Closed Bug 1342730 Opened 3 years ago Closed 3 years ago

MIPS cpu detection code in libyuv is buggy

Categories

(Core :: Graphics, defect)

52 Branch
defect
Not set

Tracking

RESOLVED FIXED
mozilla54
Tracking Status
firefox-esr45 --- unaffected
firefox52 --- unaffected
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 --- fixed

People

(Reporter: jesup, Assigned: jesup)

Details

(Keywords: csectype-nullptr, csectype-uaf, sec-moderate)

Attachments

(1 file, 1 obsolete file)

Caused by the libyuv import in bug 1341543

While it's possible that no real MIPS CPU Firefox runs on would trigger it, the cpu_id code in libyuv has a bug that can cause null derefs or a UAF.  These only apply if the CPU does not support either MSA or DSPR2.

It opens /proc/cpuinfo, and then fgets() from it.  It will null-deref if the file doesn't open, and the default ASE doesn't include MSA or DSPR2.  It will UAF if the file opens, and the ASEs implemented line doesn't include MSA or DSPR2.
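An added example, not libyuv's code and not the patch attached to this bug: a reader for the "ASEs implemented" line with the stream lifetime handled so that neither failure described above can occur. The function names, flag values and the fallback parameter are hypothetical, and the sample file content is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical flag values for this example, not libyuv's constants. */
enum { CAP_MSA = 1, CAP_DSPR2 = 2 };

/* Returns cap if the "ASEs implemented" line of the file at path lists the
 * token ase (e.g. "msa"), 0 if it does not, and fallback (the caller's
 * default) if the file cannot be opened. */
int mips_ase_cap(const char* path, const char* ase, int cap, int fallback) {
  char line[512];
  size_t len = strlen(ase);
  int found = 0;
  FILE* f;
  if (len == 0) return 0;
  f = fopen(path, "r");
  if (!f) return fallback; /* a NULL stream never reaches fgets() */
  while (!found && fgets(line, sizeof(line), f)) {
    char* p;
    if (strncmp(line, "ASEs implemented", 16) != 0) continue;
    /* Whole-token match, so "msa" does not match "msa2". */
    for (p = strstr(line, ase); p && !found; p = strstr(p + 1, ase)) {
      char before = (p == line) ? ' ' : p[-1];
      char after = p[len];
      found = (before == ' ' || before == '\t' || before == ':') &&
              (after == ' ' || after == '\n' || after == '\0');
    }
  }
  fclose(f); /* closed exactly once, after the last read */
  return found ? cap : 0;
}

/* Writes constructed sample content to path; returns 0 on success. */
int write_sample(const char* path, const char* text) {
  FILE* f = fopen(path, "w");
  if (!f) return -1;
  if (fputs(text, f) < 0) { fclose(f); return -1; }
  return fclose(f);
}

int main(void) {
  const char* path = "cpuinfo_sample.txt"; /* constructed stand-in file */
  write_sample(path, "ASEs implemented\t: mips16 dsp\n");
  printf("msa=%d unreadable=%d\n", mips_ase_cap(path, "msa", CAP_MSA, 0),
         mips_ase_cap("no_such_dir/cpuinfo", "msa", CAP_MSA, CAP_MSA));
  remove(path);
  return 0;
}
```

Both cases from the report are exercised: a file that cannot be opened, and a file whose ASE line lists neither MSA nor DSPR2.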
Attached patch clean up MipsCpuCaps (obsolete) — Splinter Review
MozReview-Commit-ID: 2EwQHcN8gfF
Attachment #8841297 - Flags: review?(sotaro.ikeda.g)
MozReview-Commit-ID: 2EwQHcN8gfF
Attachment #8841298 - Flags: review?(sotaro.ikeda.g)
Attachment #8841297 - Attachment is obsolete: true
Attachment #8841297 - Flags: review?(sotaro.ikeda.g)
https://bugs.chromium.org/p/libyuv/issues/detail?id=687
There's no way for external people to submit hidden sec issues ...
Attachment #8841298 - Flags: review?(sotaro.ikeda.g) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/f29dad38621ed4462b4416ffa090d25e9c017cde
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Group: core-security → core-security-release
Group: core-security-release