Closed Bug 1066570 Opened 11 years ago Closed 11 years ago

b2g NFC uninitialized memory bug

Categories

(Firefox OS Graveyard :: NFC, defect)

Product:
Firefox OS Graveyard
Component:
NFC
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(firefox-esr31 unaffected)

Status:
RESOLVED FIXED
Milestone:
2.1 S5 (26sep)
Tracking Flags:
Tracking Status
firefox-esr31 --- unaffected

People

(Reporter: bugcatcherchristopher, Assigned: allstars.chh)

References

Details

(Keywords: sec-low, Whiteboard: [p=1])

Attachments

(1 file, 1 obsolete file)

Patch v2.
1.07 KB, patch
allstars.chh
: review+
Details | Diff | Splinter Review
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0 Build ID: 20140716183446 Steps to reproduce: While auditing the NFC service I came across a potential uninitialized pointer in NfcMessageHandler::GeneralResponse. bool NfcMessageHandler::GeneralResponse(const Parcel& aParcel, EventOptions& aOptions) { const char* type; //type can go uninitalized due to missing default NS_ENSURE_TRUE(!mPendingReqQueue.IsEmpty(), false); int pendingReq = mPendingReqQueue[0]; mPendingReqQueue.RemoveElementAt(0); switch (pendingReq) { case NfcRequest::WriteNDEFReq: type = kWriteNDEFResponse; break; case NfcRequest::MakeReadOnlyNDEFReq: type = kMakeReadOnlyNDEFResponse; break;q case NfcRequest::ConnectReq: type = kConnectResponse; break; case NfcRequest::CloseReq: type = kCloseResponse; break; } Actual results: The switch statement has no default case. If the attacker can send arbitrary NFC messages they could pass over the switch leaving "const char* type" uninitialized. The variable is then accessed here, "aOptions.mType = NS_ConvertUTF8toUTF16(type). Could lead to DoS and maybe info leak? Working on proof of concept... Expected results: The switch statement should have a default case that catches non-existent request types.
Sandip, Ken: Can you help with verifying and triage?
Component: General → NFC
Blocks: 1066595
CCing a few more people from the NFC team. Wesley and Howie, can either you help us get some engineers to verify this?
Yoshi, it's look like you wrote the code, could you have a look at it?
Flags: needinfo?(allstars.chh)
Assignee: nobody → allstars.chh
Blocks: b2g-nfc
Flags: needinfo?(allstars.chh)
Keywords: sec-low
looks like Stephanie is correct. mPendingReqQueue only adds requests on the client side and Marshall() doesn't give any opportunity to add an invalid type. this won't triggerable in real world but may want to add default handling in switch statement just incase an exploitable condition is born later
mPendingReqQueue only adds requests on the server* side
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Comment on attachment 8493533 [details] [diff] [review] Patch Review of attachment 8493533 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/nfc/gonk/NfcMessageHandler.cpp @@ +131,5 @@ > type = kCloseResponse; > break; > + default: > + CHROMIUM_LOG("Nfcd, unknown general response %d", pendingReq); > + return false; Nits. indention
Attachment #8493533 - Flags: review?(dlee) → review+
Whiteboard: [p=1]
Target Milestone: --- → 2.1 S5 (26sep)
Attached patch Patch v2.Splinter Review
nits addressed.
Attachment #8493533 - Attachment is obsolete: true
Attachment #8493666 - Flags: review+
https://hg.mozilla.org/mozilla-central/rev/34247879cf78
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: