Closed Bug 935499 Opened 11 years ago Closed 11 years ago

accessing short IDN causes Firefox crash

Categories

(Core :: Networking, defect)

Product:
Core
Component:
Networking
Platform:
x86_64
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla28
Tracking Flags:
Tracking Status
firefox25 --- wontfix
firefox26 + verified
firefox27 + verified
firefox28 + verified
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.1hd --- ?
b2g-v1.2 --- fixed

People

(Reporter: m_kato, Assigned: m_kato)

References

Details

(Keywords: csectype-dos, regression, sec-other, Whiteboard: [adv-main26-])

Crash Data

Attachments

(3 files, 1 obsolete file)

v2
2.01 KB, patch
mayhemer
: review+
abillings
: sec-approval+
Details | Diff | Splinter Review
for Aurora/Beta
1.84 KB, patch
lsblakk
: approval-mozilla-aurora+
lsblakk
: approval-mozilla-beta+
Details | Diff | Splinter Review
for beta
1.94 KB, patch
Details | Diff | Splinter Review
Repro Step ========== 1 Acess http://xn--?-jju/ (or browse firefox this bug entry) Crash ID ======== bp-dbcbfad2-12ba-4596-b27e-c99fc2131106
Crash Signature: [@ punycode_decode]
Comment on attachment 828539 [details] [diff] [review] IsACE should return false if too short ># HG changeset patch ># Parent f48aa69ea925895e66dd84178e01987f7d054cc8 >Bug 935499. try: -b do -p all -u all -t none > >diff --git a/netwerk/dns/nsIDNService.cpp b/netwerk/dns/nsIDNService.cpp >--- a/netwerk/dns/nsIDNService.cpp >+++ b/netwerk/dns/nsIDNService.cpp >@@ -265,16 +265,22 @@ nsresult nsIDNService::ACEtoUTF8(const n > } > > return NS_OK; > } > > /* boolean isACE(in ACString input); */ > NS_IMETHODIMP nsIDNService::IsACE(const nsACString & input, bool *_retval) > { >+ if (input.Length() <= 4) { >+ // input string is too short for ACE/RACE >+ *_retval = false; >+ return NS_OK; >+ } >+ > nsACString::const_iterator begin; > input.BeginReading(begin); > > const char *data = begin.get(); > uint32_t dataLen = begin.size_forward(); > > // look for the ACE prefix in the input string. it may occur > // at the beginning of any segment in the domain name. for >diff --git a/netwerk/test/unit/test_bug935499.js b/netwerk/test/unit/test_bug935499.js >new file mode 100644 >--- /dev/null >+++ b/netwerk/test/unit/test_bug935499.js >@@ -0,0 +1,8 @@ >+function run_test() { >+ var idnService = Cc["@mozilla.org/network/idn-service;1"] >+ .getService(Ci.nsIIDNService); >+ >+ // don't crash xn-- IDN >+ var isASCII = {}; >+ do_check_eq(idnService.convertToDisplayIDN("xn--", isASCII), "xn--"); >+} >diff --git a/netwerk/test/unit/xpcshell.ini b/netwerk/test/unit/xpcshell.ini >--- a/netwerk/test/unit/xpcshell.ini >+++ b/netwerk/test/unit/xpcshell.ini >@@ -159,16 +159,17 @@ skip-if = os == "android" > [test_bug669001.js] > # Bug 675039: intermittent fail on Android-armv6 > skip-if = os == "android" > [test_bug712914_secinfo_validation.js] > [test_bug770243.js] > [test_bug894586.js] > # Allocating 4GB might actually succeed on 64 bit machines > skip-if = bits != 32 >+[test_bug935499.js] > [test_doomentry.js] > [test_cacheflags.js] > # Bug 675039: intermittent fail on Android-armv6 > skip-if = os == "android" > [test_cache_jar.js] > [test_channel_close.js] > [test_compareURIs.js] > [test_compressappend.js]
Attachment #828539 - Attachment is patch: true
Comment on attachment 828539 [details] [diff] [review] IsACE should return false if too short Current code passes length = 0 to punycode_decode, so Gecko will crash.
Attachment #828539 - Flags: review?(honzab.moz)
Assignee: nobody → m_kato
Blocks: 898221
Keywords: regression
No longer blocks: 898221
Depends on: 898221
Definitely the problem had been introduced with this changeset: http://hg.mozilla.org/mozilla-central/rev/515d75612e53 It actually contains a classic security bug... You apparently cannot do |j = input_length - 1| and then operate on |input[j]| w/o verifying that input_length is >= 1. The fix has to be there IMO, however Makoto's patch is probably correct too. Rather hiding this bug as a precaution. At least this is a bug allowing application crash on bad memory access at any time just by referring e.g. an image in bad address. No idea what happens when the *(input-1) memory is valid and we continue executing the code after the scan loop with a random value of |b|.
Group: core-security
dup of 935499?
(In reply to Patrick McManus [:mcmanus] from comment #5) > dup of 935499? It's this bug ;)
(In reply to Honza Bambas (:mayhemer) from comment #4) > Definitely the problem had been introduced with this changeset: > > http://hg.mozilla.org/mozilla-central/rev/515d75612e53 > > It actually contains a classic security bug... > > You apparently cannot do |j = input_length - 1| and then operate on > |input[j]| w/o verifying that input_length is >= 1. "j" should be a signed value, not unsigned "punycode_uint". Once "input_length" is 0, "j" becomes -1, or largest value "punycode_uint" can hold.
Comment on attachment 828539 [details] [diff] [review] IsACE should return false if too short Review of attachment 828539 [details] [diff] [review]: ----------------------------------------------------------------- Sorry, not the correct place to fix this bug IMO. See my earlier comments on a proposed fix. If there is a reason to add this one patch, then please add more explanatory comments (at least to the bug) why we should be taking it in. We should move forward with this bug, it's kinda critical... r-
Attachment #828539 - Flags: review?(honzab.moz) → review-
Attached patch v2Splinter Review
Even if not landing bug 898221, new test case (test_bug935499.js) for this bug will hit the assertion by "ASCII label in IDN checking" in nsIDNService::isLabelSafe(). So I think punycode_decode() should returns error if input_length == 0.
Attachment #828539 - Attachment is obsolete: true
Attachment #831427 - Flags: review?(honzab.moz)
Why is this crashing some people, but not me on a nightly? A crashing bug comment is not a good approach if you actually want that bug to be fixed, please put crashing things in attachment testcases in the future.
Blocks: 898221
No longer depends on: 898221
Keywords: sec-high
Comment on attachment 831427 [details] [diff] [review] v2 Review of attachment 831427 [details] [diff] [review]: ----------------------------------------------------------------- r=honzab thanks. this according mxr examination has the same affect as the first patch, but is on the right place.
Attachment #831427 - Flags: review?(honzab.moz) → review+
https://hg.mozilla.org/mozilla-central/rev/5dd82c64f4b7
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Attached patch for Aurora/BetaSplinter Review
[Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 898221 User impact if declined: If html has link of http:// xn-- / or access to it, Firefox will crash Testing completed (on m-c, etc.): landed in m-c. Also added test case Risk to taking this patch (and alternatives if risky): low. just check length of IDN. String or IDL/UUID changes made by this patch: no
Attachment #8333613 - Flags: approval-mozilla-beta?
Attachment #8333613 - Flags: approval-mozilla-aurora?
Please follow the procedure at https://wiki.mozilla.org/Security/Bug_Approval_Process. AFAICT, this patch should not have landed without sec-approval+.
Flags: needinfo?(m_kato)
(In reply to Brian Smith (:briansmith, was :bsmith; Please NEEDINFO? me if you want a response) from comment #16) > Please follow the procedure at > https://wiki.mozilla.org/Security/Bug_Approval_Process. AFAICT, this patch > should not have landed without sec-approval+. I'm sorry. I don't know this page, so I will follow it next.
Flags: needinfo?(m_kato)
Comment on attachment 8333613 [details] [diff] [review] for Aurora/Beta Well since it did already land to central we'd better take it on branches. And for what it's worth, my Firefox is currently unusable for bug triage because I keep crashing on this very bug.
Attachment #8333613 - Flags: approval-mozilla-beta?
Attachment #8333613 - Flags: approval-mozilla-beta+
Attachment #8333613 - Flags: approval-mozilla-aurora?
Attachment #8333613 - Flags: approval-mozilla-aurora+
Comment on attachment 831427 [details] [diff] [review] v2 I'm editing this bug in Chrome. I hate this bug. Since we just potentially pwned ourselves by checking it in, I'll go ahead and give retroactive approval. Let's try not to do this. :-) It would be nice if someone actually answered the sec-approval template questions since they help with writing advisories and such.
Attachment #831427 - Flags: sec-approval? → sec-approval+
(In reply to Al Billings [:abillings] from comment #19) > Comment on attachment 831427 [details] [diff] [review] > v2 > > I'm editing this bug in Chrome. I hate this bug. setting about:config network.IDN_show_punycode to true seemed to let me see this bug without crashing. fwiw.
(In reply to Al Billings [:abillings] from comment #19) > It would be nice if someone actually answered the sec-approval template > questions since they help with writing advisories and such. Kato-san, please set the sec-approval flag on the aurora/beta patch to ?. This should cause a template of questions to come up. Please answer those questions as best as you can. Thanks!
Flags: needinfo?(m_kato)
(In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #21) > https://hg.mozilla.org/releases/mozilla-beta/rev/a14c36a25b92 Looks like this broke an xpcshell test on beta: https://tbpl.mozilla.org/php/getParsedLog.php?id=30727813&tree=Mozilla-Beta I don't have a clone of beta handy to back this out, though.
Comment on attachment 8333613 [details] [diff] [review] for Aurora/Beta [Security approval request comment] How easily could an exploit be constructed based on the patch? This causes crash by HTML. Firefox for OSX/Linux x86-64 will crash by opening this bug entry. When using http:// xn-- / (remove space), punycode_decode reads out of range memory. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? user can make crash. Which older supported branches are affected by this flaw? Release, Beta and Aurora. If not all supported branches, which bug introduced the flaw? N/A Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Yes. But I need update unit test for beta. How likely is this patch to cause regressions; how much testing does it need? No. since this affects xn-- punycode only, I added unit test
Attachment #8333613 - Flags: sec-approval?
Flags: needinfo?(m_kato)
ah(In reply to Wes Kocher (:KWierso) from comment #23) > (In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #21) > > https://hg.mozilla.org/releases/mozilla-beta/rev/a14c36a25b92 > > Looks like this broke an xpcshell test on beta: > https://tbpl.mozilla.org/php/getParsedLog.php?id=30727813&tree=Mozilla-Beta > > I don't have a clone of beta handy to back this out, though. I need update unit test for Cc is undefined...
Attached patch for betaSplinter Review
Comment on attachment 8334413 [details] [diff] [review] for beta unit test for Beta needs Cc/Ci define.
Attachment #8334413 - Flags: review?(honzab.moz)
Comment on attachment 8334413 [details] [diff] [review] for beta Given that I would have pushed this change as a trivial test-only bustage fix had I been around to do so, I don't think this needs re-review. https://hg.mozilla.org/releases/mozilla-beta/rev/5ebf49f88efe
Attachment #8334413 - Flags: review?(honzab.moz)
I couldn't reproduce this issue on buggy Firefox 25 and 26 builds on Windows 7 64bit. It did reproduce on Ubuntu 12.10 64bit though, so I also verified it on this OS: I can't reproduce the crash anymore on the 11/19 Aurora and 11/18 Nightly. The same crash still happens on Firefox 26.0b6: https://crash-stats.mozilla.com/report/index/4fcdd848-8ee6-4d44-97de-e1dc22131119
status-firefox27: fixedverified
status-firefox28: fixedverified
QA Contact: ioana.budnar
Attachment #8333613 - Flags: sec-approval?
Per comment 7 / 9, b2g18 isn't affected. The bug was introduced in end of July so b2g1.1 may be affected, though this was a won't fix for Fx25
status-b2g18: --- → unaffected
status-b2g-v1.1hd: --- → ?
Confirmed crash on FF26, 27 and 28, 2013-11-13. Verified fixed on FF26, 27 and 28, 2013-11-21.
status-firefox26: fixedverified
status-firefox27: fixedverified
status-firefox28: fixedverified
Whiteboard: [adv-main26+]
Alias: CVE-2013-5617
Alias: CVE-2013-5617
Keywords: sec-highcsectype-dos, sec-other
Whiteboard: [adv-main26+] → [adv-main26-]
Status: RESOLVED → VERIFIED
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: