/rev/0688ffdef223dac527c2fcdb25560118c4e4df51/js/src/wasm/WasmGenerator.cpp#401

Depends on D74970

Group: core-security → javascript-core-security

Set release status flags based on info from the regressing bug 1612804

status-firefox76: --- → unaffected
status-firefox77: --- → affected
status-firefox78: --- → affected
Attachment #9147791 - Attachment description: Bug 1637430 - Bounds check ref.func indices in global initializers. r?lth → Bug 1637430 - Validate ref.func indices in global initializers. r?lth

Being equally paranoid we'll call this sec-high. We should never ever trust wasm to be well formed.

Keywords: csectype-bounds, sec-high

https://hg.mozilla.org/integration/autoland/rev/51706a543abf9fd2ad8812eb145db67f81c39217
https://hg.mozilla.org/mozilla-central/rev/51706a543abf

Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox78: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla78
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(rhunt)
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][sec-survey]

Submitted.

Flags: needinfo?(rhunt)
Group: core-security-release

Test case has bitrotted: file moved from .../gc/... to .../ref-types/... and when suitably fixed it fails with a bunch of unrelated assertions, but this looks like it's localized to the test runner (conflicting definitions of globalSection). Will update and land.

Actually, Ryan - did this land, but without closing the patch? There's code at the bottom of ref-types/ref-func.js that looks a lot like this, but some of the names are changed.

Flags: needinfo?(rhunt)

I don't think this landed, which code are you looking at? This code [1] doesn't seem to be it.

Also, I can rebase the patch and land it now.

[1] https://searchfox.org/mozilla-central/rev/2a24205479519e70c0574929f45730d285141584/js/src/jit-test/tests/wasm/ref-types/ref-func.js#210

Flags: needinfo?(rhunt)

Ah, Cranelift uses a different failure message here and I didn't test on ARM64.

Flags: needinfo?(rhunt)
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: