Closed
Bug 935499
Opened 11 years ago
Closed 11 years ago
accessing short IDN causes Firefox crash
Categories
(Core :: Networking, defect)
Tracking
()
VERIFIED
FIXED
mozilla28
People
(Reporter: m_kato, Assigned: m_kato)
References
Details
(Keywords: csectype-dos, regression, sec-other, Whiteboard: [adv-main26-])
Crash Data
Attachments
(3 files, 1 obsolete file)
2.01 KB,
patch
|
mayhemer
:
review+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
1.84 KB,
patch
|
lsblakk
:
approval-mozilla-aurora+
lsblakk
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
1.94 KB,
patch
|
Details | Diff | Splinter Review |
Repro Step
==========
1 Acess http://xn--?-jju/ (or browse firefox this bug entry)
Crash ID
========
bp-dbcbfad2-12ba-4596-b27e-c99fc2131106
Assignee | ||
Updated•11 years ago
|
Crash Signature: [@ punycode_decode]
Assignee | ||
Comment 1•11 years ago
|
||
Assignee | ||
Comment 2•11 years ago
|
||
Comment on attachment 828539 [details] [diff] [review]
IsACE should return false if too short
># HG changeset patch
># Parent f48aa69ea925895e66dd84178e01987f7d054cc8
>Bug 935499. try: -b do -p all -u all -t none
>
>diff --git a/netwerk/dns/nsIDNService.cpp b/netwerk/dns/nsIDNService.cpp
>--- a/netwerk/dns/nsIDNService.cpp
>+++ b/netwerk/dns/nsIDNService.cpp
>@@ -265,16 +265,22 @@ nsresult nsIDNService::ACEtoUTF8(const n
> }
>
> return NS_OK;
> }
>
> /* boolean isACE(in ACString input); */
> NS_IMETHODIMP nsIDNService::IsACE(const nsACString & input, bool *_retval)
> {
>+ if (input.Length() <= 4) {
>+ // input string is too short for ACE/RACE
>+ *_retval = false;
>+ return NS_OK;
>+ }
>+
> nsACString::const_iterator begin;
> input.BeginReading(begin);
>
> const char *data = begin.get();
> uint32_t dataLen = begin.size_forward();
>
> // look for the ACE prefix in the input string. it may occur
> // at the beginning of any segment in the domain name. for
>diff --git a/netwerk/test/unit/test_bug935499.js b/netwerk/test/unit/test_bug935499.js
>new file mode 100644
>--- /dev/null
>+++ b/netwerk/test/unit/test_bug935499.js
>@@ -0,0 +1,8 @@
>+function run_test() {
>+ var idnService = Cc["@mozilla.org/network/idn-service;1"]
>+ .getService(Ci.nsIIDNService);
>+
>+ // don't crash xn-- IDN
>+ var isASCII = {};
>+ do_check_eq(idnService.convertToDisplayIDN("xn--", isASCII), "xn--");
>+}
>diff --git a/netwerk/test/unit/xpcshell.ini b/netwerk/test/unit/xpcshell.ini
>--- a/netwerk/test/unit/xpcshell.ini
>+++ b/netwerk/test/unit/xpcshell.ini
>@@ -159,16 +159,17 @@ skip-if = os == "android"
> [test_bug669001.js]
> # Bug 675039: intermittent fail on Android-armv6
> skip-if = os == "android"
> [test_bug712914_secinfo_validation.js]
> [test_bug770243.js]
> [test_bug894586.js]
> # Allocating 4GB might actually succeed on 64 bit machines
> skip-if = bits != 32
>+[test_bug935499.js]
> [test_doomentry.js]
> [test_cacheflags.js]
> # Bug 675039: intermittent fail on Android-armv6
> skip-if = os == "android"
> [test_cache_jar.js]
> [test_channel_close.js]
> [test_compareURIs.js]
> [test_compressappend.js]
Attachment #828539 -
Attachment is patch: true
Assignee | ||
Comment 3•11 years ago
|
||
Comment on attachment 828539 [details] [diff] [review]
IsACE should return false if too short
Current code passes length = 0 to punycode_decode, so Gecko will crash.
Attachment #828539 -
Flags: review?(honzab.moz)
Assignee | ||
Updated•11 years ago
|
Assignee: nobody → m_kato
Assignee | ||
Updated•11 years ago
|
Blocks: 898221
Keywords: regression
Assignee | ||
Updated•11 years ago
|
Comment 4•11 years ago
|
||
Definitely the problem had been introduced with this changeset:
http://hg.mozilla.org/mozilla-central/rev/515d75612e53
It actually contains a classic security bug...
You apparently cannot do |j = input_length - 1| and then operate on |input[j]| w/o verifying that input_length is >= 1.
The fix has to be there IMO, however Makoto's patch is probably correct too.
Rather hiding this bug as a precaution. At least this is a bug allowing application crash on bad memory access at any time just by referring e.g. an image in bad address. No idea what happens when the *(input-1) memory is valid and we continue executing the code after the scan loop with a random value of |b|.
Group: core-security
Comment 5•11 years ago
|
||
dup of 935499?
Comment 6•11 years ago
|
||
(In reply to Patrick McManus [:mcmanus] from comment #5)
> dup of 935499?
It's this bug ;)
(In reply to Honza Bambas (:mayhemer) from comment #4)
> Definitely the problem had been introduced with this changeset:
>
> http://hg.mozilla.org/mozilla-central/rev/515d75612e53
>
> It actually contains a classic security bug...
>
> You apparently cannot do |j = input_length - 1| and then operate on
> |input[j]| w/o verifying that input_length is >= 1.
"j" should be a signed value, not unsigned "punycode_uint".
Once "input_length" is 0, "j" becomes -1, or largest value "punycode_uint" can hold.
Comment 8•11 years ago
|
||
Comment on attachment 828539 [details] [diff] [review]
IsACE should return false if too short
Review of attachment 828539 [details] [diff] [review]:
-----------------------------------------------------------------
Sorry, not the correct place to fix this bug IMO. See my earlier comments on a proposed fix. If there is a reason to add this one patch, then please add more explanatory comments (at least to the bug) why we should be taking it in.
We should move forward with this bug, it's kinda critical...
r-
Attachment #828539 -
Flags: review?(honzab.moz) → review-
Comment 9•11 years ago
|
||
introduced in ff25
status-firefox25:
--- → affected
status-firefox26:
--- → affected
status-firefox27:
--- → affected
status-firefox28:
--- → affected
status-firefox-esr24:
--- → unaffected
tracking-firefox26:
--- → ?
tracking-firefox27:
--- → ?
tracking-firefox28:
--- → ?
Assignee | ||
Comment 10•11 years ago
|
||
Even if not landing bug 898221, new test case (test_bug935499.js) for this bug will hit the assertion by "ASCII label in IDN checking" in nsIDNService::isLabelSafe(). So I think punycode_decode() should returns error if input_length == 0.
Attachment #828539 -
Attachment is obsolete: true
Attachment #831427 -
Flags: review?(honzab.moz)
Comment 11•11 years ago
|
||
Why is this crashing some people, but not me on a nightly?
A crashing bug comment is not a good approach if you actually want that bug to be fixed, please put crashing things in attachment testcases in the future.
Comment 12•11 years ago
|
||
Comment on attachment 831427 [details] [diff] [review]
v2
Review of attachment 831427 [details] [diff] [review]:
-----------------------------------------------------------------
r=honzab
thanks. this according mxr examination has the same affect as the first patch, but is on the right place.
Attachment #831427 -
Flags: review?(honzab.moz) → review+
Assignee | ||
Comment 13•11 years ago
|
||
Target Milestone: --- → mozilla28
Assignee | ||
Comment 14•11 years ago
|
||
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 15•11 years ago
|
||
[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 898221
User impact if declined: If html has link of http:// xn-- / or access to it, Firefox will crash
Testing completed (on m-c, etc.): landed in m-c. Also added test case
Risk to taking this patch (and alternatives if risky): low. just check length of IDN.
String or IDL/UUID changes made by this patch: no
Attachment #8333613 -
Flags: approval-mozilla-beta?
Attachment #8333613 -
Flags: approval-mozilla-aurora?
Updated•11 years ago
|
Attachment #831427 -
Flags: sec-approval?
Comment 16•11 years ago
|
||
Please follow the procedure at https://wiki.mozilla.org/Security/Bug_Approval_Process. AFAICT, this patch should not have landed without sec-approval+.
Flags: needinfo?(m_kato)
Assignee | ||
Comment 17•11 years ago
|
||
(In reply to Brian Smith (:briansmith, was :bsmith; Please NEEDINFO? me if you want a response) from comment #16)
> Please follow the procedure at
> https://wiki.mozilla.org/Security/Bug_Approval_Process. AFAICT, this patch
> should not have landed without sec-approval+.
I'm sorry. I don't know this page, so I will follow it next.
Flags: needinfo?(m_kato)
Comment 18•11 years ago
|
||
Comment on attachment 8333613 [details] [diff] [review]
for Aurora/Beta
Well since it did already land to central we'd better take it on branches. And for what it's worth, my Firefox is currently unusable for bug triage because I keep crashing on this very bug.
Attachment #8333613 -
Flags: approval-mozilla-beta?
Attachment #8333613 -
Flags: approval-mozilla-beta+
Attachment #8333613 -
Flags: approval-mozilla-aurora?
Attachment #8333613 -
Flags: approval-mozilla-aurora+
Updated•11 years ago
|
Comment 19•11 years ago
|
||
Comment on attachment 831427 [details] [diff] [review]
v2
I'm editing this bug in Chrome. I hate this bug.
Since we just potentially pwned ourselves by checking it in, I'll go ahead and give retroactive approval. Let's try not to do this. :-)
It would be nice if someone actually answered the sec-approval template questions since they help with writing advisories and such.
Attachment #831427 -
Flags: sec-approval? → sec-approval+
Comment 20•11 years ago
|
||
(In reply to Al Billings [:abillings] from comment #19)
> Comment on attachment 831427 [details] [diff] [review]
> v2
>
> I'm editing this bug in Chrome. I hate this bug.
setting about:config network.IDN_show_punycode to true seemed to let me see this bug without crashing. fwiw.
Comment 21•11 years ago
|
||
Comment 22•11 years ago
|
||
(In reply to Al Billings [:abillings] from comment #19)
> It would be nice if someone actually answered the sec-approval template
> questions since they help with writing advisories and such.
Kato-san, please set the sec-approval flag on the aurora/beta patch to ?. This should cause a template of questions to come up. Please answer those questions as best as you can. Thanks!
Flags: needinfo?(m_kato)
(In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #21)
> https://hg.mozilla.org/releases/mozilla-beta/rev/a14c36a25b92
Looks like this broke an xpcshell test on beta: https://tbpl.mozilla.org/php/getParsedLog.php?id=30727813&tree=Mozilla-Beta
I don't have a clone of beta handy to back this out, though.
rnewman backed it out in https://hg.mozilla.org/releases/mozilla-beta/rev/266f8698dbb8
Updated•11 years ago
|
Assignee | ||
Comment 25•11 years ago
|
||
Comment on attachment 8333613 [details] [diff] [review]
for Aurora/Beta
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
This causes crash by HTML. Firefox for OSX/Linux x86-64 will crash by opening this bug entry.
When using http:// xn-- / (remove space), punycode_decode reads out of range memory.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
user can make crash.
Which older supported branches are affected by this flaw?
Release, Beta and Aurora.
If not all supported branches, which bug introduced the flaw?
N/A
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Yes. But I need update unit test for beta.
How likely is this patch to cause regressions; how much testing does it need?
No. since this affects xn-- punycode only, I added unit test
Attachment #8333613 -
Flags: sec-approval?
Assignee | ||
Updated•11 years ago
|
Flags: needinfo?(m_kato)
Assignee | ||
Comment 26•11 years ago
|
||
ah(In reply to Wes Kocher (:KWierso) from comment #23)
> (In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #21)
> > https://hg.mozilla.org/releases/mozilla-beta/rev/a14c36a25b92
>
> Looks like this broke an xpcshell test on beta:
> https://tbpl.mozilla.org/php/getParsedLog.php?id=30727813&tree=Mozilla-Beta
>
> I don't have a clone of beta handy to back this out, though.
I need update unit test for Cc is undefined...
Assignee | ||
Comment 27•11 years ago
|
||
Assignee | ||
Comment 28•11 years ago
|
||
Comment on attachment 8334413 [details] [diff] [review]
for beta
unit test for Beta needs Cc/Ci define.
Attachment #8334413 -
Flags: review?(honzab.moz)
Comment 29•11 years ago
|
||
Comment on attachment 8334413 [details] [diff] [review]
for beta
Given that I would have pushed this change as a trivial test-only bustage fix had I been around to do so, I don't think this needs re-review.
https://hg.mozilla.org/releases/mozilla-beta/rev/5ebf49f88efe
Attachment #8334413 -
Flags: review?(honzab.moz)
Updated•11 years ago
|
Comment 30•11 years ago
|
||
I couldn't reproduce this issue on buggy Firefox 25 and 26 builds on Windows 7 64bit. It did reproduce on Ubuntu 12.10 64bit though, so I also verified it on this OS:
I can't reproduce the crash anymore on the 11/19 Aurora and 11/18 Nightly.
The same crash still happens on Firefox 26.0b6: https://crash-stats.mozilla.com/report/index/4fcdd848-8ee6-4d44-97de-e1dc22131119
Updated•11 years ago
|
Attachment #8333613 -
Flags: sec-approval?
Comment 31•11 years ago
|
||
status-b2g-v1.2:
--- → fixed
Comment 33•11 years ago
|
||
Per comment 7 / 9, b2g18 isn't affected. The bug was introduced in end of July so b2g1.1 may be affected, though this was a won't fix for Fx25
status-b2g18:
--- → unaffected
status-b2g-v1.1hd:
--- → ?
Comment 34•11 years ago
|
||
Confirmed crash on FF26, 27 and 28, 2013-11-13.
Verified fixed on FF26, 27 and 28, 2013-11-21.
Updated•11 years ago
|
Whiteboard: [adv-main26+]
Updated•11 years ago
|
Alias: CVE-2013-5617
Updated•11 years ago
|
Alias: CVE-2013-5617
Updated•11 years ago
|
Whiteboard: [adv-main26+] → [adv-main26-]
Updated•11 years ago
|
Status: RESOLVED → VERIFIED
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•