Closed Bug 1965279 (CVE-2025-6703) Opened 1 year ago Closed 10 months ago

Crash when processing DATA_BLOCK frame in neqo project

Categories

(Core :: Networking, defect, P2)

defect

Tracking


RESOLVED FIXED
Tracking Status
firefox-esr115 --- wontfix
firefox-esr140 --- fixed
firefox140 --- fixed

People

(Reporter: 13298187933, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [necko-triaged][adv-main140-])

Attachments

(1 file)

Attached image snapshot.jfif

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36

Steps to reproduce:

neqo (https://github.com/mozilla/neqo) is a component used by Mozilla to implement the QUIC protocol interaction. We tested it using the main branch. When using neqo as a server to provide the QUIC service, we send a DATA_BLOCKED frame after the 1-RTT handshake has been established; the server processes the frame and declares a new expected maximum DATA value which is larger than the maximum value that a varint in the QUIC protocol can hold, thus causing a crash.
An attacker only needs to establish a connection and send a DATA_BLOCKED frame to perform a DoS attack on a QUIC service built with neqo.
The exact cause is as follows:

  • When DATA_BLOCKED is received, neqo chooses to send a MAX_DATA frame to update it; the implementation is located at line 229 of neqo-transport/src/streams.rs.
  • This is followed by a call to ReceiverFlowControl::write_frames, located at line 321 of neqo-transport/src/streams.rs, and a call to self.next_limit() at line 330 to update the maximum amount of acceptable DATA.
  • The next_limit function is calculated as self.retired (the amount of data already received) + self.max_active (the current maximum acceptable value).
  • However, in ReceiverFlowControl::new(), located in neqo-transport/src/fc.rs on line 244, max_active is set to max, which is 2^62-1 in the default setting (line 108 of neqo-transport/src/connection/params.rs), the maximum value that a varint can hold. So once self.retired is not 0, i.e. several bytes have already been received, the new max_allowed exceeds 2^62 and ends up triggering a crash in the varint_len function at line 210 of neqo-common/src/codec.rs.

Actual results:

As shown in the attachment, the neqo service is running on port 32440. We sent 2 DATA_BLOCKED frames; neqo correctly processed the first one, because at that time self.retired == 0. When processing the second one, self.retired had increased to 3, at which point the neqo server reports an error and exits the programme. The error message is as follows:

thread 'main' panicked at neqo-common/src/codec.rs:216:19:
Varint value too large
stack backtrace:
   0:     0x5a256162707d - std::backtrace_rs::backtrace::libunwind::trace::h302945139c18af97
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/../../backtrace/src/backtrace/libunwind.rs:116:5
   1:     0x5a256162707d - std::backtrace_rs::backtrace::trace_unsynchronized::h840548b20704de9e
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
   2:     0x5a256162707d - std::sys::backtrace::_print_fmt::h2ac22f81c7dcdaef
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/sys/backtrace.rs:66:9
   3:     0x5a256162707d - <std::sys::backtrace::BacktraceLock::print::DisplayBacktrace as core::fmt::Display>::fmt::h2d25858e63254058
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/sys/backtrace.rs:39:26
   4:     0x5a256164ce0b - core::fmt::rt::Argument::fmt::h66cd8d9ce11d21a1
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/fmt/rt.rs:173:76
   5:     0x5a256164ce0b - core::fmt::write::hd0a778a03aa43ec1
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/fmt/mod.rs:1178:21
   6:     0x5a2561623cf3 - std::io::Write::write_fmt::hd97beb4bdd22d4f5
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/io/mod.rs:1823:15
   7:     0x5a2561628232 - std::sys::backtrace::BacktraceLock::print::hce055f7dccf3e70f
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/sys/backtrace.rs:42:9
   8:     0x5a2561628232 - std::panicking::default_hook::{{closure}}::hc67d88b4b3625d0a
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:266:22
   9:     0x5a2561627e9e - std::panicking::default_hook::hf7bb98a0440f301f
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:293:9
  10:     0x5a2561628b2f - std::panicking::rust_panic_with_hook::h1d911cf10ecc7e43
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:797:13
  11:     0x5a25616287e3 - std::panicking::begin_panic_handler::{{closure}}::h5f828f72649fb5d3
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:664:13
  12:     0x5a2561627569 - std::sys::backtrace::__rust_end_short_backtrace::ha0666bd495c11bc8
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/sys/backtrace.rs:170:18
  13:     0x5a25616284a4 - rust_begin_unwind
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:662:5
  14:     0x5a256164a713 - core::panicking::panic_fmt::h393e3dd80dd6b20b
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/panicking.rs:74:14
  15:     0x5a25613ba3b8 - neqo_common::codec::Encoder::varint_len::he69e87fe03fef4d4
                               at /path/to/neqo/neqo-common/src/codec.rs:216:19
  16:     0x5a2560fe742b - neqo_transport::packet::PacketBuilder::write_varint_frame::{{closure}}::hfe8060a639a615d8
                               at /path/to/neqo/neqo-transport/src/packet/mod.rs:400:27
  17:     0x5a2560f63064 - core::iter::adapters::map::map_fold::{{closure}}::hb5bcf8b59dba6679
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/iter/adapters/map.rs:88:28
  18:     0x5a2560ee9a61 - <core::slice::iter::Iter<T> as core::iter::traits::iterator::Iterator>::fold::h23359fb99f72c267
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/slice/iter/macros.rs:232:27
  19:     0x5a2560f61ce9 - <core::iter::adapters::map::Map<I,F> as core::iter::traits::iterator::Iterator>::fold::hb2aeeac1cd10f2e6
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/iter/adapters/map.rs:128:9
  20:     0x5a2560f63678 - <usize as core::iter::traits::accum::Sum>::sum::h504084182f5db453
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/iter/traits/accum.rs:50:17
  21:     0x5a2560f62404 - core::iter::traits::iterator::Iterator::sum::h51da320164083910
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/iter/traits/iterator.rs:3577:9
  22:     0x5a2560f19fe5 - neqo_transport::packet::PacketBuilder::write_varint_frame::had81f5e136c86f0c
                               at /path/to/neqo/neqo-transport/src/packet/mod.rs:398:16
  23:     0x5a25610202a7 - neqo_transport::fc::ReceiverFlowControl<()>::write_frames::h61266ba7d1ddbb2b
                               at /path/to/neqo/neqo-transport/src/fc.rs:331:12
  24:     0x5a2560f452e8 - neqo_transport::streams::Streams::write_maintenance_frames::hd9dadc70f995189d
                               at /path/to/neqo/neqo-transport/src/streams.rs:229:9
  25:     0x5a256100ef6f - neqo_transport::connection::Connection::write_appdata_frames::hff8a641276e82743
                               at /path/to/neqo/neqo-transport/src/connection/mod.rs:2181:9
  26:     0x5a2561010458 - neqo_transport::connection::Connection::write_frames::h172e50d73eec28dd
                               at /path/to/neqo/neqo-transport/src/connection/mod.rs:2361:17
  27:     0x5a2561011eb1 - neqo_transport::connection::Connection::output_path::h235e5dada61fd6aa
                               at /path/to/neqo/neqo-transport/src/connection/mod.rs:2502:21
  28:     0x5a2560fa2ed4 - neqo_transport::connection::Connection::output::{{closure}}::h2a57400a8b08133f
                               at /path/to/neqo/neqo-transport/src/connection/mod.rs:2063:31
  29:     0x5a2560ff4b5d - core::option::Option<T>::map_or_else::hefa996f437415c68
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/option.rs:1210:24
  30:     0x5a256100df08 - neqo_transport::connection::Connection::output::hded2c10498f6749b
                               at /path/to/neqo/neqo-transport/src/connection/mod.rs:2060:35
  31:     0x5a2561003748 - neqo_transport::connection::Connection::process_output::h3c83b7b42e4cb1ad
                               at /path/to/neqo/neqo-transport/src/connection/mod.rs:1156:15
  32:     0x5a2560c11f98 - neqo_transport::connection::Connection::process::h698d4780ae89eea0
                               at /path/to/neqo/neqo-transport/src/connection/mod.rs:1192:22
  33:     0x5a2560c09ea7 - neqo_transport::server::Server::process_input::h35acf5806a30de9d
                               at /path/to/neqo/neqo-transport/src/server.rs:376:20
  34:     0x5a2560c0f05a - neqo_transport::server::Server::process::{{closure}}::h4270d692a3a278db
                               at /path/to/neqo/neqo-transport/src/server.rs:486:39
  35:     0x5a2560c44e3f - core::option::Option<T>::map_or::h12069e4bf0d76966
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/option.rs:1164:24
  36:     0x5a2560c0ef40 - neqo_transport::server::Server::process::he35d1041262904fa
                               at /path/to/neqo/neqo-transport/src/server.rs:485:19
  37:     0x5a2560c41ea4 - neqo_http3::server::Http3Server::process::hf5e3a85329ad8655
                               at /path/to/neqo/neqo-http3/src/server.rs:125:19
  38:     0x5a2560c3f5b1 - <neqo_bin::server::http3::HttpServer as neqo_bin::server::HttpServer>::process::he71da29ead6ad071
                               at /path/to/neqo/neqo-bin/src/server/http3.rs:86:9
  39:     0x5a2560bfd513 - neqo_bin::server::ServerRunner::process_inner::{{closure}}::hcf696368084b3fa9
                               at /path/to/neqo/neqo-bin/src/server/mod.rs:256:19
  40:     0x5a2560bfdcb2 - neqo_bin::server::ServerRunner::read_and_process::{{closure}}::h1bf1fc5ddd60e7cf
                               at /path/to/neqo/neqo-bin/src/server/mod.rs:299:18
  41:     0x5a2560bfeaa9 - neqo_bin::server::ServerRunner::run::{{closure}}::h44f4447c86082662
                               at /path/to/neqo/neqo-bin/src/server/mod.rs:347:58
  42:     0x5a2560c00daf - neqo_bin::server::server::{{closure}}::he36cc7418e2dd45a
                               at /path/to/neqo/neqo-bin/src/server/mod.rs:443:10
  43:     0x5a2560bf10eb - neqo_server::main::{{closure}}::h1eed091db164f826
                               at /path/to/neqo/neqo-bin/src/bin/server.rs:13:36
  44:     0x5a2560bf157b - <core::pin::Pin<P> as core::future::future::Future>::poll::h3d0c3bcdaaabab4b
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/future/future.rs:123:9
  45:     0x5a2560bf8a1e - tokio::runtime::scheduler::current_thread::CoreGuard::block_on::{{closure}}::{{closure}}::{{closure}}::hf32e93c5793fdffa
                               at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:729:57
  46:     0x5a2560bf88f5 - tokio::runtime::coop::with_budget::h65ec4be0a176a434
                               at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/coop.rs:107:5
  47:     0x5a2560bf88f5 - tokio::runtime::coop::budget::h4c9c616a68887f1e
                               at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/coop.rs:73:5
  48:     0x5a2560bf88f5 - tokio::runtime::scheduler::current_thread::CoreGuard::block_on::{{closure}}::{{closure}}::ha875dc9f51f3c7ac
                               at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:729:25
  49:     0x5a2560bf5c1d - tokio::runtime::scheduler::current_thread::Context::enter::h93bbf67f6b90c21e
                               at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:428:19
  50:     0x5a2560bf75bb - tokio::runtime::scheduler::current_thread::CoreGuard::block_on::{{closure}}::h7b498e296785792f
                               at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:728:36
  51:     0x5a2560bf722b - tokio::runtime::scheduler::current_thread::CoreGuard::enter::{{closure}}::h7ca26ec97a4ac210
                               at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:807:68
  52:     0x5a2560bf075a - tokio::runtime::context::scoped::Scoped<T>::set::h927d9bdb0adff02c
                               at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/context/scoped.rs:40:9
  53:     0x5a2560bf306a - tokio::runtime::context::set_scheduler::{{closure}}::h1bc65cb6e3fff864
                               at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/context.rs:180:26
  54:     0x5a2560c035b4 - std::thread::local::LocalKey<T>::try_with::hfec3d3b0cd3d4491
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/thread/local.rs:283:12
  55:     0x5a2560c02a0d - std::thread::local::LocalKey<T>::with::hc7a7960b53e66eab
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/thread/local.rs:260:9
  56:     0x5a2560bf2fc1 - tokio::runtime::context::set_scheduler::ha59225e764947f93
                               at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/context.rs:180:9
  57:     0x5a2560bf6afe - tokio::runtime::scheduler::current_thread::CoreGuard::enter::h0d3c0db26969d5dd
                               at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:807:27
  58:     0x5a2560bf7298 - tokio::runtime::scheduler::current_thread::CoreGuard::block_on::h55662df0ea8f6596
                               at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:716:19
  59:     0x5a2560bf4cbf - tokio::runtime::scheduler::current_thread::CurrentThread::block_on::{{closure}}::ha5b1990dd0841d43
                               at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:196:28
  60:     0x5a2560bf24f8 - tokio::runtime::context::runtime::enter_runtime::h73cde13fba8978c3
                               at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/context/runtime.rs:65:16
  61:     0x5a2560bf4988 - tokio::runtime::scheduler::current_thread::CurrentThread::block_on::h22a1c5bda317b17b
                               at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/scheduler/current_thread/mod.rs:184:9
  62:     0x5a2560bf08a9 - tokio::runtime::runtime::Runtime::block_on_inner::h9467077ff100c62c
                               at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/runtime.rs:368:47
  63:     0x5a2560bf0bee - tokio::runtime::runtime::Runtime::block_on::hd88e9ed8f146f085
                               at /home/john/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.43.1/src/runtime/runtime.rs:342:13
  64:     0x5a2560c01ab8 - neqo_server::main::he92a6fc4b1bfa69e
                               at /path/to/neqo/neqo-bin/src/bin/server.rs:13:5
  65:     0x5a2560bf8e72 - core::ops::function::FnOnce::call_once::hfea84c30e7c47159
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/ops/function.rs:250:5
  66:     0x5a2560c02445 - std::sys::backtrace::__rust_begin_short_backtrace::hd4ffae83c75e45dc
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/sys/backtrace.rs:154:18
  67:     0x5a2560bfcc36 - std::rt::lang_start::{{closure}}::he1c87708e28d5326
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/rt.rs:164:18
  68:     0x5a256161edb0 - core::ops::function::impls::<impl core::ops::function::FnOnce<A> for &F>::call_once::h49cb17a227232e8a
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/core/src/ops/function.rs:284:13
  69:     0x5a256161edb0 - std::panicking::try::do_call::h4ec17dd43a7f552a
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:554:40
  70:     0x5a256161edb0 - std::panicking::try::h5bb9e6fcb9bcedd4
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:518:19
  71:     0x5a256161edb0 - std::panic::catch_unwind::h0351d54cce54b394
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panic.rs:345:14
  72:     0x5a256161edb0 - std::rt::lang_start_internal::{{closure}}::hbedf4aa2a5b26eb2
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/rt.rs:143:48
  73:     0x5a256161edb0 - std::panicking::try::do_call::h9861ac54db992cff
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:554:40
  74:     0x5a256161edb0 - std::panicking::try::h20bb8ca1f70b8b85
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panicking.rs:518:19
  75:     0x5a256161edb0 - std::panic::catch_unwind::h8478447418590db8
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/panic.rs:345:14
  76:     0x5a256161edb0 - std::rt::lang_start_internal::h046989e7acc7e62e
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/rt.rs:143:20
  77:     0x5a2560bfcc0a - std::rt::lang_start::h27d2d3a23086a896
                               at /rustc/515395af0efdbdd657ff08a1f6d28e553856654f/library/std/src/rt.rs:163:17
  78:     0x5a2560c01b5e - main
  79:     0x70e13d22a1ca - __libc_start_call_main
                               at ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
  80:     0x70e13d22a28b - __libc_start_main_impl
                               at ./csu/../csu/libc-start.c:360:3
  81:     0x5a2560beb925 - _start
  82:                0x0 - <unknown>

Expected results:

The expected result is normal processing of MAX_DATA frames, so the max_active value in the initial state should be adjusted and set to a smaller value such as 0xffff.
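The arithmetic the report describes, as an added example that is not neqo's code: a small model of the receiver flow controller whose limit is `retired + max_active`, a varint length check that returns `None` where the original code panicked, and a clamped variant of the limit (an assumption for illustration, not the project's actual fix). All names are hypothetical.

```rust
// Added example (not neqo's code): models the receive-side flow-control
// arithmetic from this report. Names are hypothetical.

/// Largest value a QUIC variable-length integer can carry (2^62 - 1).
pub const VARINT_MAX: u64 = (1 << 62) - 1;

/// Bytes needed to encode `v` as a QUIC varint, or `None` if `v` cannot be
/// encoded at all (the case where the original varint_len panicked).
pub fn varint_len(v: u64) -> Option<usize> {
    match v {
        0..=0x3f => Some(1),
        0x40..=0x3fff => Some(2),
        0x4000..=0x3fff_ffff => Some(4),
        0x4000_0000..=VARINT_MAX => Some(8),
        _ => None,
    }
}

/// Minimal model of a connection-level receiver flow controller.
pub struct ReceiverFlowControl {
    /// Bytes already consumed by the application (credit to be re-issued).
    retired: u64,
    /// Window the peer may have outstanding beyond `retired`.
    max_active: u64,
}

impl ReceiverFlowControl {
    pub fn new(max_active: u64) -> Self {
        Self { retired: 0, max_active }
    }

    pub fn retire(&mut self, n: u64) {
        self.retired = self.retired.saturating_add(n);
    }

    /// The limit as the report describes it: `retired + max_active`. With a
    /// default `max_active` of 2^62 - 1 this exceeds VARINT_MAX as soon as
    /// any data has been retired.
    pub fn next_limit_unchecked(&self) -> u64 {
        self.retired + self.max_active
    }

    /// Hardened variant (an assumption here, not the project's fix): clamp
    /// the advertised MAX_DATA value to what a varint can carry.
    pub fn next_limit_clamped(&self) -> u64 {
        self.retired.saturating_add(self.max_active).min(VARINT_MAX)
    }
}

/// Length of a MAX_DATA frame (1-byte type + varint limit) for `limit`, or
/// `None` where the original code would have panicked while encoding.
pub fn max_data_frame_len(limit: u64) -> Option<usize> {
    varint_len(limit).map(|n| 1 + n)
}

fn main() {
    let mut fc = ReceiverFlowControl::new(VARINT_MAX);
    // First DATA_BLOCKED: nothing retired yet, so the limit still encodes.
    println!("{:?}", max_data_frame_len(fc.next_limit_unchecked()));
    // Three bytes retired, as in the report: the unchecked limit leaves the
    // varint range, while the clamped limit stays encodable.
    fc.retire(3);
    println!("{:?}", max_data_frame_len(fc.next_limit_unchecked()));
    println!("{:?}", max_data_frame_len(fc.next_limit_clamped()));
}
```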

Group: core-security → network-core-security

Max, do you know if we already have a neqo issue for this?
FWIW, I think this bug doesn't need to be a secure bug.

Severity: -- → S4
Flags: needinfo?(mail)
Priority: -- → P2
Whiteboard: [necko-triaged]
Blocks: QUIC

No existing issues mention this vulnerability. While the root cause is straightforward, attackers can easily exploit it to crash the service. So I've chosen to report it as a security concern rather than opening a GitHub issue.

Thank you for the report. I can reproduce this locally. I will create a pull request for Neqo.

> FWIW, I think this bug doesn't need to be a secure bug.

While not high impact, preference for keeping it private for now.

Flags: needinfo?(mail)

@k4ra5u do you have a GitHub ID you would like acknowledged with the disclosure?

Flags: needinfo?(13298187933)

(In reply to Lars Eggert [:lars] from comment #5)

> @k4ra5u do you have a GitHub ID you would like acknowledged with the disclosure?

k4ra5u is my GitHub ID.
Thanks.

Flags: needinfo?(13298187933)

If you don't mind sharing k4ra5u, I am curious how you found this bug.

Flags: needinfo?(13298187933)

(In reply to Max Inden from comment #7)

> If you don't mind sharing k4ra5u, I am curious how you found this bug.

We are currently conducting fuzzing research on QUIC implementations by mutating various fields in frame sequences and performing blackbox differential testing. During testing, we identified this crash and later confirmed its root cause through traffic and code analysis.

Additionally, the fuzzer detected another bug that triggers an assertion crash only in debug builds of neqo. In release mode, it merely disrupts the current connection without affecting neqo's overall QUIC service quality. Since this issue has minimal impact, I will report it later as a regular GitHub issue.

Flags: needinfo?(13298187933)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Depends on: 1966980

For the record Bug 1966980 is backported to Firefox 140 which is currently in Beta.

Would this attack also work against neqo as the client?

> Would this attack also work against neqo as the client?

Sorry for missing this. Yes.

The patch is released as part of Firefox 140. The security vulnerability has been disclosed as part of https://github.com/mozilla/neqo/security/advisories/GHSA-jfv6-x22w-grhf. Thus I am closing here.

Thank you k4ra5u for your great work!

Status: NEW → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Alias: CVE-2025-6703
Group: network-core-security → core-security-release
Keywords: csectype-dos
Whiteboard: [necko-triaged] → [necko-triaged][adv-main140-]
Group: core-security-release