Closed Bug 1643437 (CVE-2020-12420) Opened 1 year ago Closed 1 year ago

Crash in [@ nr_ice_component_process_incoming_check]

Categories

(Core :: WebRTC: Networking, defect, P1)

defect

Tracking

()

RESOLVED FIXED
mozilla79
Tracking Status
firefox-esr68 78+ fixed
firefox-esr78 78+ fixed
firefox77 --- wontfix
firefox78 + fixed
firefox79 + fixed

People

(Reporter: bwc, Assigned: bwc)

References

Details

(Keywords: crash, csectype-uaf, sec-high, Whiteboard: [adv-main78+r][adv-esr68.10+r][sec-survey])

Crash Data

Attachments

(1 file)

This bug is for crash report bp-54620aeb-8b4a-4d7d-ac49-122e50200604.

Top 10 frames of crashing thread:

0 xul.dll nr_ice_component_process_incoming_check media/mtransport/third_party/nICEr/src/ice/ice_component.c:905
1 xul.dll nr_ice_component_stun_server_cb media/mtransport/third_party/nICEr/src/ice/ice_component.c:1003
2 xul.dll nr_stun_server_process_request media/mtransport/third_party/nICEr/src/stun/stun_server_ctx.c:327
3 xul.dll nr_ice_socket_readable_cb media/mtransport/third_party/nICEr/src/ice/ice_socket.c:120
4 xul.dll mozilla::NrUdpSocketIpc::recv_callback_s media/mtransport/nr_socket_prsock.cpp:1594
5 xul.dll static std::_Invoker_pmf_pointer::_Call<void  
6 xul.dll mozilla::runnable_args_memfn<RefPtr<mozilla::NrUdpSocketIpc>, void  media/mtransport/runnable_utils.h:121
7 xul.dll mozilla::detail::runnable_args_base<mozilla::detail::NoResult>::Run media/mtransport/runnable_utils.h:41
8 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1211
9 xul.dll NS_ProcessNextEvent xpcom/threads/nsThreadUtils.cpp:501

Seems to be happening on all release channels.

Group: core-security → media-core-security

It is a little hard to determine what is going on here, since it looks like the stack is not quite complete, but one possibility is that |pair| is a dangling pointer.

Filed cover bug 1644477.

Depends on: 1644477

Includes removing an error code for a function that never fails, and removing
an error return when the function successfully did what it said it would.

Comment on attachment 9155334 [details]
Bug 1643437: (Copy of patch on cover bug) Make candidate pair insertion code easier to read/understand.

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Probably pretty difficult, since it does not look like a sec-bug fix.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Pretty easy.
  • How likely is this patch to cause regressions; how much testing does it need?: Unlikely to cause regressions.
Attachment #9155334 - Flags: sec-approval?

Comment on attachment 9155334 [details]
Bug 1643437: (Copy of patch on cover bug) Make candidate pair insertion code easier to read/understand.

sec-approval+

Attachment #9155334 - Flags: sec-approval? → sec-approval+

Looks like cover bug landed successfully. Please nominate it for Beta and ESR68 approval when you get a chance. It grafts cleanly to both as-landed.

Group: media-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(docfaraday)
Resolution: --- → FIXED
Target Milestone: --- → mozilla79

Done.

Flags: needinfo?(docfaraday)

I am not sure that this is fixed just yet; we'll have to wait and see whether bug 1644477 solved the problem.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---

The patch landed in nightly and beta is affected.
:bwc, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(docfaraday)

Flags are being set in other bugs.

Flags: needinfo?(docfaraday)

It looks like bug 1644477 probably solved this, yes. I'm going to mark this fixed for now.

Status: REOPENED → RESOLVED
Closed: 1 year ago1 year ago
Resolution: --- → FIXED
Whiteboard: [adv-main78+r] → [adv-main78+r][adv-esr68.10+r]
See Also: → 1643446

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(docfaraday)
Whiteboard: [adv-main78+r][adv-esr68.10+r] → [adv-main78+r][adv-esr68.10+r][sec-survey]
Flags: needinfo?(docfaraday)
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.