ASAN: Several xpcshell tests in toolkit/identity trigger use-after-free, involving KeyGenRunnable

RESOLVED FIXED in Firefox 23

Status

defect
--
critical
RESOLVED FIXED
7 years ago
5 months ago

People

(Reporter: decoder, Assigned: bholley)

Tracking

(Blocks 1 bug, {csectype-uaf, sec-high})

Firefox Tracking Flags

(firefox21 unaffected, firefox22 ?, firefox23+ fixed, firefox-esr17 unaffected, b2g18+ fixed, b2g18-v1.0.1 wontfix, b2g-v1.1hd fixed)

Details

(Whiteboard: [asan][asan-test-failure][fixed by bug 850253][adv-main23+])

Attachments

(1 attachment)

Posted file ASan log
In several try runs I've already been observing that tests like

toolkit/identity/tests/unit/test_jwcrypto.js
toolkit/identity/tests/unit/test_relying_party.js
toolkit/identity/tests/unit/test_provisioning.js

cause ASan errors. I was however never able to reproduce it locally. Now I managed to reproduce a failure with the third test locally, using:

taskset -c 0 make -C toolkit/identity/tests/ xpcshell-tests

on an optimized build (mozilla-central 885cde564ff3). Might need to run it multiple times, but maybe the attached symbolized trace already helps to solve this issue.
This looks like it's just the XPCWrappedJS off the main thread bug in different clothing.
For the ASAN failures, how much risk do these ASAN failures pose to FF OS's use of navigator.id from a security perspective?

I'm looking to know if this is worth nominating to block or not.
Flags: needinfo?(choller)
Jed and I stand ready to fix this ... except we don't know how to read these traces. Kyle: can you help us? Is this how we handled wrapped JS objects, or is it in the C++ crypto code we're using?
(In reply to Ben Adida [:benadida] from comment #3)
> Jed and I stand ready to fix this ... except we don't know how to read these
> traces. Kyle: can you help us? Is this how we handled wrapped JS objects, or
> is it in the C++ crypto code we're using?

I think it's the same underlying issue as bug 843923 (which is being fixed in bug 773610) and has nothing to do with identity.
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #4)
> 
> I think it's the same underlying issue as bug 843923 (which is being fixed in
> bug 773610) and has nothing to do with identity.

OK, it looks to me like there is a fix in sight for this, so should we wait and see if that fix also fixes this? Or should we be more aggressive and investigate this further right away?
I think you should just wait and see.
Depends on: 773610
Keywords: sec-high
(In reply to Jason Smith [:jsmith] from comment #2)
> For the ASAN failures, how much risk do these ASAN failures pose to FF OS's
> use of navigator.id from a security perspective?
> 
> I'm looking to know if this is worth nominating to block or not.

Shouldn't block, but you'll eventually want the fix when we have one.
Flags: needinfo?(choller)
Assigning to bholley so he can mark it fixed when bug 772610 lands (assuming that turns out to do the trick).
Assignee: nobody → bobbyholley+bmo
Keywords: csec-uaf
More precisely, it appears that bug 850253 should fix this.
decoder, now that bug 850253 has landed on central, can you make sure that this doesn't happen any more?  Thanks!
Flags: needinfo?(choller)
Several try runs haven't shown the issue anymore, confirming as fixed :)
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(choller)
Resolution: --- → FIXED
No longer depends on: 773610
Whiteboard: [asan][asan-test-failure] → [asan][asan-test-failure][fixed by bug 850253]
Does this need to be fixed on prior branches? I don't think the identity code is enabled anywhere shipping, is it?
oh, b2g18 has this though.
status-b2g18: --- → ?
(In reply to Daniel Veditz [:dveditz] from comment #13)
> oh, b2g18 has this though.

Right. B2G Identity is enabled on b2g18 and b2g18v1.01. Given comment 7 doesn't indicate this is a blocker, I'd suggest nominating the dependency here (bug 850253) for approval b2g18 to uplift this fix.
Whiteboard: [asan][asan-test-failure][fixed by bug 850253] → [asan][asan-test-failure][fixed by bug 850253][adv-main23+]
Group: core-security
Product: Core → Core Graveyard