Closed Bug 1864118 (CVE-2023-6861) Opened 11 months ago Closed 10 months ago

heap-buffer-overflow widget/windows/nsWindow.cpp:8197 in nsWindow::PickerOpen(void) in headless mode

Categories

(Core :: Widget: Win32, defect)

defect

Tracking

VERIFIED FIXED
122 Branch
Tracking Status
firefox-esr115 121+ verified
firefox119 --- wontfix
firefox120 --- wontfix
firefox121 + verified
firefox122 + verified

People

(Reporter: m.cooolie, Assigned: rkraesig)

Details

(Keywords: csectype-bounds, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main121+][adv-esr115.6+])

Attachments

(4 files, 1 obsolete file)

Attached file poc.html

#Reproduce
OS:win X64
121.0a1 (2023-11-06) (64-bit)

  1. python -m http.server 1337
  2. python -m ffpuppet firefox --headless -p prefs.js -d -u http://localhost:1337/poc.html

#Analysis
Not yet

#ASAN

==36900==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x12959aa2c548 at pc 0x7ffdb43a10c9 bp 0x00b1a35fc010 sp 0x00b1a35fc058
READ of size 4 at 0x12959aa2c548 thread T0
    #0 0x7ffdb43a10c8 in nsWindow::PickerOpen(void) /builds/worker/checkouts/gecko/widget/windows/nsWindow.cpp:8197
    #1 0x7ffdb41fe18d in AutoWidgetPickerState::PickerState /builds/worker/checkouts/gecko/widget/windows/nsFilePicker.cpp:68
    #2 0x7ffdb41fe18d in AutoWidgetPickerState::AutoWidgetPickerState /builds/worker/checkouts/gecko/widget/windows/nsFilePicker.cpp:59
    #3 0x7ffdb41fe18d in nsFilePicker::ShowFilePicker(class nsTString<char16_t> const &) /builds/worker/checkouts/gecko/widget/windows/nsFilePicker.cpp:490
    #4 0x7ffdb420128c in nsFilePicker::ShowW(enum nsIFilePicker::ResultCode *) /builds/worker/checkouts/gecko/widget/windows/nsFilePicker.cpp:566
    #5 0x7ffdb40d368b in nsBaseFilePicker::AsyncShowFilePicker::Run(void) /builds/worker/checkouts/gecko/widget/nsBaseFilePicker.cpp:86
    #6 0x7ffdaa3057ce in mozilla::RunnableTask::Run(void) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:549
    #7 0x7ffdaa2e7675 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:876
    #8 0x7ffdaa2e2dc5 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:699
    #9 0x7ffdaa2e3a14 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:485
    #10 0x7ffdaa309111 in mozilla::TaskController::TaskController::<lambda_5>::operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:211
    #11 0x7ffdaa309111 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:211:7'>::Run /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548
    #12 0x7ffdaa339bc5 in nsThread::ProcessNextEvent(bool, bool *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198
    #13 0x7ffdaa34aa8a in NS_ProcessNextEvent(class nsIThread *, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480
    #14 0x7ffdaba43477 in mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate *) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85
    #15 0x7ffdab960483 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370
    #16 0x7ffdab960483 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363
    #17 0x7ffdab96024a in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345
    #18 0x7ffdb40b3a1c in nsBaseAppShell::Run(void) /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148
    #19 0x7ffdb42f6487 in nsAppShell::Run(void) /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:824
    #20 0x7ffdb894682b in nsAppStartup::Run(void) /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:296
    #21 0x7ffdb8c90586 in XREMain::XRE_mainRun(void) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5680
    #22 0x7ffdb8c95b17 in XREMain::XRE_main(int, char **const, struct mozilla::BootstrapConfig const &) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5889
    #23 0x7ffdb8c96c3f in XRE_main(int, char **const, struct mozilla::BootstrapConfig const &) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5945
    #24 0x7ff74be320d8 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:227
    #25 0x7ff74be320d8 in NS_internal_main(int, char **, char **) /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:445
    #26 0x7ff74be314d8 in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:151
    #27 0x7ff74bf14207 in invoke_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:90
    #28 0x7ff74bf14207 in __scrt_common_main_seh D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #29 0x7ffe18107343  (C:\WINDOWS\System32\KERNEL32.DLL+0x180017343)
    #30 0x7ffe192e26b0  (C:\WINDOWS\SYSTEM32\ntdll.dll+0x1800526b0)

0x12959aa2c548 is located 56 bytes before 608-byte region [0x12959aa2c580,0x12959aa2c7e0)
allocated by thread T0 here:
    #0 0x7ffdc70150e4 in calloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:114
    #1 0x7ffdaa17a054 in PLDHashTable::MakeEntryHandle(void const *, struct std::nothrow_t const &) /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:630
    #2 0x7ffdaa17b080 in PLDHashTable::MakeEntryHandle(void const *) /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:674
    #3 0x7ffdad9047bc in PLDHashTable::WithEntryHandle<class `protected: class mozilla::IdentifierMapEntry * __cdecl nsTHashtable<class mozilla::IdentifierMapEntry>::WithEntryHandle<class `public: class mozilla::IdentifierMapEntry * __cdecl nsTHashtable<class mozilla::IdentifierMapEntry>::PutEntry(struct mozilla::IdentifierMapEntry::DependentAtomOrString const &)'::`1'::<lambda_1>>(struct mozilla::IdentifierMapEntry::DependentAtomOrString const &, class `public: class mozilla::IdentifierMapEntry * __cdecl nsTHashtable<class mozilla::IdentifierMapEntry>::PutEntry(struct mozilla::IdentifierMapEntry::DependentAtomOrString const &)'::`1'::<lambda_1> &&)'::`1'::<lambda_1>>(void const *, class `protected: class mozilla::IdentifierMapEntry * __cdecl nsTHashtable<class mozilla::IdentifierMapEntry>::WithEntryHandle<class `public: class mozilla::IdentifierMapEntry * __cdecl nsTHashtable<class mozilla::IdentifierMapEntry>::PutEntry(struct mozilla::IdentifierMapEntry::DependentAtomOrString const &)'::`1'::<lambda_1>>(struct mozilla::IdentifierMapEntry::DependentAtomOrString const &, class `public: class mozilla::IdentifierMapEntry * __cdecl nsTHashtable<class mozilla::IdentifierMapEntry>::PutEntry(struct mozilla::IdentifierMapEntry::DependentAtomOrString const &)'::`1'::<lambda_1> &&)'::`1'::<lambda_1> &&) /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.h:605
    #4 0x7ffdad8c7437 in nsTHashtable<mozilla::IdentifierMapEntry>::WithEntryHandle /builds/worker/checkouts/gecko/xpcom/ds/nsTHashtable.h:434
    #5 0x7ffdad8c7437 in nsTHashtable<mozilla::IdentifierMapEntry>::PutEntry /builds/worker/checkouts/gecko/xpcom/ds/nsTHashtable.h:306
    #6 0x7ffdad8c7437 in mozilla::dom::ShadowRoot::AddToIdTable(class mozilla::dom::Element *, class nsAtom *) /builds/worker/checkouts/gecko/dom/base/ShadowRoot.cpp:553
    #7 0x7ffdad736a6b in mozilla::dom::Element::AddToIdTable /builds/worker/checkouts/gecko/dom/base/Element.cpp:1136
    #8 0x7ffdad736a6b in mozilla::dom::Element::BindToTree(struct mozilla::dom::BindContext &, class nsINode &) /builds/worker/checkouts/gecko/dom/base/Element.cpp:1921
    #9 0x7ffdad5895fa in nsStyledElement::BindToTree(struct mozilla::dom::BindContext &, class nsINode &) /builds/worker/checkouts/gecko/dom/base/nsStyledElement.cpp:210
    #10 0x7ffdb105236a in nsGenericHTMLElement::BindToTree(struct mozilla::dom::BindContext &, class nsINode &) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:466
    #11 0x7ffdada4edaf in nsINode::InsertChildBefore(class nsIContent *, class nsIContent *, bool, class mozilla::ErrorResult &) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1613
    #12 0x7ffdb4a35013 in nsINode::AppendChildTo /builds/worker/checkouts/gecko/dom/base/nsINode.h:967
    #13 0x7ffdb4a35013 in mozilla::AccessibleCaret::CreateCaretElement::<lambda_1>::operator() /builds/worker/checkouts/gecko/layout/base/AccessibleCaret.cpp:237
    #14 0x7ffdb4a35013 in mozilla::AccessibleCaret::CreateCaretElement(void) const /builds/worker/checkouts/gecko/layout/base/AccessibleCaret.cpp:240
    #15 0x7ffdb4a31d44 in mozilla::AccessibleCaret::InjectCaretElement(class mozilla::dom::Document *) /builds/worker/checkouts/gecko/layout/base/AccessibleCaret.cpp:199
    #16 0x7ffdb4a3ba06 in mozilla::AccessibleCaret::AccessibleCaret /builds/worker/checkouts/gecko/layout/base/AccessibleCaret.cpp:82
    #17 0x7ffdb4a3ba06 in mozilla::MakeUnique<class mozilla::AccessibleCaret, class mozilla::PresShell *&>(class mozilla::PresShell *&) /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:605
    #18 0x7ffdb4a37baa in mozilla::AccessibleCaretManager::AccessibleCaretManager /builds/worker/checkouts/gecko/layout/base/AccessibleCaretManager.cpp:86
    #19 0x7ffdb4a37baa in mozilla::MakeUnique /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:605
    #20 0x7ffdb4a37baa in mozilla::AccessibleCaretEventHub::Init(void) /builds/worker/checkouts/gecko/layout/base/AccessibleCaretEventHub.cpp:365
    #21 0x7ffdb4a7d9fa in mozilla::PresShell::Init(class nsPresContext *, class nsViewManager *) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:907
    #22 0x7ffdad68ca47 in mozilla::dom::Document::CreatePresShell(class nsPresContext *, class nsViewManager *) /builds/worker/checkouts/gecko/dom/base/Document.cpp:6948
    #23 0x7ffdb4bb1924 in nsDocumentViewer::InitPresentationStuff(bool) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:702
    #24 0x7ffdb4bb1279 in nsDocumentViewer::InitInternal(class nsIWidget *, class nsISupports *, class mozilla::dom::WindowGlobalChild *, struct mozilla::gfx::IntRectTyped<struct mozilla::gfx::UnknownUnits> const &, bool, bool, bool) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:909
    #25 0x7ffdb4bb08bf in nsDocumentViewer::Init(class nsIWidget *, struct mozilla::gfx::IntRectTyped<struct mozilla::gfx::UnknownUnits> const &, class mozilla::dom::WindowGlobalChild *) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:675
    #26 0x7ffdb7d25722 in nsDocShell::SetupNewViewer(class nsIContentViewer *, class mozilla::dom::WindowGlobalChild *) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:8129
    #27 0x7ffdb7d23f5c in nsDocShell::Embed(class nsIContentViewer *, class mozilla::dom::WindowGlobalChild *, bool, bool, class nsIRequest *, class nsIURI *) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5603
    #28 0x7ffdb7d32fa2 in nsDocShell::CreateAboutBlankContentViewer(class nsIPrincipal *, class nsIPrincipal *, class nsIContentSecurityPolicy *, class nsIURI *, bool, class mozilla::Maybe<enum nsILoadInfo::CrossOriginEmbedderPolicy> const &, bool, bool, class mozilla::dom::WindowGlobalChild *) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6685
    #29 0x7ffdb7e8065f in nsAppShellService::JustCreateTopWindow(class nsIAppWindow *, class nsIURI *, unsigned int, int, int, bool, class mozilla::AppWindow **) /builds/worker/checkouts/gecko/xpfe/appshell/nsAppShellService.cpp:716
    #30 0x7ffdb7e812a4 in nsAppShellService::CreateTopLevelWindow(class nsIAppWindow *, class nsIURI *, unsigned int, int, int, class nsIAppWindow **) /builds/worker/checkouts/gecko/xpfe/appshell/nsAppShellService.cpp:179
    #31 0x7ffdb8949c5d in nsAppStartup::CreateChromeWindow(class nsIWebBrowserChrome *, unsigned int, class nsIOpenWindowInfo *, bool *, class nsIWebBrowserChrome **) /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:757
    #32 0x7ffdb8b00951 in nsWindowWatcher::CreateChromeWindow(class nsIWebBrowserChrome *, unsigned int, class nsIOpenWindowInfo *, class nsIWebBrowserChrome **) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:437
    #33 0x7ffdb8afc3ca in nsWindowWatcher::OpenWindowInternal(class mozIDOMWindowProxy *, class nsTSubstring<char> const &, class nsTSubstring<char> const &, class nsTSubstring<char> const &, bool, bool, bool, class nsIArray *, bool, bool, bool, enum nsPIWindowWatcher::PrintKind, class nsDocShellLoadState *, class mozilla::dom::BrowsingContext **) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:1045
    #34 0x7ffdb8af7e36 in nsWindowWatcher::OpenWindow(class mozIDOMWindowProxy *, class nsTSubstring<char> const &, class nsTSubstring<char> const &, class nsTSubstring<char> const &, class nsISupports *, class mozIDOMWindowProxy **) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:293
    #35 0x7ffdbc685471 in XPTC__InvokebyIndex (E:\firefox_asan\target\firefox\xul.dll+0x193015471)

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/checkouts/gecko/widget/windows/nsWindow.cpp:8197 in nsWindow::PickerOpen(void)
Shadow bytes around the buggy address:
  0x12959aa2c280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x12959aa2c300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x12959aa2c380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x12959aa2c400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x12959aa2c480: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa
=>0x12959aa2c500: fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa
  0x12959aa2c580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x12959aa2c600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x12959aa2c680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x12959aa2c700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x12959aa2c780: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==36900==ABORTING
Flags: sec-bounty?
Group: firefox-core-security → dom-core-security
Component: Security → Widget: Win32
Product: Firefox → Core

Well, that's not good. It looks like a file-picker is being opened for a window after the window has been destroyed. That shouldn't be possible -- the nsFilePicker should have a RefPtr to the nsWindow. The POC is too simplistic to be some destruction-order thing...

... ah, it's running in headless mode. In that case, there's no nsWindow above the nsIWidget and it's instead pointing off into someone else's internals. The relevant static_cast<> is here — although it's been around since at least 2011, so I assume I've exposed it outside its old context somehow.

Assignee: nobody → rkraesig

We don't necessarily even have access to a user-accessible desktop in
headless mode. Opening a file dialog isn't going to work out.

In practice, file-dialog invocations will typically be intercepted by
Puppeteer before they ever get here (see MockFilePicker.sys.mjs), but
that's configuration-dependent. Explicitly check whether we're in
headless mode before proceeding.

Adding #win-reviewers members to CC for review purposes.

For security-triage purposes:

  • I believe this bug can only occur in headless mode. If so, it can't be triggered by an ordinary user... unless there's some way to trick --backgroundtask into loading dynamic web-provided content. (Maybe as an element of a privilege-escalation chain?)
  • I don't see any reason this couldn't happen before bug 1837079, but under the circumstances I'm very reluctant to say it could.
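The bug class described in the two comments above, as an added C++ illustration that is not Gecko's code: Widget, NativeWindow, HeadlessWidget and the ShowFilePicker* functions are hypothetical stand-ins for nsIWidget, nsWindow, the widget used under --headless and nsFilePicker's AutoWidgetPickerState. The unchecked form downcasts the interface pointer with static_cast and touches a member that only the native window has, so with a headless widget the access lands outside the object (the heap-buffer-overflow ASan flagged). The checked form refuses in headless mode before any window-specific state is touched, which is the shape of the fix; the dynamic_cast is an extra guard this example adds, not something the patch is known to do.

```cpp
#include <cassert>
#include <cstdint>

// Hypothetical stand-ins (assumption: not Gecko's real types).
// Widget ~ nsIWidget, NativeWindow ~ nsWindow, HeadlessWidget ~ headless widget.
struct Widget {
  virtual ~Widget() = default;
  virtual bool IsHeadless() const = 0;
};

struct NativeWindow : Widget {
  int32_t mPickerOpenCount = 0;  // bumped while a native dialog is open
  bool IsHeadless() const override { return false; }
  bool PickerOpen() { ++mPickerOpenCount; return true; }
  void PickerClosed() { --mPickerOpenCount; }
};

struct HeadlessWidget : Widget {
  bool IsHeadless() const override { return true; }
  // Deliberately no picker members: beyond the Widget base this object's
  // layout has nothing in common with NativeWindow.
};

enum class PickerResult { Shown, DeniedHeadless, DeniedNotNative };

// Pattern behind the report: the caller assumes every Widget is a
// NativeWindow and downcasts without checking. Given a HeadlessWidget,
// mPickerOpenCount is read and written through a pointer to memory that
// belongs to some other allocation: undefined behaviour, which ASan
// reports as a heap-buffer-overflow. Kept only to show the shape of the
// bug; never call it with a HeadlessWidget.
PickerResult ShowFilePickerUnchecked(Widget* aWidget) {
  NativeWindow* win = static_cast<NativeWindow*>(aWidget);  // unchecked downcast
  win->PickerOpen();
  win->PickerClosed();
  return PickerResult::Shown;
}

// Hardened form: deny in headless mode before touching window state
// (the fix's approach), then confirm the concrete type before the cast
// (an extra check added by this example).
PickerResult ShowFilePickerChecked(Widget* aWidget) {
  if (!aWidget || aWidget->IsHeadless()) {
    return PickerResult::DeniedHeadless;
  }
  NativeWindow* win = dynamic_cast<NativeWindow*>(aWidget);
  if (!win) {
    return PickerResult::DeniedNotNative;
  }
  win->PickerOpen();
  // ... the native dialog would run here ...
  win->PickerClosed();
  return PickerResult::Shown;
}

// Small drivers so the outcomes can be checked rather than printed.
PickerResult RunHeadless() {
  HeadlessWidget w;
  return ShowFilePickerChecked(&w);
}

int RunNativeAndReportCount() {
  NativeWindow w;
  if (ShowFilePickerChecked(&w) != PickerResult::Shown) return -1;
  return w.mPickerOpenCount;  // 0: open and close balanced
}

bool HeadlessIsNotNativeWindow() {
  HeadlessWidget w;
  Widget* base = &w;
  return dynamic_cast<NativeWindow*>(base) == nullptr;
}

int main() {
  assert(RunHeadless() == PickerResult::DeniedHeadless);
  assert(RunNativeAndReportCount() == 0);
  assert(HeadlessIsNotNativeWindow());
  return 0;
}
```

The point to carry away for review is that a static_cast from an interface pointer is a promise about the dynamic type, and a build-time or runtime configuration (here, --headless) can silently break that promise long after the cast was written; the 2011-era cast was fine as long as only native windows ever reached it.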

Comment on attachment 9363081 [details]
Bug 1864118 - deny attempts to open a Windows file picker in headless mode r?#win-reviewers

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: I don't think this can be exploited remotely. At least one additional exploit would be needed to do so, and I think that exploit would be sec-critical all on its own.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Trivial. The patch should apply cleanly.
  • How likely is this patch to cause regressions; how much testing does it need?: Virtually no chance of user-visible regressions. Small chance of regressions in automated testing.
  • Is Android affected?: Yes
Attachment #9363081 - Flags: sec-approval?

(In reply to Ray Kraesig [:rkraesig] from comment #3)

  • I don't see any reason this couldn't happen before bug 1837079, but under the circumstances I'm very reluctant to say it could.

I'm less reluctant to say it could, now, though I haven't managed to repro locally.

At any rate, if they're unaffected but the attached patch is uplifted anyway, there should be no deleterious effects.

calling this sec-moderate because of headless mode. Normal users won't be using that, but this could still theoretically be used as a targeted booby-trap for some kind of automated browser/ web-scanner.

Attached file prefs.js

This does not reproduce on m-c or esr without a custom prefs.js file.

Comment on attachment 9363081 [details]
Bug 1864118 - deny attempts to open a Windows file picker in headless mode r?#win-reviewers

Approved to land and uplift

Attachment #9363081 - Flags: sec-approval? → sec-approval+
Pushed by rkraesig@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/706dc0292edf deny attempts to open a Windows file picker in headless mode r=win-reviewers,gstoll,cmartin

Comment on attachment 9363081 [details]
Bug 1864118 - deny attempts to open a Windows file picker in headless mode r?#win-reviewers

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-moderate, approved
  • User impact if declined: None to ordinary users; but see bug 1864118 comment 6 (:dveditz)
  • Fix Landed on Version: 122
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): not risky; simple, non-intrusive check
Attachment #9363081 - Flags: approval-mozilla-esr115?
Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → 122 Branch

The patch landed in nightly and beta is affected.
:rkraesig, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox121 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(rkraesig)

Comment on attachment 9363081 [details]
Bug 1864118 - deny attempts to open a Windows file picker in headless mode r?#win-reviewers

Beta/Release Uplift Approval Request

  • User impact if declined: None to ordinary users; but see bug 1864118 comment 6 (:dveditz)
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: described in comment 0, with poc.html and prefs.js provided as attachments to the bug
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): not risky; simple, non-intrusive check
  • String changes made/needed: N/A
  • Is Android affected?: No
Flags: needinfo?(rkraesig)
Attachment #9363081 - Flags: approval-mozilla-beta?
Flags: qe-verify+

(In reply to BugBot [:suhaib / :marco/ :calixte] from comment #12)

:rkraesig, is this bug important enough to require an uplift?

I have no strong opinion on the matter, and will leave it to the discretion of the relevant release manager(s).

Comment on attachment 9363081 [details]
Bug 1864118 - deny attempts to open a Windows file picker in headless mode r?#win-reviewers

Approved for 121.0b5.

Attachment #9363081 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [qa-triaged]

Comment on attachment 9363081 [details]
Bug 1864118 - deny attempts to open a Windows file picker in headless mode r?#win-reviewers

Approved for 115.6esr.

Attachment #9363081 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Flags: sec-bounty? → sec-bounty+
Summary: heap-buffer-overflow widget/windows/nsWindow.cpp:8197 in nsWindow::PickerOpen(void) → heap-buffer-overflow widget/windows/nsWindow.cpp:8197 in nsWindow::PickerOpen(void) in headless mode

We weren't able to reproduce this error. Nothing happens after the Launching Firefox and Running Firefox messages. We tried with all the Windows 2012 x64 asan builds 121.0a1 (2023-11-06) from treeherder. Are there maybe some details that we missed, or could some interaction be at fault? Thank you!

Flags: needinfo?(rkraesig)

Well, that's odd. I get similar behavior with the Python HTTP server, but it works fine (i.e., correctly reproduces the bug) if you skip that and access the file directly:

ffpuppet.exe "C:/Users/Ray Kraesig/Downloads/target-asan-2023-11-06/firefox/firefox.exe" --headless -p 1864118-prefs.js -d -u 1864118-poc.html

I was able to reproduce consistently (n=5) with this build.

Flags: needinfo?(rkraesig)

(In reply to Ray Kraesig [:rkraesig] from comment #20)

Well, that's odd. I get similar behavior with the Python HTTP server, but it works fine (i.e., correctly reproduces the bug) if you skip that and access the file directly:

ffpuppet.exe "C:/Users/Ray Kraesig/Downloads/target-asan-2023-11-06/firefox/firefox.exe" --headless -p 1864118-prefs.js -d -u 1864118-poc.html

I was able to reproduce consistently (n=5) with this build.

Thank you for this additional information.
I've reproduced the error with Fx 121.0a1 (2023-11-06) on Windows 10 (but only after I've uninstalled the antivirus).
Verified fixed with Fx 122.0a1 (2023-12-04) and Fx 121.0b7 on Windows 10.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][adv-main121+]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main121+] → [reporter-external] [client-bounty-form] [verif?][adv-main121+][adv-esr115.6+]
Attached file advisory.txt (obsolete)
Attached file advisory.txt
Attachment #9367960 - Attachment is obsolete: true

Verified fixed with Fx 115.6esr on Windows 10.

Alias: CVE-2023-6861

Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter

Group: core-security-release