Closed Bug 1770048 (CVE-2022-1529) Opened 9 months ago Closed 9 months ago

Top-Level Await must not rely on Array.prototype

Categories

(Core :: JavaScript Engine, defect, P1)

defect

Tracking

()

VERIFIED FIXED
102 Branch
Tracking Status
firefox-esr91 100+ verified
firefox100 + verified
firefox101 + verified
firefox102 + verified

People

(Reporter: tcampbell, Assigned: iain)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-priv-escalation, sec-critical)

Attachments

(5 files, 1 obsolete file)

The TLA self-hosting code uses a bare [] internally and then uses std_Array_push which may be affected by polluted prototypes.

Attached file jsshell PoC
Assignee: nobody → iireland
Status: NEW → ASSIGNED
Group: core-security → javascript-core-security

Depends on D146745

Attachment #9277202 - Attachment is obsolete: true
Flags: in-testsuite?

Comment on attachment 9277224 [details]
Bug 1770048: Improve self-hosted new_List r=jandem,tcampbell

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Harder than the more narrowly targeted patch we abandoned (https://phabricator.services.mozilla.com/D146745). The important thing about this patch from a security perspective is that we create array objects with a null proto, but the patch doesn't draw attention to that, and it's not obvious which of the half-dozen cases we modified is the exploitable one.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: All
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: The effect of the patch is to create array objects without prototypes for internal use in self-hosted code. We do our best to avoid looking up methods on the prototype in self-hosted code anyway, so it should not cause problems. The shell test suites pass locally.
  • Is Android affected?: Yes
Attachment #9277224 - Flags: sec-approval?
Attachment #9277244 - Flags: sec-approval?

I'm going to mark this as csectype-priv-escalation, because self-hosted code is kind of like privileged code, and the exploit is tricking it into doing something unintended.

Comment on attachment 9277224 [details]
Bug 1770048: Improve self-hosted new_List r=jandem,tcampbell

Approved to move forward

Attachment #9277224 - Flags: sec-approval? → sec-approval+
Blocks: sm-security
Severity: -- → S1
Type: task → defect
Priority: -- → P1
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → 102 Branch

Comment on attachment 9277224 [details]
Bug 1770048: Improve self-hosted new_List r=jandem,tcampbell

Beta/Release Uplift Approval Request

  • User impact if declined: An internal ModuleObject can be leaked to content code and used to gain code execution in the content process.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The patch is straightforward. The only risk I can think of is that we missed another exploitable case, and we draw attention to it, but we've already landed this patch in nightly so uplifting it doesn't add any risk.
  • String changes made/needed:
  • Is Android affected?: Yes
Attachment #9277224 - Flags: approval-mozilla-release?
Attachment #9277224 - Flags: approval-mozilla-esr91?
Attachment #9277224 - Flags: approval-mozilla-esr102?
Attachment #9277224 - Flags: approval-mozilla-beta?

Comment on attachment 9277244 [details]
Bug 1770048: Improve self-hosted new_List (ESR) r=jandem,tcampbell

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Sec-crit bug
  • User impact if declined: An internal ModuleObject can be leaked to content code and used to gain code execution in the content process.
  • Fix Landed on Version: 102
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The patch is straightforward. The only risk I can think of is that we missed another exploitable case, and we draw attention to it, but we've already landed this patch in nightly so uplifting it doesn't add any risk.
Attachment #9277244 - Flags: approval-mozilla-esr91?
Attachment #9277244 - Flags: approval-mozilla-esr102?
Attachment #9277224 - Flags: approval-mozilla-esr91?
Attachment #9277224 - Flags: approval-mozilla-esr102?
Attachment #9277244 - Flags: approval-mozilla-esr102?

Comment on attachment 9277244 [details]
Bug 1770048: Improve self-hosted new_List (ESR) r=jandem,tcampbell

Approved for 91.9.1esr

Attachment #9277244 - Flags: sec-approval?
Attachment #9277244 - Flags: approval-mozilla-esr91?
Attachment #9277244 - Flags: approval-mozilla-esr91+

Comment on attachment 9277224 [details]
Bug 1770048: Improve self-hosted new_List r=jandem,tcampbell

Approved for 100.0.2
Approved for 101.0b9

Attachment #9277224 - Flags: approval-mozilla-release?
Attachment #9277224 - Flags: approval-mozilla-release+
Attachment #9277224 - Flags: approval-mozilla-beta?
Attachment #9277224 - Flags: approval-mozilla-beta+
Alias: CVE-2022-1529
Attached file Browser PoC

Use a local HTTP server such as python3 -m http.server and visit the localhost URL it loads and visit the HTML page. Test will report PASS or FAIL. If nothing is reported, you probably tried to used a file:// path instead of a local server. Chrome will show PASS for this test.

Flags: qe-verify+

Verified as fixed on macOS 11.6, Windows 10 x64 and on Ubuntu 20.04 x64.

Hi,

Verified as fixed, on all the following builds the testing result = PASS using a Google Pixel 3a (Android 11) on the following builds:
• Firefox 100.3.0 🎬 Video
• Firefox 101.0.0 Beta 6 🎬 Video
• Firefox Focus RC 100.3.0 🎬 Video
• Firefox Focus Beta 101.0.0-beta.6 🎬 Video

Summary:
Used Python 2 as a simple HTTP Server to serve the files from directory.
Due to he fact that localhost, refers to the device used to access that very hostname (e.g. laptop or workstation) I had to use a complementary tool called ngrok which generates secure public URLs for localhost endpoints, allowing you to test localhost on mobile devices.

P.S. Just to be 100% everything works properly, tested the page on previous Firefox/Focus RC and Beta builds and in all cases the result was FAIL.

Thanks Andrei. Good tip on ngrok, especially for mobile.

Group: core-security-release

Backed out for causing SM bustages

Flags: needinfo?(iireland)
Attachment #9277203 - Attachment description: Bug 1770048: Add testcase r=tcampbell → Bug 1770048: Add testcase r=tcampbell!
Flags: needinfo?(iireland)
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.