AddressSanitizer: heap-use-after-free on PR_GetIdentitiesLayer after SSL_SetURL PORT_Strdup(url) allocation failure
Categories
(Core :: Security: PSM, defect, P1)
Tracking
()
People
(Reporter: sourc7, Assigned: keeler)
References
Details
(Keywords: csectype-uaf, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?][psm-assigned][adv-main121+][adv-esr115.6+])
Attachments
(5 files)
|
16.96 KB,
text/plain
|
Details | |
|
462 bytes,
patch
|
Details | Diff | Splinter Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr115+
|
Details | Review |
|
142 bytes,
text/plain
|
Details |
When launching Firefox with --disable-e10s and fillMemory code, then when contacting with URL, at rare time Firefox able to crash with AddressSanitizer: heap-use-after-free on PR_GetIdentitiesLayer.
It happen when allocation failure on SSL_SetURL malloc at ss->url = (const char *)PORT_Strdup(url);
|
Reporter | |
Comment 1•1 year ago
|
||
|
Assignee | |
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
||
Comment 2•1 year ago
|
||
The severity field is not set for this bug.
:beurdouche, could you have a look please?
For more information, please visit BugBot documentation.
|
||
Updated•8 months ago
|
|
|
||
Updated•8 months ago
|
|
|
||
Comment 3•8 months ago
|
||
John, can you please check priority and severity on this when you have a min ?
|
||
Comment 4•8 months ago
|
||
Priority and severity look right to me.
I think the bug here is in PSM. The MOZ_ASSERT_UNREACHABLE on nsNSSIOLayer.cpp#1602 is reachable in the case of allocation failure. I don't know this code well, but it seems like we might need to destroy plaintextLayer and set it to null in the if (!sslSock) block.
What do you think, Dana?
|
|
Assignee | |
Comment 5•8 months ago
|
||
Yes, this seems like an issue in PSM, now that I've actually looked at it.
|
|
Assignee | |
Comment 6•7 months ago
|
||
Pushed by dkeeler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a5a183d53f8e clean up some TLS socket creation error handling r=jschanck
|
|
||
Comment 8•7 months ago
|
||
|
||
Updated•7 months ago
|
|
|
||
Updated•7 months ago
|
|
|
||
Comment 9•7 months ago
|
||
The patch landed in nightly and beta is affected.
:keeler, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox121towontfix.
For more information, please visit BugBot documentation.
|
|
Assignee | |
Comment 10•7 months ago
|
||
Let's not uplift just yet - bug 1866006 will have to be addressed first.
|
|
||
Updated•7 months ago
|
|
||
Comment 11•7 months ago
|
||
Looks like the fix for bug 1866006 is holding up. Is this ready for Beta and ESR approval requests? Both bugs graft cleanly.
|
|
Assignee | |
Comment 12•7 months ago
|
||
Original Revision: https://phabricator.services.mozilla.com/D193722
|
||
Updated•7 months ago
|
|
|
||
Comment 13•7 months ago
|
||
Uplift Approval Request
- Fix verified in Nightly: no
- User impact if declined: UAF under memory pressure (maybe exploitable?)
- Needs manual QE test: no
- String changes made/needed: none
- Risk associated with taking this patch: low-medium
- Code covered by automated testing: yes
- Is Android affected?: yes
- Steps to reproduce for manual QE testing: n/a
- Explanation of risk level: We did catch one issue with the original patch, but otherwise this is a relatively small change.
|
|
Assignee | |
Comment 14•7 months ago
|
||
Comment on attachment 9366572 [details]
Bug 1840144 - clean up some TLS socket creation error handling r?jschanck
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Potential UAF
- User impact if declined: This is potentially exploitable. Otherwise, it would just be memory corruption under memory pressure.
- Fix Landed on Version: 122
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): We already discovered one issue (bug 1866006), but other than that, it's a fairly small change.
|
|
||
Comment 15•7 months ago
|
||
Comment on attachment 9366572 [details]
Bug 1840144 - clean up some TLS socket creation error handling r?jschanck
Approved for 121.0b7.
|
||
Updated•7 months ago
|
|
||
Comment 16•7 months ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-beta/rev/ff6cf7531182
|
|
||
Comment 17•7 months ago
|
||
Comment on attachment 9366572 [details]
Bug 1840144 - clean up some TLS socket creation error handling r?jschanck
Approved for 115.6esr.
|
|
||
Comment 18•7 months ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-esr115/rev/dc32e9be8aea
|
|
||
Updated•7 months ago
|
|
||
Updated•7 months ago
|
|
||
Updated•7 months ago
|
|
|
||
Updated•7 months ago
|
|
|
||
Comment 19•7 months ago
|
||
|
||
Updated•6 months ago
|
|
|
||
Comment 20•2 months ago
|
||
Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter
|
||
Updated•27 days ago
|
Description
•