Closed
Bug 584252
Opened 14 years ago
Closed 14 years ago
non-canonical qnan coming out of strtod
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | beta3+ |
| status2.0 | --- | ? |
| status1.9.2 | --- | unaffected |
| status1.9.1 | --- | unaffected |
People
(Reporter: luke, Assigned: luke)
References
Details
(Whiteboard: [sg:critical] fixed-in-tracemonkey webkit version of this bug: rdar://problem/8269822)
Attachments
(2 files)
|
6.07 KB,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
|
906 bytes,
patch
|
brendan
:
review+
|
Details | Diff | Splinter Review |
Curiously enough, strtod accepts "NAN(xxx)" (and is standardized to do so http://www.opengroup.org/onlinepubs/000095399/functions/strtod.html). This means anywhere we call strtod, we accept this syntax as well. More problematically, NAN(xxx) creates a non-canonical qnan with xxx as the payload. This means you can make a double that gets interpreted as some other type and crashes: -parseFloat("NAN(fffffffffffff)") I think the fix is to define No_Hex_Nan in dtoa.c, which turns off this "feature".
This affects WebKit too (crashes Safari 5, Epiphany, Android 2.1) with a slightly different string - 'ffffeeeeeff0f'. Luke thinks this is the security bug Mike Pall vaguely hinted at on Reddit, based on comments in the LuaJIT 2.0 source code.
|
||
Updated•14 years ago
|
Whiteboard: webkit version of this bug: rdar://problem/8269822 don't zero day them
|
||
Comment 2•14 years ago
|
||
(In reply to comment #1) > Luke thinks this is the security bug Mike Pall vaguely hinted at on Reddit, > based on comments in the LuaJIT 2.0 source code. http://www.backtype.com/url/www.reddit.com%252fuser%252fmikemike/comment/00006bbad0001f33b79896da23a0d12d "But they forgot about a few critical details. Unfortunately the Mozilla bug bounty does not apply to development versions. So I guess I have to wait until 4.0 is released before reporting the bugs (verified crash with FF/x86 and FF/x64 for hg 898ab54a0ce9, remote exploitable)."
|
|
||
Comment 3•14 years ago
|
||
Note we have at least two copies of dtoa in the tree, so need to make sure both are patched. Why are we filing rdar:// bugs for webkit issues? Shouldn't they be filed as security bugs on bugs.webkit.org?
|
|
||
Comment 4•14 years ago
|
||
While our bug bounty FAQ does say we only give bounties for vulnerabilities in currently released versions of Firefox, Firefox Mobile, and Thunderbird, we have been known to offer the bounties for bugs found only on trunk, so what he says isn't completely true...
|
|
||
Comment 5•14 years ago
|
||
We should not land a fix for this problem until September 1st, because it could make Android, Safari, and other WebKit users unsafe.
|
|
||
Comment 6•14 years ago
|
||
reason: We will be shipping a beta with our new jsval around Sep 1, and do not want this bug in that beta. I can bury the fix in an hg merge, though.
|
|
||
Comment 7•14 years ago
|
||
(In reply to comment #3) > > Why are we filing rdar:// bugs for webkit issues? Shouldn't they be filed as > security bugs on bugs.webkit.org? Apple filed the rdar bug. We got in touch over email. Please do not make any further procedural comments in this bug.
|
|
||
Updated•14 years ago
|
|
||
Comment 8•14 years ago
|
||
Also tracked by http://webkit.org/b/43454
|
|
||
Comment 9•14 years ago
|
||
(In reply to comment #3) > Note we have at least two copies of dtoa in the tree, so need to make sure both > are patched. For the record, they are: * ipc/chromium/src/base/third_party/dmg_fp/dtoa.cc * js/src/dtoa.c * nsprpub/pr/src/misc/dtoa.c * nsprpub/pr/src/misc/prdtoa.c
|
|
||
Updated•14 years ago
|
See Also: → https://bugs.webkit.org/show_bug.cgi?id=43454
|
Assignee | |
Comment 10•14 years ago
|
||
Instead of defining No_Hex_Nan, the patch just removes the code.
|
||
Comment 11•14 years ago
|
||
(In reply to comment #9) > (In reply to comment #3) > > Note we have at least two copies of dtoa in the tree, so need to make sure both > > are patched. > > For the record, they are: > * ipc/chromium/src/base/third_party/dmg_fp/dtoa.cc > * js/src/dtoa.c > * nsprpub/pr/src/misc/dtoa.c > * nsprpub/pr/src/misc/prdtoa.c Wouldn't two copies be enough? Usually is. /be
|
|
Assignee | |
Comment 12•14 years ago
|
||
(In reply to comment #9) Bug 584168 is going to canonicalize nans at API boundaries, so, with respect to this bug, there is no problem with these other strtods.
|
||
Comment 13•14 years ago
|
||
(In reply to comment #9) > * nsprpub/pr/src/misc/dtoa.c This copy is not being used. I added it to archive the pristine upstream dtoa.c source. Luke: NSPR's prdtoa.c doesn't define INFNAN_CHECK: http://mxr.mozilla.org/nspr/ident?i=INFNAN_CHECK Does this mean prdtoa.c is not vulnerable to this bug? Why don't you just define the No_Hex_NaN macro for js/src/dtoa.c? Removing the #ifndef No_Hex_NaN code can make it harder to merge with new versions of dtoa.c.
This code is so dangerous to our encoding that it seems better to remove it entirely than risk the define accidentally disappearing.
|
|
||
Updated•14 years ago
|
blocking2.0: ? → beta5+
|
|
||
Updated•14 years ago
|
Whiteboard: [sg:critical?] webkit version of this bug: rdar://problem/8269822 don't zero day them → [sg:critical] webkit version of this bug: rdar://problem/8269822 don't zero day them
|
|
||
Comment 15•14 years ago
|
||
(In reply to comment #6) > reason: We will be shipping a beta with our new jsval around Sep 1, and do not > want this bug in that beta. uh, so this comment is totally wrong. we are going to ship a beta with our new jsvals very soon. we will discuss further tomorrow.
|
|
||
Updated•14 years ago
|
blocking2.0: beta5+ → beta3+
|
||
Comment 16•14 years ago
|
||
Who's on reviewing this patch?
|
||
Updated•14 years ago
|
Attachment #462633 -
Flags: review+
|
|
||
Comment 17•14 years ago
|
||
Thanks for the review. Talked with sayrer about this on IRC. We know that one security researcher (see comment 2) has discovered this independently, but it looks like he wants to hold it back until Firefox 4 is released so he can collect a bounty. While I don't want to speculate (or anyone else to!) in this bug about whether or not such a bounty should be granted anyway, it does mean that the chances of him weaponizing or zero-daying is low. Accordingly, we should be respectful of our browser building colleagues and not zero day them. Rob and I agreed that this should be held until after they've had a chance to address the issue in their shipped products, so moving back to beta5+ - please do not land it until we've got the all clear or it becomes a zero-day issue.
blocking2.0: beta3+ → beta5+
|
|
||
Comment 18•14 years ago
|
||
Attachment 462633 [details] [diff] takes care of js/src/dtoa.c, comment #13 takes care of nsprpub/pr/src/misc/dtoa.c and nsprpub/pr/src/misc/prdtoa.c, but what about ipc/chromium/src/base/third_party/dmg_fp/dtoa.cc?
|
|
||
Comment 19•14 years ago
|
||
Cc'ing cjones. I hope we are not using that dtoa.cc. If not, can we rm it? /be
We Gecko certainly aren't. The chromium code uses it for string utils, but I can build locally with all that code nuked. Seeing what tryserver has to say about other platforms.
|
||
Comment 21•14 years ago
|
||
(In reply to comment #4) > While our bug bounty FAQ does say we only give bounties for vulnerabilities > in currently released versions [...], we have been known to offer the > bounties for bugs found only on trunk, so what he says isn't completely true It's not true in any sense, the FAQ explicitly includes nightlies http://www.mozilla.org/security/bug-bounty-faq.html#development-releases
|
|
||
Comment 22•14 years ago
|
||
Although the dtoa feature exists on the stable branches, it doesn't appear to be causing us any problems prior to recent JS engine changes.
status1.9.1:
--- → unaffected
status1.9.2:
--- → unaffected
|
||
Comment 23•14 years ago
|
||
Maybe he only saw the main bounty page and not the FAQ? See bug 576166.
(In reply to comment #20) > We Gecko certainly aren't. The chromium code uses it for string utils, but I > can build locally with all that code nuked. Seeing what tryserver has to say > about other platforms. Looks good on tryserver. Spun off bug 584580 on deleting it, as since it's unused there's no security concern.
|
|
||
Comment 25•14 years ago
|
||
(In reply to comment #17) > > Accordingly, we should be respectful of our browser building colleagues and not > zero day them. Rob and I agreed that this should be held until after they've > had a chance to address the issue in their shipped products, so moving back to > beta5+ - please do not land it until we've got the all clear or it becomes a > zero-day issue. I will not be so worried about this kind of coordination in the future: http://trac.webkit.org/changeset/64706 Basically any moron with a copy of feedparser.py can figure out that there's a problem, since the checkin includes a testcase and a link to a security bug. No need for creative research around binary diffs or static analysis.
|
|
||
Comment 26•14 years ago
|
||
Can we go ahead and land the patch now then?
Whiteboard: [sg:critical] webkit version of this bug: rdar://problem/8269822 don't zero day them → [sg:critical] webkit version of this bug: rdar://problem/8269822
|
|
||
Comment 27•14 years ago
|
||
*sigh*, the reference to the crash itself was unintentionally left in by geoff :-/
|
|
||
Comment 28•14 years ago
|
||
Oliver: preference/opinion on whether we should continue to hold? I'm assuming that we shouldn't now. If we do respin beta3, we'll probably want to include this. If we land it on mozilla-central, can we also land it on GECKO20b3_20100804_RELBRANCH
|
|
||
Comment 29•14 years ago
|
||
We think it can probably be landed if the patch doesn't refer to the crash and security implications, eg. something like geoff's patch sans the remaining "crash" comments - I had wanted something along the lines of "disallow non-standard extensions to float syntax" as our bug, but this is how it goes i guess :-/
|
|
||
Updated•14 years ago
|
blocking2.0: beta5+ → beta3+
|
|
||
Updated•14 years ago
|
Flags: in-testsuite?
|
|
Assignee | |
Comment 30•14 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/3899c73806fe
Whiteboard: [sg:critical] webkit version of this bug: rdar://problem/8269822 → [sg:critical] fixed-in-tracemonkey webkit version of this bug: rdar://problem/8269822
|
|
||
Comment 31•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/34beabb64efd by rsayrer
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
|
||
Comment 32•14 years ago
|
||
(In reply to comment #28) > If we do respin beta3, we'll probably want to include this. If we land it on > mozilla-central, can we also land it on GECKO20b3_20100804_RELBRANCH http://hg.mozilla.org/mozilla-central/rev/3e2124f5d0d6 for GECKO20b3_20100804_RELBRANCH
|
|
||
Comment 33•14 years ago
|
||
NSPR doesn't define INFNAN_CHECK, but I added
#define No_Hex_NaN
anyway so I don't need to worry about this.
I checked in the patch on the NSPR trunk (NSPR 4.8.7).
Checking in prdtoa.c;
/cvsroot/mozilla/nsprpub/pr/src/misc/prdtoa.c,v <-- prdtoa.c
new revision: 4.16; previous revision: 4.15
done
Attachment #463762 -
Flags: review?(lw)
|
|
Assignee | |
Comment 34•14 years ago
|
||
Comment on attachment 463762 [details] [diff] [review] Patch for NSPR Looks good, but I probably shouldn't be the reviewer for an NSPR patch.
Attachment #463762 -
Flags: review?(lw)
|
|
||
Comment 35•14 years ago
|
||
Comment on attachment 463762 [details] [diff] [review] Patch for NSPR NSPR and I go way back... /be
Attachment #463762 -
Flags: review+
|
|
||
Updated•13 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•