Closed Bug 1677590 Opened 4 years ago Closed 3 years ago

stack-buffer-overflow in [@ sdp_parse_error]

Categories

(Core :: WebRTC: Signaling, defect, P1)

Product:
Core
Component:
WebRTC: Signaling
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
86 Branch
Tracking Flags:
Tracking Status
firefox-esr78 85+ fixed
firefox84 --- wontfix
firefox85 + fixed
firefox86 + fixed

People

(Reporter: tsmith, Assigned: drno)

References

Details

(Keywords: oss-fuzz, sec-high, Whiteboard: [disclosure 2021-02-15][adv-main85+r][adv-esr78.7+r][sec-survey])

Attachments

(3 files)

clusterfuzz-testcase-minimized-SdpParser-4737518792343552
602 bytes, application/octet-stream
Details
Bug 1677590: improved SDP parser error handling. r=ng
47 bytes, text/x-phabricator-request
jcristau
: approval-mozilla-beta+
tjr
: sec-approval+
Details | Review
bug1677590_esr78.patch
1.77 KB, patch
RyanVM
: approval-mozilla-esr78+
Details | Diff | Splinter Review

This was found via the SdpParser fuzzer in oss-fuzz.

==1==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd0befe390 at pc 0x55cc4f7da2d4 bp 0x7ffd0befd6b0 sp 0x7ffd0befce38
READ of size 257 at 0x7ffd0befe390 thread T0
    #0 0x55cc4f7da2d3 in firefox
    #1 0x7f2f167028dd in flex_string_vsprintf mozilla-central/third_party/sipcc/cpr_string.c:198:22
    #2 0x7f2f1674de80 in sdp_parse_error mozilla-central/third_party/sipcc/sdp_main.c:1361:5
    #3 0x7f2f16723f04 in sdp_parse_attr_cpar mozilla-central/third_party/sipcc/sdp_attr.c:2915:9
    #4 0x7f2f1670c47b in sdp_parse_attribute mozilla-central/third_party/sipcc/sdp_attr.c:185:14
    #5 0x7f2f1674e812 in sdp_parse mozilla-central/third_party/sipcc/sdp_main.c:1164:18
    #6 0x7f2f1f06128e in mozilla::SipccSdpParser::Parse(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) mozilla-central/dom/media/webrtc/sdp/SipccSdpParser.cpp:67:25
    #7 0x7f2f15d1a702 in RunSdpParserFuzzing(unsigned char const*, unsigned long) mozilla-central/dom/media/webrtc/tests/fuzztests/sdp_parser_libfuzz.cpp:25:20
    #1 0x55cc4f9ed4ae in firefox
    #2 0x55cc4f9dc3e4 in firefox
    #3 0x55cc4f9e0ac1 in firefox
    #11 0x7f2f24420770 in mozilla::FuzzerRunner::Run(int*, char***) mozilla-central/tools/fuzzing/interface/harness/FuzzerRunner.cpp:75:13
    #12 0x7f2f24354872 in XREMain::XRE_mainStartup(bool*) mozilla-central/toolkit/xre/nsAppRunner.cpp:4190:35
    #13 0x7f2f24365fea in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) mozilla-central/toolkit/xre/nsAppRunner.cpp:5262:12
    #14 0x7f2f24366e40 in XRE_main(int, char**, mozilla::BootstrapConfig const&) mozilla-central/toolkit/xre/nsAppRunner.cpp:5331:21
    #15 0x7f2f243808b0 in mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) mozilla-central/toolkit/xre/Bootstrap.cpp:45:12
    #4 0x55cc4f868daa in firefox
    #17 0x7f2f3e78783f in __libc_start_main (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_firefox_6180546f5e5f1d75138bf6cea3784693af7a2aa9/revisions/lib/libc.so.6+0x2083f)
    #18 0x55cc4f7bbef8 in _start (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_firefox_6180546f5e5f1d75138bf6cea3784693af7a2aa9/revisions/firefox/firefox+0xb9ef8)

DEDUP_TOKEN: flex_string_vsprintf--sdp_parse_error
Address 0x7ffd0befe390 is located in stack of thread T0 at offset 304 in frame
    #0 0x7f2f1672393f in sdp_parse_attr_cpar mozilla-central/third_party/sipcc/sdp_attr.c:2853

DEDUP_TOKEN: sdp_parse_attr_cpar
  This frame has 2 object(s):
    [32, 36) 'result' (line 2855)
    [48, 304) 'tmp' (line 2859) <== Memory access at offset 304 overflows this variable

Is our copy of sipcc up to date wrt any recent security fixes?

Flags: needinfo?(drno)
Keywords: sec-high
Whiteboard: [disclosure early-mid Feb]
Whiteboard: [disclosure early-mid Feb] → [disclosure 2021-02-15]

(In reply to Daniel Veditz [:dveditz] from comment #1)

Is our copy of sipcc up to date wrt any recent security fixes?

Unfortunately sipcc was a one time code drop from Cisco and is not something we can sync from regularly. I'll see if I can find an owner for this.

Flags: needinfo?(drno)
Assignee: nobody → drno

Byron, what do you think about always terminating the output buffer: https://searchfox.org/mozilla-central/source/third_party/sipcc/sdp_utils.c#99 ?

Flags: needinfo?(docfaraday)

Seems reasonable.

Flags: needinfo?(docfaraday)

The severity field is not set for this bug.
:ng, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(na-g)
Severity: -- → S1
Priority: -- → P1

Comment on attachment 9190458 [details]
Bug 1677590: improved SDP parser error handling. r=ng

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: I think it is probably pretty easy to figure out that this patch is addressing missing zero termination.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: All
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: Highly unlikely as the issue is in part of the code which is not utilized for Firefox WebRTC functionality at all.
Attachment #9190458 - Flags: sec-approval?

Nils, are you saying that this code is not reachable in Firefox; and is just a fix so the fuzzer doesn't find and re-report it? If so, this can be changed to sec-other and sec-approval is not needed.

Flags: needinfo?(drno)

(In reply to Tom Ritter [:tjr] (ni? for response to sec-[advisories/bounties/ratings/cves]) from comment #9)

Nils, are you saying that this code is not reachable in Firefox; and is just a fix so the fuzzer doesn't find and re-report it? If so, this can be changed to sec-other and sec-approval is not needed.

SDP is a text blob which gets passed in via JS into our parser. Thus an attacker who knows about this issue can very easily craft an SDP text blob which triggers this bug. But unfortunately our SDP parser supports lots of tokens which are never used in WebRTC (because it was a one time gift from a different product which supported a lot more features then needed in WebRTC).
After parsing Firefox ignores these unused tokens. And no other browser will ever create these tokens. That is why it is highly unlikely that they will cause regressions.

Flags: needinfo?(drno)

Comment on attachment 9190458 [details]
Bug 1677590: improved SDP parser error handling. r=ng

Approved to land Jan 13th

Attachment #9190458 - Flags: sec-approval? → sec-approval+

https://hg.mozilla.org/integration/autoland/rev/cbe57264ea8bfa1537a7b425270939ca27baac91
https://hg.mozilla.org/mozilla-central/rev/cbe57264ea8b

Please submit the uplift requests.

Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox86: affectedfixed
Flags: needinfo?(drno)
Resolution: --- → FIXED
Target Milestone: --- → 86 Branch
Flags: needinfo?(na-g)

Comment on attachment 9190458 [details]
Bug 1677590: improved SDP parser error handling. r=ng

Beta/Release Uplift Approval Request

  • User impact if declined: Could potentially be abused to take over Firefox remotely.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This code never gets triggered in normal WebRTC calls. So it should only get executed when someone tries to find a problem in our parser, which unfortunately parses more then it needs to.
  • String changes made/needed: N/A
Flags: needinfo?(drno)
Attachment #9190458 - Flags: approval-mozilla-beta?

Comment on attachment 9191731 [details] [diff] [review]
bug1677590_esr78.patch

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-high
  • User impact if declined: Could potentially be abused to take over Firefox remotely.
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This code never gets triggered in normal WebRTC calls. So it should only get executed when someone tries to find a problem in our parser, which unfortunately parses more then it needs to.
  • String or UUID changes made by this patch: N/A
Attachment #9191731 - Flags: approval-mozilla-esr78?

Comment on attachment 9190458 [details]
Bug 1677590: improved SDP parser error handling. r=ng

approved for 85.0b9

Attachment #9190458 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment on attachment 9191731 [details] [diff] [review]
bug1677590_esr78.patch

Approved for 78.7esr.

Attachment #9191731 - Flags: approval-mozilla-esr78? → approval-mozilla-esr78+
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [disclosure 2021-02-15] → [disclosure 2021-02-15][adv-main85+r]
Whiteboard: [disclosure 2021-02-15][adv-main85+r] → [disclosure 2021-02-15][adv-main85+r][adv-esr78.7+r]

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(drno)
Whiteboard: [disclosure 2021-02-15][adv-main85+r][adv-esr78.7+r] → [disclosure 2021-02-15][adv-main85+r][adv-esr78.7+r][sec-survey]
Group: core-security-release
Flags: needinfo?(drno)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: