Closed Bug 1134088 Opened 5 years ago Closed 5 years ago

Possible use-after-free by bug 933588

Categories

(Firefox OS Graveyard :: NFC, defect)

All
Gonk (Firefox OS)
defect
Not set

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: m_kato, Assigned: allstars.chh)

References

Details

(Keywords: sec-moderate)

http://mxr.mozilla.org/mozilla-central/source/dom/nfc/gonk/NfcMessageHandler.cpp?mark=44-44#44

44   const char* type = NS_ConvertUTF16toUTF8(aOptions.mType).get();
45 
46   if (!strcmp(type, kChangeRFStateRequest)) {
47     result = ChangeRFStateRequest(aParcel, aOptions);

This code is a possible use-after-free.

This code means:

const char* type;
{
  NS_ConvertUTF16toUTF8 utf8Type(aOptions.mType);
  type = utf8Type.get();
}

if (!strcmp(type, kChangeRFStateRequest)) {
...


So this becomes a possible use-after-free.  type is already freed when it is used.
This is probably hard to exploit given the tight timing, but yeah, this is a UAF and potentially exploitable if things are going on in other threads that affect allocations.
Assignee: nobody → allstars.chh
Keywords: sec-moderate
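The lifetime problem described in comment 0, as an added stand-alone example (not code from this bug or from mozilla-central). ScopedUtf16ToUtf8 is a stand-in written for this example that mimics the relevant behaviour of NS_ConvertUTF16toUTF8 (owns a narrow buffer, get() returns a raw pointer into it) and additionally flips a caller-supplied flag in its destructor so the moment the buffer dies is observable without dereferencing a dangling pointer; the conversion is simplified to ASCII narrowing, and the request-name constants are hypothetical placeholders for the ones in NfcMessageHandler.cpp.

```cpp
#include <cstring>
#include <string>

// Stand-in for NS_ConvertUTF16toUTF8 written for this example (assumption:
// not Mozilla's class). It owns a narrow copy of the input and hands out a raw
// pointer into that buffer via get(). The destructor sets a caller-supplied
// flag so the test can observe *when* the buffer is destroyed.
// Conversion is simplified to ASCII narrowing (assumption: request names are
// plain ASCII).
class ScopedUtf16ToUtf8 {
public:
    ScopedUtf16ToUtf8(const std::u16string& aInput, bool* aDestroyedFlag)
        : mDestroyed(aDestroyedFlag) {
        mBuf.reserve(aInput.size());
        for (char16_t c : aInput) {
            mBuf.push_back(c < 0x80 ? static_cast<char>(c) : '?');
        }
    }
    ~ScopedUtf16ToUtf8() {
        if (mDestroyed) *mDestroyed = true;
    }
    const char* get() const { return mBuf.c_str(); }

private:
    std::string mBuf;
    bool* mDestroyed;
};

// Hypothetical request names (assumption); the real constants live in
// dom/nfc/gonk/NfcMessageHandler.cpp.
static const char kChangeRFStateRequest[] = "changeRFState";
static const char kReadNDEFRequest[] = "readNDEF";

// The pattern from line 44 of the bug: the temporary converter is destroyed
// at the end of the full expression containing `.get()`, so `type` already
// dangles before any strcmp could run. We return the lifetime flag instead of
// touching `type`, which keeps this well-defined while proving the ordering.
bool TemporaryDiesBeforeUse(const std::u16string& aType) {
    bool destroyed = false;
    const char* type = ScopedUtf16ToUtf8(aType, &destroyed).get();
    (void)type;        // dereferencing here would be the use-after-free
    return destroyed;  // true: the buffer behind `type` is already gone
}

// The fix: bind the converter to a named local. It lives until the end of the
// enclosing scope, so every strcmp below reads a buffer that is still alive.
int DispatchRequest(const std::u16string& aType) {
    bool destroyed = false;
    ScopedUtf16ToUtf8 utf8Type(aType, &destroyed);
    const char* type = utf8Type.get();
    if (destroyed) return -1;  // never taken: the named local is still alive
    if (!strcmp(type, kChangeRFStateRequest)) return 1;
    if (!strcmp(type, kReadNDEFRequest)) return 2;
    return 0;  // unknown request
}

int main() {
    bool ok = TemporaryDiesBeforeUse(u"changeRFState") &&
              DispatchRequest(u"changeRFState") == 1;
    return ok ? 0 : 1;
}
```

The named-local form is exactly the expansion comment 0 writes out, minus the extra braces that end its scope too early: keep the NS_ConvertUTF16toUTF8 object itself (not just the pointer from get()) alive for as long as the comparisons run.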
Should be WONTFIX since Bug 1137107 should be landed soon.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
Group: core-security → core-security-release
Group: core-security-release