Closed Bug 1696159 Opened 3 years ago Closed 3 years ago

Web Authn transactions cancelable by other content process

Categories

(Core :: DOM: Web Authentication, defect)

Product:
Core
Component:
DOM: Web Authentication
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
88 Branch
Tracking Flags:
Tracking Status
firefox88 --- fixed

People

(Reporter: n.goeggi, Assigned: n.goeggi)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Bug 1696159 - Cut over PWebAuthnTransaction::RequestCancel to use IPC Tainting. r=tjr
48 bytes, text/x-phabricator-request
Details | Review

It seems that a compromised content process could cancel Web Authn transactions of another content process if it is able to guess the transaction ID. This is not severe and mainly caused by the cancellation IDs being stored globally across all origins. (https://searchfox.org/mozilla-central/rev/63fcc3f1a2cc73488d8986f4cf91fce2cd4b7564/dom/webauthn/WebAuthnTransactionParent.cpp#67, https://searchfox.org/mozilla-central/rev/63fcc3f1a2cc73488d8986f4cf91fce2cd4b7564/dom/webauthn/WinWebAuthnManager.cpp#741)

Assignee: nobody → ngogge
Status: NEW → ASSIGNED
Component: IPC → DOM: Web Authentication

Initially this only seemed to be a issue with WinWebAuthnManager but Tom pointed out on phabricator that the same issue exists with U2FTokenManager since mLastTransactionId is also guessable (https://searchfox.org/mozilla-central/rev/2b99ea2e97eef00a8a1c7e24e5fe51ab5304bc42/dom/webauthn/U2FTokenManager.cpp#471).

OS: Windows → Unspecified
Pushed by tritter@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/952a103a71fd
Cut over PWebAuthnTransaction::RequestCancel to use IPC Tainting. r=tjr
Assignee: ngogge → nobody
Status: ASSIGNED → NEW
Assignee: nobody → ngogge
Status: NEW → ASSIGNED

Backed out changeset 952a103a71fd (bug 1696159) for WebAuth related bustage.

Push with failures: https://treeherder.mozilla.org/jobs?repo=autoland&group_state=expanded&fromchange=952a103a71fd7e7dc2efda187e27ccef22be1e45&searchStr=build&tochange=4e7fb823b247b310ac588627a8a02829fc13657f&selectedTaskRun=B92B0NmIRHiS_4vlcsrBeg.0

Backout link: https://hg.mozilla.org/integration/autoland/rev/4e7fb823b247b310ac588627a8a02829fc13657f

Failure log: https://treeherder.mozilla.org/logviewer?job_id=332709807&repo=autoland&lineNumber=16837

[task 2021-03-10T16:13:49.276Z] 16:13:49     INFO -  make[4]: Entering directory '/builds/worker/workspace/obj-build/dom/webauthn'
[task 2021-03-10T16:13:49.278Z] 16:13:49     INFO -  /builds/worker/fetches/sccache/sccache /builds/worker/fetches/clang/bin/clang-cl -Xclang -std=c++17 -m32 -FoUnified_cpp_dom_webauthn0.obj -c  -I/builds/worker/workspace/obj-build/dist/stl_wrappers -Xclang -ftrivial-auto-var-init=pattern -guard:cf -DDEBUG=1 -DUNICODE -D_UNICODE -D_CRT_RAND_S -DCERT_CHAIN_PARA_HAS_EXTRA_FIELDS -D_SECURE_ATL -DCHROMIUM_BUILD -DU_STATIC_IMPLEMENTATION -DOS_WIN=1 -DWIN32 -D_WIN32 -D_WINDOWS -DWIN32_LEAN_AND_MEAN -DCOMPILER_MSVC -DWINAPI_NO_BUNDLED_LIBRARIES -DMOZ_HAS_MOZGLUE -DMOZILLA_INTERNAL_API -DIMPL_LIBXUL -DSTATIC_EXPORTABLE_JS_API -I/builds/worker/checkouts/gecko/dom/webauthn -I/builds/worker/workspace/obj-build/dom/webauthn -I/builds/worker/workspace/obj-build/ipc/ipdl/_ipdlheaders -I/builds/worker/checkouts/gecko/ipc/chromium/src -I/builds/worker/checkouts/gecko/ipc/glue -I/builds/worker/checkouts/gecko/dom/base -I/builds/worker/checkouts/gecko/dom/crypto -I/builds/worker/checkouts/gecko/security/manager/ssl -I/builds/worker/checkouts/gecko/third_party/rust -I/builds/worker/workspace/obj-build/dist/include -I/builds/worker/workspace/obj-build/dist/include/nspr -I/builds/worker/workspace/obj-build/dist/include/nss -MD -FI /builds/worker/workspace/obj-build/mozilla-config.h -DMOZILLA_CLIENT -Qunused-arguments -Qunused-arguments -fcrash-diagnostics-dir=/builds/worker/artifacts -TP -Zc:sizedDealloc- -D_HAS_EXCEPTIONS=0 -W3 -Gy -Zc:inline -arch:SSE2 -Gw -Wno-inline-new-delete -Wno-invalid-offsetof -Wno-microsoft-enum-value -Wno-microsoft-include -Wno-unknown-pragmas -Wno-ignored-pragmas -Wno-deprecated-declarations -Wno-invalid-noreturn -Wno-inconsistent-missing-override -Wno-implicit-exception-spec-mismatch -Wno-microsoft-exception-spec -Wno-unused-local-typedef -Wno-ignored-attributes -Wno-used-but-marked-unused -D_SILENCE_TR1_NAMESPACE_DEPRECATION_WARNING -GR- -Z7 -Xclang -load -Xclang /builds/worker/workspace/obj-build/build/clang-plugin/libclang-plugin.so -Xclang -add-plugin -Xclang moz-check -O2 -Oy- -Werror -Xclang -fexperimental-new-pass-manager  -Xclang -MP -Xclang -dependency-file -Xclang .deps/Unified_cpp_dom_webauthn0.obj.pp -Xclang -MT -Xclang Unified_cpp_dom_webauthn0.obj   Unified_cpp_dom_webauthn0.cpp
[task 2021-03-10T16:13:49.279Z] 16:13:49     INFO -  In file included from Unified_cpp_dom_webauthn0.cpp:29:
[task 2021-03-10T16:13:49.279Z] 16:13:49     INFO -  In file included from /builds/worker/checkouts/gecko/dom/webauthn/PublicKeyCredential.cpp:15:
[task 2021-03-10T16:13:49.280Z] 16:13:49     INFO -  /builds/worker/checkouts/gecko/dom/webauthn/WinWebAuthnManager.h(28,21): error: no template named 'Tainted'
[task 2021-03-10T16:13:49.280Z] 16:13:49     INFO -                const Tainted<uint64_t>& aTransactionId);
[task 2021-03-10T16:13:49.280Z] 16:13:49     INFO -                      ^
[task 2021-03-10T16:13:49.280Z] 16:13:49     INFO -  In file included from Unified_cpp_dom_webauthn0.cpp:119:
[task 2021-03-10T16:13:49.280Z] 16:13:49     INFO -  /builds/worker/checkouts/gecko/dom/webauthn/WinWebAuthnManager.cpp(733,26): error: out-of-line definition of 'Cancel' does not match any declaration in 'mozilla::dom::WinWebAuthnManager'
[task 2021-03-10T16:13:49.280Z] 16:13:49     INFO -  void WinWebAuthnManager::Cancel(PWebAuthnTransactionParent* aParent,
[task 2021-03-10T16:13:49.280Z] 16:13:49     INFO -                           ^~~~~~
[task 2021-03-10T16:13:49.280Z] 16:13:49     INFO -  2 errors generated.
[task 2021-03-10T16:13:49.280Z] 16:13:49    ERROR -  make[4]: *** [/builds/worker/checkouts/gecko/config/rules.mk:676: Unified_cpp_dom_webauthn0.obj] Error 1
[task 2021-03-10T16:13:49.280Z] 16:13:49     INFO -  make[4]: Leaving directory '/builds/worker/workspace/obj-build/dom/webauthn'
[task 2021-03-10T16:13:49.281Z] 16:13:49    ERROR -  make[3]: *** [/builds/worker/checkouts/gecko/config/recurse.mk:72: dom/webauthn/target-objects] Error 2
[task 2021-03-10T16:13:49.281Z] 16:13:49     INFO -  make[3]: *** Waiting for unfinished jobs....
Assignee: ngogge → nobody
Status: ASSIGNED → NEW
Flags: needinfo?(tom)
Assignee: nobody → ngogge
Status: NEW → ASSIGNED
Pushed by tritter@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/afb2d51caead
Cut over PWebAuthnTransaction::RequestCancel to use IPC Tainting. r=tjr

https://hg.mozilla.org/mozilla-central/rev/afb2d51caead

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox88: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch
Flags: needinfo?(tom)
See Also: → 1819156
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: