Closed Bug 1794622 (CVE-2023-25730) Opened 3 years ago Closed 3 years ago

requestFullscreen without fullscreen notification toast with unresponsive script and navigate to another website

Categories

(Core :: DOM: Core & HTML, defect)

defect

Tracking

VERIFIED FIXED
111 Branch
Tracking Status
firefox-esr102 110+ verified
firefox109 --- wontfix
firefox110 + verified
firefox111 + verified

People

(Reporter: sourc7, Assigned: edgar)

References

Details

(Keywords: csectype-spoof, reporter-external, sec-high, Whiteboard: [adv-esr102.8+][adv-main110+][reporter-external] [client-bounty-form] [verif?])

Attachments

(5 files, 1 obsolete file)

Attached file testcase.bundle.html

When invoking requestFullscreen, then running an unresponsive script that blocks the main thread or freezes the page, and simultaneously navigating to another website, interestingly the browser goes fullscreen without a fullscreen notification toast on the other website.

When in fullscreen mode the page is still responsive and interactable as usual; the browser will stay in fullscreen mode as long as the unresponsive script is running in the background, and when the unresponsive script is over the browser will exit fullscreen mode.

Tested on:

  • Firefox 105.0.3 (64-bit) on Arch Linux
  • Firefox 105.0.3 (64-bit) on Windows 11
  • Firefox Nightly 107.0a1 (2022-10-11) (64-bit) on Arch Linux
  • Firefox Nightly 107.0a1 (2022-10-11) (64-bit) on Windows 11

Steps to reproduce:

  1. Visit attached testcase.bundle.html
  2. Click "Launch"
  3. Click anywhere on the page
  4. Browser goes fullscreen without fullscreen notification toast
Flags: sec-bounty?
Group: firefox-core-security → dom-core-security
Component: Security → DOM: Core & HTML
Product: Firefox → Core
Severity: -- → S2
Flags: needinfo?(echen)

It's interesting that we were able to show the transition to black but not the toast. Are those drawn by two separate processes?

They are both drawn by the parent process; the notification happens later, when the content process notifies the parent process that web content has entered fullscreen mode, but the content process is busy executing script. Bug 1795139 could help with that. But I think the core issue is that we don't exit fullscreen mode while the page navigates away, and that is also because the content process is busy executing script; maybe we should detect that in native code (in the parent process?) instead of relying on the status of the JSActor.

Assignee: nobody → echen
Flags: needinfo?(echen)

Update - as in comment 3, bug 1795139 helped with some part of this issue. There are some navigation errors that Edgar is still working on.

Attached file Bug 1794622; r?smaug

Update - after this patch, the parent process will now exit fullscreen on the chrome document once the remote document is navigating away, but this patch makes a fullscreen test fail; I am still working on figuring out what's happening there.

With some investigation, so far there are two things that might cause the test to fail with the patch here:

  • The test browser_fullscreen-document-mutation.js itself isn't robust enough; the patch here changes some timing and makes the flaws much easier to reproduce.
  • The way we track the fullscreen events has some potential racing problems; the current intermittent failures (bug 1785951 and bug 1785951) seem to have the same root cause. The timing changes in this bug seem to make the flaws worse. It's probably fine in practice, as they are corner cases and we end up rejecting the fullscreen request, which won't cause security problems. But it would be nice if we could fix that to have reliable fullscreen tests.
Depends on: 1800207
Depends on: 1800482
Depends on: 1800895
Blocks: 1800895
No longer depends on: 1800895
Attachment #9301748 - Attachment description: Bug 1794622; → Bug 1794622; r?smaug
Depends on: 1801391
Attached file Bug 1794622; r?smaug (obsolete) —
Attachment #9309348 - Attachment is obsolete: true

Comment on attachment 9301748 [details]
Bug 1794622; r?smaug

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Patch clearly shows the issue is related to fullscreen, but I don't think it is trivial to know what the exact problem is.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: All
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: This patch makes the existing intermittent failures on some fullscreen tests worse because the timing of exiting fullscreen is changed. We would need to uplift bug 1800482, bug 1801391 and bug 1800207 to solve the intermittent failures.
  • How likely is this patch to cause regressions; how much testing does it need?: Should be safe as the patch only affects when the page navigates.
  • Is Android affected?: No
Attachment #9301748 - Flags: sec-approval?

Comment on attachment 9301748 [details]
Bug 1794622; r?smaug

Approved to land and uplift. It sounds like we may just want to disable some tests on ESR instead of uplifting...

Attachment #9301748 - Flags: sec-approval? → sec-approval+
Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 111 Branch

The patch landed in nightly and beta is affected.
:edgar, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox110 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(echen)

Comment on attachment 9301748 [details]
Bug 1794622; r?smaug

Beta/Release Uplift Approval Request

  • User impact if declined: After bug 1795139, we no longer have an issue showing the fullscreen notification, but the browser doesn't exit fullscreen mode while the page navigates away if an oop iframe is busy executing script, which is still confusing to the user.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: Follow steps in https://bugzilla.mozilla.org/show_bug.cgi?id=1794622#c0
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Should be safe as the patch only affects when the page navigates. And the bugs that improve the intermittent failures (bug 1800482, bug 1801391 and bug 1800207) are already in beta.
  • String changes made/needed: None
  • Is Android affected?: No
Flags: needinfo?(echen)
Attachment #9301748 - Flags: approval-mozilla-beta?
Flags: qe-verify+

(I am working on preparing a backport for esr)

Flags: needinfo?(echen)
Flags: needinfo?(echen)

Comment on attachment 9313636 [details]
[ESR102] Bug 1794622; r=smaug

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: This is a sec-high bug.
  • User impact if declined: After bug 1795139, we no longer have an issue showing the fullscreen notification, but the browser doesn't exit fullscreen mode while the page navigates away if an oop iframe is busy executing script, which is still confusing to the user.
  • Fix Landed on Version: 111
  • Risk to taking this patch: Medium
  • Why is the change risky/not risky? (and alternatives if risky): Should be safe as the patch only affects when the page navigates. But this patch makes the existing intermittent failures on some fullscreen tests worse; we might need to disable those tests if things go too bad, as we probably don't want to uplift the other improving bugs.
Attachment #9313636 - Flags: approval-mozilla-esr102?
Attachment #9301748 - Flags: approval-mozilla-esr102?
Flags: sec-bounty? → sec-bounty+
QA Whiteboard: [qa-triaged]

I have reproduced this issue with STR from comment 0, on an affected Nightly build (2020-10-11) running macOS 11.

The issue is verified as fixed on latest Nightly 111.0a1, across platforms: Win 10 x64, macOS 11 and Ubuntu 18.04 x64.

Flags: qe-verify+

Comment on attachment 9301748 [details]
Bug 1794622; r?smaug

Approved for 110 beta 6, thanks.

Attachment #9301748 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

This is also verified as fixed on 110.0b6 under macOS 11, Ubuntu 18.04 x64 and Win 10 x64.

Comment on attachment 9313636 [details]
[ESR102] Bug 1794622; r=smaug

Approved for 102.8esr.

Attachment #9313636 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+

I have also verified this as fixed on 102.8esr with Win 7 x64, macOS 11 and Ubuntu 18.04 x64.

Status: RESOLVED → VERIFIED
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [adv-main110+][reporter-external] [client-bounty-form] [verif?]
Whiteboard: [adv-main110+][reporter-external] [client-bounty-form] [verif?] → [adv-esr102.8+][adv-main110+][reporter-external] [client-bounty-form] [verif?]
Alias: CVE-2023-25730
Group: core-security-release