use-after-free in ColorPickerShownCallback
Categories
(Core :: DOM: Content Processes, defect, P2)
Tracking
()
People
(Reporter: sonakkbi, Assigned: vhilla)
References
(Regression)
Details
(6 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?] [adv-main117+] [adv-esr115.2+] [adv-esr102.15+])
Attachments
(6 files, 1 obsolete file)
13.40 KB,
text/plain
|
Details | |
215 bytes,
text/html
|
Details | |
986 bytes,
patch
|
Details | Diff | Splinter Review | |
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr102+
RyanVM
:
approval-mozilla-esr115+
tjr
:
sec-approval+
|
Details | Review |
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-esr102+
|
Details | Review |
354 bytes,
text/plain
|
Details |
|ColorPickerShownCallback| is requested when a Color Picker window open1. It isn’t considered several |ColorPickerShownCallbacks| are requested at a time. And |Done()| will destroy |mColorPickerParent|2. This leads to use-after-free when another |Done()| is called after a |Done()|
REPRODUCE
- apply *patch.diff
- visit index.html
*: Patch to emulate a compromised content process.
Crash State: see asan file
Updated•2 years ago
|
Comment 4•2 years ago
|
||
Comment on attachment 9346875 [details] [diff] [review]
patch.diff
hiding to avoid confusion... duplicate attachment
Updated•2 years ago
|
Updated•1 years ago
|
Updated•1 years ago
|
Comment 5•1 years ago
|
||
As this code is basically identical to the code in bug 1846689, we want to make sure these are fixed in the same release.
Updated•1 years ago
|
Assignee | ||
Updated•1 years ago
|
Assignee | ||
Comment 6•1 years ago
|
||
Depends on D185820
Updated•1 years ago
|
Assignee | ||
Comment 7•1 years ago
|
||
Comment on attachment 9348238 [details]
Bug 1846688 - Make ColorPickerShownCallback::mCallback into a RefPtr. r=mccr8
Security Approval Request
- How easily could an exploit be constructed based on the patch?: To exploit this bug, there first has to be a content-RCE security bug compromising the child process.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: Bug 910384
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: The same patch should apply to older versions too.
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely. The main concern are leaks, though the newly introduced strong reference is always cleared in FilePickerParent::ActorDestroy.
- Is Android affected?: Unknown
Comment 8•1 years ago
|
||
Comment on attachment 9348238 [details]
Bug 1846688 - Make ColorPickerShownCallback::mCallback into a RefPtr. r=mccr8
Approved to land and uplift
Updated•1 years ago
|
Comment 10•1 years ago
|
||
Comment 11•1 years ago
|
||
The patch landed in nightly and beta is affected.
:vhilla, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox117
towontfix
.
For more information, please visit BugBot documentation.
Updated•1 years ago
|
Assignee | ||
Comment 12•1 years ago
|
||
Comment on attachment 9348238 [details]
Bug 1846688 - Make ColorPickerShownCallback::mCallback into a RefPtr. r=mccr8
Beta/Release Uplift Approval Request
- User impact if declined: Security risk. If someone can compromise a child process, this UAF could enable a sandbox escape.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: Bug 1846689
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The change is small with the only risk being a leak. Though the newly introduced strong reference is always cleared in ColorPickerParent::ActorDestroy, which should prevent such.
- String changes made/needed:
- Is Android affected?: Unknown
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined: Security risk. If someone can compromise a child process, this UAF could enable a sandbox escape.
- Fix Landed on Version: 118
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The change is small with the only risk being a leak. Though the newly introduced strong reference is always cleared in ColorPickerParent::ActorDestroy, which should prevent such.
Comment 13•1 years ago
|
||
Comment on attachment 9348238 [details]
Bug 1846688 - Make ColorPickerShownCallback::mCallback into a RefPtr. r=mccr8
Approved for 117.0b9, 115.2esr, and 102.15esr.
Comment 14•1 years ago
|
||
uplift |
Updated•1 years ago
|
Comment 15•1 years ago
|
||
uplift |
Updated•1 years ago
|
Comment 16•1 years ago
|
||
uplift |
Updated•1 years ago
|
Comment 17•1 years ago
|
||
This is a rebased version of bug 1816740 #6:
https://hg.mozilla.org/mozilla-central/rev/dab075577d74
There should be no functional changes from this change, but it resolves
the build failures caused by the patches in bug 1846688 and bug 1846689.
Updated•1 years ago
|
Comment 18•1 years ago
|
||
Uplift Approval Request
- Is Android affected?: no
- Fix verified in Nightly: no
- Code covered by automated testing: yes
- Risk associated with taking this patch: low
- String changes made/needed: --
- Needs manual QE test: yes
- Explanation of risk level: no functional changes; straightforward backport of (verified-in-Nightly) no-functional-changes patch on mainline
- Steps to reproduce for manual QE testing: confirm no crash when using
data:text/html,<input type=file multiple>
- User impact if declined: can't easily uplift other dependent patches
Updated•1 years ago
|
Comment 19•1 years ago
|
||
uplift |
Updated•1 years ago
|
Comment 20•1 years ago
|
||
Updated•1 years ago
|
Updated•1 year ago
|
Updated•1 year ago
|
Updated•8 months ago
|
Description
•