Closed Bug 1694727 (CVE-2021-24001) Opened 3 years ago Closed 3 years ago

ContentParent::RecvSessionHistoryUpdate should not work outside of automation

Categories

(Core :: DOM: Navigation, defect, P2)

Product:
Core
Component:
DOM: Navigation
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
88 Branch
Project Flags:
Fission Milestone M7a
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox86 --- wontfix
firefox87 --- wontfix
firefox88 --- fixed

People

(Reporter: mccr8, Assigned: smaug)

References

(Blocks 1 open bug)

Details

(Keywords: sec-moderate, Whiteboard: [post-critsmash-triage][adv-main88+])

Attachments

(2 files)

Bug 1694727, remove the testing only code for history.length handling, r=peterv
48 bytes, text/x-phabricator-request
Details | Review
advisory.txt
314 bytes, text/plain
Details

I noticed that there's a PContent message SessionHistoryUpdate with the comment "This is a temporary way to pass index and length through parent process. Used for testing." It looks like what this does is reflect the session history update being sent from the child process back to other children in the same browsing context group, which may not be in the same process.

This seems potentially bad in the case where a child process gets taken over. I haven't found any particular place where this could cause an out of bounds memory access, but maybe manipulating the session history is enough. It also is probably not good that this session history update information coming from the parent needs to be treated as potentially hostile, which people reading code might not expect.

I'm not exactly sure how this could be addressed. Maybe enough time has passed that this message can be removed, or maybe we can have it be ignored (and not sent) when we're not in a testing environment?

Flags: needinfo?(bugs)

That code will go away. It was added to test the new setup for async index and length handling. But I can't see where it could cause any issues.

Flags: needinfo?(bugs)
Assignee: nobody → bugs
Severity: -- → N/A
Priority: -- → P3

But I can't see where it could cause any issues.

That depends on what the value is used for, and what it could do if a compromised child passed a crafted value back to the parent.

The processes being sent to are in the same browsing context group, so I guess in the worst case imaginable (say, the message magically allows arbitrary execution) it won't have any real impact on non-Fission, and only make Fission as bad as non-Fission, so I'm not sure what the right rating would be.

Tracking this with the rest of fission sessionHistory work. Let's fix this by Fission M7a.

Blocks: fission-history
Fission Milestone: ? → M7a
Severity: N/A → S2
Status: NEW → ASSIGNED
Priority: P3 → P2

remove the testing only code for history.length handling, r=peterv
https://hg.mozilla.org/integration/autoland/rev/c47401d2b91a5e59b34aa6a97d0f6995687dfff3
https://hg.mozilla.org/mozilla-central/rev/c47401d2b91a

Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox88: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main88+]
Alias: CVE-2021-24001
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: