Closed Bug 1836550 Opened 2 years ago Closed 2 years ago

Potential Integer Overflow from malicious content process

Categories

(Core :: DOM: Copy & Paste and Drag & Drop, defect)

Product:
Core
Component:
DOM: Copy & Paste and Drag & Drop
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
116 Branch
Tracking Flags:
Tracking Status
firefox-esr102 115+ fixed
firefox114 --- wontfix
firefox115 + fixed
firefox116 + fixed

People

(Reporter: tjr, Assigned: edgar)

References

Details

(Keywords: csectype-intoverflow, csectype-sandbox-escape, sec-high, Whiteboard: [adv-main115+r][adv-esr102.13+r])

Attachments

(2 files)

Bug 1836550 - Validate image data received from IPC; r?NeilDeakin!
48 bytes, text/x-phabricator-request
dmeehan
: approval-mozilla-beta+
tjr
: sec-approval+
Details | Review
[esr102] Bug 1836550 - Validate image data received from IPC; r=NeilDeakin!
1.44 KB, patch
dmeehan
: approval-mozilla-esr102+
Details | Diff | Splinter Review

In BrowserParent::RecvInvokeDragSession( we have the following code:

mozilla::ipc::IPCResult BrowserParent::RecvInvokeDragSession(
    nsTArray<IPCTransferableData>&& aTransferables, const uint32_t& aAction,
    Maybe<BigBuffer>&& aVisualDnDData, const uint32_t& aStride,
    const gfx::SurfaceFormat& aFormat, const LayoutDeviceIntRect& aDragRect,
    nsIPrincipal* aPrincipal, nsIContentSecurityPolicy* aCsp,
    const CookieJarSettingsArgs& aCookieJarSettingsArgs,
    const MaybeDiscarded<WindowContext>& aSourceWindowContext,
    const MaybeDiscarded<WindowContext>& aSourceTopWindowContext) {
  
  ...

  if (aVisualDnDData && aVisualDnDData->Size() >= aDragRect.height * aStride) {
    dragStartData->SetVisualization(gfx::CreateDataSourceSurfaceFromData(
        gfx::IntSize(aDragRect.width, aDragRect.height), aFormat,
        aVisualDnDData->Data(), aStride));
  }

aDragRect.height * aStride are attacker controlled, so they ought to be able to overflow, so aVisualDnDData->Size() >= aDragRect.height * aStride can be true even if aStride is very large and aVisualDnDData->Size() is small. If that is the case, we will eventually wind up with a raw pointer and a corresponding stride that is too large which will probably result in a buffer overread or overwrite somewhere.

I'm not certain this is an issue, but I'm doing some code inspection based on patterns of previous sandbox escapes, so I'd appreciate another set of eyes confirming this is or isn't an issue.

See Also: → 1837450

Edgar, please help take a look, thanks.

Flags: needinfo?(echen)
Severity: -- → S2

Sure thing!

Assignee: nobody → echen
Flags: needinfo?(echen)

(In reply to Tom Ritter [:tjr] from comment #0)

so I'd appreciate another set of eyes confirming this is or isn't an issue.

Yes, this is an issue. We should validate the image data received from IPC.

We should look into using IPCImage for this instead.

(In reply to Tom Schuster (MoCo) from comment #5)

We should look into using IPCImage for this instead.

Yes, I have filed bug 1782043 for this.

Comment on attachment 9339573 [details]
Bug 1836550 - Validate image data received from IPC; r?NeilDeakin!

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: I don't think it is easy.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: should be applied cleanly.
  • How likely is this patch to cause regressions; how much testing does it need?: Not likely, it just validates IPC image data.
  • Is Android affected?: Yes
Attachment #9339573 - Flags: sec-approval?

Comment on attachment 9339573 [details]
Bug 1836550 - Validate image data received from IPC; r?NeilDeakin!

Approved to request uplift and land

Attachment #9339573 - Flags: sec-approval? → sec-approval+

Comment on attachment 9339573 [details]
Bug 1836550 - Validate image data received from IPC; r?NeilDeakin!

Beta/Release Uplift Approval Request

  • User impact if declined: potential integer overflow from malicious content process
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce: None
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Should be low, it just validates IPC image data.
  • String changes made/needed: None
  • Is Android affected?: Yes
Attachment #9339573 - Flags: approval-mozilla-beta?

(In reply to Tom Ritter [:tjr] from comment #0)

In BrowserParent::RecvInvokeDragSession()
aDragRect.height * aStride are attacker controlled, so they ought to be able to overflow, so aVisualDnDData->Size() >= aDragRect.height * aStride can be true even if aStride is very large and aVisualDnDData->Size() is small. If that is the case, we will eventually wind up with a raw pointer and a corresponding stride that is too large which will probably result in a buffer overread or overwrite somewhere.

Hi Christian, do you know if this is IPC fuzzing detectable? Thanks!

Flags: needinfo?(choller)

Validate image data received from IPC; r=NeilDeakin
https://hg.mozilla.org/integration/autoland/rev/f2602b49e28a4ec7acfef8cd19566af364c489f8
https://hg.mozilla.org/mozilla-central/rev/f2602b49e28a

Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox116: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch

Comment on attachment 9339573 [details]
Bug 1836550 - Validate image data received from IPC; r?NeilDeakin!

Approved for 115.0b9.

Attachment #9339573 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

:edgar could you add an esr102 uplfit request on this? It will need a patch based on esr102

Flags: needinfo?(echen)

Comment on attachment 9340479 [details] [diff] [review]
[esr102] Bug 1836550 - Validate image data received from IPC; r=NeilDeakin!

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: This is a sec-high bug
  • User impact if declined: Potential integer overflow from malicious content process
  • Fix Landed on Version: 116
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Should be low, it just validates IPC image data.
Attachment #9340479 - Flags: approval-mozilla-esr102?
Attachment #9339573 - Flags: approval-mozilla-esr102?
Attachment #9339573 - Flags: approval-mozilla-esr102?

Comment on attachment 9340479 [details] [diff] [review]
[esr102] Bug 1836550 - Validate image data received from IPC; r=NeilDeakin!

Approved for 102.13esr.

Attachment #9340479 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+

(In reply to Edgar Chen [:edgar] from comment #11)

(In reply to Tom Ritter [:tjr] from comment #0)

In BrowserParent::RecvInvokeDragSession()

Hi Christian, do you know if this is IPC fuzzing detectable? Thanks!

It could be and I want to give it a try in a targeted way. However, I found out that this method has no test coverage, is that possible?

See also https://coverage.moz.tools/#revision=latest&path=dom%2Fipc%2FBrowserParent.cpp&view=file&line=3825

Flags: needinfo?(choller) → needinfo?(echen)
Whiteboard: [adv-main115+r]
Whiteboard: [adv-main115+r] → [adv-main115+r][adv-esr102.13+r]
QA Whiteboard: [post-critsmash-triage]
Group: core-security-release

(In reply to Christian Holler (:decoder) from comment #20)

I found out that this method has no test coverage, is that possible?

Yes, It is hard to test drag and drop on test framework.

Flags: needinfo?(echen)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: