Closed
Bug 1168959
(CVE-2015-4517)
Opened 9 years ago
Closed 9 years ago
Memory-safety bugs in NetworkUtils.cpp generally
Categories
(Firefox OS Graveyard :: Wifi, defect)
Firefox OS Graveyard
Wifi
Tracking
(firefox39 wontfix, firefox40 wontfix, firefox41 fixed, b2g-v2.0 wontfix, b2g-v2.0M wontfix, b2g-v2.1 wontfix, b2g-v2.1S wontfix, b2g-v2.2 fixed, b2g-master fixed)
People
(Reporter: q1, Assigned: dimi)
References
Details
(Keywords: csectype-bounds, reporter-external, sec-moderate, Whiteboard: [b2g-adv-main2.2?][post-critsmash-triage][adv-main41+])
Attachments
(1 file, 1 obsolete file)
37.76 KB,
patch
|
dimi
:
review+
jocheng
:
approval-mozilla-b2g37+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (Windows; rv:***) Gecko/20100101 Firefox/**.*
Build ID: 20150305021524
Steps to reproduce:
38.0.1\dom\system\gonk\NetworkUtils.cpp has several memory-safety bugs resulting from the use of snprintf. The problem is that it assumes that snprintf always null-terminates the stack-based destination string. This is not, however, guaranteed unless the result string length is < the specified character count, and, of course, automatic variables are generally uninitialized, so the result string won't be null-terminated by default.
There are 3 good examples of this bug in NetworkUtils::setAccessPoint, and several others throughout the module.
If any of the strings used as input to snprintf are under external control, this bug could cause the disclosure of sensitive information and/or allow an attacker to corrupt Firefox's address space and/or send attacker-designated network commands and/or allow execution of attacker-chosen code.
I've found other instances of this bug:
38.0.1\dom\camera\GonkCameraHwMgr.cpp:
GonkCameraHardware::Init line 173 will create an unterminated string if the decimal representation of mCameraId (a uint32_t) is >= 6, and then line 174 will pass it to the Android OS function __system_property_get, with unpredictable results.
38.0.1\dom\wifi\WifiUtils.cpp:
do_wifi_command potentially creates and sends to OS an unterminated string.
Really snprintf should be replaced app-wide with a variant that always null-terminates the resulting string, and that throws or returns status if the string was truncated.
Updated•9 years ago
|
Component: Untriaged → Networking
Flags: sec-bounty?
Product: Firefox → Core
Updated•9 years ago
|
Component: Networking → Wifi
Flags: needinfo?(dlee)
Product: Core → Firefox OS
Version: 38 Branch → unspecified
Comment 2•9 years ago
|
||
(In reply to q1 from comment #1)
> Really snprintf should be replaced app-wide with a variant that always
> null-terminates the resulting string, and that throws or returns status if
> the string was truncated.
We have one of those in NSPR, PL_strncpy(), and at one point people went through and converted all of the PL_ calls to ones that didn't require NSPR :-(
Assignee | ||
Comment 3•9 years ago
|
||
In this patch I use PR_snprintf to replace snprintf because PR_snprintf will handle null-terminated string.
I only update files I am familiar with, including NetworkUtils.cpp & WifiUtils.cpp
Flags: needinfo?(dlee)
Attachment #8614580 -
Flags: feedback?(mcmanus)
Comment 4•9 years ago
|
||
Comment on attachment 8614580 [details] [diff] [review]
Patch v1 - use PR_snprintf replace snprintf
Review of attachment 8614580 [details] [diff] [review]:
-----------------------------------------------------------------
sounds reasonable enough at first glance, but I think you need a gonk peer (this isn't platform code) to comment on how they feel about more nspr calls in their code.
Attachment #8614580 -
Flags: feedback?(mcmanus)
Assignee | ||
Updated•9 years ago
|
Assignee: nobody → dlee
Assignee | ||
Comment 5•9 years ago
|
||
Comment on attachment 8614580 [details] [diff] [review]
Patch v1 - use PR_snprintf replace snprintf
Review of attachment 8614580 [details] [diff] [review]:
-----------------------------------------------------------------
Hi Michael,
As Patrick suggested in comment 4, could you help review this patch ? Thanks!
Attachment #8614580 -
Flags: review?(mwu)
Comment 6•9 years ago
|
||
Comment on attachment 8614580 [details] [diff] [review]
Patch v1 - use PR_snprintf replace snprintf
Review of attachment 8614580 [details] [diff] [review]:
-----------------------------------------------------------------
Fabrice probably knows this code better than I do.
I think in general we like to avoid dependencies on NSPR and switch to XPCOM or MFBT things. nsTextFormatter provides a snprintf impl. No idea if it behaves better than normal snprintf though.
Attachment #8614580 -
Flags: review?(mwu) → review?(fabrice)
Comment 7•9 years ago
|
||
Comment on attachment 8614580 [details] [diff] [review]
Patch v1 - use PR_snprintf replace snprintf
Review of attachment 8614580 [details] [diff] [review]:
-----------------------------------------------------------------
Please use nsTextFormatter.snprintf instead. It guarantees null termination and error checking.
Attachment #8614580 -
Flags: review?(fabrice) → review-
Assignee | ||
Comment 8•9 years ago
|
||
Hi Fabrice,
nsTextFormatter::snprintf takes char16_t as input, but NetworkUtils.cpp use char for most cases, do you suggest use nsTextFormatter::snprintf and then convert char16_t to char8_t or there is other better option other than nsTextFormatter::snprintf ?
Flags: needinfo?(fabrice)
Comment 9•9 years ago
|
||
Hm, yeah that's annoying. The mfbt one is just a fix for windows, so doesn't help us there, and most of our code (including in dom/) uses PR_snprintf.
Flags: needinfo?(fabrice)
Comment 10•9 years ago
|
||
Comment on attachment 8614580 [details] [diff] [review]
Patch v1 - use PR_snprintf replace snprintf
Review of attachment 8614580 [details] [diff] [review]:
-----------------------------------------------------------------
Let's go with that then.
Attachment #8614580 -
Flags: review- → review+
Assignee | ||
Comment 11•9 years ago
|
||
Rebased to latest code
Attachment #8614580 -
Attachment is obsolete: true
Attachment #8616550 -
Flags: review+
Assignee | ||
Comment 12•9 years ago
|
||
Assignee | ||
Updated•9 years ago
|
Keywords: checkin-needed
Comment 13•9 years ago
|
||
At a minimum, this needs a security rating before it can land. Beyond that, it may also require additional approvals depending the severity and branches affected. See the link below:
https://wiki.mozilla.org/Security/Bug_Approval_Process
Keywords: checkin-needed
Assignee | ||
Comment 14•9 years ago
|
||
Comment on attachment 8616550 [details] [diff] [review]
Patch v2
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
I am not security expert so not pretty sure about this. Some of these 'snprintf' fixed in this patch are used internally by gecko so it should be fine, but in some cases data is read from android property system.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No.
Which older supported branches are affected by this flaw?
b2g version after 1.3
If not all supported branches, which bug introduced the flaw?
bug 864931
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
I think it will be straightforward
How likely is this patch to cause regressions; how much testing does it need?
This solution is straightforward, just replace snprintf by PR_snprintf so it unlikely cause regression. I have run Wifi emulator testcases locally and tests are passed
Attachment #8616550 -
Flags: sec-approval?
Comment 15•9 years ago
|
||
(In reply to Dimi Lee[:dimi][:dlee] from comment #3)
> I only update files I am familiar with, including NetworkUtils.cpp &
> WifiUtils.cpp
Not patching code you're not comfortable in is fine, but black-holing part of a security bug isn't. As the assignee for this bug if you're not going to patch part of it you need to make sure that part is passed along to someone else so it doesn't get lost. (Actually that should be tru for multi-symptom non-security bugs, too). For instance, you could clone this bug into a security bug in the Camera component and make this bug "depend on" that new one. The the security team will search for an appropriate owner of the new bug.
Comment 16•9 years ago
|
||
Confirming, the presence of the patch clearly proves we agree there's a problem here.
I'm tempted to call this sec-low because I'm dubious wifi protocols support fields long enough to add up to overflowing a 4K MAX_COMMAND_SIZE buffer. The ones using the SSID might get that from user input but we're not that worried about self-hacking (Mozilla is all about hacking your own stuff). Still, the potential for creating unterminated strings and reading extra Heartbleed-style is there should something be that long, and I don't know wifi protocol details enough to be sure so we'll go with sec-moderate.
Comment 17•9 years ago
|
||
Comment on attachment 8616550 [details] [diff] [review]
Patch v2
Clearing sec-approval? on the patch since sec-moderate issues do not require sec-approval+
Attachment #8616550 -
Flags: sec-approval?
Assignee | ||
Comment 18•9 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #15)
> (In reply to Dimi Lee[:dimi][:dlee] from comment #3)
> > I only update files I am familiar with, including NetworkUtils.cpp &
> > WifiUtils.cpp
>
> Not patching code you're not comfortable in is fine, but black-holing part
> of a security bug isn't. As the assignee for this bug if you're not going to
> patch part of it you need to make sure that part is passed along to someone
> else so it doesn't get lost. (Actually that should be tru for multi-symptom
> non-security bugs, too). For instance, you could clone this bug into a
> security bug in the Camera component and make this bug "depend on" that new
> one. The the security team will search for an appropriate owner of the new
> bug.
create Bug 1173640 for Camera component
Comment 19•9 years ago
|
||
Thanks!
Assignee | ||
Updated•9 years ago
|
Keywords: checkin-needed
Comment 20•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/13f5dda0175b
Does this affect older B2G releases too?
status-b2g-v2.2:
--- → ?
status-b2g-master:
--- → affected
Flags: needinfo?(dlee)
Keywords: checkin-needed
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox41:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 2.2 S14 (12june)
Updated•9 years ago
|
Flags: sec-bounty? → sec-bounty+
Assignee | ||
Comment 22•9 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #20)
> https://hg.mozilla.org/integration/mozilla-inbound/rev/13f5dda0175b
>
> Does this affect older B2G releases too?
Sorry for late reply.
Yes, as mentioned in Comment 14, this also affect B2G release after 1.3 (1.3 not included)
Flags: needinfo?(dlee)
Comment 23•9 years ago
|
||
Josh, how far back do you want to take this?
status-b2g-v2.0:
--- → affected
status-b2g-v2.0M:
--- → affected
status-b2g-v2.1:
--- → affected
status-b2g-v2.1S:
--- → affected
status-b2g-v2.5:
--- → fixed
status-firefox39:
--- → wontfix
status-firefox40:
--- → wontfix
Flags: needinfo?(jocheng)
Comment 24•9 years ago
|
||
Hi Ryan,
Let's just uplift to b2g-37 for this issue as no plan for 2.0/2.1 device now.
Thanks!
Flags: needinfo?(jocheng)
Updated•9 years ago
|
Flags: needinfo?(ryanvm)
Comment 25•9 years ago
|
||
Comment on attachment 8616550 [details] [diff] [review]
Patch v2
NOTE: Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings.
[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 864931
User impact if declined: possibly sec issues
Testing completed: On master for nearly 3 weeks now without any known regressions
Risk to taking this patch (and alternatives if risky): Per comment 14, low-risk
String or UUID changes made by this patch: None
Flags: needinfo?(ryanvm)
Attachment #8616550 -
Flags: approval-mozilla-b2g37?
Updated•9 years ago
|
Comment 26•9 years ago
|
||
Updated•9 years ago
|
Attachment #8616550 -
Flags: approval-mozilla-b2g37? → approval-mozilla-b2g37+
Comment 27•9 years ago
|
||
Ryan, has the patch made it into the 2.2 release?
Flags: needinfo?(ryanvm)
Whiteboard: [b2g-adv-main2.2?]
Comment 28•9 years ago
|
||
Comment 26 right above yours and status-b2g-v2.2: fixed say that it did.
Flags: needinfo?(ryanvm)
Updated•9 years ago
|
Whiteboard: [b2g-adv-main2.2?] → [b2g-adv-main2.2?][post-critsmash-triage]
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•9 years ago
|
Whiteboard: [b2g-adv-main2.2?][post-critsmash-triage] → [b2g-adv-main2.2?][post-critsmash-triage][adv-main41+]
Updated•9 years ago
|
Alias: CVE-2015-4517
Comment 29•9 years ago
|
||
removing the b2g 2.5 flag since this commit has been reverted due to an incorrect merge, sorry for the confusion
status-b2g-v2.5:
fixed → ---
Updated•8 years ago
|
Group: core-security-release
Updated•4 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•