Crash in [@ mozilla::net::nsStandardURL::Release]
Categories
(Core :: Networking: HTTP, defect, P1)
Tracking
()
People
(Reporter: valentin, Assigned: valentin)
References
Details
(Keywords: crash, csectype-uaf, sec-high, Whiteboard: [necko-triaged][sec-survey][adv-main90+r][adv-esr78.12+r])
Crash Data
Attachments
(1 file)
|
48 bytes,
text/x-phabricator-request
|
tjr
:
approval-mozilla-beta+
tjr
:
approval-mozilla-esr78+
tjr
:
sec-approval+
|
Details | Review |
+++ This bug was initially created as a clone of Bug #1675540 +++
| Assignee | ||
Updated•5 years ago
|
| Assignee | ||
Comment 1•5 years ago
|
||
My Necko colleagues suggested that we might convert the release asserts to telemetry events so that we might find out how the offsets are wrong, given that the dumps do not show the memory containing the URL or offsets.
I did so and after that I looked into writing a test - which led me to the deserialization code. Looking at the crash reports, most of them are when releasing principals. That means a principal deserialization is what generated the wrong URL, and it explains why the sanity checks only fail being called from nsStandardURL::Release.
I'll implement a more thorough deserialization check, and land that.
| Assignee | ||
Comment 2•5 years ago
|
||
We return an error code if the serialization isn't valid, and also clear the
URL segments so we don't trigger the sanity checks when the URL is released.
| Assignee | ||
Comment 3•5 years ago
|
||
Comment on attachment 9224689 [details]
Bug 1700895 - Check if deserialized URL is valid r=#necko
Security Approval Request
- How easily could an exploit be constructed based on the patch?: An exploit also requires the ability to change serialized data or IPC messages.
The good news is that this is not a UAF in the URL code. - Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: Easy
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely to cause regressions.
Comment 4•5 years ago
|
||
Comment on attachment 9224689 [details]
Bug 1700895 - Check if deserialized URL is valid r=#necko
Approved to land and uplift.
Comment 5•5 years ago
•
|
||
Check if deserialized URL is valid r=necko-reviewers,dragana
https://hg.mozilla.org/integration/autoland/rev/411686723027a23bfac7d3612956131a6dc08bef
Comment 6•5 years ago
|
||
Comment 7•5 years ago
|
||
| uplift | ||
Comment 8•5 years ago
|
||
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
| Assignee | ||
Updated•5 years ago
|
Updated•5 years ago
|
Updated•5 years ago
|
Updated•5 years ago
|
Comment 9•5 years ago
|
||
| uplift | ||
Updated•4 years ago
|
Description
•