Closed Bug 1833681 Opened 2 years ago Closed 2 years ago

Subtypes can leak through block params and results

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

Product:
Core
Component:
JavaScript: WebAssembly
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
115 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox113 --- disabled
firefox114 --- disabled
firefox115 --- fixed

People

(Reporter: bvisness, Assigned: bvisness)

Details

(Keywords: sec-high)

Attachments

(2 files)

Bug 1833681: Fix checkTopTypeMatches. r=rhunt
48 bytes, text/x-phabricator-request
Details | Review
Bug 1833681: Add tests for wasm stack rewriting. r=rhunt
48 bytes, text/x-phabricator-request
Details | Review

When exiting a block, we verify that the stack matches the block's result type, but we do not actually replace the stack with the block's result type. Now that subtyping has been introduced to wasm, more specific types can leak out of blocks and allow code to validate that shouldn't.

Assignee: nobody → bvisness
Status: NEW → ASSIGNED
Group: core-security → javascript-core-security

I assume this is an old problem and not a recent regresion? Will we need to fix ESR?

status-firefox115: --- → affected
Keywords: sec-high

This is a latent issue in our type checking code that the introduction of subtyping in the wasm function-references and GC proposals exposed. It should not be triggerable without these features enabled. Neither of those proposals are enabled on any version yet though, so we should not need to uplift this.

Severity: -- → S3
Priority: -- → P1

From looking at this code with Ben, this also affects block params in addition to results.

Summary: Subtypes can leak out of block results → Subtypes can leak through block params and results
Attachment #9334641 - Attachment description: Bug 1833681: Rewrite the stack with block result types. r=rhunt → Bug 1833681: Fix checkTopTypeMatches. r=rhunt

Depends on D178346

https://hg.mozilla.org/mozilla-central/rev/86c7006980d3

Going off blame, it looks like this goes back to at least 107 (bug 1784276). As a sec-high affecting more than just Nightly, this should have gotten sec-approval prior to landing. Please request approval on that retroactively so we can assess the next steps.

Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox113: --- → wontfix
status-firefox114: --- → affected
status-firefox115: affectedfixed
status-firefox-esr102: --- → ?
Flags: needinfo?(bvisness)
Resolution: --- → FIXED
Target Milestone: --- → 115 Branch

This bug is only triggerable with the non-standard wasm-gc extension enabled. It's never been enabled by default on any version, including nightly.

My understanding is that this makes it less severe than the "B. The bug is a recent regression on mozilla-central" branch of approval process, which is why I recommended we land it without approval. Is sec-high appropriate for issues that would be sec-high if the feature was enabled, but is not enabled by default anywhere?

Flags: needinfo?(bvisness)

I'll redirect to Dan on that. But regardless, comment 2 asked for clarification before this landed as well.

Flags: needinfo?(dveditz)

If this requires some disabled feature, then it is okay to land without sec-approval. Comment 3 does mention that the feature it affects is disabled.

We give things security ratings as though they were enabled. Part of the idea here is that it helps keep it on people's radars so they don't forget about it before being enabled, but it can be a bit of a hassle for people who are working on projects that spend a long period being disabled.

status-firefox113: wontfixdisabled
status-firefox114: affecteddisabled
status-firefox-esr102: ?disabled
Flags: needinfo?(dveditz)
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: