Closed
Bug 1240904
Opened 9 years ago
Closed 9 years ago
Infoleak when unserializing type NPString
Categories
(Core Graveyard :: Plug-ins, defect)
Core Graveyard
Plug-ins
Tracking
(firefox47 fixed)
RESOLVED
FIXED
mozilla47
| Tracking | Status | |
|---|---|---|
| firefox47 | --- | fixed |
People
(Reporter: tedd, Assigned: mccr8)
References
Details
(Keywords: sec-audit, Whiteboard: [adv-main47-])
Attachments
(1 file)
|
5.57 KB,
patch
|
mccr8
:
review+
|
Details | Diff | Splinter Review |
When unserializing an NPString object, memory is leaked because two pointers are used backwards when calling memcpy[1].
ReadBytes returns a pointer into the serialized object and this pointer is stored in |messageBuffer|, |newBuffer| is the newly created buffer that is also returned as part of the unserialized object [2].
But the memcpy [1] first copies data from |newBuffer| into |messageBuffer|, which effectively overwrites the serialized data (ReadBytes has a bound check so we can't write past the end of the serialized message)
When |newBuffer| is then returned, its memory is still unitialized and contains whatever was previously in memory there.
As far as the impact is concerned, I haven't found any usage of NPString, according to git blame Ben Turner introduced the code way back in 2009, but the code that used it vanished over the years.
Which leaves the question if this is dead code, or if it is planned to use it later on again.
[1] https://dxr.mozilla.org/mozilla-central/rev/b67316254602a63bf4e568198a5c7d3288a9db27/dom/plugins/ipc/PluginMessageUtils.h#435
[2] https://dxr.mozilla.org/mozilla-central/rev/b67316254602a63bf4e568198a5c7d3288a9db27/dom/plugins/ipc/PluginMessageUtils.h#436
|
||
Updated•9 years ago
|
Group: core-security → dom-core-security
|
||
Comment 1•9 years ago
|
||
The PPluginScriptableObject Variant type uses nsCString, so I doubt that this code is used. If removing it compiles, r=me to do that.
|
Assignee | |
Updated•9 years ago
|
Assignee: nobody → continuation
Component: IPC → Plug-ins
|
|
Assignee | |
Comment 2•9 years ago
|
||
As bsmedberg said, Firefox seems to compile just fine if ParamTraits<NPString> and ParamTraits<NPVariant> are deleted.
|
|
Assignee | |
Comment 3•9 years ago
|
||
I'm going to go ahead and unhide this because it is dead code. Thanks for finding this issue!
Group: dom-core-security
|
|
Assignee | |
Comment 5•9 years ago
|
||
Keywords: checkin-needed
Keywords: checkin-needed
|
||
Comment 7•9 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox47:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
|
|
||
Comment 8•9 years ago
|
||
| bugherder | ||
|
||
Updated•9 years ago
|
Whiteboard: [adv-main47-]
|
||
Updated•3 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•