AddressSanitizer: heap-use-after-free on PR_GetIdentitiesLayer after SSL_SetURL PORT_Strdup(url) allocation failure
Categories: Core :: Security: PSM, defect, P1
People: Reporter: sourc7, Assigned: keeler
Keywords: csectype-uaf, reporter-external, sec-moderate
Whiteboard: [reporter-external] [client-bounty-form] [verif?][psm-assigned][adv-main121+][adv-esr115.6+]
Attachments (5 files):
- 16.96 KB, text/plain
- 462 bytes, patch
- 48 bytes, text/x-phabricator-request
- 48 bytes, text/x-phabricator-request (RyanVM: approval-mozilla-beta+, approval-mozilla-esr115+)
- 142 bytes, text/plain
When launching Firefox with --disable-e10s and fillMemory code, then contacting a URL, at rare times Firefox is able to crash with AddressSanitizer: heap-use-after-free on PR_GetIdentitiesLayer.
It happens on an allocation failure in SSL_SetURL, at the malloc in ss->url = (const char *)PORT_Strdup(url);
Comment 1•1 year ago (Reporter)
Comment 2•1 year ago
The severity field is not set for this bug.
:beurdouche, could you have a look please?
For more information, please visit BugBot documentation.
Comment 3•1 year ago
John, can you please check priority and severity on this when you have a min?
Comment 4•1 year ago
Priority and severity look right to me.
I think the bug here is in PSM. The MOZ_ASSERT_UNREACHABLE on nsNSSIOLayer.cpp#1602 is reachable in the case of allocation failure. I don't know this code well, but it seems like we might need to destroy plaintextLayer and set it to null in the if (!sslSock) block.
What do you think, Dana?
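The error-handling shape Comment 4 describes, as an added example that is not Firefox, PSM or NSS code: a toy model of a layered socket in which the wrap step that records the URL fails under allocation pressure. The toy assumes (this page does not say so) that a failed wrap tears down the whole stack it was pushed onto, the way PR_Close does on a layered descriptor, so the caller's remaining duty on the failure path is to stop holding a pointer into that stack. All type and function names are invented, and fail_url_copy stands in for the PORT_Strdup failure the report triggers with fillMemory.

```c
/* Added example, not Firefox/PSM/NSS code: a toy NSPR-style layered socket.
 * A plaintext layer is created, a TLS layer is pushed on top of it (the
 * SSL_ImportFD step) and the URL is copied into it (the SSL_SetURL /
 * PORT_Strdup step). Closing the top of a layered stack closes every layer
 * under it, so if the URL copy fails the caller's plaintext layer is gone too. */
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

typedef struct Layer {
    struct Layer *lower;   /* next layer down, NULL at the bottom */
    const char *identity;  /* stands in for an NSPR layer identity */
    char *url;             /* only set on the TLS layer */
} Layer;

static int live_layers = 0;          /* allocation accounting for the checks */
static bool fail_url_copy = false;   /* fault injection: the URL strdup fails */

static Layer *layer_new(const char *identity) {
    Layer *l = calloc(1, sizeof *l);
    if (!l) return NULL;
    l->identity = identity; live_layers++;
    return l;
}

/* Like PR_Close on a layered fd: releases this layer and everything below it. */
static void stack_close(Layer *top) {
    while (top) {
        Layer *lower = top->lower;
        free(top->url); free(top); live_layers--;
        top = lower;
    }
}

/* Identity lookup down the stack; an empty stack is a clean miss, not a crash. */
static Layer *find_layer(Layer *top, const char *identity) {
    for (Layer *l = top; l; l = l->lower)
        if (strcmp(l->identity, identity) == 0) return l;
    return NULL;
}

/* Pushes a TLS layer onto `plaintext` and records the URL. On failure the whole
 * stack, plaintext included, is closed and NULL is returned. */
static Layer *tls_wrap(Layer *plaintext, const char *url) {
    Layer *tls = layer_new("tls");
    if (!tls) { stack_close(plaintext); return NULL; }
    tls->lower = plaintext;
    tls->url = fail_url_copy ? NULL : strdup(url);
    if (!tls->url) { stack_close(tls); return NULL; }  /* frees tls and plaintext */
    return tls;
}

typedef struct { Layer *plaintext; Layer *ssl; } SocketSetup;

/* Buggy shape: the error path returns with `plaintext` pointing at freed memory. */
static int setup_buggy(SocketSetup *s, const char *url) {
    s->ssl = NULL;
    s->plaintext = layer_new("plaintext");
    if (!s->plaintext) return -1;
    s->ssl = tls_wrap(s->plaintext, url);
    return s->ssl ? 0 : -1;   /* on -1, s->plaintext is dangling */
}

/* Fixed shape: a failed wrap means the stack is gone, so drop the handle too. */
static int setup_fixed(SocketSetup *s, const char *url) {
    s->ssl = NULL;
    s->plaintext = layer_new("plaintext");
    if (!s->plaintext) return -1;
    s->ssl = tls_wrap(s->plaintext, url);
    if (!s->ssl) { s->plaintext = NULL; return -1; }  /* already closed by tls_wrap */
    return 0;
}

/* True when the buggy path leaves a stale non-NULL handle (compared, never dereferenced). */
static bool buggy_leaves_dangling_handle(void) {
    SocketSetup s;
    fail_url_copy = true; int rc = setup_buggy(&s, "https://example.invalid/");
    fail_url_copy = false;
    return rc == -1 && live_layers == 0 && s.plaintext != NULL;
}

/* True when the fixed path fails cleanly and a later lookup on the NULL handle just misses. */
static bool fixed_fails_cleanly(void) {
    SocketSetup s;
    fail_url_copy = true; int rc = setup_fixed(&s, "https://example.invalid/");
    fail_url_copy = false;
    return rc == -1 && live_layers == 0 && s.plaintext == NULL && s.ssl == NULL &&
           find_layer(s.plaintext, "plaintext") == NULL;
}

/* True when the no-failure path builds a two-layer stack and frees all of it. */
static bool success_path_balances(void) {
    SocketSetup s;
    bool ok = setup_fixed(&s, "https://example.invalid/") == 0 && live_layers == 2 &&
              find_layer(s.ssl, "plaintext") == s.plaintext;
    stack_close(s.ssl);
    return ok && live_layers == 0;
}
```

The point the toy makes is that ownership on the failure path has to be unambiguous: once the wrapper has adopted and closed the lower layer, the only safe state for the caller's handle is NULL, and a later identity lookup on a NULL handle is a miss rather than a read of freed memory. Under AddressSanitizer the buggy shape is exactly the kind of stale pointer that turns into a heap-use-after-free the first time something walks the stack.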
Comment 5•1 year ago (Assignee)
Yes, this seems like an issue in PSM, now that I've actually looked at it.
Comment 6•1 year ago (Assignee)
Comment 8•1 year ago
Comment 9•1 year ago
The patch landed in nightly and beta is affected.
:keeler, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set status-firefox121 to wontfix.
For more information, please visit BugBot documentation.
Comment 10•1 year ago (Assignee)
Let's not uplift just yet - bug 1866006 will have to be addressed first.
Comment 11•1 year ago
Looks like the fix for bug 1866006 is holding up. Is this ready for Beta and ESR approval requests? Both bugs graft cleanly.
Comment 12•1 year ago (Assignee)
Original Revision: https://phabricator.services.mozilla.com/D193722
Comment 13•1 year ago
Uplift Approval Request
- Fix verified in Nightly: no
- User impact if declined: UAF under memory pressure (maybe exploitable?)
- Needs manual QE test: no
- String changes made/needed: none
- Risk associated with taking this patch: low-medium
- Code covered by automated testing: yes
- Is Android affected?: yes
- Steps to reproduce for manual QE testing: n/a
- Explanation of risk level: We did catch one issue with the original patch, but otherwise this is a relatively small change.
Comment 14•1 year ago (Assignee)
Comment on attachment 9366572 [details]
Bug 1840144 - clean up some TLS socket creation error handling r?jschanck
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Potential UAF
- User impact if declined: This is potentially exploitable. Otherwise, it would just be memory corruption under memory pressure.
- Fix Landed on Version: 122
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): We already discovered one issue (bug 1866006), but other than that, it's a fairly small change.
Comment 15•1 year ago
Comment on attachment 9366572 [details]
Bug 1840144 - clean up some TLS socket creation error handling r?jschanck
Approved for 121.0b7.
Comment 16•1 year ago
uplift
Comment 17•1 year ago
Comment on attachment 9366572 [details]
Bug 1840144 - clean up some TLS socket creation error handling r?jschanck
Approved for 115.6esr.
Comment 18•1 year ago
uplift
Comment 19•1 year ago
Comment 20•7 months ago
Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter