Closed Bug 1700895 Opened 5 years ago Closed 5 years ago

Crash in [@ mozilla::net::nsStandardURL::Release]

Categories

(Core :: Networking: HTTP, defect, P1)

defect

Tracking

()

RESOLVED FIXED
91 Branch
Tracking Status
firefox-esr78 90+ fixed
firefox89 --- wontfix
firefox90 + fixed
firefox91 + fixed

People

(Reporter: valentin, Assigned: valentin)

References

Details

(Keywords: crash, csectype-uaf, sec-high, Whiteboard: [necko-triaged][sec-survey][adv-main90+r][adv-esr78.12+r])

Crash Data

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #1675540 +++

bp-d8ec6330-74b5-4680-8cb7-7ebd80210325

Crash Signature: [@ mozilla::net::nsStandardURL::Release] → [@ mozilla::net::nsStandardURL::Release] [@ mozilla::net::nsStandardURL::SanityCheck ]

My Necko colleagues suggested that we might convert the release asserts to telemetry events so that we might find out how the offsets are wrong, given that the dumps do not show the memory containing the URL or offsets.
I did so and after that I looked into writing a test - which led me to the deserialization code. Looking at the crash reports, most of them are when releasing principals. That means a principal deserialization is what generated the wrong URL, and it explains why the sanity checks only fail being called from nsStandardURL::Release.

I'll implement a more thorough deserialization check, and land that.

We return an error code if the serialization isn't valid, and also clear the
URL segments so we don't trigger the sanity checks when the URL is released.

Comment on attachment 9224689 [details]
Bug 1700895 - Check if deserialized URL is valid r=#necko

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: An exploit also requires the ability to change serialized data or IPC messages.
    The good news is that this is not a UAF in the URL code.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: Easy
  • How likely is this patch to cause regressions; how much testing does it need?: Unlikely to cause regressions.
Attachment #9224689 - Flags: sec-approval?

Comment on attachment 9224689 [details]
Bug 1700895 - Check if deserialized URL is valid r=#necko

Approved to land and uplift.

Attachment #9224689 - Flags: sec-approval?
Attachment #9224689 - Flags: sec-approval+
Attachment #9224689 - Flags: approval-mozilla-esr78+
Attachment #9224689 - Flags: approval-mozilla-beta+
Group: network-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 91 Branch

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(valentin.gosu)
Whiteboard: [necko-triaged] → [necko-triaged][sec-survey]
Flags: needinfo?(valentin.gosu)
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [necko-triaged][sec-survey] → [necko-triaged][sec-survey][adv-main90+r]
Whiteboard: [necko-triaged][sec-survey][adv-main90+r] → [necko-triaged][sec-survey][adv-main90+r][adv-esr78.12+r]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: