Closed Bug 1806974 Opened 1 year ago Closed 1 year ago

AddressSanitizer: heap-use-after-free [@ get] through [@ mozilla::net::Http2Session::RecvGoAway] with READ of size 8

Categories

(Core :: Networking: HTTP, defect, P1)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
110 Branch
Tracking Status
firefox-esr102 109+ fixed
firefox108 --- wontfix
firefox109 + fixed
firefox110 + fixed

People

(Reporter: decoder, Assigned: kershaw)

References

Details

(4 keywords, Whiteboard: [necko-triaged][necko-priority-queue][post-critsmash-triage][adv-main109+r][adv-esr102.7+r])

Attachments

(3 files, 1 obsolete file)

The attached testcase crashes on mozilla-central revision 20221219-91a9bbbe6bea (non-debug fuzzing ASan build).

For detailed crash information, see attachment.

To reproduce the issue, perform the following steps:

1. Download the attached testcase, save as "test.bin".
2a. Build with --enable-fuzzing (requires Clang and ASan, also build gtests using ./mach gtest dontruntests).
2b. Alternatively you can download builds from TC using python -mfuzzfetch -a --fuzzing --target firefox gtest (see https://github.com/MozillaSecurity/fuzzfetch).
2. Run FUZZER=NetworkHttp2ProxyHttp2 objdir/dist/bin/firefox test.bin

I reproduced this locally and it crashes consistently.

Attached file Testcase
Group: core-security → network-core-security
Severity: -- → S2
Priority: -- → P1
Whiteboard: [necko-triaged][necko-priority-queue]
Assignee: nobody → kershaw

Comment on attachment 9309913 [details]
Bug 1806974 - Avoid manipulating the queue inside the loop, r=#necko

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Probably quite easy.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: Low, since the behavior is not changed.
  • Is Android affected?: Yes
Attachment #9309913 - Flags: sec-approval?

Comment on attachment 9309913 [details]
Bug 1806974 - Avoid manipulating the queue inside the loop, r=#necko

Approved to land and request uplift

Attachment #9309913 - Flags: sec-approval? → sec-approval+
Attachment #9310522 - Attachment is obsolete: true

Comment on attachment 9309913 [details]
Bug 1806974 - Avoid manipulating the queue inside the loop, r=#necko

Beta/Release Uplift Approval Request

  • User impact if declined: Possible crash due to UAF
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This patch is straightforward and doesn't change the behavior.
  • String changes made/needed: N/A
  • Is Android affected?: Yes

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: Possible crash due to UAF
  • Fix Landed on Version: 111
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This patch is straightforward and doesn't change the behavior.
Attachment #9309913 - Flags: approval-mozilla-esr102?
Attachment #9309913 - Flags: approval-mozilla-beta?
Group: network-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED

Comment on attachment 9309913 [details]
Bug 1806974 - Avoid manipulating the queue inside the loop, r=#necko

Approved for 109.0b9.

Attachment #9309913 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment on attachment 9309913 [details]
Bug 1806974 - Avoid manipulating the queue inside the loop, r=#necko

Approved for 102.7esr.

Attachment #9309913 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+
Flags: qe-verify-
Whiteboard: [necko-triaged][necko-priority-queue] → [necko-triaged][necko-priority-queue][post-critsmash-triage]
Whiteboard: [necko-triaged][necko-priority-queue][post-critsmash-triage] → [necko-triaged][necko-priority-queue][post-critsmash-triage][adv-main109+r][adv-esr102.7+r]
Group: core-security-release