Closed Bug 1318012 Opened 8 years ago Closed 7 years ago

SandboxBrokerCommon::SendWithFd sends uninitialised stack-allocated data out of process

Categories

(Core :: Security: Process Sandboxing, defect)

Product:
Core
Component:
Security: Process Sandboxing
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla53
Tracking Flags:
Tracking Status
firefox51 --- wontfix
firefox52 --- disabled
firefox-esr52 --- disabled
firefox53 --- fixed

People

(Reporter: jseward, Assigned: jseward)

Details

(Keywords: csectype-uninitialized, sec-moderate, Whiteboard: sblc2, [post-critsmash-triage])

Attachments

(2 files, 1 obsolete file)

Valgrind complaints
3.46 KB, text/plain
Details
bug1318012-2.cset
1.64 KB, patch
jld
: review+
Details | Diff | Splinter Review
Attached file Valgrind complaints 
I ran gtests on valgrind and noticed that SandboxBrokerCommon::SendWithFd can
send uninitialised stack allocated data out of process.  I suspect this is due
to alignment holes in char cmsg_buf[] in that function.

Partly because it seems ungood to have an information leak, and partly
to stop valgrind complaining, I'd prefer to zero initialise that array.
It's only 24 bytes, at least on x86_64-linux.
Attached patch bug1318012-1.cset (obsolete) — Splinter Review 
A possible fix.
Running gtests on valgrind is a bit tricky.  STR:

run valgrind-listener in a different shell.  This listens on port 1500.

export MOZVFLAGS="--num-transtab-sectors=24 --px-default=allregs-at-mem-access \
  --px-file-backed=unwindregs-at-mem-access --fair-sched=yes \
  --fullpath-after=/MOZ/ --trace-children=yes --show-mismatched-frees=no"

DISPLAY=:1.0 G_SLICE=always-malloc v312BRANCH $MOZVFLAGS \
  "--trace-children-skip=/usr/bin/which,/usr/bin/file,/usr/bin/uname,/sbin/ldconfig,/usr/bin/cat,/usr/bin/awk,/usr/bin/sed,/usr/bin/whoami,/usr/bin/true,/*/bin/gcc,/usr/bin/gmake" \
  --track-origins=yes --log-socket=127.0.0.1:1500 --num-callers=40 \
  ./mach gtest

        Attachment #8811327 -
        Attachment is obsolete: true

        Attachment #8811617 -
        Flags: review?(jld)

    
  
Whiteboard: sblc2
Assignee: nobody → jseward

        Attachment #8811617 -
        Flags: review?(jld) → review+
Group: core-security → dom-core-security
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED

    
    

    
  
The sec-* keywords on this bug might be a bit on the high side — at worst it's an information leak of a few bytes (and I haven't verified that the bytes actually are copied to the other process), it always reads from the same place on the broker thread's stack, _and_ it needs to be combined with a sec-critical to do anything.
Group: dom-core-security → core-security-release

    
    

    
  
Should we consider backporting this to 52 for the next ESR?

          status-firefox51:
          --- → wontfix

          status-firefox52:
          --- → affected
Flags: needinfo?(jseward)

    
    

    
  
Thanks for checking, but there's no benefit to uplifting this.  The file broker is used only for content processes, and content sandboxing won't be enabled for non-nightly builds until 53 at the earliest.  (I'm not sure if "unaffected" is the right flag, because nightly 52 *was* affected, but aurora/beta/release/etc. 52 aren't.)

          status-firefox52:
          affectedunaffected
Flags: needinfo?(jseward)

    
    

    
  
We generally use the disabled status for features that aren't riding that train. Thanks!

          status-firefox52:
          unaffecteddisabled
Flags: qe-verify-
Whiteboard: sblc2 → sblc2, [post-critsmash-triage]
Group: core-security-release

          status-firefox-esr52:
          --- → disabled

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: