Closed Bug 1893891 (CVE-2024-4771) Opened 9 months ago Closed 9 months ago

AddressSanitizer: heap-use-after-free gfx/thebes/gfxFontEntry.cpp in ForgetHashEntry after calloc failure on hb_object_create

Categories

(Core :: Graphics: Text, defect)

Product:
Core
Component:
Graphics: Text
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
127 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox125 --- wontfix
firefox126 + fixed
firefox127 + fixed

People

(Reporter: sourc7, Assigned: jfkthame)

Details

(Keywords: csectype-uaf, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?] [adv-main126+])

Attachments

(6 files)

ForgetHashEntry-heap-use-after-free-write-8.txt
14.95 KB, text/plain
Details
hb-blob-create-or-fail.patch
682 bytes, patch
Details | Diff | Splinter Review
testcase-for-hb-blob-patch.html
80 bytes, text/html
Details
Bug 1893891 - Clear mSharedBlobData if blob creation failed.
48 bytes, text/x-phabricator-request
Details | Review
Bug 1893891 - Clear mSharedBlobData if blob creation failed.
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-beta+
Details | Review
advisory.txt
256 bytes, text/plain
Details

On hb_blob_create_or_fail when the hb_object_create<hb_blob_t> calloc return nullptr, after user_data is freed, the user_data able to reused by ForgetHashEntry code.

Steps to reproduce

  1. Apply attached hb-blob-create-or-fail.patch
  2. Compile Firefox with AddressSanitizer
  3. Visit attached testcase-for-hb-blob-patch.html
  4. Firefox crashed with AddressSanitizer: heap-use-after-free
Flags: sec-bounty?
Group: firefox-core-security → gfx-core-security
Component: Security → Graphics: Text
Keywords: csectype-uaf
Product: Firefox → Core

The jemalloc we use in Firefox is infallible by default. It looks like this allocation is done by calloc. glandium, am I right in thinking that calloc will never return null? Thanks. Though maybe other people build Firefox with other allocators.

Flags: needinfo?(mh+mozilla)

Jemalloc is not infallible. moz_malloc/moz_calloc are.

Flags: needinfo?(mh+mozilla)
Severity: -- → S2

While this is a valid bug, I think the real-world risk here must be pretty low. Note that what's being allocated here is the hb_blob_t struct, which is just 48 bytes (not a possibly-large block with an attacker-controlled size). So if the calloc here does fail, we must be on the very edge of memory exhaustion. In that case it's likely that within moments, an "infallible" allocation attempt is going to terminate the process anyway.

Still, we clearly need to handle the potential failure here more correctly. Or we could switch harfbuzz to use our infallible moz_x* functions and avoid the issue.

I haven't verified this with a local build yet, but if I'm reading the code right, I think all that's needed is to ensure we clear the mSharedBlobData pointer in the failure case. I'll try to confirm this on my Linux machine in a while.

Irvan, if you're able to apply the above patch and check whether it resolves the issue for you, that would be great. Thanks!

Flags: needinfo?(susah.yak)

Ok, in a local ASAN build I confirmed that the patch resolves the issue for me. (Further confirmation would still be welcome.)

Assignee: nobody → jfkthame
Status: NEW → ASSIGNED

I'll mark it sec-moderate because it sounds difficult to actually exploit.

Keywords: sec-moderate
Pushed by jkew@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c91b19ecb5d3 Clear mSharedBlobData if blob creation failed. r=gfx-reviewers,lsalzman

(In reply to Jonathan Kew [:jfkthame] from comment #8)

I haven't verified this with a local build yet, but if I'm reading the code right, I think all that's needed is to ensure we clear the mSharedBlobData pointer in the failure case. I'll try to confirm this on my Linux machine in a while.

Irvan, if you're able to apply the above patch and check whether it resolves the issue for you, that would be great. Thanks!

Thanks Jonathan for the patch, after added mSharedBlobData = nullptr; above return hb_blob_reference(mBlob); then re-compile the Firefox ASan, I confirm that this solves the problem. Thanks!

Flags: needinfo?(susah.yak)

https://hg.mozilla.org/mozilla-central/rev/c91b19ecb5d3

Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
status-firefox125: --- → wontfix
status-firefox126: --- → affected
status-firefox127: --- → fixed
status-firefox-esr115: --- → affected
tracking-firefox126: --- → +
tracking-firefox127: --- → +
tracking-firefox-esr115: --- → 126+
Resolution: --- → FIXED
Target Milestone: --- → 127 Branch

:jfkthame can you attach a beta uplift request on this when ready. Is this something we want to uplift to ESR115?

Flags: needinfo?(jfkthame)

I think it would be fine to uplift to ESR, in that the patch carries no significant regression risk; but I also think the issue is likely so hard to exploit (reaching this particular small-allocation failure, without OOM-crashing the process) that the real-world risk is minimal. So not sure it's worth touching ESR here...?

Flags: needinfo?(jfkthame)
Attachment #9399732 - Flags: approval-mozilla-beta?

beta Uplift Approval Request

  • User impact if declined: potential UAF after a malloc() failure
  • Code covered by automated testing: no
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: n/a
  • Risk associated with taking this patch: minimal
  • Explanation of risk level: trivial - clearing a pointer on error
  • String changes made/needed: none
  • Is Android affected?: yes
Attachment #9399732 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Flags: sec-bounty? → sec-bounty+
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?] [adv-main126+]
Alias: CVE-2024-4771
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: