Closed Bug 1725172 Opened 3 years ago Closed 3 years ago

Out of bounds access in StorageDBThread::Get while processing specifically crafted IPC message

Categories: Core :: Storage: localStorage & sessionStorage (task)

Status: RESOLVED DUPLICATE of bug 1723920

People: Reporter: ftri2001, Unassigned

Details: Keywords: csectype-bounds, reporter-external; Whiteboard: [reporter-external] [client-bounty-form] [verif?]

Attachments: 2 files

When the PBackgroundStorageConstructor message is processed by the parent process, the code doesn't check if privateBrowsingId exceeds the size of the sStorageThread array. Thus a compromised content process can construct an IPC message with an arbitrarily large privateBrowsingId and later achieve out-of-bounds element access in the sStorageThread array [1].

The bug is located in the "Core/IPC" component. I've tested whether this bug can be reproduced using Ubuntu:20.04 with the latest mozilla-beta, revision: a523e03955fe.

After playing for some time with privateBrowsingId values, I was able to achieve PC control (privateBrowsingId = 13, 8). As far as I can tell, this memory corruption bug can be used to escape the sandbox.

How to reproduce:

  1. Clone mozilla beta: hg clone https://hg.mozilla.org/releases/mozilla-beta/ mozilla-beta
    Used revision (hg parent): a523e03955fe

  2. Apply provided patch

  3. Build modified version of the browser using provided mozconfig release-mozconfig:
    export MOZBUILD_STATE_PATH=$(pwd)/.mozbuild
    export MOZCONFIG=release-mozconfig
    ./mach build && ./mach gtest dontruntests

  4. Run the browser as follows:
    MOZ_DEBUG_CHILD_PROCESS=1 DEBUGGER_WAIT_TIME=0 DISPLAY=:1 ./obj-release-x86_64-pc-linux-gnu/dist/bin/firefox --new-tab https://google.com

  5. Attach to the parent process using gdb: gdb --pid=<parent firefox process pid>

  6. Continue the process: continue

  7. Watch the firefox parent process crash

Links:

  1. https://hg.mozilla.org/releases/mozilla-beta/file/a523e03955fe9d578bd74dc5252610cabc1f7c19/dom/storage/StorageDBThread.cpp#l137
Flags: sec-bounty?

Here is the gdb stacktrace (privateBrowsingId = 0x41414141):

#0  0x00007fffef6aca60 in mozilla::dom::StorageDBThread::Get(unsigned int) (aPrivateBrowsingId=<optimized out>) at mozilla-beta/dom/storage/StorageDBThread.cpp:137
#1  mozilla::dom::StorageDBParent::Init() (this=0x7fffd40c8460) at mozilla-beta/dom/storage/StorageIPC.cpp:718
#2  0x00007fffef6af779 in mozilla::dom::RecvPBackgroundStorageConstructor(mozilla::dom::PBackgroundStorageParent*, nsTString<char16_t> const&, unsigned int const&) (aActor=0x7fffd400b280, aProfilePath=..., aPrivateBrowsingId=<error reading variable>) at mozilla-beta/dom/storage/StorageIPC.cpp:1497
#3  0x00007fffedd2acd1 in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) (this=0x7fffd42a7000, msg__=...) at PBackgroundParent.cpp:4188
#4  0x00007fffeda6f55c in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) (this=0x7fffd42a70c0, aProxy=0x7fffd4ffe360, aMsg=...) at mozilla-beta/ipc/glue/MessageChannel.cpp:2084
#5  0x00007fffeda6e739 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) (this=this@entry=0x7fffd42a70c0, aMsg=...) at mozilla-beta/ipc/glue/MessageChannel.cpp:2011
#6  0x00007fffeda6edd7 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) (this=0x7fffd42a70c0, aTask=...) at mozilla-beta/ipc/glue/MessageChannel.cpp:1859
#7  0x00007fffeda6f0b2 in mozilla::ipc::MessageChannel::MessageTask::Run() (this=0x7fffd3d1e580) at mozilla-beta/ipc/glue/MessageChannel.cpp:1890
#8  0x00007fffed4fcdd3 in nsThread::ProcessNextEvent(bool, bool*) (this=0x7fffe91e5820, aMayWait=<optimized out>, aResult=0x7fffe836abe7) at mozilla-beta/xpcom/threads/nsThread.cpp:1146
#9  0x00007fffed500a76 in NS_ProcessNextEvent(nsIThread*, bool) (aThread=0x7fffd400b280, aThread@entry=0x7fffe91e5820, aMayWait=0x0) at mozilla-beta/xpcom/threads/nsThreadUtils.cpp:466
#10 0x00007fffeda72008 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) (this=0x7fffe88c7740, aDelegate=0x7fffe836ac70) at mozilla-beta/ipc/glue/MessagePump.cpp:300
#11 0x00007fffeda285b8 in MessageLoop::RunInternal() (this=0x3e8) at mozilla-beta/ipc/chromium/src/base/message_loop.cc:331
#12 MessageLoop::RunHandler() (this=0x3e8) at mozilla-beta/ipc/chromium/src/base/message_loop.cc:324
#13 MessageLoop::Run() (this=0x3e8) at mozilla-beta/ipc/chromium/src/base/message_loop.cc:306
#14 0x00007fffed4fb0c9 in nsThread::ThreadFunc(void*) (aArg=0x7fffe88689a0) at mozilla-beta/xpcom/threads/nsThread.cpp:392
#15 0x00007ffff7a33e29 in _pt_root (arg=0x7fffe8fec5e0) at mozilla-beta/nsprpub/pr/src/pthreads/ptthread.c:201
#16 0x00007ffff7db6609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#17 0x00007ffff7b6d293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Attached file release-mozconfig
Group: firefox-core-security → dom-core-security
Component: Security → Storage: localStorage & sessionStorage
Product: Firefox → Core
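As an added illustration of the defender-side fix for the class of bug described in the report and stack trace above (this is not Firefox's code and not the patch from bug 1723920): a simplified model in which the privateBrowsingId carried by the PBackgroundStorageConstructor message is validated against the array length before it is used as an index, and an out-of-range value is rejected as a protocol violation. The array size, the struct and the handler names are assumptions.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <memory>

// Hypothetical, simplified model (not Firefox's code): one storage thread per
// private-browsing id, held in a fixed-size array like sStorageThread.
struct StorageDBThread {
    uint32_t id;
};

constexpr size_t kPrivateBrowsingIdCount = 2;  // assumption: 0 = normal, 1 = private
static std::array<std::unique_ptr<StorageDBThread>, kPrivateBrowsingIdCount> sStorageThread;

// Unchecked lookup of the kind the report describes: the id is taken straight
// from the IPC message and used to subscript the array. An id such as 13 or
// 0x41414141 reads past the end of sStorageThread. Shown only for contrast;
// never call this with untrusted input.
StorageDBThread* GetUnchecked(uint32_t aPrivateBrowsingId) {
    return sStorageThread[aPrivateBrowsingId].get();  // no bounds check
}

// Hardened lookup: the id comes from a content process and is untrusted, so it
// is compared against the array length before the array is subscripted.
StorageDBThread* GetOrCreateChecked(uint32_t aPrivateBrowsingId) {
    if (aPrivateBrowsingId >= sStorageThread.size()) {
        return nullptr;  // reject, never index
    }
    auto& slot = sStorageThread[aPrivateBrowsingId];
    if (!slot) {
        slot = std::make_unique<StorageDBThread>();
        slot->id = aPrivateBrowsingId;
    }
    return slot.get();
}

// Model of the parent-side constructor handler: an out-of-range id is treated
// as a protocol violation and the message is rejected (the equivalent in IPDL
// code would be returning IPC_FAIL, which terminates the misbehaving child).
enum class IpcResult { Ok, Fail };

IpcResult RecvPBackgroundStorageConstructor(uint32_t aPrivateBrowsingId) {
    StorageDBThread* thread = GetOrCreateChecked(aPrivateBrowsingId);
    return thread ? IpcResult::Ok : IpcResult::Fail;
}
```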

This looks similar to bug 1723920. Possibly a dupe.

Flags: needinfo?(jvarga)
Keywords: csectype-bounds
Attachment #9235804 - Attachment mime type: text/x-patch → text/plain
See Also: → 1723920

There's a patch up in bug 1723920 so we can re-open this if that doesn't fix it.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Flags: needinfo?(jvarga)
Flags: sec-bounty? → sec-bounty-
Group: dom-core-security