Closed Bug 1059168 Opened 10 years ago Closed 10 years ago

B2G NFC: Make sure the techList and origin string won't overflow in NfcService

Categories

(Firefox OS Graveyard :: NFC, defect)

Product:
Firefox OS Graveyard
Component:
NFC
Platform:
ARM
Gonk (Firefox OS)
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(blocking-b2g:2.1+, firefox33 wontfix, firefox34 fixed, firefox35 fixed, b2g-v2.1 fixed, b2g-v2.2 fixed)

Status:
RESOLVED FIXED
Milestone:
2.1 S4 (12sep)
Project Flags:
blocking-b2g 2.1+
Tracking Flags:
Tracking Status
firefox33 --- wontfix
firefox34 --- fixed
firefox35 --- fixed
b2g-v2.1 --- fixed
b2g-v2.2 --- fixed

People

(Reporter: allstars.chh, Assigned: allstars.chh)

References

Details

(Keywords: regression, Whiteboard: [p=2])

Attachments

(1 file, 2 obsolete files)

Patch v3.
6.70 KB, patch
allstars.chh
: review+
bajaj
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
It's possible that there's something wrong while unmarshalling parcels from nfcd, so it might overflow when convert the ints to String.
[Blocking Requested - why for this release]:

regression from Bug 933588
blocking-b2g: --- → 2.1?
Assignee: nobody → allstars.chh
triage: per comment1, this is a potential regression
blocking-b2g: 2.1? → 2.1+
Yoshi, 

Do you mean [1] and [2]? It seems converting |mEvent.mOriginType| 
to string is already safe. Only [1] may cause out-of-bounds 
array access. I can pick this as my first nfc bug even though
it's not quite relevant to nfc :p Thanks!

[1] http://hg.mozilla.org/mozilla-central/file/c360f3d1c00d/dom/nfc/gonk/NfcService.cpp#l132
[2] http://hg.mozilla.org/mozilla-central/file/c360f3d1c00d/dom/nfc/gonk/NfcService.cpp#l176
Flags: needinfo?(allstars.chh)
yeah, but I already had patch for this. :P
Flags: needinfo?(allstars.chh)
Comment on attachment 8482658 [details] [diff] [review]
Patch

Review of attachment 8482658 [details] [diff] [review]:
-----------------------------------------------------------------

Hi smaug
Bug 1053732 is still under review in Gaia part, so this patch is base on m-c.
Could you review this for me?

Thanks
Attachment #8482658 - Flags: review?(bugs)
Comment on attachment 8482658 [details] [diff] [review]
Patch

>   notifyHCIEventTransaction: function notifyHCIEventTransaction(message) {
>+    message.origin = message.originType + message.originIndex;
This really needs some explanation. What does the origin mean here?
Why can't all the users of the API use originType + originIndex?
Or if they can't, why do we need originType + originIndex and not just origin

>-static const nsLiteralString SEOriginString[] = {
>-  NS_LITERAL_STRING("SIM"),
>-  NS_LITERAL_STRING("ESE"),
So here you have "ESE", but the new webidl enum has "eSE". Why that difference?


> 
>     // HCI Event Transaction parameters.
>-    int size = sizeof(SEOriginString) / sizeof(nsLiteralString);
>-    // TODO: We need a map or something to more rigorously validate against
>-    // Gonk Message header values from inside NfcService.
>-    if ((mEvent.mOriginType != -1) && (mEvent.mOriginType < size)) {
>-      mEvent.mOrigin.Assign(SEOriginString[mEvent.mOriginType]);
>-      mEvent.mOrigin.AppendInt(mEvent.mOriginIndex, 16 /* radix */);
>-      event.mOrigin.Construct();
>-      event.mOrigin.Value() = mEvent.mOrigin;
I have no idea what this old code does, but getting rid of it looks good.

> enum NFCTechType {
>+  "NDEF",
>+  "NDEF_WRITABLE",
>+  "NDEF_FORMATABLE",
>+  "P2P",
>   "NFC_A",
>   "NFC_B",
>-  "NFC_ISO_DEP",
>   "NFC_F",
>   "NFC_V",
>-  "NDEF",
>-  "NDEF_FORMATABLE",
>+  "NFC_ISO_DEP",
>   "MIFARE_CLASSIC",
>   "MIFARE_ULTRALIGHT",
>-  "NFC_BARCODE",
>-  "P2P",
>-  "UNKNOWN_TECH"
> };
Why the reordering and why dropping NFC_BARCODE?


r- just because I want some explanations (I'm not too familiar with some of this code).
Attachment #8482658 - Flags: review?(bugs) → review-
(In reply to Olli Pettay [:smaug] from comment #7)
Hi Smaug
Sorry for not being clear.


> >   notifyHCIEventTransaction: function notifyHCIEventTransaction(message) {
> >+    message.origin = message.originType + message.originIndex;
> This really needs some explanation. What does the origin mean here?

It's from GSMA spec, [1]
Origin means the source of event, it could be from SIM, embedded SE, or ASSD (SD card with Secure element).
And in case that more than one of Secure Elements are of the same kind , from the specification it uses a digit to indentify them, like SIM1, SIM2.

> Why can't all the users of the API use originType + originIndex?
Also from the same specification, it uses a String to represent the origin, so users of this API will expect they get a String like 'SIM1', so I concat them.

> Or if they can't, why do we need originType + originIndex and not just origin
> 
That also works(just origin), that's pretty what the original code is doing.

> >-static const nsLiteralString SEOriginString[] = {
> >-  NS_LITERAL_STRING("SIM"),
> >-  NS_LITERAL_STRING("ESE"),
> So here you have "ESE", but the new webidl enum has "eSE". Why that
> difference?
>
From the specification it uses the term 'eSE' so that's why I do the renaming here.
But I'll file another bug to fix the typo since it's not quite related to this bug.


> > enum NFCTechType {
> >+  "NDEF",
> >+  "NDEF_WRITABLE",
> >+  "NDEF_FORMATABLE",
> >+  "P2P",
> >   "NFC_A",
> >   "NFC_B",
> >-  "NFC_ISO_DEP",
> >   "NFC_F",
> >   "NFC_V",
> >-  "NDEF",
> >-  "NDEF_FORMATABLE",
> >+  "NFC_ISO_DEP",
> >   "MIFARE_CLASSIC",
> >   "MIFARE_ULTRALIGHT",
> >-  "NFC_BARCODE",
> >-  "P2P",
> >-  "UNKNOWN_TECH"
> > };
> Why the reordering and why dropping NFC_BARCODE?

Basically the same idea from your comment https://bugzilla.mozilla.org/show_bug.cgi?id=1053732#c9

The original code from NfcOptions.webidl uses sequence<DOMString> techList, I thought I might reuse the 'enum NFCTechType', and the reordering is to make sure it could also work in lower level deserialization in NfcService.cpp, to make it have the order of the 'nsLiteralString NfcTechString[]' defined NfcService.cpp, so I could remove NfcTechString since WebIDL binding code has already defined that.

And dropping NFC_BARCODE is the same reason, NfcTechString[] doesn't define this, but to prevent confusion I'll create another part of patch to remove these non-used enums defined in MozNFCTag.webidl.

Thanks for the review and sorry for the confusion here.
I'll try to use a DOMString origin in NfcOptions.webidl to see if it's easier.


[1] : http://www.gsma.com/newsroom/wp-content/uploads/2014/03/TS26v5-0.pdf
(In reply to Yoshi Huang[:allstars.chh] from comment #8)
> And dropping NFC_BARCODE is the same reason, NfcTechString[] doesn't define
> this, but to prevent confusion I'll create another part of patch to remove
> these non-used enums defined in MozNFCTag.webidl.
>
Actualy NFC_BARCODE is defined in NfcService but called 'BARCODE', I'll add it back.
Attached patch Patch v2. (obsolete) — Splinter Review 
Use DOMString origin
Attachment #8482658 - Attachment is obsolete: true
Comment on attachment 8483380 [details] [diff] [review]
Patch v2.

> enum SecureElementOrigin {
>   SIM = 0,
>   ESE = 1,
>   ASSD = 2,
>+  OriginEndGuard
maybe set to = 3 explicitly
Attachment #8483380 - Flags: review?(bugs) → review+
Keywords: regression
Attached patch Patch v3.Splinter Review 
assign OriginEndGuard = 3
Attachment #8483380 - Attachment is obsolete: true
Attachment #8483907 - Flags: review+
Note that due to recent policy changes, all patches must have approval for uplift regardless of blocking status. Please request aurora approval on this patch when you get a chance. Sorry for the inconvenience :(
status-b2g-v2.1: --- → affected
status-b2g-v2.2: --- → fixed
status-firefox33: --- → wontfix
status-firefox34: --- → affected
status-firefox35: --- → fixed
Comment on attachment 8483907 [details] [diff] [review]
Patch v3.

Approval Request Comment
[Feature/regressing bug #]:
933588, 979767

[User impact if declined]:
Prevent crash by buffer overflow

[Describe test coverage new/current, TBPL]:
Demo Wallet app

[Risks and why]: 
No

[String/UUID change made/needed]:
No
Attachment #8483907 - Flags: approval-mozilla-aurora?
(In reply to Yoshi Huang[:allstars.chh] from comment #16)
> Comment on attachment 8483907 [details] [diff] [review]
> Patch v3.
> 
> Approval Request Comment
> [Feature/regressing bug #]:
> 933588, 979767
> 
> [User impact if declined]:
> Prevent crash by buffer overflow
> 
> [Describe test coverage new/current, TBPL]:
> Demo Wallet app
> 
> [Risks and why]: 
> No
> 
> [String/UUID change made/needed]:
> No

Do we have any automation tests for this ?
Flags: needinfo?(allstars.chh)
(In reply to bhavana bajaj [:bajaj] from comment #17)
> > Approval Request Comment
> > [Feature/regressing bug #]:
> > 933588, 979767
> > [Describe test coverage new/current, TBPL]:
> > Demo Wallet app
Sorry, should be Marionette-webapi + Demo Wallet app

> > 
> Do we have any automation tests for this ?

For the 'techList' part check (from Bug 933588), marionette-webapi also covers it.
But from the 'origin' (from Bug 979767), there's no automation test yet, so using a demo app to verify this.
Flags: needinfo?(allstars.chh)
(In reply to Yoshi Huang[:allstars.chh] from comment #18)
> (In reply to bhavana bajaj [:bajaj] from comment #17)
> > > Approval Request Comment
> > > [Feature/regressing bug #]:
> > > 933588, 979767
> > > [Describe test coverage new/current, TBPL]:
> > > Demo Wallet app
> Sorry, should be Marionette-webapi + Demo Wallet app
> 
> > > 
> > Do we have any automation tests for this ?
> 
> For the 'techList' part check (from Bug 933588), marionette-webapi also
> covers it.
> But from the 'origin' (from Bug 979767), there's no automation test yet, so
> using a demo app to verify this.

Can you please file a separate bug to add missing automation tests here and check that in ?
Attachment #8483907 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: