Closed
Bug 1320894
Opened 8 years ago
Closed 8 years ago
CacheFileIOManager::WriteInternal writes uninitialised padding bytes to disk
Categories
(Core :: Networking: Cache, defect)
Core
Networking: Cache
Tracking
()
RESOLVED
FIXED
mozilla53
People
(Reporter: jseward, Assigned: michal)
Details
(Keywords: csectype-disclosure, privacy, sec-low, Whiteboard: [post-critsmash-triage][adv-main52+])
Attachments
(2 files, 3 obsolete files)
|
4.29 KB,
text/plain
|
Details | |
|
11.17 KB,
patch
|
michal
:
review+
jcristau
:
approval-mozilla-beta+
dveditz
:
sec-approval+
|
Details | Diff | Splinter Review |
In longer runs (10 mins+) of mochitests on valgrind, for the tests in layout/style/test, it is sometimes reported that the CacheFileIOManager is writing heap allocated uninitialised values to disk. In netwerk/cache2/CacheIndex.cpp, setting kMinUnwrittenChanges and kMinDumpInterval both to 1 causes it to be reported at every browser startup. The uninitialised values originate from alignment holes in struct CacheIndexRecord.
|
Reporter | |
Comment 1•8 years ago
|
||
|
|
Reporter | |
Comment 2•8 years ago
|
||
The layout of struct CacheIndexRecord (I would guess) is SHA1Sum::Hash mHash; 0..19 uint32_t mFrecency; 20..23 uint32_t mExpirationTime; 24..27 // Alignment hole #1 28..31 OriginAttrsHash mOriginAttrsHash; 32..40 uint32_t mFlags; 40..43 // Alignment hole #2 44..47 on the assumption that OriginAttrsHash a.k.a. uint64_t forces 64-bit alignment and that the struct as a whole must have a 64-bit aligned size.
|
|
Reporter | |
Comment 3•8 years ago
|
||
A possible fix. This changes the layout to SHA1Sum::Hash mHash; 0..19 uint32_t mFrecency; 20..23 OriginAttrsHash mOriginAttrsHash; 24..31 uint32_t mExpirationTime; 32..35 uint32_t mFlags; 36..39 At least on x86_64-Linux, it stops Valgrind complaining, and the static assertion holds. I don't like it as a solution though. This surely changes the on-disk format, and it is fragile .. if the compilers change the layout it could fail again. It appears that the on-disk format created here is dependant on the layout that compilers choose for this struct. Is that intended, or do I misunderstand something?
|
|
Reporter | |
Updated•8 years ago
|
Attachment #8815218 -
Flags: feedback?(michal.novotny)
|
Assignee | |
Comment 4•8 years ago
|
||
- members are reordered so there are no holes - structs CacheIndexHeader and CacheIndexRecord are now properly serialized instead of using memcpy - parsing of cache index with holes would fail, but I bumped version so we won't even try to parse previously written index
Assignee: nobody → michal.novotny
Attachment #8815218 -
Attachment is obsolete: true
Attachment #8815218 -
Flags: feedback?(michal.novotny)
Attachment #8815375 -
Flags: review?(valentin.gosu)
Attachment #8815375 -
Flags: feedback?(jseward)
|
|
Reporter | |
Comment 5•8 years ago
|
||
Comment on attachment 8815375 [details] [diff] [review] fix Works OK for me.
Attachment #8815375 -
Flags: feedback?(jseward) → feedback+
|
||
Comment 6•8 years ago
|
||
Comment on attachment 8815375 [details] [diff] [review] fix Review of attachment 8815375 [details] [diff] [review]: ----------------------------------------------------------------- ::: netwerk/cache2/CacheIndex.cpp @@ +2014,5 @@ > > rv = indexFile->OpenNSPRFileDesc(PR_RDWR, 0600, &fd); > NS_ENSURE_SUCCESS(rv, rv); > > + int64_t offset = PR_Seek64(fd, 2 * sizeof(uint32_t), PR_SEEK_SET); Add comment mentioning why we seek to this position. Also add a static_assert to verify that offsetof(CacheIndexHeader, mIsDirty) is 2*sizeof(uint32_t). @@ +2154,3 @@ > } else { > + uint32_t * isDirty = reinterpret_cast<uint32_t *>( > + moz_xmalloc(sizeof(uint32_t))); We can probably avoid this extra allocation, right? @@ +2160,5 @@ > // nullptr is passed as the listener and the call doesn't fail > // synchronously. > + rv = CacheFileIOManager::Write(mIndexHandle, 2 * sizeof(uint32_t), > + reinterpret_cast<char *>(isDirty), > + sizeof(isDirty), true, false, nullptr); BUG: Since isDirty is a pointer, it's size isn't necessarily 4 bytes. Probably best to use sizeof(uint32_t).
Attachment #8815375 -
Flags: review?(valentin.gosu)
|
|
Assignee | |
Comment 7•8 years ago
|
||
Thanks for quick review. (In reply to Valentin Gosu [:valentin] from comment #6) > > + int64_t offset = PR_Seek64(fd, 2 * sizeof(uint32_t), PR_SEEK_SET); > > Add comment mentioning why we seek to this position. > Also add a static_assert to verify that offsetof(CacheIndexHeader, mIsDirty) > is 2*sizeof(uint32_t). fixed > @@ +2154,3 @@ > > } else { > > + uint32_t * isDirty = reinterpret_cast<uint32_t *>( > > + moz_xmalloc(sizeof(uint32_t))); > > We can probably avoid this extra allocation, right? No. When CacheFileIOManager::Write is called with the callback, the buffer is owned by the caller and must not be released until the callback is called. This is not our case here, we're neither interested in the result, nor we have a suitable buffer to be used for this. When CacheFileIOManager::Write is called without a callback, the buffer ownership is transferred and it is released by CacheFileIOManager, so we have to allocate the buffer here. > > + rv = CacheFileIOManager::Write(mIndexHandle, 2 * sizeof(uint32_t), > > + reinterpret_cast<char *>(isDirty), > > + sizeof(isDirty), true, false, nullptr); > > BUG: Since isDirty is a pointer, it's size isn't necessarily 4 bytes. > Probably best to use sizeof(uint32_t). Good catch! Fixed.
Attachment #8815375 -
Attachment is obsolete: true
Attachment #8815472 -
Flags: review?(valentin.gosu)
|
|
||
Comment 8•8 years ago
|
||
Comment on attachment 8815472 [details] [diff] [review] patch v2 Review of attachment 8815472 [details] [diff] [review]: ----------------------------------------------------------------- Looks good. Thanks!
Attachment #8815472 -
Flags: review?(valentin.gosu) → review+
|
|
Assignee | |
Comment 9•8 years ago
|
||
fixed a typo that cleared flags during writing in CacheIndexEntry::WriteToBuf
Attachment #8815472 -
Attachment is obsolete: true
Attachment #8815690 -
Flags: review+
|
|
Assignee | |
Comment 10•8 years ago
|
||
Comment on attachment 8815690 [details] [diff] [review] patch v3 I'm not sure whether this patch needs security-approval before landing. [Security approval request comment] How easily could an exploit be constructed based on the patch? I guess it's impossible. User have no control over the uninitialized data going to disk. When the data is read back it is stored again in the hole in the structure. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? I don't think this is really a security problem. Which older supported branches are affected by this flaw? This was introduced with bug 1201042 which was uplifted to 51. Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? It's likely that the patch can be used on 51 as is. If not, it's easy to backport it. How likely is this patch to cause regressions; how much testing does it need? Cache index should be written to disk when running mochitests if there are enough changes to cache and if the tests run at least 60 seconds. But we don't have a test that would check the written data. I.e. any changes in cache data format are usually checked manually.
Attachment #8815690 -
Flags: sec-approval?
|
||
Updated•8 years ago
|
Group: core-security → network-core-security
|
|
||
Comment 11•8 years ago
|
||
Slight info leak, but fragmentary and only to local disk so doesn't seem too bad from a security POV.
|
|
||
Comment 12•8 years ago
|
||
Comment on attachment 8815690 [details] [diff] [review] patch v3 land away! (sec-approval+)
Attachment #8815690 -
Flags: sec-approval? → sec-approval+
|
||
Comment 13•8 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/331ca1a40ca2
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
|
|
||
Updated•7 years ago
|
Group: network-core-security → core-security-release
|
||
Comment 14•7 years ago
|
||
Can we nominate this for Beta approval please?
|
|
Assignee | |
Comment 15•7 years ago
|
||
Comment on attachment 8815690 [details] [diff] [review] patch v3 Approval Request Comment [Feature/Bug causing the regression]: 1201042 [User impact if declined]: uninitialized padding data is written to a local file [Is this code covered by automated tests?]: cache index is written when running automated tests but it is never read from the disk [Has the fix been verified in Nightly?]: the fix has been verified manually before landing and it is in the nightly already for quite a long time [Needs manual test from QE? If yes, steps to reproduce]: no [List of other uplifts needed for the feature/fix]: none [Is the change risky?]: no [Why is the change risky/not risky?]: small change in index format, in the worst case we would not be able to parse the index after startup and we would need to build it from the scratch [String changes made/needed]: none
Flags: needinfo?(michal.novotny)
Attachment #8815690 -
Flags: approval-mozilla-beta?
|
||
Comment 16•7 years ago
|
||
Comment on attachment 8815690 [details] [diff] [review] patch v3 avoid info leak, beta52+
Attachment #8815690 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
||
Comment 17•7 years ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-beta/rev/5dc896e5b700
|
|
||
Comment 18•7 years ago
|
||
https://hg.mozilla.org/releases/mozilla-esr52/rev/5dc896e5b700
status-firefox-esr52:
--- → fixed
|
||
Updated•7 years ago
|
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
|
||
Updated•7 years ago
|
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main52+]
|
|
||
Updated•7 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•