Closed Bug 1791296 Opened 2 years ago Closed 2 years ago

UAF in sctp_reset_clear_pending in TSAN run of web-platform test webrtc/RTCDataChannel-close.html

Categories

(Core :: WebRTC: Networking, defect)

defect

Tracking


RESOLVED FIXED
108 Branch
Tracking Status
firefox-esr102 109+ fixed
firefox107 --- wontfix
firefox108 --- fixed

People

(Reporter: jesup, Assigned: bwc)

References


Details

(Keywords: csectype-uaf, sec-high, Whiteboard: [adv-main108-][adv-esr102.7-])

Attachments

(1 file)

UAF in sctp_reset_clear_pending during a TSAN run. No patches that should affect this. The only change that even theoretically could affect it was reversing the list of cleanup in the testharness.js for wpt tests.

It was freed when we called SendOutgoingStreamReset() which did a usrsctp_setsockopt() which ended up freeing this data.

It's not a race between conninput() and the setsockopt(), since both were called on the same thread.

Attached file uaf
Group: core-security → layout-core-security
Group: layout-core-security → media-core-security

This may be solved by switching to Google's new lib once they feel confident about shipping it. TBD on level of effort to integrate with that. We'll figure that out in Q4.

Severity: -- → S2
Depends on: CVE-2022-46871

Hey Byron -- Is this likely to be addressed by the sctp library update? If not, is there anything we can investigate here, or is this stalled? Thanks!

Flags: needinfo?(docfaraday)

Closing this out, please file a new bug if we see it again.

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(docfaraday)
Resolution: --- → FIXED
Group: media-core-security → core-security-release
Target Milestone: --- → 108 Branch
Whiteboard: [adv-main108+]

Advisory will go in Bug 1795697

Whiteboard: [adv-main108+] → [adv-main108-]

Bug 1795697 grafts cleanly to ESR102. Given that it was rated sec-high, should we consider doing the backport still? It'd be too late for 102.6esr at this point, but we could possibly do so for 102.7.

Assignee: nobody → docfaraday
Flags: needinfo?(docfaraday)

Let me run some tests; this code is a bit deadlock-prone.

Flags: needinfo?(docfaraday)

FYI, we're not going to be able to get this backported to ESR in time for next week's release, but we're aiming to do so for 102.7.

sgtm

Flags: needinfo?(tom)

Advisory for 102.7 ESR uplift will also go in 1795697 and reuse the advisory Tom wrote there.

Whiteboard: [adv-main108-] → [adv-main108-][adv-esr102.7-]
Group: core-security-release