Closed Bug 1905843 (CVE-2024-9392) Opened 1 year ago Closed 1 year ago

Setting [channel|docshellLoadState|*] original uri in a (compromised) content process may be used to trigger loading of cross-origin pages in a wrong content process

Categories

(Core :: DOM: Navigation, defect, P2)

Tracking

RESOLVED FIXED
132 Branch
Tracking Status
firefox-esr115 131+ fixed
firefox-esr128 131+ fixed
firefox130 --- wontfix
firefox131 + fixed
firefox132 + fixed

People

(Reporter: smaug, Assigned: smaug)

References

(Regressed 1 open bug)

Details

(Keywords: sec-high, Whiteboard: [adv-main131+][adv-esr128.3+][adv-esr115.16+])

Attachments

(5 files, 1 obsolete file)

bug 1899154 is a subset of this.

We could at least make this a bit harder by comparing the original uri and the channel's uri in IsolationOptionsForNavigation.

Attachment #9410812 - Attachment description: WIP: Bug 1905843, prevent unexpected use of result site origin, r=nika → Bug 1905843, prevent unexpected use of result site origin, r=nika
Attachment #9410812 - Attachment description: Bug 1905843, prevent unexpected use of result site origin, r=nika → WIP: Bug 1905843, prevent unexpected use of result site origin, r=nika
Attachment #9410812 - Attachment description: WIP: Bug 1905843, prevent unexpected use of result site origin, r=nika → Bug 1905843, prevent unexpected use of result site origin, r=nika

Need to still audit some code/behavior.

Comment on attachment 9410812 [details]
Bug 1905843, prevent unexpected use of result site origin, r=nika

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: I think it is relatively well hidden where the actual issue happens - one needs to have a compromised content process
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Unknown
  • Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: I think this should be trivial to rebase. It might even work as is.
  • How likely is this patch to cause regressions; how much testing does it need?: I've tried to limit the scope as much as possible, but it is not regression-risk-free.
  • Is the patch ready to land after security approval is given?: Yes
  • Is Android affected?: Yes
Attachment #9410812 - Flags: sec-approval?

Comment on attachment 9410812 [details]
Bug 1905843, prevent unexpected use of result site origin, r=nika

Approved to land and uplift

Attachment #9410812 - Flags: sec-approval? → sec-approval+
Pushed by opettay@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/230299b03e10 prevent unexpected use of result site origin, r=nika
Pushed by opettay@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/894b18e7cc4f prevent unexpected use of result site origin, r=nika
Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 132 Branch
Attachment #9425679 - Flags: approval-mozilla-beta?

beta Uplift Approval Request

  • User impact if declined: Compromised content process might load cross-origin pages in it
  • Code covered by automated testing: no
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: One needs to inject, for example, the code from bug 1899154 into Firefox, rebuild and test
  • Risk associated with taking this patch: medium
  • Explanation of risk level: It has been a bit hard to test all the code paths locally, since this requires injecting broken code into content processes
  • String changes made/needed: NA
  • Is Android affected?: yes
Attachment #9425679 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: needinfo?(smaug)

Please nominate this for ESR128 and ESR115 also. It grafts cleanly to both.

Flags: needinfo?(smaug)
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Attachment #9426093 - Flags: approval-mozilla-esr128?

esr128 Uplift Approval Request

  • User impact if declined: Compromised content process might load cross-origin pages in it
  • Code covered by automated testing: no
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: One needs to inject, for example, the code from bug 1899154 into Firefox, rebuild and test
  • Risk associated with taking this patch: medium
  • Explanation of risk level: It has been a bit hard to test all the code paths locally, since this requires injecting broken code into content processes
  • String changes made/needed: NA
  • Is Android affected?: yes
Attachment #9426094 - Flags: approval-mozilla-esr115?

esr115 Uplift Approval Request

  • User impact if declined: Compromised content process might load cross-origin pages in it
  • Code covered by automated testing: no
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: One needs to inject, for example, the code from bug 1899154 into Firefox, rebuild and test
  • Risk associated with taking this patch: medium
  • Explanation of risk level: It has been a bit hard to test all the code paths locally, since this requires injecting broken code into content processes
  • String changes made/needed: NA
  • Is Android affected?: yes
Attachment #9426093 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+
Attachment #9426094 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+

:smaug can you take a look at the esr115 failures?

Flags: needinfo?(smaug)
Whiteboard: [adv-main131+]
Whiteboard: [adv-main131+] → [adv-main131+][adv-esr128.3+]
Attached file advisory.txt (obsolete)
Attached file advisory.txt
Attachment #9427480 - Attachment is obsolete: true
Whiteboard: [adv-main131+][adv-esr128.3+] → [adv-main131+][adv-esr128.3+][adv-esr115.16+]
Alias: CVE-2024-9392
Group: core-security-release
Regressions: 1963585
Regressions: 1955078