Closed Bug 798045 (CVE-2012-4191) Opened 12 years ago Closed 12 years ago

crash in mozilla::net::FailDelayManager::Lookup

Categories

(Core :: Networking: WebSockets, defect)

Product:
Core
Component:
Networking: WebSockets
Version:
16 Branch
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla19
Tracking Flags:
Tracking Status
firefox16 + fixed
firefox17 --- fixed
firefox18 --- fixed
firefox19 --- verified
firefox-esr10 --- unaffected

People

(Reporter: scoobidiver, Assigned: jduell.mcbugs)

Details

(5 keywords, Whiteboard: [blocking bug 711793, but see comment 8][qa-])

Crash Data

Attachments

(2 files, 1 obsolete file)

v1
1.11 KB, patch
briansmith
: review+
akeybl
: approval-mozilla-aurora+
akeybl
: approval-mozilla-beta+
akeybl
: approval-mozilla-release+
akeybl
: sec-approval+
Details | Diff | Splinter Review
test v2
1.37 KB, text/html
Details
It's #114 top browser crasher in 16.0b5 and seems to happen only in Beta versions with this signature: 15.0 or 16.0. Signature arena_dalloc_small | je_free | nsACString_internal::`scalar deleting destructor''(unsigned int) More Reports Search UUID c977c9fe-233d-4d8a-a1be-19ea42121004 Date Processed 2012-10-04 19:56:15 Uptime 82347 Last Crash 22.9 hours before submission Install Age 4.4 days since version was first installed. Install Time 2012-06-28 10:56:11 Product Firefox Version 16.0 Build ID 20120925201946 Release Channel beta OS Windows NT OS Version 6.1.7600 Build Architecture x86 Build Architecture Info GenuineIntel family 6 model 42 stepping 7 Crash Reason EXCEPTION_BREAKPOINT Crash Address 0x6e8f01f1 App Notes AdapterVendorID: 0x8086, AdapterDeviceID: 0x0116, AdapterSubsysID: 15ea10cf, AdapterDriverVersion: 8.15.10.2287 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ EMCheckCompatibility True Adapter Vendor ID 0x8086 Adapter Device ID 0x0116 Total Virtual Memory 2147352576 Available Virtual Memory 1357484032 System Memory Use Percentage 54 Available Page File 5218824192 Available Physical Memory 1687126016 Frame Module Signature Source 0 mozglue.dll arena_dalloc_small memory/mozjemalloc/jemalloc.c:4510 1 mozglue.dll je_free memory/mozjemalloc/jemalloc.c:6565 2 xul.dll nsACString_internal::`scalar deleting destructor' 3 xul.dll mozilla::net::FailDelayManager::Lookup netwerk/protocol/websocket/WebSocketChannel.cpp:218 4 xul.dll mozilla::net::FailDelayManager::DelayOrBegin netwerk/protocol/websocket/WebSocketChannel.cpp:229 5 xul.dll mozilla::net::nsWSAdmissionManager::ConditionallyConnect netwerk/protocol/websocket/WebSocketChannel.cpp:339 6 xul.dll mozilla::net::WebSocketChannel::OnLookupComplete netwerk/protocol/websocket/WebSocketChannel.cpp:2217 7 xul.dll `anonymous namespace'::DNSListenerProxy::OnLookupCompleteRunnable::Run netwerk/dns/nsDNSService2.cpp:552 8 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:624 9 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:82 10 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:201 11 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:175 12 xul.dll nsBaseAppShell::Run widget/xpwidgets/nsBaseAppShell.cpp:163 13 xul.dll nsAppShell::Run widget/windows/nsAppShell.cpp:232 14 xul.dll nsAppStartup::Run toolkit/components/startup/nsAppStartup.cpp:257 15 xul.dll XREMain::XRE_mainRun toolkit/xre/nsAppRunner.cpp:3794 16 xul.dll XREMain::XRE_main toolkit/xre/nsAppRunner.cpp:3871 17 xul.dll XRE_main toolkit/xre/nsAppRunner.cpp:3947 18 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:100 19 firefox.exe __tmainCRTStartup crtexe.c:552 20 kernel32.dll BaseThreadInitThunk 21 ntdll.dll __RtlUserThreadStart 22 ntdll.dll _RtlUserThreadStart More reports at: https://crash-stats.mozilla.com/report/list?signature=arena_dalloc_small+|+je_free+|+nsACString_internal%3A%3A%60scalar+deleting+destructor%27%27%28unsigned+int%29
> 2 xul.dll nsACString_internal::`scalar deleting destructor' Do we know how this gets generated (instead of the normal foo.cpp:line# stack trace)? Assuming this is indeed happening in a CString, that would be FailDelay.mAddress. But I don't see any obvious errors in how it's allocated/freed. Do we know of any jemalloc bugs that might be the cause of this?
With combined signatures, it's #15 top browser crasher in 16.0b6. There are no interesting correlations.
Crash Signature: [@ arena_dalloc_small | je_free | nsACString_internal::`scalar deleting destructor''(unsigned int)] → [@ arena_dalloc_small | je_free | nsACString_internal::`scalar deleting destructor''(unsigned int)] [@ nsAString_internal::Finalize()] [@ arena_dalloc_small | je_free | nsAutoString::`scalar deleting destructor''(unsigned int)] [@ memmove | nsTArray_ba…
tracking-firefox16: --- → ?
Keywords: regression, topcrash
Assigning to you for investigation Jason, since this is in WebSockets. Also including Brian, since he landed the two networking changes in FF16b6.
Assignee: nobody → jduell.mcbugs
Group: core-security
bsmith suggests this may be sec-critical
<bsmith> I don't think it is that race. <bsmith> Seems like it gets deleted during static destruction of nsWSAdmissionManager <bsmith> I did notice this: <bsmith> if (fail->mAddress.Equals(address) && fail->mPort == port) { <bsmith> if (outIndex) <bsmith> *outIndex = i; <bsmith> result = fail; <bsmith> } else if (fail->IsExpired(rightNow)) { <bsmith> seems like there shoul be a "break;" after result = fail; <bsmith> Oh, I got it, I think <bsmith> I'm pretty sure that's it <bsmith> We set *outIndex = i; <bsmith> then, later, because we don't break, we delete some entries between 0 and i <bsmith> but, we don't decrease i
I would expect this to crash in line 252/253, not line 218. But, I think the compiler might be inlining this code so that a crash at line 253 is reported as a crash in line 218. See: https://mxr.mozilla.org/mozilla-beta/source/netwerk/protocol/websocket/WebSocketChannel.cpp?rev=6cd5f16a8c3c#216 216 } else if (fail->IsExpired(rightNow)) { 217 mEntries.RemoveElementAt(i); 218 delete fail; 219 } ... https://mxr.mozilla.org/mozilla-beta/source/netwerk/protocol/websocket/WebSocketChannel.cpp?rev=6cd5f16a8c3c#251 251 } else if (fail->IsExpired(rightNow)) { 252 mEntries.RemoveElementAt(failIndex); 253 delete fail; 254 } See also: https://crash-stats.mozilla.com/query/query?product=Firefox&version=ALL%3AALL&range_value=1&range_unit=weeks&date=10%2F08%2F2012+23%3A27%3A41&query_search=signature&query_type=contains&query=DelayOrBegin&reason=&build_id=&process_type=any&hang_type=any&do_query=1 Or, it could be a different problem.
(In reply to Alex Keybl [:akeybl] from comment #4) > bsmith suggests this may be sec-critical This seems likely to have been caused by the patch for bug 711793, which also caused use-after-free bug 771318, which we're planning to release an advisory for. So, if this is exploitable, it is likely as close to (if not) a zero-day, especially if we release that advisory. To avoid drawing even more attention to this code, I avoided adding it as blocking bug 711793 and I avoided mentioning this bug (and adding this comment) in bug 771318, just in case bug 771318 gets opened up.
Whiteboard: [blocking bug 711793, but see comment]
Attached patch v1Splinter Review
Actually crash @ line 218 makes perfect sense here: when Lookup() returns an index for an item that is no longer valid, and it now happens to be off the end of the nsTArray, we only have MOZ_ASSERT checks in RemoveElementAt() so it passes through in release builds and we then try to delete some garbage. Solution as bsmith suggested is to break once Lookup() finds a match. We'll get rid of any expired entries the next time it's called and nothing is found (which is the most common case), so stale entries are not an issue. thanks to bsmith for tracking this down. > Don't we need kung-fu death grip? Good question, but not the bug at hand IMO. I've emailed bsmedberg about whether our sWebsocketAdmissions usage is safe, and will file a bug if not.
Attachment #669347 - Flags: review?(bsmith)
(In reply to Brian Smith (:bsmith) from comment #8) > (In reply to Alex Keybl [:akeybl] from comment #4) > > bsmith suggests this may be sec-critical > > This seems likely to have been caused by the patch for bug 711793, which > also caused use-after-free bug 771318, which we're planning to release an > advisory for. So, if this is exploitable, it is likely as close to (if not) > a zero-day, especially if we release that advisory. bug 771318 is in a roll-up advisory for Abhishek's ASAN bugs. We don't list it or a similar bug by number in the advisory because the issues never shipped in a release, being found and fixed before becoming public.
Attachment #669347 - Flags: review?(bsmith)
Attachment #669347 - Flags: review+
Attachment #669347 - Flags: approval-mozilla-release?
Attachment #669347 - Flags: approval-mozilla-beta?
Attachment #669347 - Flags: approval-mozilla-aurora?
Comment on attachment 669347 [details] [diff] [review] v1 [Security approval request comment] > How easily can the security issue be deduced from the patch? I found the potential out-of-bounds memory access / double-free within 30 minutes, and I am not particularly good at this stuff. > Do comments in the patch, the check-in comment, or tests > included in the patch paint a bulls-eye on the security problem? Review the comment in the patch. > Which older supported branches are affected by this flaw? > If not all supported branches, which bug introduced the flaw? Bug 711793. > Do you have backports for the affected branches? > If not, how different, hard to create, and risky will they be? Should apply easily. > How likely is this patch to cause regressions; how much testing does it need? Very unlikely / not much. > Is there anything we could do to make this sec-approval form better? Yes, please have it automatically formatted like I have done here.
Attachment #669347 - Flags: sec-approval?
https://hg.mozilla.org/integration/mozilla-inbound/rev/f9469bf48ff6 re: exploitability. It's possible to cause this crash by creating several websockets to different host:ports and then delaying the TCP connect process differently per socket at reconnect time. I'm not sure how easy it is to then deterministically exploit the crash.
meh--sorry, still getting used to the sec-approval process.
https://hg.mozilla.org/mozilla-central/rev/f9469bf48ff6
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox16: --- → affected
status-firefox17: --- → affected
status-firefox18: --- → affected
status-firefox19: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
a nit in the comment: "will be be deleted"
Comment on attachment 669347 [details] [diff] [review] v1 [Triage Comment] Since this landed on m-i/m-c already, let's also get this on Aurora/Beta in preparation for possible 16.0.1 inclusion.
Attachment #669347 - Flags: approval-mozilla-beta?
Attachment #669347 - Flags: approval-mozilla-beta+
Attachment #669347 - Flags: approval-mozilla-aurora?
Attachment #669347 - Flags: approval-mozilla-aurora+
Comment on attachment 669347 [details] [diff] [review] v1 [Triage Comment] To help prevent the possibility of a 16.0.2, let's land this fix in 16.0.1. Please land on mozilla-release asap.
Attachment #669347 - Flags: sec-approval?
Attachment #669347 - Flags: sec-approval+
Attachment #669347 - Flags: approval-mozilla-release?
Attachment #669347 - Flags: approval-mozilla-release+
Is there a testcase or steps to reproduce this crash? Given this is being uplifted to release, QA would like to be able to verify it is fixed.
Keywords: steps-wanted, testcase-wanted
Marking as ESR10 unaffected based upon comment 11.
status-firefox-esr10: --- → unaffected
If you have any suggestions on how to test this, please let us know. We'll have Fx16.0.1 builds ready sometime this evening, and any instructions would be helpful.
I'm writing a test for this right now... stay tuned.
Attached file web page that demonstrates issue (obsolete) —
So this webpage (you can either open it as a file or serve it off a webserver) crashes without the patch and is OK with it. Crashes in opt-builds (such as the release) are harder to cause deterministically (in debug mode we hit an assert: in release mode we try to delete off the end of an array and that doesn't always crash), but I'm confident this is catching the cause of the crash. Note that this test takes 70 seconds to run, so I don't think we want to make a mochitest out of it. We're not likely to regress this codepath in this way again, so I think that's ok.
Status: RESOLVED → VERIFIED
Alias: CVE-2012-4191
Keywords: sec-critical
Whiteboard: [blocking bug 711793, but see comment] → [blocking bug 711793, but see comment 8]
I tried Fx16 and Fx16.0.1 builds but neither of them crashed on Windows 7. I tried a Mac nightly debug build where an older version crashed but the latest one didn't. I'm changing the status-firefox16 flag based on this and comment #24.
status-firefox16: fixedverified
I was unable to reproduce a crash with the attached testcase using Firefox 17.0b1#1, 17.0b1#2, 2012-10-10 mozilla-beta debug, 2012-10-09 mozilla-beta debug, and 2012-10-07 mozilla-beta debug builds on Windows 7. Given these results, I don't think we can mark this verified for Firefox 17. If someone else is able to reproduce this more easily, please help by verifying this for Firefox 17.0b1#2, Firefox 18.0a2, and Firefox 19.0a1 builds. That said, I'm not going to block Firefox 17b1's release if this goes unverified. I'm basing this decision on comment 24 and 25.
(In reply to juan becerra [:juanb] from comment #25) > I tried Fx16 and Fx16.0.1 builds but neither of them crashed on Windows 7. So it's not verified.
status-firefox16: verifiedfixed
Attached file test v2
This version has just crashed FF 16 for me on linux 3 out of 6 times. I consider that good enough, given that we have crash reports that point us right at the line number that's failing, a very exact understanding of the bug, and deterministic failure in debug mode.
Attachment #670198 - Attachment is obsolete: true
Unfortunately, I'm still not able to trigger a crash using test v2. I tried Firefox 17.0b1 build 1 on Linux 64-bit and 2012-10-09 mozilla-beta debug (Firefox 17) on Windows 7 32-bit. I tried 7 times on each waiting 2 minutes before reloading the test. Still no crash. I think we are going to have to ship without explicit verification here, trusting Jason's assessment and crash reports as pointed out in comment 29.
Whiteboard: [blocking bug 711793, but see comment 8] → [blocking bug 711793, but see comment 8][qa-]
Followup on comment 5 (which we were wondering might need a separate bug): > Don't we need kung-fu death grip [on sWebSocketAdmissions]? After talking to bsmedberg about this: No, we're guaranteed that since we don't destroy sWebSocketAdmissions until XPCOM shutdown, we can rely on it existing during any XPCOM events that we dispatch. We won't handle any events after shutdown is called.
Group: core-security
I tried to reproduce a crash with attachment from comment 29 on Firefox 16.0 beta 5 with no luck. No crashes also for Firefox 19.0 beta 5 Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0 Build ID: 20130206083616 Crash reports are not showing any crashes with these signatures. Moving this to verified.
status-firefox19: fixedverified
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: