Closed
Bug 951354
Opened 11 years ago
Closed 10 years ago
ASan: Crash with heap-use-after-free when running xpcshell test getHSTSPreloadList.js
Categories
(Core :: Security: PSM, defect)
Tracking
()
VERIFIED
FIXED
mozilla29
Tracking | Status | |
---|---|---|
firefox26 | --- | unaffected |
firefox27 | + | verified |
firefox28 | + | verified |
firefox29 | + | verified |
firefox-esr24 | --- | unaffected |
b2g18 | --- | unaffected |
b2g-v1.1hd | --- | unaffected |
b2g-v1.2 | --- | unaffected |
b2g-v1.3 | --- | fixed |
b2g-v1.3T | --- | fixed |
b2g-v1.4 | --- | fixed |
People
(Reporter: mwobensmith, Assigned: keeler)
References
(Depends on 1 open bug)
Details
(Keywords: csectype-uaf, regression, sec-high, Whiteboard: [asan])
Attachments
(4 files, 1 obsolete file)
6.58 KB,
text/plain
|
Details | |
1.13 KB,
patch
|
cviecco
:
review+
abillings
:
approval-mozilla-aurora+
abillings
:
approval-mozilla-beta+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
2.75 KB,
patch
|
keeler
:
review+
|
Details | Diff | Splinter Review |
7.57 KB,
text/plain
|
Details |
With a local repository, run the getHSTSPreloadList.js test on an ASan build of nightly. ./run-mozilla.sh [path to]/xpcshell [path to]/getHSTSPreloadList.js [path to]/nsSTSPreloadList.inc See attached stack. The stack I'm providing has no symbol names, because I can't figure out how to use the ASan symbolizer script with the above. If anyone has advice, I'd appreciate it.
Reporter | ||
Comment 1•11 years ago
|
||
I should also mention that the test seems to run all of the way through, before it crashes at the very end.
status-firefox26:
--- → unaffected
status-firefox27:
--- → affected
status-firefox28:
--- → affected
status-firefox29:
--- → affected
status-firefox-esr24:
--- → unaffected
Whiteboard: [asan]
Updated•11 years ago
|
Keywords: csectype-uaf
Updated•11 years ago
|
Component: XUL → Security: PSM
Updated•11 years ago
|
Assignee: nobody → dkeeler
Assignee | ||
Comment 2•11 years ago
|
||
After bisecting, the first bad changeset I get is https://hg.mozilla.org/mozilla-central/rev/f78f52c8c9ff (bug 911336).
Blocks: 911336
Assignee | ||
Comment 3•11 years ago
|
||
Looks like any nsNSSShutDownObject needs to call shutdown(calledFromObject) in its destructor.
Attachment #8350229 -
Flags: review?(cviecco)
Assignee | ||
Comment 4•11 years ago
|
||
All other classes that inherit from nsNSSShutdownObject that I could find do call shutdown(calledFromObject). One question is there seems to be some inconsistencies in whether or not the nsNSSShutdownPreventionLock is used and/or isAlreadyShutDown() is called. I'll investigate further to see if this matters.
Comment 5•11 years ago
|
||
Comment on attachment 8350229 [details] [diff] [review] patch I missed that one.
Attachment #8350229 -
Flags: review?(cviecco) → review+
Updated•11 years ago
|
Keywords: regression,
sec-high
Assignee | ||
Comment 6•11 years ago
|
||
Turns out a compiled code test was the easiest way to test this. Unfortunately, I had to add another test directory ("compiled") under security/manager/ssl/tests/ (it was that or change all of the moz.build files in that subtree to say TEST_TOOL_DIRS instead of TEST_DIRS or DIRS). I'm open to suggestions for alternatives to either of these.
Attachment #8350805 -
Flags: review?(cviecco)
Comment 7•10 years ago
|
||
Comment on attachment 8350805 [details] [diff] [review] test Review of attachment 8350805 [details] [diff] [review]: ----------------------------------------------------------------- I like this.
Attachment #8350805 -
Flags: review?(cviecco) → review+
Assignee | ||
Comment 8•10 years ago
|
||
Comment on attachment 8350229 [details] [diff] [review] patch [Security approval request comment] How easily could an exploit be constructed based on the patch? I don't think it is possible to trigger this bug in Firefox itself. nsNSSComponent causes all NSS resources to be released when it receives the "profile-before-change" notification or in its destructor. When using a ScopedXPCOMStartup (as it appears Firefox does, but xpcshell doesn't), it will always be notified before receiving the "xpcom-shutdown" notification, which is when services are destructed. If there is no profile, however (as can be the case with xpcshell), "profile-before-change" is never emitted, and if nsNSSCertificateDB is destructed before nsNSSComponent, when nsNSSComponent tries to free all NSS resources, it will use the now dead nsNSSCertificateDB object and segfault. So, in short, I don't think this is exploitable in Firefox. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? Not really - determining the security problem would require familiarity with how NSS shutdown works Which older supported branches are affected by this flaw? 27 and 28 (beta and aurora) If not all supported branches, which bug introduced the flaw? bug 911336 Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? This patch applies cleanly to beta and aurora. How likely is this patch to cause regressions; how much testing does it need? Very unlikely.
Attachment #8350229 -
Flags: sec-approval?
Comment 9•10 years ago
|
||
Comment on attachment 8350229 [details] [diff] [review] patch sec-approval+ for trunk. Please check in and, assuming all is green, nominate for Aurora and Beta so we can avoid ever shipping this issue.
Attachment #8350229 -
Flags: sec-approval? → sec-approval+
Updated•10 years ago
|
status-b2g18:
--- → unaffected
status-b2g-v1.1hd:
--- → unaffected
status-b2g-v1.2:
--- → unaffected
status-b2g-v1.3:
--- → ?
tracking-firefox27:
--- → +
tracking-firefox28:
--- → +
tracking-firefox29:
--- → +
Assignee | ||
Comment 10•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/d0aced80aa98
Whiteboard: [asan] → [asan][leave open]
Assignee | ||
Comment 12•10 years ago
|
||
Comment on attachment 8350229 [details] [diff] [review] patch [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 911336 User impact if declined: potentially exploitable Testing completed (on m-c, etc.): landed on m-c Risk to taking this patch (and alternatives if risky): very low String or IDL/UUID changes made by this patch: none
Attachment #8350229 -
Flags: approval-mozilla-beta?
Attachment #8350229 -
Flags: approval-mozilla-aurora?
Updated•10 years ago
|
Attachment #8350229 -
Flags: approval-mozilla-beta?
Attachment #8350229 -
Flags: approval-mozilla-beta+
Attachment #8350229 -
Flags: approval-mozilla-aurora?
Attachment #8350229 -
Flags: approval-mozilla-aurora+
Updated•10 years ago
|
Keywords: checkin-needed
Assignee | ||
Comment 13•10 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/7863c4ddd409 https://hg.mozilla.org/releases/mozilla-beta/rev/fba7bb9253f1
Updated•10 years ago
|
Assignee | ||
Comment 14•10 years ago
|
||
ni? to myself so I don't forget to land the test when appropriate.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: needinfo?(dkeeler)
Resolution: --- → FIXED
Whiteboard: [asan][leave open] → [asan]
Assignee | ||
Comment 15•10 years ago
|
||
Comment on attachment 8350805 [details] [diff] [review] test [Security approval request comment] This is just the test for the fix. The fix itself has shipped on all affected versions, I believe.
Attachment #8350805 -
Flags: sec-approval?
Flags: needinfo?(dkeeler)
Comment 16•10 years ago
|
||
Comment on attachment 8350805 [details] [diff] [review] test sec-approval+ to check in the test.
Attachment #8350805 -
Flags: sec-approval? → sec-approval+
Assignee | ||
Comment 17•10 years ago
|
||
Thanks, Al. https://hg.mozilla.org/integration/mozilla-inbound/rev/8526c7a38761 https://hg.mozilla.org/releases/mozilla-aurora/rev/24f26d63819a https://hg.mozilla.org/releases/mozilla-beta/rev/c26f88fa740f
Updated•10 years ago
|
Flags: in-testsuite+
And backed out from all three for not passing the tests: https://hg.mozilla.org/integration/mozilla-inbound/rev/41a0bf080410 https://hg.mozilla.org/releases/mozilla-aurora/rev/1f9d7af12960 https://hg.mozilla.org/releases/mozilla-beta/rev/e75d291a556f Example failures: https://tbpl.mozilla.org/php/getParsedLog.php?id=33202802&tree=Mozilla-Beta https://tbpl.mozilla.org/php/getParsedLog.php?id=33202668&tree=Mozilla-Aurora
Updated•10 years ago
|
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 19•10 years ago
|
||
OS X and Windows were complaining because a pref wasn't set (which was because this test can't rely on some services, etc. that are commonly available, because they would keep the certificate db alive past the scope of the pointer in the test, which defeats the whole point of the test (which tests that if the db is destructed before NSS is shut down, it does the appropriate cleanup)). Carrying over r+. https://tbpl.mozilla.org/?tree=Try&rev=f47f89cfab86
Attachment #8350805 -
Attachment is obsolete: true
Attachment #8363334 -
Flags: review+
Assignee | ||
Comment 20•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/da1b1e747466
Updated•10 years ago
|
Group: crypto-core-security
Updated•10 years ago
|
Status: REOPENED → RESOLVED
Closed: 10 years ago → 10 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 22•10 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/2ad0044f9976 https://hg.mozilla.org/releases/mozilla-beta/rev/1bca9c9e0ae7
Reporter | ||
Comment 23•10 years ago
|
||
Both FF27 and FF28 look good, but FF29 ASan produces this crash.
Reporter | ||
Updated•10 years ago
|
Reporter | ||
Updated•10 years ago
|
Flags: needinfo?(dkeeler)
Assignee | ||
Comment 24•10 years ago
|
||
That looks like a new bug - I filed bug 965379.
Flags: needinfo?(dkeeler)
Reporter | ||
Comment 25•10 years ago
|
||
Thanks Keeler. I'll go ahead and mark this one verified for 29, based on that. Much appreciated.
Status: RESOLVED → VERIFIED
Updated•10 years ago
|
Group: crypto-core-security
Updated•10 years ago
|
status-b2g-v1.3T:
--- → fixed
status-b2g-v1.4:
--- → fixed
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•