Closed
Bug 1173640
Opened 9 years ago
Closed 6 years ago
Memory-safety bugs in GonkCameraHwMgr.cpp generally
Categories
(Firefox OS Graveyard :: Gaia::Camera, defect)
Firefox OS Graveyard
Gaia::Camera
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: dlee, Unassigned)
References
Details
(Keywords: csectype-bounds, sec-moderate)
User Story
Cloned from a bug about NetworkUtils; this was spun off because the reporter found the same problematic use of snprintf in the camera code.

From bug 1168959 comment 1:

38.0.1\dom\camera\GonkCameraHwMgr.cpp: GonkCameraHardware::Init line 173 will create an unterminated string if the decimal representation of mCameraId (a uint32_t) is >= 6, and then line 174 will pass it to the Android OS function __system_property_get, with unpredictable results.

When you're fixing that location make sure we're not using it elsewhere in that code. It's much easier to switch to a safe implementation like PR_snprintf() than to try to prove to yourself that any given use is "safe" (and then you'd have to leave copious comments containing that proof so everyone after you doesn't have to go through the same exercise).
+++ This bug was initially created as a clone of Bug #1168959 +++

User Agent: Mozilla/5.0 (Windows; rv:***) Gecko/20100101 Firefox/**.*
Build ID: 20150305021524

Steps to reproduce:

38.0.1\dom\system\gonk\NetworkUtils.cpp has several memory-safety bugs resulting from the use of snprintf. The problem is that it assumes that snprintf always null-terminates the stack-based destination string. This is not, however, guaranteed unless the result string length is < the specified character count, and, of course, automatic variables are generally uninitialized, so the result string won't be null-terminated by default. There are 3 good examples of this bug in NetworkUtils::setAccessPoint, and several others throughout the module.

If any of the strings used as input to snprintf are under external control, this bug could cause the disclosure of sensitive information and/or allow an attacker to corrupt Firefox's address space and/or send attacker-designated network commands and/or allow execution of attacker-chosen code.
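The pattern the report objects to is formatting an integer id into a fixed-size stack buffer and handing the buffer to a system call without checking whether the output fit. Whatever a given libc does on truncation, the defensive pattern is the same: check snprintf's return value (which is the length the full output would have had) and treat anything >= the buffer size as an error, and write the terminator yourself so no caller ever sees an unterminated buffer. The following C is an added example written for this page, not code from GonkCameraHwMgr.cpp or NetworkUtils.cpp; the property name "camera.%u.example" and the function names fmt_checked and build_camera_key are hypothetical.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes for fmt_checked(). */
enum fmt_result { FMT_OK = 0, FMT_TRUNCATED = -1, FMT_ERROR = -2 };

/*
 * Format into a fixed-size buffer and report whether the output fit.
 * vsnprintf returns the length the complete output would have had, so a
 * value >= dstsz means the result was cut off.  The terminator is written
 * unconditionally so the buffer is a valid C string even on truncation,
 * independent of what the platform's snprintf does in that case.
 */
static enum fmt_result fmt_checked(char *dst, size_t dstsz, const char *fmt, ...)
{
    if (dst == NULL || dstsz == 0)
        return FMT_ERROR;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, dstsz, fmt, ap);
    va_end(ap);
    dst[dstsz - 1] = '\0';              /* force termination regardless of libc */
    if (n < 0)
        return FMT_ERROR;
    if ((size_t)n >= dstsz)
        return FMT_TRUNCATED;           /* did not fit: caller must not use dst */
    return FMT_OK;
}

/* Hypothetical per-camera property key; not the key used by the Gonk code. */
#define CAMERA_KEY_FMT "camera.%u.example"

/*
 * Build the property name for a uint32_t camera id.  Returns FMT_OK only when
 * the whole name fit, so the caller can refuse to query the property instead
 * of passing a truncated or unterminated key to the OS.
 */
static enum fmt_result build_camera_key(uint32_t camera_id, char *out, size_t outsz)
{
    return fmt_checked(out, outsz, CAMERA_KEY_FMT, (unsigned)camera_id);
}

/* Returns 1 when the key for camera_id fits a 32-byte buffer and equals expected. */
static int key_matches(uint32_t camera_id, const char *expected)
{
    char buf[32];
    if (build_camera_key(camera_id, buf, sizeof buf) != FMT_OK)
        return 0;
    return strcmp(buf, expected) == 0;
}

/*
 * Simulates the failure mode from the report: an 8-byte stack buffer, filled
 * with stand-in garbage, that is too small for the key.  Returns 1 when the
 * truncation is reported AND the buffer is still a terminated C string.
 */
static int truncation_is_detected_and_terminated(uint32_t camera_id)
{
    char small[8];
    memset(small, 'X', sizeof small);   /* constructed stand-in for uninitialised stack */
    enum fmt_result r = build_camera_key(camera_id, small, sizeof small);
    return r == FMT_TRUNCATED && memchr(small, '\0', sizeof small) != NULL;
}

int main(void)
{
    char buf[32];
    if (build_camera_key(7, buf, sizeof buf) == FMT_OK)
        printf("key: %s\n", buf);
    printf("largest id fits: %d\n", key_matches(UINT32_MAX, "camera.4294967295.example"));
    printf("small buffer handled: %d\n", truncation_is_detected_and_terminated(123456));
    return 0;
}
```

The 32-byte buffer is sized from the worst case (the 10-digit decimal of UINT32_MAX plus the fixed text and terminator), and the return-value check is what makes that sizing a verified fact rather than a comment someone has to trust.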
Reporter
Comment 1•9 years ago
clone this bug according to https://bugzilla.mozilla.org/show_bug.cgi?id=1168959#c1
Reporter
Updated•9 years ago
No longer depends on: CVE-2015-4517
Reporter
Updated•9 years ago
Blocks: CVE-2015-4517
Updated•9 years ago
User Story: (updated)
Updated•9 years ago
Group: core-security → b2g-core-security
Comment 2•6 years ago
FirefoxOS is no longer under active development.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE
Updated•6 years ago
Group: b2g-core-security