Closed Bug 1837993 (CVE-2023-37209) Opened 1 years ago Closed 1 years ago

AddressSanitizer: heap-use-after-free [@ mozilla::dom::CanonicalBrowsingContext::NotifyOnHistoryReload] with READ of size 8

Categories

(Core :: DOM: Navigation, defect)

Product:
Core
Component:
DOM: Navigation
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
116 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox114 --- wontfix
firefox115 + fixed
firefox116 + fixed

People

(Reporter: decoder, Assigned: smaug)

References

(Regression)

Details

(6 keywords, Whiteboard: [adv-main115+])

Attachments

(3 files)

Detailed Crash Information
15.16 KB, text/plain
Details
Bug 1837993, ensure correct loadId is used when removing entry, r=peterv
48 bytes, text/x-phabricator-request
dmeehan
: approval-mozilla-beta+
Details | Review
advisory.txt
327 bytes, text/plain
Details

The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 115.0a1-20230509215006-https://hg.mozilla.org/mozilla-central/rev/44770d5c9e91a75746e5d62aa1a933859292b77e.

For detailed crash information, see attachment.

This is an older report from mid-May that I missed earlier. Could be that we fixed this, but I'd like to double-check.

Component: General → DOM: Content Processes
Group: core-security → dom-core-security
Component: DOM: Content Processes → DOM: Navigation
Keywords: regressioncsectype-uaf, sec-high

Here's the older version of CanonicalBrowsingContext.cpp.

Both the use and the free are in NotifyOnHistoryReload. Based on the line numbers, it looks like this is what is happening:

// 1. We get a reference into mLoadingEntries.
const LoadingSessionHistoryEntry& loadingEntry =
    mLoadingEntries.LastElement();
// 2. This causes us to CreateLoadInfo, appending to mLoadingEntries and causing it to do a reallocation.
aLoadState.emplace(
    WrapMovingNotNull(RefPtr{CreateLoadInfo(loadingEntry.mEntry)})); 
aReloadActiveEntry.emplace(false);
if (aForceReload) {
  // 3. Now we use the dead reference loadingEntry.
  SessionHistoryEntry::LoadingEntry* entry =
      SessionHistoryEntry::GetByLoadId(loadingEntry.mLoadId);

I'm not sure how exploitable this is, given that there's only a few lines of code in between the free and the use. You'd have to be running code on a worker and somehow allocating a new object that was just released on another thread?

I didn't see any crashes on poison values in the last 6 months with RecvNotifyOnHistoryReload in the proto signature, for what it is worth.

Keywords: sec-highsec-moderate
Assignee: nobody → smaug
Status: NEW → ASSIGNED
Flags: sec-bounty?

ensure correct loadId is used when removing entry, r=peterv
https://hg.mozilla.org/integration/autoland/rev/0274a8c06c67e5ee1dccdb4e151ccf0ec70af43f
https://hg.mozilla.org/mozilla-central/rev/0274a8c06c67

Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 years ago
status-firefox116: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch

The patch landed in nightly and beta is affected.
:smaug, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox115 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(smaug)

Comment on attachment 9339757 [details]
Bug 1837993, ensure correct loadId is used when removing entry, r=peterv

Beta/Release Uplift Approval Request

  • User impact if declined: unsafe crash
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This shouldn't be risky at all, just storing a value on stack before passing it to a method. That way it should be guaranteed that the value is correct.

(Release versions of Fenix are not affect, because it doesn't use Fission/session-history-in-parent)

  • String changes made/needed: NA
  • Is Android affected?: No
Flags: needinfo?(smaug)
Attachment #9339757 - Flags: approval-mozilla-beta?

Comment on attachment 9339757 [details]
Bug 1837993, ensure correct loadId is used when removing entry, r=peterv

Approved for 115.0b9.

Attachment #9339757 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

:smaug could you add an esr uplift request on this and a patch based on esr?

Flags: needinfo?(smaug)
Whiteboard: [adv-main115+r]
Flags: sec-bounty? → sec-bounty+
Keywords: csectype-race
Whiteboard: [adv-main115+r] → [adv-main115+]
Alias: CVE-2023-37209
Keywords: regression
Regressed by: 1804803
QA Whiteboard: [post-critsmash-triage]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: