AddressSanitizer: global-buffer-overflow [@ nsRoleMapEntry::IsOfType] with READ of size 4
Categories
(Core :: Disability Access APIs, defect)
Tracking
()
People
(Reporter: decoder, Assigned: Jamie)
References
Details
(4 keywords, Whiteboard: [post-critsmash-triage][adv-main112+r][adv-esr102.10+r])
Attachments
(2 files)
4.71 KB,
text/plain
|
Details | |
48 bytes,
text/x-phabricator-request
|
diannaS
:
approval-mozilla-release+
diannaS
:
approval-mozilla-esr102+
tjr
:
sec-approval+
|
Details | Review |
In experimental IPC fuzzing, we found the following crash on mozilla-central revision f14ed3bab724+ (fuzzing-asan-nyx-opt build):
=================================================================
==1960==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7ffff0933c24 at pc 0x7fffe589adfa bp 0x7ffffffd9ba0 sp 0x7ffffffd9b98
READ of size 4 at 0x7ffff0933c24 thread T0
#0 0x7fffe589adf9 in nsRoleMapEntry::IsOfType(mozilla::a11y::AccGenericType) const accessible/base/ARIAMap.h:152:12
#1 0x7fffe58da343 in mozilla::a11y::Accessible::HasGenericType(mozilla::a11y::AccGenericType) const accessible/basetypes/Accessible.cpp:110:41
#2 0x7fffe577240d in mozilla::a11y::Accessible::IsHyperText() const objdir-ff-aflpp/dist/include/mozilla/a11y/Accessible.h:477:37
#3 0x7fffe576b5ae in GetInterfacesForProxy(mozilla::a11y::RemoteAccessible*) accessible/atk/AccessibleWrap.cpp:956:15
#4 0x7fffe576b418 in mozilla::a11y::ProxyCreated(mozilla::a11y::RemoteAccessible*) accessible/atk/AccessibleWrap.cpp:997:30
#5 0x7fffe59dc031 in mozilla::a11y::DocAccessibleParent::AddSubtree(mozilla::a11y::RemoteAccessible*, nsTArray<mozilla::a11y::AccessibleData> const&, unsigned int, unsigned int) accessible/ipc/DocAccessibleParent.cpp:197:5
#6 0x7fffe59dafb4 in mozilla::a11y::DocAccessibleParent::RecvShowEvent(mozilla::a11y::ShowEventData const&, bool const&) accessible/ipc/DocAccessibleParent.cpp:133:23
#7 0x7fffe59dca20 in non-virtual thunk to mozilla::a11y::DocAccessibleParent::RecvShowEvent(mozilla::a11y::ShowEventData const&, bool const&) accessible/ipc/DocAccessibleParent.cpp:0:0
#8 0x7fffe5b1e147 in mozilla::a11y::PDocAccessibleParent::OnMessageReceived(IPC::Message const&) objdir-ff-aflpp/ipc/ipdl/PDocAccessibleParent.cpp:9386:52
#9 0x7fffda9eff7a in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) objdir-ff-aflpp/ipc/ipdl/PContentParent.cpp:6661:32
#10 0x7fffcd8540e6 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) ipc/glue/MessageChannel.cpp:1800:25
[...]
#33 0x5555557ea39a in main browser/app/nsBrowserApp.cpp:423:16
This local fuzzing crash is the result of new experimental setups with the IPC fuzzer.
On the experiments we are performing here is targeted fuzzing of a specific actor/method, in this case we are targeting mozilla::a11y::DocAccessibleParent::RecvShowEvent
by loading a Mochitest into the fuzzing VM that triggers this method, then snapshot and start fuzzing.
Because of this experimental setup, we cannot provide a testcase yet. But I did some preliminary investigation:
It looks like we are creating a RemoteAccessible
here: https://searchfox.org/mozilla-central/rev/7bb059f2e81636e0db20acbf2afe67d49508489b/accessible/ipc/DocAccessibleParent.cpp#200
The roleMapIndex
comes from here https://searchfox.org/mozilla-central/rev/7bb059f2e81636e0db20acbf2afe67d49508489b/accessible/ipc/DocAccessibleParent.cpp#189
and AddSubtree
is called here https://searchfox.org/mozilla-central/rev/7bb059f2e81636e0db20acbf2afe67d49508489b/accessible/ipc/DocAccessibleParent.cpp#133 in mozilla::a11y::DocAccessibleParent::RecvShowEvent
.
Could it be that we just send this index through IPC without bounds-checking it, and then we go out of bounds later in nsRoleMapEntry::IsOfType
?
Reporter | ||
Comment 1•1 year ago
|
||
Assignee | ||
Comment 2•1 year ago
|
||
Yeah, I'd say it's very likely a missing bounds check. We should enforce that before we create the RemoteAccessible.
Assignee | ||
Updated•1 year ago
|
Reporter | ||
Comment 3•1 year ago
|
||
I also suggest to perform a careful audit of this API. We are passing in untrusted AccessibleData
which contains much more than just the roleMapIndex
. We should revisit the code with the explicit assumption that all of this data is malicious.
The impact of this specific bug is also not fully clear to me yet. Being able to spoof a different type here through nsRoleMapEntry::IsOfType
might lead to other issues later on that require a more complex testcase but might actually grant oob write or worse. So this might well be a sec-high, in which case it should be elevated to S2.
Updated•1 year ago
|
Updated•1 year ago
|
Comment 4•1 year ago
|
||
The severity field for this bug is set to S3. However, the bug is flagged with the sec-high
keyword.
:Jamie, could you consider increasing the severity of this security bug?
For more information, please visit auto_nag documentation.
Assignee | ||
Updated•1 year ago
|
Assignee | ||
Comment 5•1 year ago
|
||
Updated•1 year ago
|
Comment 6•1 year ago
|
||
Is the plan to uplift this to 112, or is riding the 113 train?
Assignee | ||
Comment 7•1 year ago
|
||
:decoder, do you think this needs an uplift? I'm not really sure how to assess the severity of IPC exploits as far as whether a beta/ESR uplift is required.
Reporter | ||
Comment 8•1 year ago
|
||
I recommend uplifting, if you think the risk of breakage is reasonably low. IPC exploits in general are to be considered severe, though it is unclear how severe this particular instance is. However, in doubt, we should err on the side of caution and fix this if esp. if it is a smaller fix.
Assignee | ||
Comment 9•1 year ago
|
||
In that case, :diannaS, I intend to uplift this if we get the review comments sorted out in time.
Assignee | ||
Comment 10•1 year ago
|
||
Comment on attachment 9325094 [details]
Bug 1820389: Gracefully handle unknown ARIA roles.
Security Approval Request
- How easily could an exploit be constructed based on the patch?: The addition of a validity check does hint at a bounds issue in the handling of an IPDL message. I'm not sure how easy it'd be to exploit that, though.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: beta, ESR
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: Should apply cleanly or be easy to create.
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely; just a bounds check.
- Is Android affected?: Yes
Comment 11•1 year ago
|
||
Comment on attachment 9325094 [details]
Bug 1820389: Gracefully handle unknown ARIA roles.
Approved to land, relman indicated they would take this
Updated•1 year ago
|
Comment 12•1 year ago
|
||
Backed out for causing build bustages at DocAccessibleParent.cpp
Backout link: https://hg.mozilla.org/integration/autoland/rev/f82efcc9e720e3e1670e7897604a0b8c67c2a4a8
Failure log: https://treeherder.mozilla.org/logviewer?job_id=410961506&repo=autoland&lineNumber=6817
Comment 13•1 year ago
|
||
Hybrid builds notably are non-unified. Missing include most likely?
Assignee | ||
Comment 14•1 year ago
|
||
Comment on attachment 9325094 [details]
Bug 1820389: Gracefully handle unknown ARIA roles.
Beta/Release Uplift Approval Request
- User impact if declined: Crash, potential IPC bounds exploit.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Just validates an input parameter.
- String changes made/needed:
- Is Android affected?: Yes
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined: Crash, potential IPC bounds exploit.
- Fix Landed on Version: 113 shortly
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Just validates an input parameter.
Assignee | ||
Comment 15•1 year ago
|
||
Note that I'm requesting beta/ESR approval before this fully lands on central as asked by RyanVM due to the proximity to rc.
Comment 16•1 year ago
|
||
Comment on attachment 9325094 [details]
Bug 1820389: Gracefully handle unknown ARIA roles.
Approved for 112.0rc1 and 102.10esr
Comment 17•1 year ago
|
||
Gracefully handle unknown ARIA roles. r=eeejay,decoder
https://hg.mozilla.org/integration/autoland/rev/d0c10cfe124c46f355177d08196f1e04e437140b
https://hg.mozilla.org/mozilla-central/rev/d0c10cfe124c
Comment 18•1 year ago
|
||
Updated•1 year ago
|
Updated•1 year ago
|
Updated•1 year ago
|
Updated•6 months ago
|
Description
•