Closed Bug 806031 (CVE-2013-0748) Opened 12 years ago Closed 12 years ago

[FIX] XBL.__proto__.toString is ugly and reveals address space layout

Categories

(Core :: XBL, defect)

Product:
Core
Component:
XBL
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla20
Tracking Flags:
Tracking Status
firefox17 --- wontfix
firefox18 + fixed
firefox19 + fixed
firefox20 + fixed
firefox-esr10 18+ fixed
firefox-esr17 18+ fixed
b2g18 --- fixed

People

(Reporter: jruderman, Assigned: smaug)

References

(Blocks 1 open bug)

Details

(Keywords: sec-high, testcase, Whiteboard: [adv-main18+][adv-esr17+][adv-esr10+])

Attachments

(4 files, 1 obsolete file)

testcase
320 bytes, text/html
Details
less silly assert
6.83 KB, patch
bzbarsky
: review+
akeybl
: approval-mozilla-aurora+
akeybl
: approval-mozilla-beta+
abillings
: sec-approval+
Details | Diff | Splinter Review
esr17
6.77 KB, patch
akeybl
: approval-mozilla-esr17+
Details | Diff | Splinter Review
esr10
6.72 KB, patch
akeybl
: approval-mozilla-esr10+
Details | Diff | Splinter Review
Attached file testcase
Got: [object chrome://xbl-marquee/content/xbl-marquee.xml#marquee a646314] Expected in opt, don't reveal address space info: [object chrome://xbl-marquee/content/xbl-marquee.xml#marquee] Expected in debug, format it properly: [object chrome://xbl-marquee/content/xbl-marquee.xml#marquee @ 0x0a646314] I can't find the code that's doing this. But here's an example of code doing it right: http://mxr.mozilla.org/mozilla-central/source/js/xpconnect/src/XPCWrappedNativeJSOps.cpp#74
Blocks: 806034
The relevant code is nsXBLBinding::DoInitJSClass which does: 1372 // We need to create a unique classname based on aClassName and 1373 // parent_proto. Append a space (an invalid URI character) to ensure that 1374 // we don't have accidental collisions with the case when parent_proto is 1375 // null and aClassName ends in some bizarre numbers (yeah, it's unlikely). 1376 jsid parent_proto_id; 1377 if (!::JS_GetObjectId(cx, parent_proto, &parent_proto_id)) { 1378 // Probably OOM 1379 return NS_ERROR_OUT_OF_MEMORY; 1380 } 1381 1382 // One space, maybe "0x", at most 16 chars (on a 64-bit system) of long, 1383 // and a null-terminator (which PR_snprintf ensures is there even if the 1384 // string representation of what we're printing does not fit in the buffer 1385 // provided). 1386 char buf[20]; 1387 PR_snprintf(buf, sizeof(buf), " %lx", parent_proto_id); 1388 className.Append(buf); and then uses that as the .name of the JSClass, so it gets picked up by toString. JS_GetObjectId seems to use the object pointer. :(
What we really want is a fast one-way hash of the parent_proto_id... ;)
(In reply to Boris Zbarsky (:bz) from comment #2) > What we really want is a fast one-way hash of the parent_proto_id... ;) Does the result of the hash need to be guaranteed unique?
I suspect so, yes. At least on a per-window basis... But we have a hashtable with those strings as keys (which is why they need to be unique). We could just do a lookup after hashing and if we get a hit iterate the hash, no?
What we did for the XSLT generate-id() function (which also needs to generate per-document unique identifiers) is that we simply output ((uintptr_t)node) - ((uintptr_t)node->GetOwnerDoc->GetWindow()) Would that work here?
Hmm. This hashtable is cross-window, but there might be no real hits in it across windows because the protos would be different... Looking at this more, we might be able to just not store this string the JSClass .name at all, and put it directly on nsXBLJSClass instead.
Can someone suggest a security rating for this issue?
Hi Al. dveditz and I have been arguing in about that (e.g. in bug 806034).
Well, I'll mark this sec-high, and somebody can change it if they want.
Keywords: sec-high
IMO sec-high should be assigned to someone. Taking.
Assignee: nobody → bugs
So to keep the old behavior as much as possible, couldn't we store binding name + 64bit id as class name, and store the current binding name + parent_proto_id in nsXBLService::gClassTable. I think also comment 6 hints about that.
Attached patch minimal patch? (obsolete) — Splinter Review
To not reveal address space, reveal only an id. Boris, what do you think of this conservative approach? nsXBLBinding::DoInitJSClass could certainly be cleaned up a bit, but I tried to keep the changes minimal. I explicitly decided to not have any special classname for DEBUG. Also, as far as I see PR_snprintf usage is currently wrong on 64bit.
Attachment #690347 - Flags: review?(bzbarsky)
oh, fun. Static assert fires on 32bit.
Ah, silly me. that assertion is just wrong.
Attachment #690347 - Attachment is obsolete: true
Attachment #690347 - Flags: review?(bzbarsky)
Attachment #690354 - Flags: review?(bzbarsky)
Comment on attachment 690354 [details] [diff] [review] less silly assert r=me
Attachment #690354 - Flags: review?(bzbarsky) → review+
Comment on attachment 690354 [details] [diff] [review] less silly assert [Security approval request comment] How easily can the security issue be deduced from the patch? The issue perhaps easily, but it isn't a security problem without having some other security bug. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? Not really. The comment will about having better toString for XBL classes. Which older supported branches are affected by this flaw? All Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? The patch should apply to all the branches with some minor merging. The code is _old_. How likely is this patch to cause regressions; how much testing does it need? I tried to take the most conservative approach - I don't expect regressions.
Attachment #690354 - Flags: sec-approval?
Summary: XBL.__proto__.toString is ugly and reveals address space layout → [FIX] XBL.__proto__.toString is ugly and reveals address space layout
Attachment #690354 - Flags: sec-approval? → sec-approval+
https://hg.mozilla.org/mozilla-central/rev/718145f0d606
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment on attachment 690354 [details] [diff] [review] less silly assert [Approval Request Comment] Bug caused by (feature/regressing bug #): No bug, but XBL class sharing from year 2000 User impact if declined: See bug 806034 Testing completed (on m-c, etc.): just landed m-c Risk to taking this patch (and alternatives if risky): Shouldn't be too risky String or UUID changes made by this patch: NA
Attachment #690354 - Flags: approval-mozilla-beta?
Attachment #690354 - Flags: approval-mozilla-aurora?
Comment on attachment 690354 [details] [diff] [review] less silly assert This will first land in beta 5, which should be manageable.
Attachment #690354 - Flags: approval-mozilla-beta?
Attachment #690354 - Flags: approval-mozilla-beta+
Attachment #690354 - Flags: approval-mozilla-aurora?
Attachment #690354 - Flags: approval-mozilla-aurora+
Attached patch esr17Splinter Review
See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #692532 - Flags: approval-mozilla-esr17?
Comment on attachment 692532 [details] [diff] [review] esr17 approving for uplift to go along with ff18 (please land once this is also uplifted to mozilla-beta).
Attachment #692532 - Flags: approval-mozilla-esr17? → approval-mozilla-esr17+
Comment on attachment 690354 [details] [diff] [review] less silly assert Since this didn't make it into beta 5, we'll review the necessity of the fix for this internally reported bug during tomorrow's security triage.
Attachment #690354 - Flags: approval-mozilla-beta?
Attachment #690354 - Flags: approval-mozilla-beta+
Attachment #690354 - Flags: approval-mozilla-aurora?
Attachment #690354 - Flags: approval-mozilla-aurora+
Attachment #692532 - Flags: approval-mozilla-esr17+ → approval-mozilla-esr17?
Alex, I'd already landed this on all the branches and mid-aired with you updating the bug. How would you like me to proceed? https://hg.mozilla.org/releases/mozilla-aurora/rev/e65cdbf38911 https://hg.mozilla.org/releases/mozilla-beta/rev/82e323659c9d https://hg.mozilla.org/releases/mozilla-esr17/rev/f579c9a6d8f2
status-firefox17: affectedwontfix
status-firefox18: affectedfixed
status-firefox19: affectedfixed
status-firefox-esr17: affectedfixed
Flags: in-testsuite?
Target Milestone: --- → mozilla20
Comment on attachment 690354 [details] [diff] [review] less silly assert We'll leave this one in the build, given the fact that it's low risk and is exposed on pre-release branches. Fingers crossed :)
Attachment #690354 - Flags: approval-mozilla-beta?
Attachment #690354 - Flags: approval-mozilla-beta+
Attachment #690354 - Flags: approval-mozilla-aurora?
Attachment #690354 - Flags: approval-mozilla-aurora+
Attachment #692532 - Flags: approval-mozilla-esr17? → approval-mozilla-esr17+
We still need a patch for ESR10 here. Olli?
Uh, I can't keep track on my security bugs :/ I'll write esr10 patch tomorrow.
Attached patch esr10Splinter Review
I was told try may not work too well with esr10 anymore, so crossing fingers. The only changes to esr17 patch are merging + one nullptr -> nsnull.
Attachment #694801 - Flags: approval-mozilla-esr10?
Attachment #694801 - Flags: approval-mozilla-esr10? → approval-mozilla-esr10+
Whiteboard: [adv-main18+][adv-esr17+][adv-esr10+]
Alias: CVE-2013-0748
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: