Closed Bug 1737009 Opened 3 years ago Closed 3 years ago

nsTextFragment::SetTo should check given string length

Categories

(Core :: DOM: Core & HTML, defect, P2)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
96 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- wontfix
firefox-esr91 95+ fixed
firefox93 --- wontfix
firefox94 --- wontfix
firefox95 + fixed
firefox96 + fixed

People

(Reporter: masayuki, Assigned: masayuki)

References

Details

(Keywords: csectype-bounds, sec-high, Whiteboard: [sec-survey][adv-main95+r][adv-ESR91.4.0+r])

Attachments

(2 files)

Bug 1737009 - Make `nsTextFragment::SetTo()` check given string length first r=smaug!
48 bytes, text/x-phabricator-request
diannaS
: approval-mozilla-beta+
tjr
: sec-approval+
Details | Review
Bug 1737009 - Make `nsTextFragment::SetTo()` check given string length first r=smaug!
48 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-release-
RyanVM
: approval-mozilla-esr91+
tjr
: sec-approval+
Details | Review
No description provided.

Oh, some callers don't check the length before calling.

Group: core-security

For the other branches, I need to create a patch because of bug 1729170.

(Sorry, before I realized that this is a security bug, I blocked a bug which depends on this bug and I pushed try server with bug#)

Group: core-security → dom-core-security

Comment on attachment 9247049 [details]
Bug 1737009 - Make nsTextFragment::SetTo() check given string length first r=smaug!

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: It's easy to reproduce this because the changed points are explicitly touch setter of text of character data modes (text, comment, cdata nodes).
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
  • Which older supported branches are affected by this flaw?: esr78
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: The patch makes too long text cause throwing exception. So this patch could rarely break existing web which set text to character data node whose length is over 0x1FFFFFFF. However, that means that at least 540 MB string. So it won't break non-malicious web apps.
Attachment #9247049 - Flags: sec-approval?
Attachment #9247062 - Flags: sec-approval?

Changing the priority to p2 as the bug is tracked by a release manager for the current nightly.
See What Do You Triage for more information

Priority: P3 → P2

Comment on attachment 9247049 [details]
Bug 1737009 - Make nsTextFragment::SetTo() check given string length first r=smaug!

Approved to land and request uplift

Attachment #9247049 - Flags: sec-approval? → sec-approval+
Attachment #9247062 - Flags: sec-approval? → sec-approval+

Comment on attachment 9247049 [details]
Bug 1737009 - Make nsTextFragment::SetTo() check given string length first r=smaug!

Beta/Release Uplift Approval Request

  • User impact if declined: May cause crash or allow attckers to access out of array (but requires too big memory space)

This is for m-c and beta. The other is for release and esr.

  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Just adding boundary check before creating unexpected length array.
  • String changes made/needed:
Attachment #9247049 - Flags: approval-mozilla-release?
Attachment #9247049 - Flags: approval-mozilla-beta?
Attachment #9247062 - Flags: approval-mozilla-release?
Attachment #9247062 - Flags: approval-mozilla-beta?
Attachment #9247049 - Flags: approval-mozilla-release?
Attachment #9247062 - Flags: approval-mozilla-beta?

Comment on attachment 9247062 [details]
Bug 1737009 - Make nsTextFragment::SetTo() check given string length first r=smaug!

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: May cause crash or allow attackers to access out of array.
  • Fix Landed on Version: 96
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Just adding boundary check before creating unexpected length array.
  • String or UUID changes made by this patch:
Attachment #9247062 - Flags: approval-mozilla-esr91?

Should I land it to autoland before getting uplift approvals? Or wait it for reducing the risk of 0-day attack?

(In reply to Masayuki Nakano [:masayuki] (he/him)(JST, +0900) from comment #11)

Should I land it to autoland before getting uplift approvals? Or wait it for reducing the risk of 0-day attack?

The idea of sec-approval is that once you have it, it is okay to land it on autoland. Our release cycles are pretty short now, so as long as we're not in the very end when we're not uplifting things, the window won't be too large.

Thank you for the explanation!

Make nsTextFragment::SetTo() check given string length first r=smaug
https://hg.mozilla.org/integration/autoland/rev/9140a2ea2c5a27e74e6b290caaea789b8cd0631d
https://hg.mozilla.org/mozilla-central/rev/9140a2ea2c5a

Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox96: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 96 Branch

Comment on attachment 9247062 [details]
Bug 1737009 - Make nsTextFragment::SetTo() check given string length first r=smaug!

Based on the information given in the bug, it doesn't sound like we need to expedite this into a 94 dot release. Let's ship it in 95/91.4esr per usual practice.

Attachment #9247062 - Flags: approval-mozilla-release? → approval-mozilla-release-

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(masayuki)
Whiteboard: [sec-survey]

Done.

Flags: needinfo?(masayuki)

Comment on attachment 9247049 [details]
Bug 1737009 - Make nsTextFragment::SetTo() check given string length first r=smaug!

Approved for 95.0b6

Attachment #9247049 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment on attachment 9247062 [details]
Bug 1737009 - Make nsTextFragment::SetTo() check given string length first r=smaug!

Approved for 91.4esr.

Attachment #9247062 - Flags: approval-mozilla-esr91? → approval-mozilla-esr91+
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [sec-survey] → [sec-survey][adv-main95+][adv-ESR91.4.0+]
Whiteboard: [sec-survey][adv-main95+][adv-ESR91.4.0+] → [sec-survey][adv-main95+r][adv-ESR91.4.0+r]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: