Closed Bug 1666570 (CVE-2020-15969) Opened 1 year ago Closed 1 year ago

Cherrypick use-after-free fix from upstream usrsctp

Categories

(Core :: WebRTC: Networking, defect, P1)

Tracking

RESOLVED FIXED
83 Branch
Tracking Status
firefox-esr78 82+ fixed
firefox81 --- wontfix
firefox82 + fixed
firefox83 + fixed

People

(Reporter: dminor, Assigned: dminor)

References

Details

(Keywords: csectype-uaf, sec-high, Whiteboard: [sec-survey][adv-main82+][adv-esr78.4+])

Attachments

(2 files, 1 obsolete file)

Use-after-free fix in the sctp stack landed here: https://github.com/sctplab/usrsctp/commit/ffed0925f27d404173c1e3e750d818f432d2c019. We should pick it up.

Comment on attachment 9177202 [details]
Bug 1666570 - Cherrypick ffed0925f27d404173c1e3e750d818f432d2c019 from usrsctp; r=drno!

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: This patch has already been made public upstream, so hopefully not easily.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: All
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Same patch should apply with minimal modifications to all affected versions. The __FBSDID string change sometimes requires a manual merge.
  • How likely is this patch to cause regressions; how much testing does it need?: Unlikely to cause regressions, this patch is already present in Chromium.
Attachment #9177202 - Flags: sec-approval?

Chrome is taking this fix, too. https://chromium.googlesource.com/chromium/src.git/+/4eef337a54cd51af5d2d12a1dd32f5581ef265d4

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No

Sort of... "cherrypick" can raise eyebrows and the referenced upstream patch clearly says "use after free". Not sure we can do much better since anyone watching that closely probably already saw the upstream and would be happy to not see it in our commits.

Comment on attachment 9177202 [details]
Bug 1666570 - Cherrypick ffed0925f27d404173c1e3e750d818f432d2c019 from usrsctp; r=drno!

sec-approval+ and a=dveditz for beta uplift. We'll need to do ESR-78 later but no need to raise the profile of this that high right now.

Attachment #9177202 - Flags: sec-approval?
Attachment #9177202 - Flags: sec-approval+
Attachment #9177202 - Flags: approval-mozilla-beta+
Group: media-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 83 Branch

Comment on attachment 9177202 [details]
Bug 1666570 - Cherrypick ffed0925f27d404173c1e3e750d818f432d2c019 from usrsctp; r=drno!

Approved for 78.4esr also.

Attachment #9177202 - Flags: approval-mozilla-esr78+
Flags: qe-verify-

As part of a security bug pattern analysis, we are requesting your help with a high-level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this Google form to reply.

Flags: needinfo?(dminor)
Whiteboard: [sec-survey]
Flags: needinfo?(dminor)
Whiteboard: [sec-survey] → [sec-survey][adv-main82+]
Attached file advisory.txt (obsolete)

Not many details about this bug, so the advisory is especially ambiguous.

Whiteboard: [sec-survey][adv-main82+] → [sec-survey][adv-main82+][adv-esr78.4+]
Group: core-security-release