Closed
Bug 1168938
Opened 9 years ago
Closed 9 years ago
Memory safety bug in NetworkUtils::postTetherInterfaceList
Categories
(Firefox OS Graveyard :: RIL, defect)
Firefox OS Graveyard
RIL
Tracking
(firefox42 fixed, b2g-v2.0 wontfix, b2g-v2.0M wontfix, b2g-v2.1 wontfix, b2g-v2.1S wontfix, b2g-v2.2 wontfix, b2g-master fixed)
RESOLVED
FIXED
FxOS-S2 (10Jul)
People
(Reporter: q1, Assigned: dimi)
References
Details
(Keywords: regression)
Attachments
(1 file, 1 obsolete file)
|
1.27 KB,
patch
|
dimi
:
review+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (Windows; rv:***) Gecko/20100101 Firefox/**.*
Build ID: 20150305021524
Steps to reproduce:
NetworkUtils::postTetherInterfaceList (38.0.1\dom\system\gonk\NetworkUtils.cpp lines 809-11) copies a variable-length string into a fixed-length stack buffer without checking that it fits. If the variable-length string's length can be manipulated by an attacker, this bug could cause a crash and/or execution of attacker-chosen code:
801: void NetworkUtils::postTetherInterfaceList(CommandChain* aChain,
802: CommandCallback aCallback,
803: NetworkResultOptions& aResult)
804: {
805: // Send the dummy command to continue the function chain.
806: char command[MAX_COMMAND_SIZE];
807: snprintf(command, MAX_COMMAND_SIZE - 1, "%s", DUMMY_COMMAND);
808:
809: char buf[BUF_SIZE];
810: NS_ConvertUTF16toUTF8 reason(aResult.mResultReason);
811: memcpy(buf, reason.get(), reason.Length() + 1);
812: ...
|
||
Updated•9 years ago
|
Flags: sec-bounty?
|
|
||
Updated•9 years ago
|
Flags: needinfo?(dveditz)
|
||
Updated•9 years ago
|
Component: Untriaged → RIL
Product: Firefox → Firefox OS
Version: 38 Branch → unspecified
|
|
||
Comment 1•9 years ago
|
||
Fabrice, do you know who might be able to investigate this? Thanks.
Flags: needinfo?(fabrice)
|
Assignee | |
Updated•9 years ago
|
Assignee: nobody → dlee
Flags: needinfo?(dlee)
|
|
Assignee | |
Comment 3•9 years ago
|
||
In this patch I just make sure the length copied will not exceed buf size. If |reason| is somehow too big, it will only be copied partially and error will occur when netd execute it.
Attachment #8628164 -
Flags: review?(fabrice)
(In reply to Dimi Lee[:dimi][:dlee] from comment #3) > Created attachment 8628164 [details] [diff] [review] > Patch v1 > > In this patch I just make sure the length copied will not exceed buf size. > If |reason| is somehow too big, it will only be copied partially and error > will occur when netd execute it. You might also want to fix the snprintf on line 807, which won't terminate command if it truncates.
|
|
Assignee | |
Comment 5•9 years ago
|
||
(In reply to q1 from comment #4) > (In reply to Dimi Lee[:dimi][:dlee] from comment #3) > > Created attachment 8628164 [details] [diff] [review] > > Patch v1 > > > > In this patch I just make sure the length copied will not exceed buf size. > > If |reason| is somehow too big, it will only be copied partially and error > > will occur when netd execute it. > > You might also want to fix the snprintf on line 807, which won't terminate > command if it truncates. This issue is handled in bug 1168959 which using PR_snprintf instead of snprintf
|
||
Comment 6•9 years ago
|
||
Comment on attachment 8628164 [details] [diff] [review] Patch v1 Review of attachment 8628164 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/system/gonk/NetworkUtils.cpp @@ +817,5 @@ > > char buf[BUF_SIZE]; > NS_ConvertUTF16toUTF8 reason(aResult.mResultReason); > + > + uint32_t length = reason.Length() + 1 < BUF_SIZE ? reason.Length() + 1 : BUF_SIZE; nit: use size_t instead of uint32_t
Attachment #8628164 -
Flags: review?(fabrice) → review+
|
|
Assignee | |
Comment 7•9 years ago
|
||
Address nits
Attachment #8628164 -
Attachment is obsolete: true
Attachment #8628737 -
Flags: review+
|
|
Assignee | |
Comment 8•9 years ago
|
||
try : https://treeherder.mozilla.org/#/jobs?repo=try&revision=77a942b4b77e
|
|
Assignee | |
Comment 9•9 years ago
|
||
Comment on attachment 8628737 [details] [diff] [review] Patch v2 [Security approval request comment] How easily could an exploit be constructed based on the patch? Not easy, this security issue requires hack to the netd and fake the return result from previous command of postTetherInterfaceList Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No. Which older supported branches are affected by this flaw? b2g version after 1.3 If not all supported branches, which bug introduced the flaw? bug 864931 Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? I think it will be straightforward How likely is this patch to cause regressions; how much testing does it need? It is hard to cause regression because the solution is quite simple that we just check copied size before doing memory copy.
Attachment #8628737 -
Flags: sec-approval?
|
|
||
Comment 10•9 years ago
|
||
Defense in depth is good, but this appears to be messages we send to ourselves and not something an attacker could send us.
Blocks: 864931
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(dveditz)
Keywords: regression
|
|
||
Comment 11•9 years ago
|
||
Comment on attachment 8628737 [details] [diff] [review] Patch v2 Check in any time, sec-approval not needed.
Attachment #8628737 -
Flags: sec-approval?
|
|
Assignee | |
Updated•9 years ago
|
Keywords: checkin-needed
|
||
Updated•9 years ago
|
Attachment #8628737 -
Attachment is patch: true
|
|
||
Comment 12•9 years ago
|
||
Probably worth getting this on v2.2 given the low risk. Not as sure about v2.1/v2.1s.
status-b2g-v2.0:
--- → wontfix
status-b2g-v2.0M:
--- → wontfix
status-b2g-v2.1:
--- → affected
status-b2g-v2.1S:
--- → affected
status-b2g-v2.2:
--- → affected
status-b2g-master:
--- → affected
|
||
Comment 13•9 years ago
|
||
https://hg.mozilla.org/integration/b2g-inbound/rev/05afb37c7f62
Keywords: checkin-needed
|
|
||
Comment 14•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/05afb37c7f62
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox42:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → FxOS-S2 (10Jul)
|
|
||
Comment 15•9 years ago
|
||
Do you want this backported to any other branches, Josh?
Flags: needinfo?(jocheng)
|
||
Comment 16•9 years ago
|
||
Hi Ryan, It seems the issue is very edge per comment 9 from Dimi. I am fine with not uplift to previous version unless someone have different opinion. Thanks!
Flags: needinfo?(jocheng) → needinfo?(ryanvm)
|
|
||
Updated•9 years ago
|
Flags: needinfo?(ryanvm)
|
||
Comment 17•9 years ago
|
||
Minusing for bounty because this isn't regarded to be a security issue by us since they are internal messages only and can't be used for escalation.
Flags: sec-bounty? → sec-bounty-
You need to log in
before you can comment on or make changes to this bug.
Description
•