Closed Bug 1668514 (CVE-2020-15254) Opened 4 years ago Closed 4 years ago

Update crossbeam-channel.

Categories

(Core :: General, defect)

Tracking

RESOLVED FIXED
83 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox81 --- wontfix
firefox82 --- fixed
firefox83 --- fixed

People

(Reporter: emilio, Assigned: emilio)

Details

(Keywords: sec-high, Whiteboard: [sec-survey][adv-main82+][post-critsmash-triage])

Attachments

(2 files, 1 obsolete file)

I don't know if this can be causing issues for our users, see incoming patch.

It's used by both webrender and fog, and it contains a subtle soundness
issue which may affect us, see:

Quoting for posterity:

There is a 0.4.4 on a branch and it contains a reversion for the UB
mentioned in https://github.com/crossbeam-rs/crossbeam/pull/533.

This was causing corruption of jemalloc structures (and ultimately a
deadlock) for us.

Update the crate resolving the issue.

I've been looking at the patch, the conversations on Twitter / GitHub and talked to Emilio on Slack.
It looks like there are no obvious pointers for how to turn that into a crash (or even an exploit).
The risk if this was exploited is sec-high (memory corruption), but I can hardly see us 0day ourselves here.
I'd suggest rating this sec-high as a precaution but also allowing for speedy sec-approval.

Tom, would you agree?

Flags: needinfo?(tom)
Keywords: sec-moderate

Your analysis sounds reasonable, I don't want to hold this up, so I'll defer to you =)

Flags: needinfo?(tom)

Comment on attachment 9178973 [details]
Bug 1668514 - Update crossbeam-channel. r=jrmuizel,janerik

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: pretty hard, it's not clear if possible even.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
  • Which older supported branches are affected by this flaw?: 81,82
  • If not all supported branches, which bug introduced the flaw?: Bug 1648405
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: Trivial, not risky.
  • How likely is this patch to cause regressions; how much testing does it need?: not very risky.

Beta/Release Uplift Approval Request

  • User impact if declined: Potential weird crashes (unclear if possible)
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: none
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Simple dependency update to fix UB that can end up in memory corruption in some cases.
  • String changes made/needed: none
Attachment #9178973 - Flags: sec-approval?
Attachment #9178973 - Flags: approval-mozilla-beta?

(In reply to Frederik Braun [:freddy] from comment #2)

...
I'd suggest rating this sec-high as a precaution but also allowing for speedy sec-approval.

I set the wrong flag, oops.

Keywords: sec-moderate → sec-high

Ping for sec-approval?

Flags: needinfo?(tom)

Comment on attachment 9178973 [details]
Bug 1668514 - Update crossbeam-channel. r=jrmuizel,janerik

Approved, sorry

Flags: needinfo?(tom)
Attachment #9178973 - Flags: sec-approval? → sec-approval+
Group: core-security → core-security-release
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 83 Branch

Comment on attachment 9178973 [details]
Bug 1668514 - Update crossbeam-channel. r=jrmuizel,janerik

approved for 82.0b9

Attachment #9178973 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

As part of a security bug pattern analysis, we are requesting your help with a high-level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this Google form to reply.

Flags: needinfo?(emilio)
Whiteboard: [sec-survey]

Done!

Flags: needinfo?(emilio)
Whiteboard: [sec-survey] → [sec-survey][adv-main82+]
Flags: qe-verify-
Whiteboard: [sec-survey][adv-main82+] → [sec-survey][adv-main82+][post-critsmash-triage]
Alias: CVE-2020-15254
Attached file advisory.txt (obsolete)

Mostly copied their advisory, cleaned up grammar.

Attached file advisory.txt
Attachment #9181766 - Attachment is obsolete: true
Group: core-security-release