Closed Bug 1739421 Opened 3 years ago Closed 3 years ago

Ensure access to mITimer is done under lock in nsTimerImpl

Categories

(Core :: XPCOM, defect)

Product:
Core
Component:
XPCOM
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
96 Branch
Tracking Flags:
Tracking Status
firefox-esr91 95+ fixed
firefox94 --- wontfix
firefox95 + fixed
firefox96 + fixed

People

(Reporter: jesup, Assigned: jesup)

Details

(Keywords: csectype-uaf, sec-high, Whiteboard: [sec-survey][adv-main95+r][adv-ESR91.4.0+r])

Attachments

(1 file)

Bug 1739421: Use kungFuDeathGrip when firing a timer r=bwc
48 bytes, text/x-phabricator-request
pascalc
: approval-mozilla-beta+
RyanVM
: approval-mozilla-esr91+
tjr
: sec-approval+
Details | Review

In nsTimerImpl::Fire(), we call callbackDuringFire.match() and pass a number of lambdas with references to mITimer... but we're not under the mutex.

See near the top of the function where we grab stuff under mutex, including kungFuDeathGrip on mITimer, which tells me that something else can null out mITimer once the lock is dropped.

Just using the kungFuDeathGrip should resolve this safely

Group: core-security → dom-core-security

Comment on attachment 9249256 [details]
Bug 1739421: Use kungFuDeathGrip when firing a timer r=bwc

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Pretty darn hard, perhaps not impossible
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: All
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Trivial, no risk
  • How likely is this patch to cause regressions; how much testing does it need?: No regressions likely
Attachment #9249256 - Flags: sec-approval?

Comment on attachment 9249256 [details]
Bug 1739421: Use kungFuDeathGrip when firing a timer r=bwc

Approved to land and request uplift

Attachment #9249256 - Flags: sec-approval? → sec-approval+

Use kungFuDeathGrip when firing a timer r=bwc
https://hg.mozilla.org/integration/autoland/rev/786dcb2d210d3662928497544f3e2b1e51a0e771
https://hg.mozilla.org/mozilla-central/rev/786dcb2d210d

Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox96: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 96 Branch

Can you suggest a security rating for this bug?

status-firefox94: --- → wontfix
status-firefox95: --- → affected
status-firefox-esr91: --- → affected
tracking-firefox95: --- → +
tracking-firefox96: --- → +
tracking-firefox-esr91: --- → 95+
Flags: needinfo?(rjesup)

sec-high because of potential for UAF; no indication that this actually has occurred

Flags: needinfo?(rjesup)
Keywords: csectype-uaf, sec-high

The patch landed in nightly and beta is affected.
:jesup, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(rjesup)

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(rjesup)
Whiteboard: [sec-survey]

I don't think this needs an uplift, it's a proactive fix for something seen with static analysis

Flags: needinfo?(rjesup)

On second thought, while it should only be nullable (via Cancel), that unlocked write would be a potential TSAN violation, and this is a very, very safe patch, so let's uplift

Comment on attachment 9249256 [details]
Bug 1739421: Use kungFuDeathGrip when firing a timer r=bwc

Beta/Release Uplift Approval Request

  • User impact if declined: Possible TSAN violation
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): We already held the timer in a kungfudeathgrip, so using that instead of mITimer is super-low-risk
  • String changes made/needed: none
Attachment #9249256 - Flags: approval-mozilla-beta?

Comment on attachment 9249256 [details]
Bug 1739421: Use kungFuDeathGrip when firing a timer r=bwc

Approved for 95 beta 9, thanks.

Attachment #9249256 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment on attachment 9249256 [details]
Bug 1739421: Use kungFuDeathGrip when firing a timer r=bwc

Also approved for 91.4esr.

Attachment #9249256 - Flags: approval-mozilla-esr91+
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [sec-survey] → [sec-survey][adv-main95+r][adv-ESR91.4.0+r]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: