Closed
Bug 1810536
Opened 3 years ago
Closed 3 years ago
Crashes in Http/3 code
Categories
(Core :: Networking: HTTP, defect, P1)
Core
Networking: HTTP
Tracking
()
RESOLVED
FIXED
111 Branch
People
(Reporter: kershaw, Assigned: valentin)
Details
(Keywords: csectype-uaf, sec-high, Whiteboard: [necko-triaged] [necko-priority-queue][adv-main110+r][adv-esr102.8+r])
Attachments
(1 file)
|
48 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr102+
tjr
:
sec-approval+
|
Details | Review |
According to this search, we have some UAF crashes in our Http/3 code.
|
Assignee | |
Comment 1•3 years ago
|
||
Crash report: https://crash-stats.mozilla.org/report/index/bdd3b5ee-9b94-40ae-b7cc-8998f0230110
Reason: EXCEPTION_ACCESS_VIOLATION_WRITE
Top 10 frames of crashing thread:
9 xul.dll core::mem::drop(neqo_glue::NeqoHttp3Conn*) /rustc/897e37553bba8b42751c67658967889d11ecd120/library/core/src/mem/mod.rs:988 inlined
9 xul.dll neqo_glue::neqo_http3conn_release(neqo_glue::NeqoHttp3Conn*) netwerk/socket/neqo_glue/src/lib.rs:212 cfi
10 xul.dll mozilla::net::NeqoHttp3Conn::Release() netwerk/socket/neqo_glue/NeqoHttp3Conn.h:112 inlined
10 xul.dll mozilla::RefPtrTraits<mozilla::net::NeqoHttp3Conn>::Release(mozilla::net::NeqoHttp3Conn*) mfbt/RefPtr.h:50 inlined
10 xul.dll RefPtr<mozilla::net::NeqoHttp3Conn>::ConstRemovingRefPtrTraits<mozilla::net::NeqoHttp3Conn>::Release(mozilla::net::NeqoHttp3Conn*) mfbt/RefPtr.h:381 inlined
10 xul.dll RefPtr<mozilla::net::NeqoHttp3Conn>::~RefPtr() mfbt/RefPtr.h:81 inlined
10 xul.dll mozilla::net::Http3Session::~Http3Session() netwerk/protocol/http/Http3Session.cpp:299 cfi
11 xul.dll mozilla::net::Http3Session::Release() netwerk/protocol/http/Http3Session.cpp:58 cfi
12 xul.dll mozilla::RefPtrTraits<mozilla::net::Http3Session>::Release(mozilla::net::Http3Session*) mfbt/RefPtr.h:50 inlined
12 xul.dll RefPtr<mozilla::net::Http3Session>::ConstRemovingRefPtrTraits<mozilla::net::Http3Session>::Release(mozilla::net::Http3Session*) mfbt/RefPtr.h:381 inlined
12 xul.dll RefPtr<mozilla::net::Http3Session>::assign_assuming_AddRef(mozilla::net::Http3Session*) mfbt/RefPtr.h:69 inlined
12 xul.dll RefPtr<mozilla::net::Http3Session>::operator=(void*) mfbt/RefPtr.h:168 inlined
12 xul.dll mozilla::net::HttpConnectionUDP::CloseTransaction(mozilla::net::nsAHttpTransaction*, nsresult, bool) netwerk/protocol/http/HttpConnectionUDP.cpp:496 cfi
13 xul.dll mozilla::net::HttpConnectionUDP::OnQuicTimeoutExpired() netwerk/protocol/http/HttpConnectionUDP.cpp:527 cfi
I think we might have a problem here:
if (!mTimer ||
NS_FAILED(mTimer->InitWithNamedFuncCallback(
&HttpConnectionUDP::OnQuicTimeout, mUdpConn, aTimeout,
nsITimer::TYPE_ONE_SHOT, "net::HttpConnectionUDP::OnQuicTimeout"))) {
NS_DispatchToCurrentThread(
NewRunnableMethod("net::HttpConnectionUDP::OnQuicTimeoutExpired",
mUdpConn, &HttpConnectionUDP::OnQuicTimeoutExpired));
}
InitWithNamedFuncCallback takes a pointer to mUdpConn.
By the time we call the timer, mUdpConn might have been released.
Keywords: csectype-uaf,
sec-high
|
|
Assignee | |
Updated•3 years ago
|
Assignee: nobody → valentin.gosu
|
|
Assignee | |
Comment 2•3 years ago
|
||
|
|
Assignee | |
Comment 3•3 years ago
|
||
Comment on attachment 9312479 [details]
Bug 1810536 - Use NS_NewTimerWithCallback to create timer r=#necko
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Not trivial but I think this is exploitable.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: Grafts cleanly to esr102
- How likely is this patch to cause regressions; how much testing does it need?: There is a small risk of regressions: while the patch is relatively simple, it does keep a ref to the HttpConnectionUDP for longer than before which can change the order in which objects get released.
- Is Android affected?: Yes
Attachment #9312479 -
Flags: sec-approval?
|
||
Comment 4•3 years ago
|
||
Comment on attachment 9312479 [details]
Bug 1810536 - Use NS_NewTimerWithCallback to create timer r=#necko
Approved to land and request uplift
Attachment #9312479 -
Flags: sec-approval? → sec-approval+
|
|
Assignee | |
Comment 5•3 years ago
|
||
Comment on attachment 9312479 [details]
Bug 1810536 - Use NS_NewTimerWithCallback to create timer r=#necko
Beta/Release Uplift Approval Request
- User impact if declined: Potential UAF crash with HTTP/3 when a timeout occurs
- Is this code covered by automated tests?: Unknown
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Medium
- Why is the change risky/not risky? (and alternatives if risky): While the patch is relatively simple, it does keep a ref to the HttpConnectionUDP for longer than before which can change the order in which objects get released.
- String changes made/needed:
- Is Android affected?: Yes
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-high
- User impact if declined: Potential UAF crash with HTTP/3 when a timeout occurs
- Fix Landed on Version: 111
- Risk to taking this patch: Medium
- Why is the change risky/not risky? (and alternatives if risky): While the patch is relatively simple, it does keep a ref to the HttpConnectionUDP for longer than before which can change the order in which objects get released.
Attachment #9312479 -
Flags: approval-mozilla-esr102?
Attachment #9312479 -
Flags: approval-mozilla-beta?
|
||
Comment 6•3 years ago
|
||
Use NS_NewTimerWithCallback to create timer r=necko-reviewers,kershaw
https://hg.mozilla.org/integration/autoland/rev/417a22f77ccaf71d33ffd2f6f54c387667808c9f
https://hg.mozilla.org/mozilla-central/rev/417a22f77cca
Group: network-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox111:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 111 Branch
|
||
Comment 7•3 years ago
|
||
Comment on attachment 9312479 [details]
Bug 1810536 - Use NS_NewTimerWithCallback to create timer r=#necko
Approved for 110 beta 5, thanks.
Attachment #9312479 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
||
Comment 8•3 years ago
|
||
| uplift | ||
status-firefox110:
--- → fixed
|
||
Updated•3 years ago
|
status-firefox109:
--- → wontfix
status-firefox-esr102:
--- → affected
tracking-firefox110:
--- → +
tracking-firefox111:
--- → +
tracking-firefox-esr102:
--- → 110+
|
|
||
Comment 9•3 years ago
|
||
Comment on attachment 9312479 [details]
Bug 1810536 - Use NS_NewTimerWithCallback to create timer r=#necko
Approved for 102.8esr.
Attachment #9312479 -
Flags: approval-mozilla-esr102? → approval-mozilla-esr102+
|
|
||
Comment 10•3 years ago
|
||
| uplift | ||
|
|
||
Updated•3 years ago
|
Whiteboard: [necko-triaged] [necko-priority-queue] → [necko-triaged] [necko-priority-queue][adv-main110+r]
|
|
||
Updated•3 years ago
|
Whiteboard: [necko-triaged] [necko-priority-queue][adv-main110+r] → [necko-triaged] [necko-priority-queue][adv-main110+r][adv-esr102.8+r]
|
||
Updated•3 years ago
|
QA Whiteboard: [post-critsmash-triage]
|
||
Updated•2 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•