Closed Bug 1756056 Opened 4 years ago Closed 6 months ago

Filter eventDispatcher messages from content process

Categories

(GeckoView :: General, defect, P2)

Product:
GeckoView
Component:
General
Platform:
Unspecified
All
Type:
defect

Tracking

(firefox145 wontfix, firefox146 wontfix, firefox147 wontfix, firefox148+ fixed)

Status:
RESOLVED FIXED
Milestone:
148 Branch
Tracking Flags:
Tracking Status
firefox145 --- wontfix
firefox146 --- wontfix
firefox147 --- wontfix
firefox148 + fixed

People

(Reporter: agi, Assigned: owlish)

References

Details

(Keywords: csectype-sandbox-escape, sec-high, Whiteboard: [sandboxing] [group7][adv-main148+r])

Attachments

(1 file)

(secure)
48 bytes, text/x-phabricator-request
tjr
: sec-approval+
Details | Review

Currently, we don't check whether eventDispatcher messages originate in the content process or in the main process.

This is potentially a security problem, as it weakens the content process sandbox and it increases the security envelope allowing the content process to exploit a bug in any messages that the parent process listens to.

We should limit what messages we allow the content process to send to the minimum and discard any unexpected message.

While here, we could also limit to top-level frames when appropriate.

See also Bug 1610969.

Severity: -- → S3
Priority: -- → P2
Whiteboard: [fission:android:m2]
Whiteboard: [fission:android:m2] → [fission:android:m2] [geckoview:2022h2?]

This bug is more of a sandboxing bug than a Fission bug.

Type: task → enhancement
Summary: Filter eventDispatcher messages from content → Filter eventDispatcher messages from content process
Whiteboard: [fission:android:m2] [geckoview:2022h2?] → [geckoview:2022h2?] [sandboxing]

Moving [sandboxing] bugs to the new GeckoView::Sandboxing component.

Component: General → Sandboxing

Enhancements should have severity N/A.

Severity: S3 → N/A
Group: mobile-core-security

Without knowing exactly what's supported, this sounds like a straight up sandbox escape feature if a child content can send messages that should only have been sent from parent JS. That's not an "enhancement"; you could argue it's an unfinished feature "task" maybe

Type: enhancement → defect
Keywords: csectype-sandbox-escape, sec-high

nika: mccr8 said you had more specific examples or thoughts you could add here while it's still on your mind

Flags: needinfo?(nika)

(In reply to Daniel Veditz [:dveditz] from comment #5)

nika: mccr8 said you had more specific examples or thoughts you could add here while it's still on your mind

There are many different messages sent over the EventDispatcher bus which could be sent by an untrusted content process, which have various powers. Fortunately most of the really scary messages (like GeckoView:WebExtension:Install) are on the global event dispatcher, which doesn't appear to have a way for content processes to send messages on them.

I think the most notable ones are messages which the browser UI uses to control the session's state, such as GeckoView:LoadUri (https://searchfox.org/mozilla-central/rev/12ea2c521cdd071a6d25b0894f31f8f23b18b76a/mobile/android/modules/geckoview/GeckoViewNavigation.sys.mjs#171) to perform an arbitrary load on behalf of the user, with arbitrary load flags & headers, or GeckoView:RestoreState (https://searchfox.org/mozilla-central/rev/12ea2c521cdd071a6d25b0894f31f8f23b18b76a/mobile/android/modules/geckoview/GeckoViewContent.sys.mjs#233-235), which will effectively restore the current session to an arbitrarily specified sessionstore state, including doing things like performing navigations. There may be other APIs which are more powerful than I am immediately noticing though. I believe some features like permissions flags are also passed over these APIs.

The simplest fix here would be to remvoe these messages from GeckoViewActorChild/Parent and require the callers in the content process to instead send a message to the parent actor, which then in turn dispatches the message to the EventDispatcher. A non-exhaustive search (https://searchfox.org/mozilla-central/search?q=eventDispatcher&path=Child.sys.mjs&case=false&regexp=false) shows at least 8 actors which would need to be updated:

Flags: needinfo?(nika)
Assignee: nobody → bugzeeeeee
Severity: N/A → S2
Whiteboard: [geckoview:2022h2?] [sandboxing] → [geckoview:2022h2?] [sandboxing] [group1]
Whiteboard: [geckoview:2022h2?] [sandboxing] [group1] → [geckoview:2022h2?] [sandboxing] [group1] [s2-list25]
Assignee: bugzeeeeee → nobody
Whiteboard: [geckoview:2022h2?] [sandboxing] [group1] [s2-list25] → [sandboxing]

Jira issue: https://mozilla-hub.atlassian.net/browse/FXDROID-2046

Assignee: nobody → bugzeeeeee
Priority: P2 → P1
See Also: → https://mozilla-hub.atlassian.net/browse/FXDROID-2046
Whiteboard: [sandboxing] → [sandboxing] [group1]
Component: Sandboxing → General
Priority: P1 → P2

(In reply to Nika Layzell [:nika] (ooo, ni? for response) from comment #6)

The simplest fix here would be to remvoe these messages from GeckoViewActorChild/Parent and require the callers in the content process to instead send a message to the parent actor, which then in turn dispatches the message to the EventDispatcher.

Hey Nika, looking at this briefly - looks like we actually already do this: the child actors do not have an actual EventDispatcher; when a a child actor is initialized, this.eventDispatcher field is populated by calling EventDispatcher.forActor, which returns new ChildActorDispatcher(aActor) (and the aActor is the child actor). When this.eventDispatcher.sendRequest is called on a child actor, the ChildActorDispatcher communicates with the parent actor.

It looks like we need to implement a check for the origin of the message, and potentially its type, to make sure it was sent from a trusted place. You mentioned that mccr8 has been working on implementing a message schema, I understand it is Bug 1885221. Should this bug be blocked on that work, or can we implement our own check specifically for EventDispatcher messages (because that bug is about actor messages)?

Flags: needinfo?(nika)

As we discussed earlier, the problem is that it is possible for a content process to send any EventDispatcher message over the pipe. My suggestion of changing the code to remove ChildActorDispatcher would do this by requiring each actor to implement the forwarding from content to parent themselves. This in turn would mean that the content process could no longer dispatch arbitrary events onto the EventDispatcher bus, as the specific events would be dispatched by the parent process with hard-coded types.

Flags: needinfo?(nika) → needinfo?(bugzeeeeee)
Attached file (secure)
Whiteboard: [sandboxing] [group1] → [sandboxing] [group7]

Comment on attachment 9506783 [details]
(secure)

Security Approval Request

  • How easily could an exploit be constructed based on the patch?:
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
  • Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?:
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?:
  • Is the patch ready to land after security approval is given?: Yes
  • Is Android affected?: Yes
Flags: needinfo?(bugzeeeeee)
Attachment #9506783 - Flags: sec-approval?

Comment on attachment 9506783 [details]
(secure)

How easily can the security issue be deduced from the patch?

  • I think fairly easily, if one is familiar with the messaging security

Do comments in the patch, the check-in comment, or tests included in
the patch paint a bulls-eye on the security problem?

  • I tried to be as vague as possible

Which older supported branches are affected by this flaw?

  • Not sure how to answer

If not all supported branches, which bug introduced the flaw?

  • The flaw was present from the start of GeckoView library

Do you have backports for the affected branches? If not, how
different, hard to create, and risky will they be?

  • Not sure how to answer

How likely is this patch to cause regressions; how much testing does
it need?

  • This is a risky change as far as potential regressions go.

Comment on attachment 9506783 [details]
(secure)

Approved to land. It sounds like there is not a known exploitation vector, and with the high risk of regressions, we probably want this to ride trains?

Attachment #9506783 - Flags: sec-approval? → sec-approval+
Pushed by amarc@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/d8f8717930c2 https://hg.mozilla.org/integration/autoland/rev/78c194369663 Revert "Bug 1756056 - Actor messaging improvements r=geckoview-reviewers,nika" for causing lint failures @ GeckoViewPrompterParent.sys.mjs

Backed out for causing lint failures

TEST-UNEXPECTED-ERROR | /builds/worker/checkouts/gecko/mobile/shared/actors/GeckoViewPrompterParent.sys.mjs:130:9 | Unreachable code. (no-unreachable)

Flags: needinfo?(bugzeeeeee)
Pushed by csabou@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/0ec838865c5d https://hg.mozilla.org/integration/autoland/rev/65d3aca3d43b Revert "Bug 1756056 - Actor messaging improvements r=geckoview-reviewers,nika" for causing lint failure on SelectionActionDelegateParent.sys.mjs

Backed out for causing lint failure on SelectionActionDelegateParent.sys.mjs

Push with failures

Failure log

Backout link

https://hg.mozilla.org/mozilla-central/rev/5ca5c93e707e

Group: mobile-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 6 months ago
status-firefox148: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 148 Branch

Is this wontfix for 147?

status-firefox147: affectedwontfix
tracking-firefox147: + → ---
Flags: needinfo?(bugzeeeeee)
QA Whiteboard: [sec] [qa-triage-done-c149/b148]
Whiteboard: [sandboxing] [group7] → [sandboxing] [group7][adv-main148+r]
See Also: → 1610969
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: