Closed
Bug 1342730
Opened 7 years ago
Closed 7 years ago
MIPS cpu detection code in libyuv is buggy
Categories
(Core :: Graphics, defect)
Tracking
()
RESOLVED
FIXED
mozilla54
Release | Tracking | Status |
---|---|---|
firefox-esr45 | --- | unaffected |
firefox52 | --- | unaffected |
firefox-esr52 | --- | unaffected |
firefox53 | --- | unaffected |
firefox54 | --- | fixed |
People
(Reporter: jesup, Assigned: jesup)
References
Details
(Keywords: csectype-nullptr, csectype-uaf, sec-moderate)
Attachments
(1 file, 1 obsolete file)
3.39 KB, patch | sotaro: review+
Caused by the libyuv import in bug 1341543.

While it's possible that no real MIPS CPU Firefox runs on would trigger it, the cpu_id code in libyuv has a bug that can cause null derefs or a UAF. These only apply if the CPU does not support either MSA or DSPR2. It opens /proc/cpuinfo, and then fgets() from it. It will null-deref if the file doesn't open, and the default ASE doesn't include MSA or DSPR2. It will UAF if the file opens, and the ASEs implemented line doesn't include MSA or DSPR2.
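An added example, not part of the bug report and not libyuv's or Mozilla's code: a C version of a /proc/cpuinfo ASE lookup structured so that neither failure mode described above can occur, with the stream checked before the first read and closed exactly once after the last. The function names, flag values, whole-word match and the choice to report no capability when the file cannot be opened are assumptions.

```c
#include <stdio.h>
#include <string.h>

enum { CAP_MSA = 1, CAP_DSPR2 = 2 };  /* hypothetical flag values */
/* Returns 1 if `ase` appears in `line` as a whole delimited word. */
static int line_has_ase(const char *line, const char *ase) {
    size_t len = strlen(ase);
    const char *p = line;
    if (len == 0) return 0;
    while ((p = strstr(p, ase)) != NULL) {
        char before = (p == line) ? ' ' : p[-1];
        char after = p[len];
        if ((before == ' ' || before == '\t' || before == ':') &&
            (after == ' ' || after == '\n' || after == '\0'))
            return 1;
        p += len;
    }
    return 0;
}

/* Returns `flag` if the "ASEs implemented" line in `path` lists `ase`, else 0.
 * Assumption: an unreadable file is treated as "feature absent". */
int mips_ase_cap(const char *path, const char *ase, int flag) {
    char line[512];
    int caps = 0;
    FILE *f = fopen(path, "r");
    if (f == NULL) return 0;    /* never hand a NULL stream to fgets() */
    while (fgets(line, sizeof line, f) != NULL) {
        if (strncmp(line, "ASEs implemented", 16) == 0) {
            if (line_has_ase(line, ase)) caps = flag;
            break;              /* stop reading; the close happens below */
        }
    }
    fclose(f);                  /* single close, after the last read */
    return caps;
}

int main(void) {
    /* Constructed sample, not taken from a real device. */
    const char *path = "cpuinfo_sample.txt";
    FILE *out = fopen(path, "w");
    if (out == NULL) return 1;
    fputs("cpu model\t: constructed\nASEs implemented\t: mips16 dspr2\n", out);
    fclose(out);
    printf("dspr2=%d msa=%d missing=%d\n", mips_ase_cap(path, "dspr2", CAP_DSPR2),
           mips_ase_cap(path, "msa", CAP_MSA), mips_ase_cap("no_such_file", "msa", CAP_MSA));
    remove(path);
    return 0;
}
```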
Comment 1 • 7 years ago (Assignee)
MozReview-Commit-ID: 2EwQHcN8gfF
Attachment #8841297 - Flags: review?(sotaro.ikeda.g)
Comment 2 • 7 years ago (Assignee)
MozReview-Commit-ID: 2EwQHcN8gfF
Attachment #8841298 - Flags: review?(sotaro.ikeda.g)
Updated • 7 years ago (Assignee)
Attachment #8841297 - Attachment is obsolete: true
Attachment #8841297 - Flags: review?(sotaro.ikeda.g)
Comment 3 • 7 years ago (Assignee)
https://bugs.chromium.org/p/libyuv/issues/detail?id=687
There's no way for external people to submit hidden sec issues ...
Updated • 7 years ago
Attachment #8841298 - Flags: review?(sotaro.ikeda.g) → review+
Comment 4 • 7 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/f29dad38621ed4462b4416ffa090d25e9c017cde
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Comment 5 • 7 years ago
https://hg.mozilla.org/mozilla-central/rev/f29dad38621e
status-firefox54: --- → fixed
Target Milestone: --- → mozilla54
Updated • 7 years ago
status-firefox52: --- → unaffected
status-firefox53: --- → unaffected
status-firefox-esr45: --- → unaffected
status-firefox-esr52: --- → unaffected
Updated • 7 years ago
Group: core-security → core-security-release
Updated • 7 years ago
Group: core-security-release