Closed Bug 1866006 Opened 1 year ago Closed 1 year ago

Assertion failure: !mFd (NSSSocketControl must outlive its file descriptor!), at security/manager/ssl/NSSSocketControl.h:267

Categories

(Core :: Security: PSM, defect, P1)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
122 Branch
Tracking Status
firefox-esr115 --- fixed
firefox120 --- unaffected
firefox121 --- fixed
firefox122 + fixed

People

(Reporter: decoder, Assigned: keeler)

Details

(Keywords: crash, testcase, Whiteboard: [psm-assigned])

Attachments

(4 files)

The attached testcase crashes on mozilla-central revision 20231122-ef0b50d89a7f (build with (metadatabuildFlags not available)).

For detailed crash information, see attachment.

To reproduce the issue, perform the following steps:

  1. Download the attached testcase, save as "test.bin".
  2a. Build with --enable-fuzzing (requires Clang and ASan, also build gtests using ./mach gtest dontruntests).
  2b. Alternatively you can download builds from TC using python -mfuzzfetch -a --fuzzing --target firefox gtest (see https://github.com/MozillaSecurity/fuzzfetch).
  3. Run FUZZER=NetworkHttp objdir/dist/bin/firefox test.bin

Attached file Testcase

This just started to pop up in the older libFuzzer targets. Did we maybe do a refactoring that broke these? Not sure if this is fuzzing only.

Flags: needinfo?(moz.valentin)

I'm not aware of any recent changes.
Kershaw, do you know if something changed recently?

Flags: needinfo?(moz.valentin) → needinfo?(kershaw)
Group: core-security → network-core-security

That assertion was introduced recently in bug 1840144.
Not sure if this reveals a hidden problem or we can just ignore this check in fuzzing.
Dana, could you take a look? Thanks.

Flags: needinfo?(kershaw) → needinfo?(dkeeler)

It looks like the assertion is just making sure we don't leak an fd, which doesn't really feel like a security issue.

Duplicate of this bug: 1866719

Looks like this has started showing up in the wild, too. (bug 1866719)

Copying crash signatures from duplicate bugs.

Crash Signature: [@ NSSSocketControl::~NSSSocketControl | NSSSocketControl::~NSSSocketControl | CommonSocketControl::Release]
Depends on: CVE-2023-6859
Assignee: nobody → dkeeler
Severity: -- → S2
Component: Networking: HTTP → Security: PSM
Flags: needinfo?(dkeeler)
Priority: -- → P1
Whiteboard: [psm-assigned]
Group: network-core-security → crypto-core-security
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/62bd80f46c8e
clarify ownership and lifetimes of NSSSocketControl and its associated fd r=jschanck

Is this a 122-only issue? Is this a sec issue? If so what rating do you think it should have? Thanks.

Flags: needinfo?(dkeeler)

This is a 122-only issue because bug 1840144 introduced the assertion that's failing. By itself I don't think it's a security issue (at most, it could be a denial-of-service issue).

Flags: needinfo?(dkeeler)
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 122 Branch
Attachment #9366573 - Flags: approval-mozilla-beta?

Uplift Approval Request

  • String changes made/needed: none
  • Needs manual QE test: no
  • Risk associated with taking this patch: low
  • Fix verified in Nightly: yes
  • User impact if declined: assertion failures
  • Explanation of risk level: This is a small change that is relatively straightforward to verify.
  • Steps to reproduce for manual QE testing: n/a
  • Code covered by automated testing: yes
  • Is Android affected?: yes

Comment on attachment 9366573 [details]
Bug 1866006 - clarify ownership and lifetimes of NSSSocketControl and its associated fd r?jschanck

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Release assertion failure.
  • User impact if declined: Release assertion failure.
  • Fix Landed on Version: 122
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is a small change.
Attachment #9366573 - Flags: approval-mozilla-esr115?

Comment on attachment 9366573 [details]
Bug 1866006 - clarify ownership and lifetimes of NSSSocketControl and its associated fd r?jschanck

Approved for 121.0b7.

Attachment #9366573 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment on attachment 9366573 [details]
Bug 1866006 - clarify ownership and lifetimes of NSSSocketControl and its associated fd r?jschanck

Approved for 115.6esr.

Attachment #9366573 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+