Open Bug 1216830 Opened 9 years ago Updated 2 years ago

Possible OOB read in |nsCSPContext::GetAllowsInline| when logging is enabled

Categories: Core :: DOM: Security, defect, P3

Tracking Status: firefox44 --- affected

People: Reporter: erahm, Unassigned

References: Blocks 2 open bugs

Details: Keywords: coverity; Whiteboard: [CID 1324688], [domsecurity-backlog2]

Coverity indicates that |nsCSPContext::GetAllowsInline| can trigger an OOB read [1] in |nsCSPPolicy::allows| [2] when logging by calling |CSP_EnumToKeyword| [3] with the type |CSP_HASH|.

Details are provided about CSP_HASH being treated differently [4], and we can see where this has [5] and has not [6,7,8,9,10] been worked around previously.

As this is only exposed when the CSP logger is enabled, this should have minimal impact on end users.

[1] https://dxr.mozilla.org/mozilla-central/rev/f7b746b4e91307448cb0746a41f677bfc23908b0/dom/security/nsCSPUtils.h#146
[2] https://dxr.mozilla.org/mozilla-central/rev/f7b746b4e91307448cb0746a41f677bfc23908b0/dom/security/nsCSPContext.cpp#
[3] https://dxr.mozilla.org/mozilla-central/rev/f7b746b4e91307448cb0746a41f677bfc23908b0/dom/security/nsCSPUtils.cpp#1036-1037
[4] https://dxr.mozilla.org/mozilla-central/rev/f7b746b4e91307448cb0746a41f677bfc23908b0/dom/security/nsCSPUtils.h#125-128,137,143-145
[5] https://dxr.mozilla.org/mozilla-central/rev/f7b746b4e91307448cb0746a41f677bfc23908b0/dom/security/nsCSPUtils.cpp#343
[6] https://dxr.mozilla.org/mozilla-central/rev/f7b746b4e91307448cb0746a41f677bfc23908b0/dom/security/nsCSPUtils.cpp#597
[7] https://dxr.mozilla.org/mozilla-central/rev/f7b746b4e91307448cb0746a41f677bfc23908b0/dom/security/nsCSPUtils.cpp#657
[8] https://dxr.mozilla.org/mozilla-central/rev/f7b746b4e91307448cb0746a41f677bfc23908b0/dom/security/nsCSPUtils.cpp#691
[9] https://dxr.mozilla.org/mozilla-central/rev/f7b746b4e91307448cb0746a41f677bfc23908b0/dom/security/nsCSPUtils.cpp#790
[10] https://dxr.mozilla.org/mozilla-central/rev/f7b746b4e91307448cb0746a41f677bfc23908b0/dom/security/nsCSPUtils.cpp#1037
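The pattern this report describes, modelled as an added C++ example (this is not Firefox's code): a hypothetical CSPKeyword enum whose special CSP_HASH value sits past the last real keyword and so has no entry in the enum-indexed keyword table. A static_assert keeps the table and the enum in sync, but it cannot stop a caller from indexing with CSP_HASH at run time, so the lookup bails out early on any out-of-range value and the logging helper handles hash sources explicitly. The enum members, table strings and function names are assumptions for illustration.

```cpp
#include <array>
#include <cstddef>
#include <iostream>
#include <string>
#include <string_view>

// Constructed model of an enum-indexed keyword table. The member names and
// strings are assumptions for this example, not Firefox's definitions.
enum CSPKeyword {
  CSP_SELF = 0,
  CSP_UNSAFE_INLINE,
  CSP_UNSAFE_EVAL,
  CSP_NONE,
  CSP_NONCE,
  // Count of real keywords; also the size of the keyword table.
  CSP_LAST_KEYWORD_VALUE,
  // Hash sources are not fixed keywords, so CSP_HASH deliberately has no
  // table entry. Indexing the table with it would read one element past the end.
  CSP_HASH
};

// One string per real keyword. The static_assert ties the table size to the
// enum, but it says nothing about which values callers pass at run time.
static constexpr std::array<std::string_view, CSP_LAST_KEYWORD_VALUE>
    kCSPKeywords = {"'self'", "'unsafe-inline'", "'unsafe-eval'", "'none'",
                    "'nonce-"};
static_assert(kCSPKeywords.size() == CSP_LAST_KEYWORD_VALUE,
              "keyword table and CSPKeyword enum are out of sync");

// Bounds-checked lookup (hypothetical name): bails out early for CSP_HASH or
// any other out-of-range value instead of indexing the table blindly.
constexpr std::string_view CSP_EnumToKeywordChecked(CSPKeyword aKey) {
  const std::size_t idx = static_cast<std::size_t>(aKey);
  if (idx >= kCSPKeywords.size()) {
    return "<unknown-keyword>";  // safe placeholder for log output
  }
  return kCSPKeywords[idx];
}

// Logging helper of the kind a violation-reporting path needs. Hash-based
// checks reach the same code as keyword checks, so it must treat CSP_HASH as
// a distinct case rather than as a table index.
std::string DescribeSourceForLog(CSPKeyword aKey, std::string_view aValue) {
  if (aKey == CSP_HASH) {
    return "hash-source " + std::string(aValue);
  }
  std::string out(CSP_EnumToKeywordChecked(aKey));
  if (aKey == CSP_NONCE) {
    out += std::string(aValue) + "'";  // complete the 'nonce-<value>' form
  }
  return out;
}

int main() {
  std::cout << DescribeSourceForLog(CSP_SELF, "") << '\n';
  std::cout << DescribeSourceForLog(CSP_NONCE, "abc123") << '\n';
  std::cout << DescribeSourceForLog(CSP_HASH, "sha256-<constructed>") << '\n';
  // CSP_HASH never reaches the table; the placeholder shows the early bail-out.
  std::cout << CSP_EnumToKeywordChecked(CSP_HASH) << '\n';
  return 0;
}
```

The check costs one comparison on a path that only runs when logging is enabled, and it turns a silent out-of-bounds read into a visible placeholder string in the log, which is the behaviour a reviewer would want from a diagnostics path.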
Thanks Eric, we should look into that and bail out early (not just using the static assert) in those cases.
Whiteboard: [CID 1324688] → [CID 1324688], [domsecurity-backlog]
Priority: -- → P2
Priority: P2 → P3
Whiteboard: [CID 1324688], [domsecurity-backlog] → [CID 1324688], [domsecurity-backlog2]
Severity: normal → S3