Closed Bug 1343772 Opened 7 years ago Closed 7 years ago

Stack Buffer Overflow [@mozilla::LogModuleManager::Print]

Categories: Core :: XPCOM
Type: defect
Priority: Not set
Severity: critical
Tracking

Status: RESOLVED FIXED
Tracking Status:
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 --- fixed

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: Only if logging enabled (fixed by bug 1341017))

Attachments

(1 file)

Attached file index.html
Stack buffer overflow found via fuzzing.  Testcase requires the "MOZ_LOG=DataChannel:4" environment variable in order to reproduce issue.

==28794==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc882986b0 at pc 0x7fb106b10eda bp 0x7ffc882979b0 sp 0x7ffc882979a8
READ of size 1 at 0x7ffc882986b0 thread T0
    #0 0x7fb106b10ed9 in mozilla::LogModuleManager::Print(char const*, mozilla::LogLevel, char const*, __va_list_tag*) /home/worker/workspace/build/src/xpcom/base/Logging.cpp:379:30
    #1 0x7fb106b0eeb4 in Printv /home/worker/workspace/build/src/xpcom/base/Logging.cpp:565:3
    #2 0x7fb106b0eeb4 in mozilla::detail::log_print(mozilla::LogModule const*, mozilla::LogLevel, char const*, ...) /home/worker/workspace/build/src/xpcom/base/Logging.cpp:62
    #3 0x7fb1079dba2a in mozilla::DataChannelConnection::Open(nsACString_internal const&, nsACString_internal const&, mozilla::DataChannelConnection::Type, bool, unsigned int, mozilla::DataChannelListener*, nsISupports*, bool, unsigned short) /home/worker/workspace/build/src/netwerk/sctp/datachannel/DataChannel.cpp:1952:3
    #4 0x7fb1108d8857 in mozilla::PeerConnectionImpl::CreateDataChannel(nsAString_internal const&, nsAString_internal const&, unsigned short, bool, unsigned short, unsigned short, bool, unsigned short, nsDOMDataChannel**) /home/worker/workspace/build/src/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:1306:17
    #5 0x7fb1108d83e9 in mozilla::PeerConnectionImpl::CreateDataChannel(nsAString_internal const&, nsAString_internal const&, unsigned short, bool, unsigned short, unsigned short, bool, unsigned short, mozilla::ErrorResult&) /home/worker/workspace/build/src/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:1278:8
    #6 0x7fb109e7d8ee in mozilla::dom::PeerConnectionImplBinding::createDataChannel(JSContext*, JS::Handle<JSObject*>, mozilla::PeerConnectionImpl*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/PeerConnectionImplBinding.cpp:1428:48
    #7 0x7fb10b03d787 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2953:13
    #8 0x7fb110b3b43f in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
    #9 0x7fb110b3b43f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448
    #10 0x7fb110b21d60 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:499:12
    #11 0x7fb110b21d60 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2955
    #12 0x7fb110b0708b in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12
    #13 0x7fb110b3b756 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:466:15
    #14 0x7fb110b3be32 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512:10
    #15 0x7fb11150d16c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2878:12
    #16 0x7fb109fb0892 in mozilla::dom::RTCPeerConnectionJSImpl::CreateDataChannel(nsAString_internal const&, mozilla::dom::RTCDataChannelInit const&, mozilla::ErrorResult&, JSCompartment*) /home/worker/workspace/build/src/obj-firefox/dom/bindings/RTCPeerConnectionBinding.cpp:7058:8
...truncated...

Address 0x7ffc882986b0 is located in stack of thread T0 at offset 3312 in frame
    #0 0x7fb106b1054f in mozilla::LogModuleManager::Print(char const*, mozilla::LogLevel, char const*, __va_list_tag*) /home/worker/workspace/build/src/xpcom/base/Logging.cpp:358

  This frame has 6 object(s):
    [32, 2080) 'buf.i'
    [2208, 2248) 'ss.i'
    [2288, 3312) 'buff' <== Memory access at offset 3312 overflows this variable
    [3440, 3464) 'argsCopy'
    [3504, 3544) 'noNameThread'
    [3584, 3624) 'now'
Flags: in-testsuite?
Component: XPCOM → WebRTC: Networking
Group: core-security → media-core-security
Flags: needinfo?(rjesup)
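The frame listing above says everything a triager needs: `buff` is a 1024-byte stack object ([2288, 3312)), and the faulting access is a 1-byte READ at offset 3312, i.e. exactly one byte past its end. The following C program is an added illustration, not Mozilla's Logging.cpp and not a claim about the actual root cause (the bug is only recorded as fixed by bug 1341017): it shows the classic printf-style-logger pattern that produces this exact ASan signature. `vsnprintf()` returns the length the complete output would have had, not how many bytes it stored, so code that uses that number as an index into a fixed-size buffer walks off the end whenever a message is truncated; with an output of exactly 1024 bytes the naive index equals `sizeof buff`, the same one-past-the-end distance the report shows. The `LOG_BUF_SIZE`, the `"%s"` format and the all-'A' label are assumptions chosen for the demonstration.

```c
/* Added illustration, not Mozilla code: how a printf-style logger with a
 * fixed-size stack buffer reads one byte past that buffer when it trusts
 * the vsnprintf() return value as an index. Build with
 *   cc -g -fsanitize=address demo.c
 * and replace the index arithmetic below with a real buff[n] read to get
 * an ASan stack-buffer-overflow report shaped like the one in this bug. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOG_BUF_SIZE 1024   /* assumption: same size as 'buff' [2288, 3312) */

/* printf-style formatting into a caller-supplied buffer; returns the raw
 * vsnprintf() result, which may be larger than cap when output is cut. */
static int format_message(char *buf, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, cap, fmt, ap);
    va_end(ap);
    return n;
}

/* Constructed input: a label of `len` 'A' bytes standing in for a
 * page-controlled string that reaches the logger. Caller frees it. */
static char *make_label(size_t len)
{
    char *s = malloc(len + 1);
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

/* Vulnerable idiom: treats the vsnprintf() result as the terminator's
 * index. It returns the index it would touch instead of dereferencing it,
 * so the hazard can be measured without crashing; buff[n] is out of bounds
 * as soon as n >= sizeof buff. */
size_t naive_index_for_len(size_t len)
{
    char buff[LOG_BUF_SIZE];
    char *label = make_label(len);
    int n = format_message(buff, sizeof buff, "%s", label);
    free(label);
    return n < 0 ? 0 : (size_t)n;
}

/* Hardened idiom: clamp to what vsnprintf() actually stored. Returns the
 * index of the NUL it really wrote, which is always inside the buffer. */
size_t clamped_index_for_len(size_t len)
{
    char buff[LOG_BUF_SIZE];
    char *label = make_label(len);
    int n = format_message(buff, sizeof buff, "%s", label);
    free(label);
    if (n < 0)
        return 0;
    size_t idx = (size_t)n >= sizeof buff ? sizeof buff - 1 : (size_t)n;
    return buff[idx] == '\0' ? idx : 0;   /* verified in bounds and NUL */
}

/* True when indexing a LOG_BUF_SIZE buffer at idx would leave the object. */
int would_overflow(size_t idx)
{
    return idx >= LOG_BUF_SIZE;
}

int main(void)
{
    size_t lens[] = { 16, 1023, 1024, 1500 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size_t naive = naive_index_for_len(lens[i]);
        size_t safe = clamped_index_for_len(lens[i]);
        printf("len=%-4zu naive index %-4zu %-13s clamped index %zu\n",
               lens[i], naive,
               would_overflow(naive) ? "OUT OF BOUNDS" : "ok", safe);
    }
    return 0;
}
```

The len=1024 row is the interesting one: the message is truncated by a single byte, the naive index lands exactly at `sizeof buff`, and a real read there is the 1-byte READ at the end of the object that ASan flagged. The clamped version never indexes past 1023 regardless of input length, which is the check a reviewer should look for in any logger that post-processes a `vsnprintf()` result (scanning for a newline, appending a thread name or timestamp, and so on).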
I'm guessing that the most likely cause is invalid arguments being passed to the log function, rather than a bug in the log function itself, but I could be wrong.
Eric says we have (and are fixing) a known regression in log printing... please recheck when that's fixed or make this depend on that bug.
Flags: needinfo?(jkratzer)
Keywords: sec-moderate
Whiteboard: Only if logging enabled
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Eric says we have (and are fixing) a known regression in log printing...
> please recheck when that's fixed or make this depend on that bug.

I think bug 1341017 should fix this.
Component: WebRTC: Networking → XPCOM
Flags: needinfo?(rjesup)
Was the source of the bug the bug 1060419 landing?
Flags: needinfo?(erahm)
(In reply to Randell Jesup [:jesup] from comment #4)
> Was the source of the bug the bug 1060419 landing?

Yes (at least for bug 1341017).
Flags: needinfo?(erahm)
Per erahm's comment about bug 1060419, marking as 54-only.  We can close this when that gets to m-c I assume
Depends on: 1341017
Flags: needinfo?(jkratzer)
Just retested and this appears to be fixed on mozilla-central rev 20170302225754.
Blocks: 1060419
Group: media-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 7 years ago
Keywords: regression
Resolution: --- → FIXED
Whiteboard: Only if logging enabled → Only if logging enabled (fixed by bug 1341017)
Group: core-security-release
Blocks: domino