Cherrypick use-after-free fix from upstream usrsctp
Categories: Core :: WebRTC: Networking, defect, P1
People: Reporter: dminor, Assigned: dminor
Keywords: csectype-uaf, sec-high
Whiteboard: [sec-survey][adv-main82+][adv-esr78.4+]
Attachments (2 files, 1 obsolete file)
- 47 bytes, text/x-phabricator-request; flags: dveditz: approval-mozilla-beta+, RyanVM: approval-mozilla-esr78+, dveditz: sec-approval+
- 209 bytes, text/plain
Use-after-free fix in the sctp stack landed here: https://github.com/sctplab/usrsctp/commit/ffed0925f27d404173c1e3e750d818f432d2c019. We should pick it up.
Comment 1•4 years ago
Comment 2•4 years ago
Comment on attachment 9177202 [details]
Bug 1666570 - Cherrypick ffed0925f27d404173c1e3e750d818f432d2c019 from usrsctp; r=drno!
Security Approval Request
- How easily could an exploit be constructed based on the patch?: This patch has already been made public upstream, so hopefully not easily.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: All
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: Same patch should apply with minimal modifications to all affected versions. The __FBSDID string change sometimes requires a manual merge.
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely to cause regressions; this patch is already present in Chromium.
Comment 3•4 years ago
Chrome is taking this fix, too. https://chromium.googlesource.com/chromium/src.git/+/4eef337a54cd51af5d2d12a1dd32f5581ef265d4
> Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
Sort of... "cherrypick" can raise eyebrows and the referenced upstream patch clearly says "use after free". Not sure we can do much better since anyone watching that closely probably already saw the upstream and would be happy to not see it in our commits.
Comment 4•4 years ago
Comment on attachment 9177202 [details]
Bug 1666570 - Cherrypick ffed0925f27d404173c1e3e750d818f432d2c019 from usrsctp; r=drno!
sec-approval+ and a=dveditz for beta uplift. We'll need to do ESR-78 later but no need to raise the profile of this that high right now.
Comment 5•4 years ago
https://hg.mozilla.org/integration/autoland/rev/ed2a659e965f27943d9b0c15d6e78d14e1ce9cb2
https://hg.mozilla.org/mozilla-central/rev/ed2a659e965f
Comment 6•4 years ago
Comment on attachment 9177202 [details]
Bug 1666570 - Cherrypick ffed0925f27d404173c1e3e750d818f432d2c019 from usrsctp; r=drno!
Approved for 78.4esr also.
Comment 7•4 years ago
uplift
Comment 8•4 years ago
uplift
Comment 9•4 years ago
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this Google form to reply.
Comment 10•4 years ago
Not many details about this bug, so the advisory is especially ambiguous.
Comment 11•4 years ago