Closed Bug 1849037 (CVE-2023-6866) Opened 2 years ago Closed 2 years ago

Many uses of TypedArray::Create don't handle failures correctly

Categories

(Core :: DOM: Bindings (WebIDL), defect)

defect

Tracking


RESOLVED FIXED
121 Branch
Tracking Status
firefox-esr115 - wontfix
firefox119 --- wontfix
firefox120 --- wontfix
firefox121 + fixed

People

(Reporter: evilpies, Assigned: peterv)

References

Details

(Keywords: reporter-external, sec-audit, sec-moderate, Whiteboard: [adv-main121+])

Attachments

(4 files)

Looking at the uses of TypedArray::Create it seems to me like many either don't really consider this API fallible at all or don't clear the pending exception properly.

Considering how many problematic uses there are, even in some abstractions like CryptoBuffer::ToArrayBuffer, we should consider changing this API. I imagine we could change it to have an ErrorResult parameter by stealing the exception internally?

Without a specific PoC it's hard to call this sec-high, but boy does this smell like trouble brewing. In the cryptobuffer case the webauthn buffers are small enough that if you're that close to OOM there's likely lots of other failing things. But I bet there are other features with more user-defined data that could be easier to trigger.
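To make the failure mode concrete, here is an added stand-alone model of the two API shapes discussed above. It is not Gecko code and not part of this bug: `JSContext`, the `Create` functions, `ErrorResult` and the allocation limit are simplified stand-ins (assumptions for this illustration). The old shape returns null and leaves an exception pending on the context, which a caller has to remember to handle; the new shape moves that exception into an `ErrorResult`, so checking `rv.Failed()` is enough.

```cpp
// Added model of the failure-handling problem described in this bug. It is
// NOT Gecko code: JSContext, the Create functions, ErrorResult and the
// allocation limit are simplified stand-ins chosen for this illustration.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <optional>
#include <string>
#include <vector>

// Stand-in for the engine context. A failed allocation leaves an exception
// pending here; whoever called must either report it or clear it.
struct JSContext {
  std::optional<std::string> pendingException;
};

// Stand-in for dom::ErrorResult, the caller-facing error channel.
class ErrorResult {
 public:
  // Move the pending exception off the context so it cannot be left stale,
  // and record the failure for the caller.
  void StealExceptionFrom(JSContext& cx) {
    mMessage = std::move(cx.pendingException);
    cx.pendingException.reset();
  }
  bool Failed() const { return mMessage.has_value(); }
  const std::string& Message() const { return *mMessage; }

 private:
  std::optional<std::string> mMessage;
};

// Stand-in for a Uint8 typed array (a real one is a GC-managed JSObject).
struct Uint8Array {
  std::vector<uint8_t> data;
};

// Constructed limit standing in for "the allocator ran out of memory".
constexpr size_t kAllocLimit = size_t{1} << 20;

// Old-style API: on failure returns nullptr and leaves an exception pending
// on cx. Every caller has to check for null AND handle the pending exception.
std::unique_ptr<Uint8Array> CreateOld(JSContext& cx, size_t length) {
  if (length > kAllocLimit) {
    cx.pendingException = "out of memory";
    return nullptr;
  }
  auto arr = std::make_unique<Uint8Array>();
  arr->data.assign(length, 0);
  return arr;
}

// New-style API in the shape the fix moves toward: failure is reported via an
// ErrorResult that steals the pending exception, so a caller that checks
// rv.Failed() gets the context state right as well.
std::unique_ptr<Uint8Array> CreateNew(JSContext& cx, size_t length,
                                      ErrorResult& rv) {
  auto arr = CreateOld(cx, length);
  if (!arr) {
    rv.StealExceptionFrom(cx);
  }
  return arr;
}

// Span-style overload: build the array from existing bytes (stand-in for
// passing a Span straight to Create, as the first patch on this bug does).
std::unique_ptr<Uint8Array> CreateNew(JSContext& cx,
                                      const std::vector<uint8_t>& bytes,
                                      ErrorResult& rv) {
  auto arr = CreateNew(cx, bytes.size(), rv);
  if (arr) {
    arr->data = bytes;
  }
  return arr;
}

// The hazard: an old-API caller that checks for null but forgets the pending
// exception. Returns true when cx is left with a stale exception.
bool OldCallerLeavesStaleException(size_t length) {
  JSContext cx;
  auto arr = CreateOld(cx, length);
  return !arr && cx.pendingException.has_value();  // stale: nobody cleared it
}

// Same operation through the new API. Returns true when the failure was
// reported through rv and the context is clean; the message is copied out.
bool NewCallerReportsCleanly(size_t length, std::string* messageOut) {
  JSContext cx;
  ErrorResult rv;
  auto arr = CreateNew(cx, length, rv);
  if (arr) return false;
  if (messageOut) *messageOut = rv.Message();
  return rv.Failed() && !cx.pendingException.has_value();
}

// Success path through the Span-style overload; returns the copied length.
size_t CopyThroughNewApi(const std::vector<uint8_t>& bytes) {
  JSContext cx;
  ErrorResult rv;
  auto arr = CreateNew(cx, bytes, rv);
  return (arr && !rv.Failed()) ? arr->data.size() : 0;
}
```

The point of the model is the asymmetry: with `CreateOld` a correct caller needs two separate actions (null check, exception handling) and forgetting the second leaves the context in a bad state; with `CreateNew` there is only one thing to check, which is what makes auditing every call site tractable.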

Group: core-security → dom-core-security
See Also: → 1849056

Peter, is this something that your TypedArray patches will fix?

Flags: needinfo?(peterv)

No, but it was next on my list of things I want to look at for TypedArray.

Assignee: nobody → peterv
Status: NEW → ASSIGNED
Flags: needinfo?(peterv)

Peter, feel free to change if you think severity should be higher.

Severity: -- → S3
Attachment #9359328 - Attachment description: WIP: Bug 1849037 - Pass objects that support conversion to a Span directly to TypedArray::Create as a Span. r?farre! → Bug 1849037 - Pass objects that support conversion to a Span directly to TypedArray::Create as a Span. r?farre!
Attachment #9359329 - Attachment description: WIP: Bug 1849037 - Make TypedArray::Create either take a length or a Span. r?farre! → Bug 1849037 - Make TypedArray::Create either take a length or a Span. r?farre!
Attachment #9359330 - Attachment description: WIP: Bug 1849037 - Add ErrorResult to TypedArray::Create. r?farre! → Bug 1849037 - Add ErrorResult to TypedArray::Create. r?farre!
Pushed by pvanderbeken@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c336a8c78928 Pass objects that support conversion to a Span directly to TypedArray::Create as a Span. r=necko-reviewers,extension-reviewers,media-playback-reviewers,profiler-reviewers,farre,padenot,jesup
https://hg.mozilla.org/integration/autoland/rev/89aa49de2473 Make TypedArray::Create either take a length or a Span. r=farre
https://hg.mozilla.org/integration/autoland/rev/27fd9f6f57ea Add ErrorResult to TypedArray::Create. r=necko-reviewers,extension-reviewers,media-playback-reviewers,webidl,profiler-reviewers,farre,padenot,smaug,robwu,jesup
Backout by sstanca@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/995799598f27 Backed out 3 changesets for causing mochitests failures in test_gamepad_extensions.html.

Push with mochitest failures
Failure log

TEST-UNEXPECTED-FAIL | dom/tests/mochitest/gamepad/test_gamepad_extensions.html | correct touch surfaceDimensions - got false, expected true
TEST-UNEXPECTED-FAIL | dom/tests/mochitest/gamepad/test_gamepad_multitouch_crossorigin.html | correct touch surfaceDimensions - got false, expected true

Push with hazard failure
Failure log

TEST-UNEXPECTED-FAIL | hazards | unrooted 'array' of type 'JS::TypedArray<JS::Scalar::Uint8>' live across GC call at dist/include/mozilla/dom/TypedArray.h:742

Flags: needinfo?(peterv)
Pushed by pvanderbeken@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/695789b9b326 Pass objects that support conversion to a Span directly to TypedArray::Create as a Span. r=necko-reviewers,extension-reviewers,media-playback-reviewers,profiler-reviewers,farre,padenot,jesup
https://hg.mozilla.org/integration/autoland/rev/4efe82747dc2 Make TypedArray::Create either take a length or a Span. r=farre
https://hg.mozilla.org/integration/autoland/rev/29fb30143955 Add ErrorResult to TypedArray::Create. r=necko-reviewers,extension-reviewers,media-playback-reviewers,webidl,profiler-reviewers,farre,padenot,smaug,robwu,jesup,aabh
Group: dom-core-security → core-security-release
Flags: needinfo?(peterv)
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [adv-main121+]
Alias: CVE-2023-6866

Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter

Group: core-security-release

Sorry for the burst of bugspam: filter on tinkling-glitter-filtrate
Adding reporter-external keyword to security bugs found by non-employees for accounting reasons

Regressions: 1900927
Regressions: 1900930