Closed Bug 1846688 (CVE-2023-4574) Opened 2 years ago Closed 2 years ago

use-after-free in ColorPickerShownCallback

Categories

(Core :: DOM: Content Processes, defect, P2)

Product:
Core
Component:
DOM: Content Processes
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
118 Branch
Tracking Flags:
Tracking Status
firefox-esr102 117+ fixed
firefox-esr115 117+ fixed
firefox116 --- wontfix
firefox117 + fixed
firefox118 + fixed

People

(Reporter: sonakkbi, Assigned: vhilla)

References

(Regression)

Details

(6 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?] [adv-main117+] [adv-esr115.2+] [adv-esr102.15+])

Attachments

(6 files, 1 obsolete file)

ASAN.txt
13.40 KB, text/plain
Details
index.html
215 bytes, text/html
Details
patch.diff
986 bytes, patch
Details | Diff | Splinter Review
Bug 1846688 - Make ColorPickerShownCallback::mCallback into a RefPtr. r=mccr8
48 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-beta+
RyanVM
: approval-mozilla-esr102+
RyanVM
: approval-mozilla-esr115+
tjr
: sec-approval+
Details | Review
Bug 1846688 - Backport ManualDealloc removal from ColorPicker and FilePicker.
48 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-esr102+
Details | Review
advisory.txt
354 bytes, text/plain
Details
Attached file ASAN.txt

|ColorPickerShownCallback| is requested when a Color Picker window open1. It isn’t considered several |ColorPickerShownCallbacks| are requested at a time. And |Done()| will destroy |mColorPickerParent|2. This leads to use-after-free when another |Done()| is called after a |Done()|

REPRODUCE

  1. apply *patch.diff
  2. visit index.html

*: Patch to emulate a compromised content process.

Crash State: see asan file

Flags: sec-bounty?
Attached file index.html
Attached patch patch.diffSplinter Review
Attached patch patch.diff (obsolete) — Splinter Review
Group: firefox-core-security → dom-core-security
Component: Security → DOM: Content Processes
Product: Firefox → Core
See Also: → CVE-2023-4575

Comment on attachment 9346875 [details] [diff] [review]
patch.diff

hiding to avoid confusion... duplicate attachment

Attachment #9346875 - Attachment is obsolete: true
Keywords: testcase
Status: UNCONFIRMED → NEW
Ever confirmed: true
Severity: -- → S2
Priority: -- → P2

As this code is basically identical to the code in bug 1846689, we want to make sure these are fixed in the same release.

Assignee: nobody → vhilla
Attachment #9348238 - Attachment description: Bug 1846688 - Prevent multiple color picker from breaking. r=mccr8 → Bug 1846688 - Make ColorPickerShownCallback::mCallback into a RefPtr. r=mccr8

Comment on attachment 9348238 [details]
Bug 1846688 - Make ColorPickerShownCallback::mCallback into a RefPtr. r=mccr8

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: To exploit this bug, there first has to be a content-RCE security bug compromising the child process.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: Bug 910384
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: The same patch should apply to older versions too.
  • How likely is this patch to cause regressions; how much testing does it need?: Unlikely. The main concern are leaks, though the newly introduced strong reference is always cleared in FilePickerParent::ActorDestroy.
  • Is Android affected?: Unknown
Attachment #9348238 - Flags: sec-approval?

Comment on attachment 9348238 [details]
Bug 1846688 - Make ColorPickerShownCallback::mCallback into a RefPtr. r=mccr8

Approved to land and uplift

Attachment #9348238 - Flags: sec-approval? → sec-approval+
Pushed by rvandermeulen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e69719641442 Make ColorPickerShownCallback::mCallback into a RefPtr. r=mccr8

https://hg.mozilla.org/mozilla-central/rev/e69719641442

Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox118: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 118 Branch

The patch landed in nightly and beta is affected.
:vhilla, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox117 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(vhilla)
Flags: sec-bounty? → sec-bounty+

Comment on attachment 9348238 [details]
Bug 1846688 - Make ColorPickerShownCallback::mCallback into a RefPtr. r=mccr8

Beta/Release Uplift Approval Request

  • User impact if declined: Security risk. If someone can compromise a child process, this UAF could enable a sandbox escape.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: Bug 1846689
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The change is small with the only risk being a leak. Though the newly introduced strong reference is always cleared in ColorPickerParent::ActorDestroy, which should prevent such.
  • String changes made/needed:
  • Is Android affected?: Unknown

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: Security risk. If someone can compromise a child process, this UAF could enable a sandbox escape.
  • Fix Landed on Version: 118
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The change is small with the only risk being a leak. Though the newly introduced strong reference is always cleared in ColorPickerParent::ActorDestroy, which should prevent such.
Flags: needinfo?(vhilla)
Attachment #9348238 - Flags: approval-mozilla-esr115?
Attachment #9348238 - Flags: approval-mozilla-esr102?
Attachment #9348238 - Flags: approval-mozilla-beta?

Comment on attachment 9348238 [details]
Bug 1846688 - Make ColorPickerShownCallback::mCallback into a RefPtr. r=mccr8

Approved for 117.0b9, 115.2esr, and 102.15esr.

Attachment #9348238 - Flags: approval-mozilla-esr115?
Attachment #9348238 - Flags: approval-mozilla-esr115+
Attachment #9348238 - Flags: approval-mozilla-esr102?
Attachment #9348238 - Flags: approval-mozilla-esr102+
Attachment #9348238 - Flags: approval-mozilla-beta?
Attachment #9348238 - Flags: approval-mozilla-beta+
Group: dom-core-security → core-security-release
status-firefox-esr102: affectedfixed

This is a rebased version of bug 1816740 #6:
https://hg.mozilla.org/mozilla-central/rev/dab075577d74

There should be no functional changes from this change, but it resolves
the build failures caused by the patches in bug 1846688 and bug 1846689.

Attachment #9349601 - Flags: approval-mozilla-esr102+

Uplift Approval Request

  • Is Android affected?: no
  • Fix verified in Nightly: no
  • Code covered by automated testing: yes
  • Risk associated with taking this patch: low
  • String changes made/needed: --
  • Needs manual QE test: yes
  • Explanation of risk level: no functional changes; straightforward backport of (verified-in-Nightly) no-functional-changes patch on mainline
  • Steps to reproduce for manual QE testing: confirm no crash when using data:text/html,<input type=file multiple>
  • User impact if declined: can't easily uplift other dependent patches
Flags: qe-verify+
Flags: qe-verify+
QA Whiteboard: [post-critsmash-triage]
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?] [adv-main117+] [adv-esr115.2+] [adv-esr102.15+]
Group: core-security-release
Alias: CVE-2023-4574
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: