Web Crypto ImportKey crashes tab
Categories
(Core :: DOM: Web Crypto, defect)
Tracking
()
People
(Reporter: goras.francesco, Assigned: keeler)
Details
(Keywords: sec-low, Whiteboard: [adv-main110+][adv-esr102.8+])
Attachments
(3 files)
57.74 KB,
image/png
|
Details | |
48 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-beta+
pascalc
:
approval-mozilla-esr102+
|
Details | Review |
168 bytes,
text/plain
|
Details |
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Steps to reproduce:
Import an SPKI RSA Public Key but specify the type of the key as ECDSA P-256.
try {
await crypto.subtle.importKey(
"spki",
Buffer.from(pem, 'base64'),
{
name: "ECDSA",
namedCurve: curve
},
false,
["verify"]
);
} catch (err) {
console.error(err);
}
Contents of the pem
variable:
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs6kchlNLKPbvVTJrAhPP
B+b1JMODYEmVLS6jBBltlN4asrVzUIxstVzbmhElDBkWnqM0VsCqrgTGK/iCu4Hd
/Io8oABQlWvH+M/2Pync7HBtvXZcGCz9RXRTBaTlpAe8eR6CJjT0YmQOOFUXxUsf
95/hLOf2hSryelC+kIf0nCRCkHEUqpNdc8YUXDLnzoMWyClfsisn0lwmVWweWIuK
3CjmiDUP5O9zh7fiZpCRerr3emYCYjLtZfw3qeweDclSmVwErS2qPXgQw4L8DV5D
8oZZT01ckLZGIs3OTYxiUDvsHxLaNdmN0WnbsDiKBcqj7A3uMN6MkrWW/2d0uEwN
swIDAQAB
Actual results:
The tab crashed (as per screenshot).
Expected results:
I understand that this is caused by a misuse of the Webcrypto library.
However I believe an Error or Exception should be thrown instead of a crash.
Reporter | ||
Updated•1 year ago
|
Assignee | ||
Updated•1 year ago
|
Assignee | ||
Comment 1•1 year ago
|
||
Comment 2•1 year ago
|
||
webcrypto: check decoded key type before using r=jschanck
https://hg.mozilla.org/integration/autoland/rev/8bd422f4177126ef4249894d0124c40a34f1b022
https://hg.mozilla.org/mozilla-central/rev/8bd422f41771
Comment 3•1 year ago
|
||
Is the S1 severity on this bug correct? From the docs:
(Catastrophic) Blocks development/testing, may impact more than 25% of users, causes data loss, likely dot release driver, and no workaround available
Also, please nominate this for uplift if this is something you thing we need to fix across other branches as well. It grafts cleanly.
Assignee | ||
Comment 4•1 year ago
|
||
No - I set that out of an abundance of caution. Somewhere between S2/3 is appropriate - it's mostly a denial-of-service issue, although there's a slight chance it could be exploited for something more serious, like an attacker reading memory they're not supposed to be able to.
Assignee | ||
Comment 5•1 year ago
|
||
Comment on attachment 9315250 [details]
Bug 1813424 - webcrypto: check decoded key type before using r?jschanck
Beta/Release Uplift Approval Request
- User impact if declined: Mostly looks like a potential denial-of-service (crashing tabs). There's a possibility it could be used to read memory that otherwise wouldn't be accessible.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The changes are very minimal, localized, and fairly clearly correct.
- String changes made/needed: none
- Is Android affected?: Yes
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Mostly looks like a potential denial-of-service (crashing tabs). There's a possibility it could be used to read memory that otherwise wouldn't be accessible.
- User impact if declined: ^
- Fix Landed on Version: 111
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The changes are very minimal, localized, and fairly clearly correct.
Comment 6•1 year ago
|
||
Comment on attachment 9315250 [details]
Bug 1813424 - webcrypto: check decoded key type before using r?jschanck
Approved for our last 110 beta, thanks.
Comment 7•1 year ago
|
||
uplift |
Comment 8•1 year ago
|
||
Comment on attachment 9315250 [details]
Bug 1813424 - webcrypto: check decoded key type before using r?jschanck
Approved for ESR 102.8.0, thanks.
Comment 9•1 year ago
|
||
uplift |
Comment 10•1 year ago
|
||
Updated•1 year ago
|
Updated•1 year ago
|
Updated•1 year ago
|
Updated•1 year ago
|
Updated•6 months ago
|
Description
•