Closed Bug 1173640 Opened 9 years ago Closed 6 years ago

Memory-safety bugs in GonkCameraHwMgr.cpp generally

Categories

(Firefox OS Graveyard :: Gaia::Camera, defect)

Type: defect
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: dlee, Unassigned)

References

Details

(Keywords: csectype-bounds, sec-moderate)

User Story

Cloned from a bug about NetworkUtils, this was spun off because the reporter found the same problematic use of snprintf in the camera code. From bug 1168959 comment 1:

   38.0.1\dom\camera\GonkCameraHwMgr.cpp:

   GonkCameraHardware::Init line 173 will create an unterminated string if the decimal
   representation of mCameraId (a uint32_t) is >= 6, and then line 174 will pass it to
   the Android OS function __system_property_get, with unpredictable results.

When you're fixing that location make sure we're not using it elsewhere in that code. It's much easier to switch to a safe implementation like PR_snprintf() than to try to prove to yourself that any given use is "safe" (and then you'd have to leave copious comments containing that proof so everyone after you doesn't have to go through the same exercise).
+++ This bug was initially created as a clone of Bug #1168959 +++

User Agent: Mozilla/5.0 (Windows; rv:***) Gecko/20100101 Firefox/**.*
Build ID: 20150305021524

Steps to reproduce:

38.0.1\dom\system\gonk\NetworkUtils.cpp has several memory-safety bugs resulting from the use of snprintf. The problem is that it assumes that snprintf always null-terminates the stack-based destination string. This is not, however, guaranteed unless the result string length is < the specified character count, and, of course, automatic variables are generally uninitialized, so the result string won't be null-terminated by default.

There are 3 good examples of this bug in NetworkUtils::setAccessPoint, and several others throughout the module.

If any of the strings used as input to snprintf are under external control, this bug could cause the disclosure of sensitive information and/or allow an attacker to corrupt Firefox's address space and/or send attacker-designated network commands and/or allow execution of attacker-chosen code.
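The sizing-and-termination hazard described in both the user story (the decimal `mCameraId` written into a fixed buffer) and the NetworkUtils description above, as an added example: this is not Gecko code and not from the bug's reporters. It shows the check a defender wants at every such call site: size the destination for the worst-case decimal width of a `uint32_t`, treat `snprintf`'s return value as the truncation signal, and never hand a shortened or unverified buffer on to a property or command API. The property prefix `ro.example.cam.`, the buffer sizes and the helper names are constructed for the demonstration. With a C99-conforming `snprintf` the terminator is written whenever the size argument is nonzero; older non-conforming variants such as MSVC's `_snprintf` do not terminate on truncation, which is one more reason to check the result instead of reasoning about each call.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed prefix for the demonstration; not the property name Gecko uses. */
#define PROP_PREFIX "ro.example.cam."

/* Worst case for "<prefix><uint32_t in decimal>": prefix + 10 digits + NUL.
 * sizeof(PROP_PREFIX) already counts the literal's own terminator. */
#define PROP_NAME_MAX (sizeof(PROP_PREFIX) - 1 + 10 + 1)

/* True if buf[0..len) contains a NUL, i.e. a C-string consumer such as a
 * property getter can read it without running past the buffer. */
bool is_nul_terminated(const char *buf, size_t len)
{
    return buf != NULL && memchr(buf, '\0', len) != NULL;
}

/* Hypothetical helper: formats "<prefix><id>" into dst.
 * Returns the length written, or -1 on encoding error or truncation.
 * snprintf returns the length the full string would have had, so
 * n >= dstlen means characters were dropped; dst is cleared on that path
 * so a partial name cannot be used by mistake further down. */
int format_property_name(char *dst, size_t dstlen, const char *prefix, uint32_t id)
{
    if (dst == NULL || dstlen == 0 || prefix == NULL)
        return -1;

    int n = snprintf(dst, dstlen, "%s%" PRIu32, prefix, id);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';
        return -1;
    }
    return n;
}

/* Stand-alone driver: the one-digit buffer fails for a six-digit id, the
 * buffer sized from PROP_NAME_MAX holds the largest possible id. */
int main(void)
{
    char small[sizeof(PROP_PREFIX) + 1];  /* prefix + one digit + NUL */
    char sized[PROP_NAME_MAX];

    int n = format_property_name(small, sizeof small, PROP_PREFIX, 7u);
    printf("small, id=7:      %d (%s)\n", n, small);

    n = format_property_name(small, sizeof small, PROP_PREFIX, 123456u);
    printf("small, id=123456: %d (truncated, buffer cleared)\n", n);

    n = format_property_name(sized, sizeof sized, PROP_PREFIX, UINT32_MAX);
    printf("sized, id=max:    %d (%s)\n", n, sized);
    return 0;
}
```

The two buffer sizes are the point of the comparison: a buffer sized for the common one-digit id silently loses characters as soon as the id grows, and only the return-value check makes that visible; the `PROP_NAME_MAX` buffer removes the case entirely.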
No longer depends on: CVE-2015-4517
User Story: (updated)
Group: core-security → b2g-core-security
FirefoxOS is no longer under active development.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE
Group: b2g-core-security