PBackground-managed Actors can be opened for the wrong process
Categories
(Core :: Networking, task, P2)
Tracking
()
People
(Reporter: nika, Assigned: kershaw)
References
Details
(Keywords: csectype-sandbox-escape, sec-want, Whiteboard: [necko-triaged][necko-priority-queue][adv-main119-])
Attachments
(6 files, 3 obsolete files)
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review |
Since bug 1503834 and bug 1603420, we've been creating the PBackground actor between not just a content and parent process, but also between content & socket or socket & parent processes. For each of these different connections, a different subset of the managed actors and messages on PBackground are actually supported, and the others should never be used.
Unfortunately, there appear to be no checks in the individual Recv and Alloc methods on BackgroundParentImpl confirming that the source process is as expected (https://searchfox.org/mozilla-central/rev/7f1db1d2c556b82114b62f5aa4aa29397ad5bce4/ipc/glue/BackgroundParentImpl.cpp), and producing an error if it is not. This could theoretically allow a compromised content process to open actors which normally are only supposed to be connected between a different process pair to the parent or socket processes.
Methods should be added to help check that the process connection is of each of the relevant types, and checks should probably be added to every method in BackgroundParentImpl to prevent opening an actor in the wrong process when sent an invalid message, in order to reduce the potential untested attack surface.
Alternatively, we could switch away from using PBackground with the socket process, and use a different toplevel actor, giving us static guarantees about which methods are actually available between each process pair.
|
||
Updated•4 years ago
|
|
||
Comment 1•4 years ago
•
|
||
Since the stuff from Friday relating to access to webgpu this scares me... more... than it might otherwise have done. Is that reasonable or am I just being overly paranoid? If it's not just me, I guess let's find out how hard it would be to do something here?
|
||
Comment 2•4 years ago
|
||
Is that reasonable or am I just being overly paranoid?
I think the timing of this bug being filed is not a coincidence ;-)
| Comment hidden (obsolete) |
|
|
||
Comment 4•4 years ago
|
||
Oops, I thought I was posting in another bug. Yes, this came out of me mentioning the WebGPU issue to Nika.
| Comment hidden (obsolete) |
|
||
Comment 6•4 years ago
|
||
(In reply to :Gijs (he/him) from comment #5)
(In reply to Andrew McCreight [:mccr8] from comment #3)
Unfortunately it does feel like it could be a big project, unless we can somehow reuse Chrome's work. I'm not sure we can afford to do this, but I'm not sure we can afford to not do this.
Can you elaborate a little on this? I'm not terribly familiar with our ipdl stuff - but I would have hoped that we could enforce having certain annotations on the interfaces that describe what process the parent/child is meant to run in, and then enforce those when the actors get instantiated. Does it not work that way? comment #0 mentions having to add checks in every method; is checking on instantiation not sufficient / possible?
mccr8's comment was for a different bug (Bug 1758522).
My general understanding of IPC is that top-level actors (i.e. ones without a manages line) should not be able to be created for a process they should not exist in. i.e. a Parent <-> GPU Actor can't be created by a Content Process between either Content <-> GPU or Content <-> Parent. I haven't seen an example of this being bypassed but I never understood the mechanism that prevented it. (This is what Nika meant by static guarantees I believe.)
However if an actor is a child actor, and its manager actor exists, then the process can request the child actor be created (unless there is an explicit process check that prevents it, but that's prone to omission.) That's the focus of this bug; that PBackground is being used for different types of process connections (e.g. Content <-> Parent, Content <-> Socket). Only some of the methods (and child actors) should be used for each of those types.
While annotations could help here; it really feels like the answer is separating Top-Level Actors by process type.
It might also be necessary to allow child actors to have two managers, so that messages in common for Parent <-> Socket and Content <-> Socket will live once, on a single child actor, managed by separate top-level actors for each type of process.
|
Reporter | |
Comment 7•4 years ago
|
||
What :tjr said is roughly correct. We do have strong guarantees about what processes toplevel actors etc. can be created in, and that propagates out to everything which uses them. The problem here is specifically that when the socket process was introduced, rather than introducing a new toplevel actor for the socket process' connections, the PBackground protocol was re-used for the new actors. This probably simplified implementation, especially at the time when implementing new toplevel protocols was quite painful, but meant that we didn't get the structural checks preventing this kind of mistake for these new process types.
I think the best approach here would be to split the PBackground actor into different actors. PBackground would stay for {content,parent} -> parent connections, and a new actor would need to be added for content -> socket connections and socket -> parent connections.
If we can't do that, we should probably at least go through all implemented methods on PBackground and add a check for the type of PBackground actor they're acting on to perform the relevant check dynamically.
|
||
Comment 8•4 years ago
|
||
Calling this "sec-moderate" because we don't know of specific badness, but the pattern is bad and could well escalate to a sec-high or sec-critical if we do find a specific abusable instance.
|
||
Comment 9•4 years ago
|
||
The severity field is not set for this bug.
:jld, could you have a look please?
For more information, please visit auto_nag documentation.
|
||
Updated•4 years ago
|
|
||
Comment 10•3 years ago
|
||
(In reply to Nika Layzell [:nika] (ni? for response) from comment #7)
I think the best approach here would be to split the PBackground actor into different actors.
PBackgroundwould stay for {content,parent} -> parent connections, and a new actor would need to be added for content -> socket connections and socket -> parent connections.
I think that is reasonable. Thank you for bringing this up.
|
|
||
Updated•3 years ago
|
|
Assignee | |
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 11•3 years ago
|
||
|
|
Assignee | |
Comment 12•3 years ago
|
||
Depends on D167227
|
|
Assignee | |
Comment 13•3 years ago
|
||
Depends on D167228
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 14•2 years ago
|
||
|
|
Assignee | |
Comment 15•2 years ago
|
||
Depends on D182995
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 16•2 years ago
|
||
Depends on D182996
|
|
Assignee | |
Comment 17•2 years ago
|
||
Depends on D185031
|
||
Comment 18•2 years ago
|
||
|
||
Comment 19•2 years ago
|
||
Backed out for causing build bustages in NetworkConnectivityService.cpp:
https://hg.mozilla.org/integration/autoland/rev/4624b75883dcdffc153eb7c168709962a46c71b7
Push with failures
Failure log
netwerk/base/NetworkConnectivityService.cpp(50,3): error: use of undeclared identifier 'ClearOnShutdown'
followed by more failure lines.
|
|
Assignee | |
Comment 20•2 years ago
|
||
Apparently, MOZ_WEBRTC is not defined on some platforms and it looks like the IPDL parser doesn't like an empty IPDL file.
This patch adds an Dummy IPC message to make the compiler happy.
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 21•2 years ago
|
||
|
|
||
Comment 22•2 years ago
|
||
|
|
||
Comment 23•2 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/cae68edb7ea6
https://hg.mozilla.org/mozilla-central/rev/629d45b0c814
https://hg.mozilla.org/mozilla-central/rev/e8c4fe7a2819
https://hg.mozilla.org/mozilla-central/rev/247891c73bc5
https://hg.mozilla.org/mozilla-central/rev/bdcde8c620b4
https://hg.mozilla.org/mozilla-central/rev/75efbbfb861e
|
||
Comment 24•2 years ago
|
||
FWIW, this will need rebasing for both Beta and ESR.
|
|
||
Comment 25•2 years ago
|
||
The patch landed in nightly and beta is affected.
:kershaw, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval. Also, don't forget to request an uplift for the patches in the regression caused by this fix.
- If no, please set
status-firefox118towontfix.
For more information, please visit BugBot documentation.
|
|
||
Comment 27•2 years ago
|
||
We'd like to figure out some solution for ESR115 - nika suggested adding manual checks to each method on PBackground if that seems easier and less risky than rebasing.
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 28•2 years ago
|
||
(In reply to Tom Ritter [:tjr] (Back 9/5) from comment #27)
We'd like to figure out some solution for ESR115 - nika suggested adding manual checks to each method on PBackground if that seems easier and less risky than rebasing.
I filed bug 1851989 for this.
if the patches in this bug cause no regression, we could consider just uplifting them.
|
|
||
Comment 29•2 years ago
|
||
IIUC, ESR won't be getting the changes from this bug in favor of bug 1851989.
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
||
Comment 30•2 years ago
|
||
Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter
Description
•