In this post, we will discuss a security vulnerability discovered in Mozilla's Thunderbird, Firefox, and Firefox ESR applications. This flaw, known as CVE-2022-28285, pertains to the incorrect generation of assembly code for MLoadTypedArrayElementHole. When exploited, this vulnerability can potentially result in an out-of-bounds memory read, leading to information disclosure. The affected versions are Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.

Background

In the MLoadTypedArrayElementHole, an improper AliasSet was utilized. This incorrect use of AliasSet led to a potential security issue that can be exploited in conjunction with another vulnerability. The compromised component is responsible for generating the assembly code that deals with typed arrays in JavaScript.

Details about MLoadTypedArrayElementHole

The MLoadTypedArrayElementHole is a part of the Mozilla Firefox IonMonkey JIT compiler, responsible for optimizing JavaScript code. Typed arrays provide a buffer to work with binary data efficiently, and the flaw has the potential to be used with a second vulnerability for an out-of-bounds memory read.

Here's a simplified snippet of code showing the incorrect AliasSet in use

MLoadTypedArrayElementHole* MLoadTypedArrayElementHole::New(TempAllocator& alloc, MDefinition* elements, MDefinition* index, ...)
{
    // Incorrect AliasSet being used
    MLoadTypedArrayElementHole* ins = new(alloc) MLoadTypedArrayElementHole(...);
    
    ...
    
    return ins;
}

Exploit and Impact

An attacker could potentially craft malicious JavaScript code on a webpage or in an email viewed in Thunderbird. The user's interaction with the malicious code can provide the attacker access to their confidential information through an out-of-bounds memory read.

When this vulnerability is combined with another, the attacker may gain the capability to cause more harm, such as executing arbitrary code, or disclosing sensitive data.

Mitigations

Mozilla has released updates to mitigate this vulnerability. Users are advised to update their software to the latest versions:

1. Mozilla Foundation Security Advisory 2022-12
2. Mozilla Foundation Security Advisory 2022-13
3. NIST National Vulnerability Database (NVD) - CVE-2022-28285

Conclusion

CVE-2022-28285 is a security flaw in the popular Thunderbird, Firefox, and Firefox ESR applications. This vulnerability arises from the improper use of AliasSet in assembly code generation for MLoadTypedArrayElementHole. Users are strongly recommended to update their software to the latest versions to protect their systems and information from this security risk.

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/30/2022 20:46:00 UTC