Closed
Bug 1269246
Opened 8 years ago
Closed 8 years ago
Possible use-after-free in nsCollationMacUC::AllocateRawSortKey
Categories
(Core :: Internationalization, defect)
Tracking
()
RESOLVED
FIXED
mozilla49
Tracking | Status | |
---|---|---|
firefox49 | --- | fixed |
People
(Reporter: m_kato, Assigned: m_kato)
References
Details
(Keywords: csectype-uaf, sec-other, Whiteboard: [post-critsmash-triage][adv-main49-])
Attachments
(1 file)
2.00 KB,
patch
|
hsivonen
:
review+
|
Details | Diff | Splinter Review |
https://dxr.mozilla.org/mozilla-central/rev/1461a4071341c282afcf7b72e33036412d2251d4/intl/locale/mac/nsCollationMacUC.cpp#178 NS_IMETHODIMP nsCollationMacUC::AllocateRawSortKey(int32_t strength, const nsAString& stringIn, uint8_t** key, uint32_t* outLen) ... const UChar* str = (const UChar*)PromiseFlatString(stringIn).get(); int32_t keyLength = ucol_getSortKey(mCollatorICU, str, stringInLen, nullptr, 0); str is already free when using it at ucol_getSortKey if stringIn isn't null-terminated string.
Assignee | ||
Comment 1•8 years ago
|
||
I believe that this isn't critical because AllocateRawSortKey isn't scriptable and this method is used on xpath only (xpath uses nsString that is null-terminated)
Assignee | ||
Comment 2•8 years ago
|
||
1045958
Assignee | ||
Comment 3•8 years ago
|
||
Unnecessary to use PromiseFlatString. ICU don't require null terminated string that has length parameter.
Attachment #8747592 -
Flags: review?(hsivonen)
Assignee | ||
Updated•8 years ago
|
Attachment #8747592 -
Attachment is patch: true
Updated•8 years ago
|
Attachment #8747592 -
Flags: review?(hsivonen) → review+
Updated•8 years ago
|
Group: core-security → dom-core-security
Updated•8 years ago
|
Summary: Possible use-after-tree in nsCollationMacUC::AllocateRawSortKey → Possible use-after-free in nsCollationMacUC::AllocateRawSortKey
Comment 4•8 years ago
|
||
It sounds like this is not a danger right now, so I'm going to mark it sec-other.
Keywords: sec-other
Assignee | ||
Comment 5•8 years ago
|
||
Comment on attachment 8747592 [details] [diff] [review] Remove unnecessary PromiseFlatString. r?hsivonen [Security approval request comment] How easily could an exploit be constructed based on the patch? This is possible use-after-free. But this interface doesn't export to extensions and web, so I think that attacker cannot create exploit code via this issue. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? This code causes possible use-after-free. const UChar* str = (const UChar*)PromiseFlatString(stringIn).get(); It means { PromiseFlatString nullstr(stringIn); const UChar* str = (const UChar*)nullstr.get(); } ... If stringIn isn't null terminated nsAString, it causes use-after-free. But This method uses from XPath only now, then it uses nsString that is null-terminated. So use-after-free won't occur on real situation. Which older supported branches are affected by this flaw? This code is from bug 1045958. So all branches has this bug. If not all supported branches, which bug introduced the flaw? Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Yet. But we can port this to branches by same patch. How likely is this patch to cause regressions; how much testing does it need? Too low. This code is used for XPath only. xpath's test code covers this.
Attachment #8747592 -
Flags: sec-approval?
Comment 6•8 years ago
|
||
This is a sec-other, which doesn't need sec-approval to go in. Is there a specific reason you're asking for sec-approval? https://wiki.mozilla.org/Security/Bug_Approval_Process
Flags: needinfo?(m_kato)
Assignee | ||
Comment 7•8 years ago
|
||
(In reply to Al Billings [:abillings] from comment #6) > This is a sec-other, which doesn't need sec-approval to go in. Is there a > specific reason you're asking for sec-approval? > > https://wiki.mozilla.org/Security/Bug_Approval_Process Ah, OK, This is no reason for sec-approval.
Flags: needinfo?(m_kato)
Assignee | ||
Updated•8 years ago
|
Attachment #8747592 -
Flags: sec-approval?
Assignee | ||
Comment 8•8 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/b521ea59645deecc4befae3ad58f9ec6f3558147
Comment 9•8 years ago
|
||
https://bugzilla.mozilla.org/show_bug.cgi?id=1269246
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
Updated•8 years ago
|
Group: dom-core-security → core-security-release
Updated•8 years ago
|
Whiteboard: [post-critsmash-triage]
Updated•8 years ago
|
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main49-]
Updated•7 years ago
|
Group: core-security-release
Updated•7 years ago
|
Keywords: csectype-uaf
You need to log in
before you can comment on or make changes to this bug.
Description
•