Closed Bug 1830186 Opened 2 years ago Closed 2 years ago

Dangling Pointer in GridLines::SetLineInfo

Categories

(Core :: Layout: Grid, defect)

Product:
Core
Component:
Layout: Grid
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
114 Branch
Tracking Flags:
Tracking Status
firefox-esr102 113+ fixed
firefox112 --- wontfix
firefox113 + fixed
firefox114 + fixed

People

(Reporter: alaskanemily, Assigned: alaskanemily)

Details

(Keywords: sec-moderate, Whiteboard: [adv-main113+r][adv-ESR102.11+r])

Attachments

(2 files)

Bug 1830186 - Use local variable instead of temporary in GridLines::SetLineInfo
48 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-beta+
RyanVM
: approval-mozilla-esr102+
Details | Review
toy program to illustrate why this is an issue (proving that the temporary doesn't get lifetime-extended)
553 bytes, text/x-c++src
Details
No description provided.
Severity: -- → S2

SafeElementAt takes a reference to a default value. In this case, a temporary
array is constructed and passed as this reference. If this default value is
used, it is returned by reference. However, after the SafeElementAt call that
variable has gone out of scope. This will cause crashes or reading arbitrary
memory if the storage for that argument is written to.

Fortunately this is only a possibility when using the dev tools, and seems to
not actually be an issue currently, but this is a potential security bug.

Attachment #9330499 - Attachment description: Bug 1830186 - Fix dangling pointer in GridLines::SetLineInfo → Bug 1830186 - Use local variable instead of temporary in GridLines::SetLineInfo

(In reply to Emily McDonough [:alaskanemily] from comment #1)

Fortunately this is only a possibility when using the dev tools, and seems to
not actually be an issue currently, but this is a potential security bug.

Calling sec-moderate per above^

Keywords: sec-moderate

Comment on attachment 9330499 [details]
Bug 1830186 - Use local variable instead of temporary in GridLines::SetLineInfo

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: There is no known method to exploit this. At the very least, it would require the user opening the dev tools on a document using grid layout.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: Everything since Firefox 59
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: This should apply cleanly to all supported branches.
  • How likely is this patch to cause regressions; how much testing does it need?: The change should be safe, and is unlikely to cause any regressions. Because no actual exploit or crash is known, no testing can validate it.
  • Is Android affected?: Yes
Attachment #9330499 - Flags: sec-approval?

Comment on attachment 9330499 [details]
Bug 1830186 - Use local variable instead of temporary in GridLines::SetLineInfo

Beta/Release Uplift Approval Request

  • User impact if declined: Potential crashes or possibly a security issue when using dev tools on content with grid layout. No example of this crash has been found, but it is still a possibility.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The change is extremely simple, and is at worst just a tiny refactor.
  • String changes made/needed:
  • Is Android affected?: Unknown
Attachment #9330499 - Flags: approval-mozilla-beta?

Comment on attachment 9330499 [details]
Bug 1830186 - Use local variable instead of temporary in GridLines::SetLineInfo

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: The change is very small and prevents a potential security flaw.
  • User impact if declined: Potential crashes or possibly a security issue when using dev tools on content with grid layout. No example of this crash has been found, but it is still a possibility.
  • Fix Landed on Version: 114 pending sec approval
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The change is extremely simple, and is at worst just a tiny refactor.
Attachment #9330499 - Flags: approval-mozilla-esr102?

For folks like me who look at the old code and think to themselves, "hey wait, doesn't C++ say that temporaries get lifetime-extended if you capture them in a const reference something something": that didn't actually happen in this case.

Here's a trivial program (a simplified version of the actual code involved here) to prove this. If I compile with g++ and run this program, I get the following output:

In Logger constructor for 0x7fff48c2260f
Entering GetMeALogger
In Logger destructor for 0x7fff48c2260f
After the call to GetMeALogger
In DoStuff for 0x7fff48c2260f

Note that the destructor does get invoked right after the call to GetMeALogger, i.e. the temporary variable does not get its lifetime extended, and the subsequent usage (DoStuff) is potentially crashy/risky.

(In reply to Emily McDonough [:alaskanemily] from comment #3)

  • Which older supported branches are affected by this flaw?: Everything since Firefox 59

[adding detail] specifically, this was introduced by this change for bug 1423378, I think, where we switched from copying the about-to-be-destructed-temporary into a local variable [which is fine] to capturing it in a reference [which is not-fine]:
https://hg.mozilla.org/mozilla-central/rev/60d0c815b98047ab945bf8b7d2c235bc260ba8ac#l1.12

Once we're ready to open this bug up (once the patch has reached all supported releases), we should probably mark it as a regression from bug 1423378.

Comment on attachment 9330499 [details]
Bug 1830186 - Use local variable instead of temporary in GridLines::SetLineInfo

Given that this is a sec-moderate, it doesn't technically require sec-approval to land. That said, I do appreciate you checking anyway given how late we are in the cycle. I'm OK uplifting this to Beta & ESR ahead of our RC builds next week given the very low risk of the patch, so go ahead and land this.

Flags: needinfo?(emcdonough)
Attachment #9330499 - Flags: sec-approval?

Use local variable instead of temporary in GridLines::SetLineInfo r=dholbert
https://hg.mozilla.org/integration/autoland/rev/a6dc276798192dc33f392b55de4abcd4ebf7e603
https://hg.mozilla.org/mozilla-central/rev/a6dc27679819

Group: layout-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox114: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 114 Branch

Comment on attachment 9330499 [details]
Bug 1830186 - Use local variable instead of temporary in GridLines::SetLineInfo

Approved for 113.0rc1 and 102.11esr.

Flags: needinfo?(emcdonough)
Attachment #9330499 - Flags: approval-mozilla-esr102?
Attachment #9330499 - Flags: approval-mozilla-esr102+
Attachment #9330499 - Flags: approval-mozilla-beta?
Attachment #9330499 - Flags: approval-mozilla-beta+
Whiteboard: [adv-main113+r]
Whiteboard: [adv-main113+r] → [adv-main113+r][adv-ESR102.11+]
Whiteboard: [adv-main113+r][adv-ESR102.11+] → [adv-main113+r][adv-ESR102.11+r]
Flags: qe-verify-
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: