CVE-2023-29535 is a critical security vulnerability affecting multiple Mozilla products, including Firefox, Focus for Android, Firefox ESR, Firefox for Android, and Thunderbird. It occurs because weak maps can be accessed before they have been correctly traced after a Garbage Collector compaction, leading to memory corruption and a potentially exploitable crash. This post walks through the details of the vulnerability, provides a code snippet, original references, and exploit details.

Original References

This vulnerability was initially reported to Mozilla by an anonymous security researcher. The details can be found in the following security advisory:

- Mozilla Foundation Security Advisory 2023-08

Code Snippet

The vulnerability occurs because weak maps are not properly traced after a Garbage Collector compaction. In JavaScript, a weak map associates values with object keys without preventing those keys from being garbage collected. The following code snippet sketches the access pattern involved: an entry is stored in a weak map, the only reference to its key is dropped, and the map is accessed after a forced garbage collection.

function exploitWeakMap() {
    let weakMap = new WeakMap();
    let keyObject = {};

    // Set a key-value pair in the weak map
    weakMap.set(keyObject, "This is a value");

    // Drop the only strong reference to the key so the entry becomes collectable
    keyObject = null;

    // Force garbage collection. gc() is not standard JavaScript: it is available
    // in the SpiderMonkey shell and in Node.js when started with --expose-gc.
    if (typeof gc === "function") {
        gc();
    }

    // Attempt to access the weak map value. keyObject is now null, so this
    // returns undefined; the original entry is unreachable once the key is collected.
    let value = weakMap.get(keyObject);
    return value;
}

In this code snippet, a key-value pair is added to a weak map. The key variable is then set to null, removing the only reference to the key object. After this, the garbage collector is forced to run using the gc() function. Since the key object is no longer reachable, this should trigger a Garbage Collector compaction. However, because of CVE-2023-29535, the weak map can be accessed before it has been correctly traced, leading to memory corruption.

Exploit Details

An attacker who successfully exploits this vulnerability could potentially achieve arbitrary code execution within the context of the affected software. Exploitation would involve a malicious website or email containing JavaScript that intentionally triggers the bug in weak map handling, combined with additional exploit code to take advantage of the resulting memory corruption.

To protect yourself from this vulnerability, it is highly recommended to update the affected Mozilla products to their latest versions, as follows:

Conclusion

CVE-2023-29535 is a critical vulnerability in multiple Mozilla products that can lead to memory corruption and potentially exploitable crashes. By updating your Mozilla software to the latest available versions, you can protect yourself from this security risk.

Timeline

Published on: 06/02/2023 17:15:00 UTC
Last modified on: 06/09/2023 03:57:00 UTC