Closed Bug 584252 Opened 15 years ago Closed 15 years ago

non-canonical qnan coming out of strtod

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- beta3+
status2.0 --- ?
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: luke, Assigned: luke)

References

Details

(Whiteboard: [sg:critical] fixed-in-tracemonkey webkit version of this bug: rdar://problem/8269822)

Attachments

(2 files)

patch and test
6.07 KB, patch
jorendorff
: review+
Details | Diff | Splinter Review
Patch for NSPR
906 bytes, patch
brendan
: review+
Details | Diff | Splinter Review
Curiously enough, strtod accepts "NAN(xxx)" (and is standardized to do so http://www.opengroup.org/onlinepubs/000095399/functions/strtod.html). This means anywhere we call strtod, we accept this syntax as well. More problematically, NAN(xxx) creates a non-canonical qnan with xxx as the payload. This means you can make a double that gets interpreted as some other type and crashes: -parseFloat("NAN(fffffffffffff)") I think the fix is to define No_Hex_Nan in dtoa.c, which turns off this "feature".
This affects WebKit too (crashes Safari 5, Epiphany, Android 2.1) with a slightly different string - 'ffffeeeeeff0f'. Luke thinks this is the security bug Mike Pall vaguely hinted at on Reddit, based on comments in the LuaJIT 2.0 source code.
Whiteboard: webkit version of this bug: rdar://problem/8269822 don't zero day them
(In reply to comment #1) > Luke thinks this is the security bug Mike Pall vaguely hinted at on Reddit, > based on comments in the LuaJIT 2.0 source code. http://www.backtype.com/url/www.reddit.com%252fuser%252fmikemike/comment/00006bbad0001f33b79896da23a0d12d "But they forgot about a few critical details. Unfortunately the Mozilla bug bounty does not apply to development versions. So I guess I have to wait until 4.0 is released before reporting the bugs (verified crash with FF/x86 and FF/x64 for hg 898ab54a0ce9, remote exploitable)."
Note we have at least two copies of dtoa in the tree, so need to make sure both are patched. Why are we filing rdar:// bugs for webkit issues? Shouldn't they be filed as security bugs on bugs.webkit.org?
While our bug bounty FAQ does say we only give bounties for vulnerabilities in currently released versions of Firefox, Firefox Mobile, and Thunderbird, we have been known to offer the bounties for bugs found only on trunk, so what he says isn't completely true...
We should not land a fix for this problem until September 1st, because it could make Android, Safari, and other WebKit users unsafe.
reason: We will be shipping a beta with our new jsval around Sep 1, and do not want this bug in that beta. I can bury the fix in an hg merge, though.
(In reply to comment #3) > > Why are we filing rdar:// bugs for webkit issues? Shouldn't they be filed as > security bugs on bugs.webkit.org? Apple filed the rdar bug. We got in touch over email. Please do not make any further procedural comments in this bug.
blocking2.0: --- → ?
status2.0: --- → ?
Whiteboard: webkit version of this bug: rdar://problem/8269822 don't zero day them → [sg:critical?] webkit version of this bug: rdar://problem/8269822 don't zero day them
Also tracked by http://webkit.org/b/43454
(In reply to comment #3) > Note we have at least two copies of dtoa in the tree, so need to make sure both > are patched. For the record, they are: * ipc/chromium/src/base/third_party/dmg_fp/dtoa.cc * js/src/dtoa.c * nsprpub/pr/src/misc/dtoa.c * nsprpub/pr/src/misc/prdtoa.c
Attached patch patch and testSplinter Review
Instead of defining No_Hex_Nan, the patch just removes the code.
(In reply to comment #9) > (In reply to comment #3) > > Note we have at least two copies of dtoa in the tree, so need to make sure both > > are patched. > > For the record, they are: > * ipc/chromium/src/base/third_party/dmg_fp/dtoa.cc > * js/src/dtoa.c > * nsprpub/pr/src/misc/dtoa.c > * nsprpub/pr/src/misc/prdtoa.c Wouldn't two copies be enough? Usually is. /be
(In reply to comment #9) Bug 584168 is going to canonicalize nans at API boundaries, so, with respect to this bug, there is no problem with these other strtods.
(In reply to comment #9) > * nsprpub/pr/src/misc/dtoa.c This copy is not being used. I added it to archive the pristine upstream dtoa.c source. Luke: NSPR's prdtoa.c doesn't define INFNAN_CHECK: http://mxr.mozilla.org/nspr/ident?i=INFNAN_CHECK Does this mean prdtoa.c is not vulnerable to this bug? Why don't you just define the No_Hex_NaN macro for js/src/dtoa.c? Removing the #ifndef No_Hex_NaN code can make it harder to merge with new versions of dtoa.c.
This code is so dangerous to our encoding that it seems better to remove it entirely than risk the define accidentally disappearing.
blocking2.0: ? → beta5+
Whiteboard: [sg:critical?] webkit version of this bug: rdar://problem/8269822 don't zero day them → [sg:critical] webkit version of this bug: rdar://problem/8269822 don't zero day them
(In reply to comment #6) > reason: We will be shipping a beta with our new jsval around Sep 1, and do not > want this bug in that beta. uh, so this comment is totally wrong. we are going to ship a beta with our new jsvals very soon. we will discuss further tomorrow.
blocking2.0: beta5+ → beta3+
Who's on reviewing this patch?
Thanks for the review. Talked with sayrer about this on IRC. We know that one security researcher (see comment 2) has discovered this independently, but it looks like he wants to hold it back until Firefox 4 is released so he can collect a bounty. While I don't want to speculate (or anyone else to!) in this bug about whether or not such a bounty should be granted anyway, it does mean that the chances of him weaponizing or zero-daying is low. Accordingly, we should be respectful of our browser building colleagues and not zero day them. Rob and I agreed that this should be held until after they've had a chance to address the issue in their shipped products, so moving back to beta5+ - please do not land it until we've got the all clear or it becomes a zero-day issue.
blocking2.0: beta3+ → beta5+
Attachment 462633 [details] [diff] takes care of js/src/dtoa.c, comment #13 takes care of nsprpub/pr/src/misc/dtoa.c and nsprpub/pr/src/misc/prdtoa.c, but what about ipc/chromium/src/base/third_party/dmg_fp/dtoa.cc?
Cc'ing cjones. I hope we are not using that dtoa.cc. If not, can we rm it? /be
We Gecko certainly aren't. The chromium code uses it for string utils, but I can build locally with all that code nuked. Seeing what tryserver has to say about other platforms.
(In reply to comment #4) > While our bug bounty FAQ does say we only give bounties for vulnerabilities > in currently released versions [...], we have been known to offer the > bounties for bugs found only on trunk, so what he says isn't completely true It's not true in any sense, the FAQ explicitly includes nightlies http://www.mozilla.org/security/bug-bounty-faq.html#development-releases
Although the dtoa feature exists on the stable branches, it doesn't appear to be causing us any problems prior to recent JS engine changes.
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Maybe he only saw the main bounty page and not the FAQ? See bug 576166.
(In reply to comment #20) > We Gecko certainly aren't. The chromium code uses it for string utils, but I > can build locally with all that code nuked. Seeing what tryserver has to say > about other platforms. Looks good on tryserver. Spun off bug 584580 on deleting it, as since it's unused there's no security concern.
(In reply to comment #17) > > Accordingly, we should be respectful of our browser building colleagues and not > zero day them. Rob and I agreed that this should be held until after they've > had a chance to address the issue in their shipped products, so moving back to > beta5+ - please do not land it until we've got the all clear or it becomes a > zero-day issue. I will not be so worried about this kind of coordination in the future: http://trac.webkit.org/changeset/64706 Basically any moron with a copy of feedparser.py can figure out that there's a problem, since the checkin includes a testcase and a link to a security bug. No need for creative research around binary diffs or static analysis.
Can we go ahead and land the patch now then?
Whiteboard: [sg:critical] webkit version of this bug: rdar://problem/8269822 don't zero day them → [sg:critical] webkit version of this bug: rdar://problem/8269822
*sigh*, the reference to the crash itself was unintentionally left in by geoff :-/
Oliver: preference/opinion on whether we should continue to hold? I'm assuming that we shouldn't now. If we do respin beta3, we'll probably want to include this. If we land it on mozilla-central, can we also land it on GECKO20b3_20100804_RELBRANCH
We think it can probably be landed if the patch doesn't refer to the crash and security implications, eg. something like geoff's patch sans the remaining "crash" comments - I had wanted something along the lines of "disallow non-standard extensions to float syntax" as our bug, but this is how it goes i guess :-/
blocking2.0: beta5+ → beta3+
Flags: in-testsuite?
http://hg.mozilla.org/tracemonkey/rev/3899c73806fe
Whiteboard: [sg:critical] webkit version of this bug: rdar://problem/8269822 → [sg:critical] fixed-in-tracemonkey webkit version of this bug: rdar://problem/8269822
http://hg.mozilla.org/mozilla-central/rev/34beabb64efd by rsayrer
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
(In reply to comment #28) > If we do respin beta3, we'll probably want to include this. If we land it on > mozilla-central, can we also land it on GECKO20b3_20100804_RELBRANCH http://hg.mozilla.org/mozilla-central/rev/3e2124f5d0d6 for GECKO20b3_20100804_RELBRANCH
Attached patch Patch for NSPRSplinter Review
NSPR doesn't define INFNAN_CHECK, but I added #define No_Hex_NaN anyway so I don't need to worry about this. I checked in the patch on the NSPR trunk (NSPR 4.8.7). Checking in prdtoa.c; /cvsroot/mozilla/nsprpub/pr/src/misc/prdtoa.c,v <-- prdtoa.c new revision: 4.16; previous revision: 4.15 done
Attachment #463762 - Flags: review?(lw)
Comment on attachment 463762 [details] [diff] [review] Patch for NSPR Looks good, but I probably shouldn't be the reviewer for an NSPR patch.
Attachment #463762 - Flags: review?(lw)
Comment on attachment 463762 [details] [diff] [review] Patch for NSPR NSPR and I go way back... /be
Attachment #463762 - Flags: review+
Group: core-security
Blocks: fatvals
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: