Closed Bug 1886852 (CVE-2024-29944) Opened 2 years ago Closed 2 years ago

[pwn2own-2024] sandbox escape using non-SHIP session restore

Categories

(Firefox :: Session Restore, defect)

Product:
Firefox
Component:
Session Restore
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
126 Branch
Tracking Flags:
Tracking Status
firefox-esr115 124+ fixed
firefox124 + fixed
firefox125 + fixed
firefox126 + fixed

People

(Reporter: dveditz, Assigned: nika)

References

Details

(Keywords: csectype-sandbox-escape, reporter-external, sec-critical, Whiteboard: [adv-main124.0.1+][adv-esr115.9.1+])

Attachments

(2 files)

Bug 1886852 - Avoid registering unnecessary MessageManager listeners when SHIP is enabled, r=smaug!
48 bytes, text/x-phabricator-request
diannaS
: approval-mozilla-beta+
diannaS
: approval-mozilla-release+
diannaS
: approval-mozilla-esr115+
tjr
: sec-approval+
Details | Review
advisory.txt
249 bytes, text/plain
Details
No description provided.
status-firefox124: --- → affected
status-firefox125: --- → affected
status-firefox126: --- → affected
status-firefox-esr115: --- → affected
tracking-firefox-esr115: --- → 124+
Summary: pwn2own-2024 sandbox escape using session restore → [pwn2own-2024] sandbox escape using session restore

The core of the sandbox escape is basically this:

const script = `
  dump("do whatever you want in parent process chrome JS");
`;

let attr = {"style":"text-indent: 500px;", "onoverflow":script, "onunderflow":script};
const data = {"epoch":0,"data":{"attributes":attr}};
mm.sendSyncMessage("SessionStore:update",data);
Assignee: nobody → nika
Status: NEW → ASSIGNED

Nika said this code is dead on desktop because bug 1804140 is on 114+, so we're always using SHIP. She also said that Android is not affected even though it is not using SHIP because the actual exploited code is not present on Android, or something like that.

Summary: [pwn2own-2024] sandbox escape using session restore → [pwn2own-2024] sandbox escape using non-SHIP session restore
Attached file advisory.txt

I checked locally in an opt Nightly build with this patch that session restore still works even if Fission is disabled.

Attachment #9392594 - Flags: sec-approval+
Alias: CVE-2024-29944

As another double check that the patch worked as expected, I wrote a patch to log when we add a message listener or receive a message manager message, in the parent process. I tested starting the browser with "open previous tabs" enabled with a few tabs saved. On MacOS desktop, without the patch, we register 5 message listeners with "SessionStore" in the name. With the patch, we don't have any. So that is working as expected. Also as expected, in this simple scenario we don't receive any messages with SessionStore in the name, both with and without the patch.

Pushed by smolnar@mozilla.com: https://hg.mozilla.org/mozilla-central/rev/eccf7da6ea0f Avoid registering unnecessary MessageManager listeners when SHIP is enabled, r=smaug!

https://hg.mozilla.org/mozilla-central/rev/eccf7da6ea0f

Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox126: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 126 Branch
See Also: → 1886889

Comment on attachment 9392594 [details]
Bug 1886852 - Avoid registering unnecessary MessageManager listeners when SHIP is enabled, r=smaug!

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: sandbox escape
  • Fix Landed on Version: 126
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Disabling dead code (as verified by ccov and code reading) which should have been behind a preference, and exposed a security vulnerability to content processes.

Beta/Release Uplift Approval Request

  • User impact if declined: sandbox escape
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Disabling dead code (as verified by ccov and code reading) which should have been behind a preference, and exposed a security vulnerability to content processes.
  • String changes made/needed: none
  • Is Android affected?: No
Attachment #9392594 - Flags: approval-mozilla-release?
Attachment #9392594 - Flags: approval-mozilla-esr115?
Attachment #9392594 - Flags: approval-mozilla-beta?

Comment on attachment 9392594 [details]
Bug 1886852 - Avoid registering unnecessary MessageManager listeners when SHIP is enabled, r=smaug!

Approved for 125.0b3

Attachment #9392594 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment on attachment 9392594 [details]
Bug 1886852 - Avoid registering unnecessary MessageManager listeners when SHIP is enabled, r=smaug!

Approved for 115.9.1esr

Attachment #9392594 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+

Comment on attachment 9392594 [details]
Bug 1886852 - Avoid registering unnecessary MessageManager listeners when SHIP is enabled, r=smaug!

Approved for 124.0.1 dot release

Attachment #9392594 - Flags: approval-mozilla-release? → approval-mozilla-release+

Smoke tested Session Restore with and without Fission on RC 124.0.1-build1 and ESR 115.9.1esr-build1 - all manual tests passed. More details on confluence page: https://mozilla-hub.atlassian.net/wiki/spaces/FDPDT/pages/10617980/Firefox+regression+testing#Chemspill-124.0.1-build1

See Also: → 1887029
QA Whiteboard: [post-critsmash-triage]
Keywords: reporter-external
Whiteboard: [adv-main124.0.1+][adv-esr115.9.1+]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: