WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
NEW
219434
[WebAuthn] Crash of the browser when rp.icon is too long and device is Yubikey (overflow?)
https://bugs.webkit.org/show_bug.cgi?id=219434
Summary
[WebAuthn] Crash of the browser when rp.icon is too long and device is Yubike...
Greg ORIOL
Reported
2020-12-02 09:28:53 PST
Created
attachment 415228
[details]
Data to pass to navigator.credentials.create to reproduce Hi, I'm not sure of the implications of this issue, but I believe someone might be interested to have a look as this js webauthn call generates a crash on most current browsers. The problem seems to happen with navigator.credentials.create(data) when providing the data with an rp.icon containing more than 8kb of base64 encoded png and using a Yubikey USB device (model "5 NFC" here), the browsers just crash. An example data to reproduce, with rp.icon being of 9kb, is attached to this bug, I encoded it with JSON.stringify to save it. It happens on Safari 14.0 (15610.1.28.1.9, 15610), Safari Technology Preview 116 (and also Chrome 87.0.4280.67, but not Firefox 83.0) on macOS Catalina 10.15.7. If the USB device is not connected, the browsers don't crash. I don't have any other USB webauthn device to check if this is specific to Yubikeys, but when using SoftU2F the call doesn't make the browsers crash. I also don't have a windows or linux to check if this is specific to macOS.
Attachments
Data to pass to navigator.credentials.create to reproduce
(9.50 KB, application/json)
2020-12-02 09:28 PST
,
Greg ORIOL
no flags
Details
Crashlog from Safari 14
(129.29 KB, text/plain)
2020-12-03 00:39 PST
,
Greg ORIOL
no flags
Details
Crashlog from Safari Technology Preview 14.1
(134.35 KB, text/plain)
2020-12-03 10:10 PST
,
Greg ORIOL
no flags
Details
View All
Add attachment
proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1
2020-12-02 19:25:38 PST
This isn't trivial enough to reproduce (navigator.credentials doesn't seem to be available in Web Inspector). Could you please attach a complete crash log?
Greg ORIOL
Comment 2
2020-12-03 00:39:09 PST
You are right, it's a little bit tricky (needs https+button), so here is a working demonstration:
https://gregoriol.github.io/webkit-bug-219434
(with all code in the source of the html) And I'm also attaching a crashlog from Safari 14.
Greg ORIOL
Comment 3
2020-12-03 00:39:43 PST
Created
attachment 415280
[details]
Crashlog from Safari 14
Alexey Proskuryakov
Comment 4
2020-12-03 09:31:49 PST
Perfect, thank you! I couldn't actually reproduce (neither on a machine with a YubiKey nor on one with a Touch ID) though. Does the crash look the same every time this reproduces for you (SIGILL in CtapHidDriver::transact)?
Radar WebKit Bug Importer
Comment 5
2020-12-03 09:32:01 PST
<
rdar://problem/71939942
>
Greg ORIOL
Comment 6
2020-12-03 10:09:11 PST
Yes, same crashlog every time, reproduced 100% of the times. Btw, machine is mid-2014 Retina MacBook Pro (no Touch ID for webauthn). I'm attaching another crashlog with Safari Technology Preview for reference.
Greg ORIOL
Comment 7
2020-12-03 10:10:21 PST
Created
attachment 415309
[details]
Crashlog from Safari Technology Preview 14.1
login Llama
Comment 8
2021-03-03 10:57:46 PST
In webAuthn level 1 authenticators could ignore icon values greater than 128 bytes. In webAuthn level 2 icons were removed completely as they were never displayed by browsers. A guess off the top of my head is that if Safari is trying to send a 9kb value that is going to blow up the buffer. I did file another issue 220415 about Safari ignoring authenticators maxMsgSize. That was in the context of exclude lists however, the same bug would more than explain this. They Yubikey 5 has a maxMsgSize of 1200bytes. If Safari sends more than that it will get back an error. Over NFC a NFC layer error SW_DATA_INVALID Over USB a CTAP error is returned CTAP1_ERR_INVALID_LENGTH after the first APDU is received. In neither case is Safari gracefully dealing with the error. Safari shouldn't be exceeding maxMsgSize in the first place. I hope that solves the mystery of why there is an error. It also won't happen if the authenticator is U2F only, or may fail in CTAP2.0 then retry in U2F and succeed.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug