Closed Bug 937132 Opened 11 years ago Closed 11 years ago

LifoAlloc missing overflow checks

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla29
Project Flags:
blocking-b2g koi+
Tracking Flags:
Tracking Status
firefox25 --- wontfix
firefox26 --- wontfix
firefox27 + fixed
firefox28 + fixed
firefox29 + fixed
firefox-esr17 --- wontfix
firefox-esr24 27+ fixed
b2g18 --- fixed
b2g-v1.1hd --- fixed
b2g-v1.2 --- fixed
b2g-v1.3 --- fixed
b2g-v1.3T --- fixed
b2g-v1.4 --- fixed

People

(Reporter: sunfish, Assigned: sunfish)

References

Details

(Keywords: regression, sec-critical, Whiteboard: [adv-main27+][adv-esr24.3+][qa-])

Attachments

(3 files, 6 obsolete files)

ds-overflow-all.patch
5.88 KB, patch
bajaj
: approval-mozilla-aurora+
abillings
: sec-approval+
Details | Diff | Splinter Review
ds-overflow-all-beta.patch
5.90 KB, patch
bajaj
: approval-mozilla-beta+
bajaj
: approval-mozilla-esr24+
bajaj
: approval-mozilla-b2g26+
Details | Diff | Splinter Review
ds-overflow-all-b2g18.patch
3.08 KB, patch
Details | Diff | Splinter Review
Attached patch ds-overflow-check.patch (obsolete) — Splinter Review 
js/src/ds/LifoAlloc.h contains generic array allocation code which does sizeof(T) * count without checking for overflow.

I have not audited the codebase to determine if this is exploitable. I was just trying to figure out the intended difference between newArray and newArrayUninitialized (and it's still not clear) and noticed this while I was there.
Attachment #830194 - Flags: review?(luke)
Comment on attachment 830194 [details] [diff] [review]
ds-overflow-check.patch

Nice catch!
Attachment #830194 - Flags: review?(luke) → review+
The bug was introduced in 4d10127fd106 for bug 684039, which appears to be on all release branches.

If exploitable, this could easily be sec-critical, but it's hard to tell if it's exploitable or not. I'm not comfortable assigning a security rating myself.
This seems theoretically exploitable (request large alloc, the small alloc succeeds, you get to stomp over real memory).  OTOH, it seems hard to trigger the large alloc (Lifos are only used for certain things, most of which are tiny).  Given that and that this was discovered internally, it seems reasonable to let it ride the trains.
By "ride the trains", do you mean just check it into mozilla-incoming and call it done?
Yes, but note that without a sec-rating, this can't land without approval, FWIW.
status-b2g18: --- → affected
status-firefox25: --- → wontfix
status-firefox26: --- → affected
status-firefox27: --- → affected
status-firefox28: --- → affected
status-firefox-esr17: --- → affected
status-firefox-esr24: --- → affected
Whiteboard: could be sec-critical if we could find a reliable trigger for large allocs
Ok. According to [0], sec-moderate means that the fix should just be landed without explicit approval. Is that appropriate here?

[0] https://wiki.mozilla.org/Security/Bug_Approval_Process
Attached patch ds-fixedlist.patch (obsolete) — Splinter Review 
While we're here, here are a few more instances of the same problem.
Attachment #8337738 - Flags: review?(luke)
Comment on attachment 8337738 [details] [diff] [review]
ds-fixedlist.patch

Review of attachment 8337738 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/FixedList.h
@@ +51,5 @@
>          length_ -= num;
>      }
>  
>      bool growBy(size_t num) {
> +        size_t newlength = length_ + num;

Can this overflow also?
Attachment #8337738 - Flags: review?(luke) → review+
Attached patch ds-fixedlist.patch (obsolete) — Splinter Review 
(In reply to Luke Wagner [:luke] from comment #8)
> >      bool growBy(size_t num) {
> > +        size_t newlength = length_ + num;
> 
> Can this overflow also?

Yes, good catch.
Attachment #8337738 - Attachment is obsolete: true
Attachment #8341866 - Flags: review?(luke)
Attached patch ds-asmjscall.patch (obsolete) — Splinter Review 
This patch converts a few things in MAsmJSCall to use FixedList. The old code lacked overflow checks, and FixedList is being fixed to do overflow checks.
Attachment #8341867 - Flags: review?(luke)
Attached patch ds-mirgenerator-allocate.patch (obsolete) — Splinter Review 
This patch deletes an unused allocate function which lacked overflow checks, and adds an overflow check to MIRGenerator's allocate function.
Attachment #8341871 - Flags: review?(luke)
Attached patch ds-typeset.patch (obsolete) — Splinter Review 
This patch adds overflow checking to some custom hashtable code in jsinferinlines.h.
Attachment #8341874 - Flags: review?(luke)
Comment on attachment 8341867 [details] [diff] [review]
ds-asmjscall.patch

Nice
Attachment #8341867 - Flags: review?(luke) → review+
Attachment #8341866 - Flags: review?(luke) → review+
Attachment #8341871 - Flags: review?(luke) → review+
Attachment #8341874 - Flags: review?(luke) → review+
Upgrading to sec-critical, because there are several fixes here now, and if any are exploitable, they'd be sec-critical. I'll prepare patches for release branches as desired.
Keywords: sec-moderatesec-critical
Whiteboard: could be sec-critical if we could find a reliable trigger for large allocs
Comment on attachment 830194 [details] [diff] [review]
ds-overflow-check.patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

It'd be challenging. It would first require finding a way to create an overflow in the affected code. It'd also require crafting an actual exploit around the subsequent memory clobber.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

They paint a bulls-eye on the code that has the overflow problem, but not on how to actually get it to overflow.

Which older supported branches are affected by this flaw?

Most branches are.

If not all supported branches, which bug introduced the flaw?

Bug 684039.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

I don't have backports handy, but I can easily create them on request. They ought to be easy and low-risk.

How likely is this patch to cause regressions; how much testing does it need?

It is very unlikely to cause regressions. I've done extensive local testing of it.
Attachment #830194 - Flags: sec-approval?
We're shipping in seven days so this can't go into this cycle. I'm going to give it sec-approval+ for checkin on 12/23 or later.
Whiteboard: [checkin after 12/23]
Attachment #830194 - Flags: sec-approval? → sec-approval+
Since there's a relatively high per-patch overhead here, I've coalesced the patches above into a single patch. They each have regular review approval, and I'm submitting the combined patch for sec-approval herewith.

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

It'd be challenging. It would first require finding a way to create an overflow in the affected code. It'd also require crafting an actual exploit around the subsequent memory clobber.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

They paint a bulls-eye on the code that has the overflow problem, but not on how to actually get it to overflow.

Which older supported branches are affected by this flaw?
If not all supported branches, which bug introduced the flaw?

Probably all branches.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

I don't have backports made yet, but they'd be easy to create, and low-risk.

How likely is this patch to cause regressions; how much testing does it need?

It's very unlikely to cause regressions. I've done extensive local testing of it.
Attachment #830194 - Attachment is obsolete: true
Attachment #8341866 - Attachment is obsolete: true
Attachment #8341871 - Attachment is obsolete: true
Attachment #8341874 - Attachment is obsolete: true
Attachment #8345022 - Flags: sec-approval?
Comment on attachment 8345022 [details] [diff] [review]
ds-overflow-all.patch

sec-approval+ with the same caveat (checkin on 12/23 or laster).
Attachment #8345022 - Flags: sec-approval? → sec-approval+
Comment on attachment 8341867 [details] [diff] [review]
ds-asmjscall.patch

I resubmitted this asmjscall patch in bug 948241, as it wasn't actually security-relevant.

For the main patches on this bug, I will wait until 12/23 as directed.
Attachment #8341867 - Attachment is obsolete: true
Comment on attachment 8345022 [details] [diff] [review]
ds-overflow-all.patch

Review of attachment 8345022 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/FixedList.h
@@ +61,1 @@
>          T *list = (T *)alloc.allocate((length_ + num) * sizeof(T));

nit: replace (length_ + num) by newLength in the above expression, to ensure that one is not mutated without the other.
Whiteboard: [checkin after 12/23]
https://hg.mozilla.org/mozilla-central/rev/68f065d772e8
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox29: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
NI on :sunfish to help with uplift here so this can get into our next beta.
Flags: needinfo?(sunfish)
What information do you need from me here?
Approval requests would be nice :)
Does the patch apply to branches as is?
Comment on attachment 8345022 [details] [diff] [review]
ds-overflow-all.patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 684039
User impact if declined: Potential security bug
Testing completed (on m-c, etc.): On mozilla-central
Risk to taking this patch (and alternatives if risky): Quite low; the changes are simple and localized.
String or IDL/UUID changes made by this patch: None.
Attachment #8345022 - Flags: approval-mozilla-aurora?
Attached is the patch ported to the mozilla-beta branch.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 684039
User impact if declined: Potential security bug
Testing completed (on m-c, etc.): On mozilla-central
Risk to taking this patch (and alternatives if risky): Quite low; the changes are simple and localized.
String or IDL/UUID changes made by this patch: None.
Attachment #8356266 - Flags: approval-mozilla-beta?
Flags: needinfo?(sunfish)
Unsettting bounty nomination. Dan has passed on receiving a bounty since google is paying him to work on Mozilla code.
Flags: sec-bounty?
Attachment #8345022 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Attachment #8356266 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment on attachment 8356266 [details] [diff] [review]
ds-overflow-all-beta.patch



[Triage Comment]
Spoke on irc with Ryan as the same pacth applies to b2g/esr, approving for uplift.
Attachment #8356266 - Flags: approval-mozilla-esr24+
Attachment #8356266 - Flags: approval-mozilla-b2g26+
Attached is the patch ported to mozilla-b2g18. I removed the Ion parts, since Ion is disabled in b2g18.

NOTE: This flag is now for security issues only. Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 684039
User impact if declined: Potential security bug
Testing completed: On mozilla-central
Risk to taking this patch (and alternatives if risky): Quite low; the changes are simple and localized.
String or UUID changes made by this patch: None.
Attachment #8356774 - Flags: approval-mozilla-b2g18?
blocking-b2g: koi? → koi+
Whiteboard: [adv-main27+][adv-esr24.3+]
Marking [qa-] unless someone provides a runnable test case.
Whiteboard: [adv-main27+][adv-esr24.3+] → [adv-main27+][adv-esr24.3+][qa-]
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: