Closed Bug 951354 Opened 11 years ago Closed 10 years ago

ASan: Crash with heap-use-after-free when running xpcshell test getHSTSPreloadList.js

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Version:
29 Branch
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla29
Tracking Flags:
Tracking Status
firefox26 --- unaffected
firefox27 + verified
firefox28 + verified
firefox29 + verified
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.1hd --- unaffected
b2g-v1.2 --- unaffected
b2g-v1.3 --- fixed
b2g-v1.3T --- fixed
b2g-v1.4 --- fixed

People

(Reporter: mwobensmith, Assigned: keeler)

References

(Depends on 1 open bug)

Details

(Keywords: csectype-uaf, regression, sec-high, Whiteboard: [asan])

Attachments

(4 files, 1 obsolete file)

stack.txt
6.58 KB, text/plain
Details
patch
1.13 KB, patch
cviecco
: review+
abillings
: approval-mozilla-aurora+
abillings
: approval-mozilla-beta+
abillings
: sec-approval+
Details | Diff | Splinter Review
test v1.1
2.75 KB, patch
keeler
: review+
Details | Diff | Splinter Review
m-c_asan_crash.txt
7.57 KB, text/plain
Details
Attached file stack.txt 
With a local repository, run the getHSTSPreloadList.js test on an ASan build of nightly. 

./run-mozilla.sh [path to]/xpcshell [path to]/getHSTSPreloadList.js [path to]/nsSTSPreloadList.inc

See attached stack.

The stack I'm providing has no symbol names, because I can't figure out how to use the ASan symbolizer script with the above. If anyone has advice, I'd appreciate it.
I should also mention that the test seems to run all of the way through, before it crashes at the very end.
status-firefox26: --- → unaffected
status-firefox27: --- → affected
status-firefox28: --- → affected
status-firefox29: --- → affected
status-firefox-esr24: --- → unaffected
Whiteboard: [asan]
Component: XUL → Security: PSM
Assignee: nobody → dkeeler
Attached patch patchSplinter Review 
Looks like any nsNSSShutDownObject needs to call shutdown(calledFromObject) in its destructor.
Attachment #8350229 - Flags: review?(cviecco)
All other classes that inherit from nsNSSShutdownObject that I could find do call shutdown(calledFromObject). One question is there seems to be some inconsistencies in whether or not the nsNSSShutdownPreventionLock is used and/or isAlreadyShutDown() is called. I'll investigate further to see if this matters.
Comment on attachment 8350229 [details] [diff] [review]
patch

I missed that one.
Attachment #8350229 - Flags: review?(cviecco) → review+
Attached patch test (obsolete) — Splinter Review 
Turns out a compiled code test was the easiest way to test this. Unfortunately, I had to add another test directory ("compiled") under security/manager/ssl/tests/ (it was that or change all of the moz.build files in that subtree to say TEST_TOOL_DIRS instead of TEST_DIRS or DIRS). I'm open to suggestions for alternatives to either of these.
Attachment #8350805 - Flags: review?(cviecco)
Comment on attachment 8350805 [details] [diff] [review]
test

Review of attachment 8350805 [details] [diff] [review]:
-----------------------------------------------------------------

I like this.
Attachment #8350805 - Flags: review?(cviecco) → review+
Comment on attachment 8350229 [details] [diff] [review]
patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

I don't think it is possible to trigger this bug in Firefox itself. nsNSSComponent causes all NSS resources to be released when it receives the "profile-before-change" notification or in its destructor. When using a ScopedXPCOMStartup (as it appears Firefox does, but xpcshell doesn't), it will always be notified before receiving the "xpcom-shutdown" notification, which is when services are destructed. If there is no profile, however (as can be the case with xpcshell), "profile-before-change" is never emitted, and if nsNSSCertificateDB is destructed before nsNSSComponent, when nsNSSComponent tries to free all NSS resources, it will use the now dead nsNSSCertificateDB object and segfault.

So, in short, I don't think this is exploitable in Firefox.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

Not really - determining the security problem would require familiarity with how NSS shutdown works

Which older supported branches are affected by this flaw?

27 and 28 (beta and aurora)

If not all supported branches, which bug introduced the flaw?

bug 911336

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

This patch applies cleanly to beta and aurora.

How likely is this patch to cause regressions; how much testing does it need?

Very unlikely.
Attachment #8350229 - Flags: sec-approval?
Comment on attachment 8350229 [details] [diff] [review]
patch

sec-approval+ for trunk. Please check in and, assuming all is green, nominate for Aurora and Beta so we can avoid ever shipping this issue.
Attachment #8350229 - Flags: sec-approval? → sec-approval+
https://hg.mozilla.org/mozilla-central/rev/d0aced80aa98
Status: NEW → ASSIGNED
status-firefox29: affectedfixed
Target Milestone: --- → mozilla29
Comment on attachment 8350229 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 911336
User impact if declined: potentially exploitable
Testing completed (on m-c, etc.): landed on m-c
Risk to taking this patch (and alternatives if risky): very low
String or IDL/UUID changes made by this patch: none
Attachment #8350229 - Flags: approval-mozilla-beta?
Attachment #8350229 - Flags: approval-mozilla-aurora?
Attachment #8350229 - Flags: approval-mozilla-beta?
Attachment #8350229 - Flags: approval-mozilla-beta+
Attachment #8350229 - Flags: approval-mozilla-aurora?
Attachment #8350229 - Flags: approval-mozilla-aurora+
ni? to myself so I don't forget to land the test when appropriate.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: needinfo?(dkeeler)
Resolution: --- → FIXED
Whiteboard: [asan][leave open] → [asan]
Comment on attachment 8350805 [details] [diff] [review]
test

[Security approval request comment]
This is just the test for the fix. The fix itself has shipped on all affected versions, I believe.
Attachment #8350805 - Flags: sec-approval?
Flags: needinfo?(dkeeler)
Comment on attachment 8350805 [details] [diff] [review]
test

sec-approval+ to check in the test.
Attachment #8350805 - Flags: sec-approval? → sec-approval+
Flags: in-testsuite+
Depends on: 961436
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attached patch test v1.1Splinter Review 
OS X and Windows were complaining because a pref wasn't set (which was because this test can't rely on some services, etc. that are commonly available, because they would keep the certificate db alive past the scope of the pointer in the test, which defeats the whole point of the test (which tests that if the db is destructed before NSS is shut down, it does the appropriate cleanup)).
Carrying over r+.
https://tbpl.mozilla.org/?tree=Try&rev=f47f89cfab86
Attachment #8350805 - Attachment is obsolete: true
Attachment #8363334 - Flags: review+
Group: crypto-core-security
Status: REOPENED → RESOLVED
Closed: 10 years ago10 years ago
Resolution: --- → FIXED
Attached file m-c_asan_crash.txt 
Both FF27 and FF28 look good, but FF29 ASan produces this crash.
Flags: needinfo?(dkeeler)
That looks like a new bug - I filed bug 965379.
Flags: needinfo?(dkeeler)
Thanks Keeler. I'll go ahead and mark this one verified for 29, based on that. Much appreciated.
Status: RESOLVED → VERIFIED
status-firefox29: fixedverified
Group: crypto-core-security
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: