Closed
Bug 1438425
Opened 6 years ago
Closed 6 years ago
PDocumentRenderer __delete__() passes a size and a buffer, without length checks
Categories
(Core :: Graphics, defect, P3)
Tracking
()
RESOLVED
FIXED
mozilla60
People
(Reporter: jesup, Assigned: jrmuizel)
References
Details
(Keywords: csectype-bounds, sec-high, Whiteboard: [post-critsmash-triage][adv-main59+][adv-esr52.7+])
Attachments
(3 files, 1 obsolete file)
|
2.32 KB,
patch
|
jrmuizel
:
review-
|
Details | Diff | Splinter Review |
|
26.98 KB,
patch
|
jesup
:
review+
RyanVM
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr52+
|
Details | Diff | Splinter Review |
|
30.80 KB,
patch
|
jgilbert
:
review+
RyanVM
:
approval-mozilla-esr52+
|
Details | Diff | Splinter Review |
In PDocumentRenderer (part of Canvas), on __delete() it passes a buffer (as an nsCString; sigh) and a size (nsIntSize). It then sets up an DataSourceSurface using the raw ptr to the buffer and the size -- but doesn't check that the "string's" size is large enough. With a crafted __delete__ from an owned content process, this could cause the render of the canvas to grab data from memory following the buffer used by the IPC reception. This would then be rendered as part of the page, and could be captured via several mechanisms. Doing something useful with this might be tough, but seems possible, if combined with other issues.
|
Reporter | |
Comment 1•6 years ago
|
||
We need a general 'failed validation; kill sender and log' method we can call from lots of places, but not part of this bug. On validation fail, don't kill the Master process.
Attachment #8951148 -
Flags: review?(jmuizelaar)
Attachment #8951148 -
Flags: review?(jmathies)
|
|
Reporter | |
Updated•6 years ago
|
Assignee: nobody → rjesup
Status: NEW → ASSIGNED
|
||
Updated•6 years ago
|
Priority: -- → P3
|
Assignee | |
Comment 2•6 years ago
|
||
Attachment #8951372 -
Flags: review?(rjesup)
|
|
Assignee | |
Comment 3•6 years ago
|
||
Comment on attachment 8951148 [details] [diff] [review] Error-checking I'd prefer my approach
Attachment #8951148 -
Flags: review?(jmuizelaar) → review-
|
|
Reporter | |
Comment 4•6 years ago
|
||
Comment on attachment 8951372 [details] [diff] [review] Remove DocumentRenderer Review of attachment 8951372 [details] [diff] [review]: ----------------------------------------------------------------- Remove it? Sure, if it's not needed; I presumed it was! We should consider uplifting this if we believe there's no use of DocumentRenderer, though the risk of it riding the trains isn't huge I think
Attachment #8951372 -
Flags: review?(rjesup) → review+
|
||
Comment 5•6 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/0db116b21ac09675a37a4904fa75777b6bc19b3d https://hg.mozilla.org/mozilla-central/rev/0db116b21ac0
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
|
||
Comment 6•6 years ago
|
||
Uplifting the removal patch to ESR52 makes me nervous, but Beta sounds reasonable. Given that this is sec-high, should we consider taking Randell's patch for ESR52 at least?
Flags: needinfo?(jmuizelaar)
|
|
Assignee | |
Comment 8•6 years ago
|
||
It should be fine to take the removal patch. This code hasn't been used for a long time. If for some reason it's deemed to risky we don't need Randell's patch we can just unconditionally early return.
Flags: needinfo?(jmuizelaar)
|
|
Reporter | |
Comment 9•6 years ago
|
||
I think taking the removal on beta should be safe, in that it's on inbound with no fallout and it's a removal (and straightforward)
|
||
Updated•6 years ago
|
Group: core-security → core-security-release
|
|
||
Comment 10•6 years ago
|
||
Please request Beta & ESR52 approval on the removal patch. Sounds like it's pretty safe to land everywhere.
Flags: needinfo?(rjesup)
|
|
Reporter | |
Comment 11•6 years ago
|
||
Jeff actually wrote the patch
Assignee: rjesup → jmuizelaar
Flags: needinfo?(rjesup) → needinfo?(jmuizelaar)
|
|
Assignee | |
Updated•6 years ago
|
Flags: needinfo?(jmuizelaar)
Attachment #8951148 -
Flags: review?(jmathies)
|
|
Assignee | |
Comment 12•6 years ago
|
||
Comment on attachment 8951372 [details] [diff] [review] Remove DocumentRenderer [Approval Request Comment] If this is not a sec:{high,crit} bug, please state case for ESR consideration: N/A User impact if declined: A rogue content process could potentially use this code to escalate. Fix Landed on Version: 60 Risk to taking this patch (and alternatives if risky): Very low risk String or UUID changes made by this patch: None
Attachment #8951372 -
Flags: approval-mozilla-esr52?
Attachment #8951372 -
Flags: approval-mozilla-beta?
|
|
||
Comment 13•6 years ago
|
||
Comment on attachment 8951372 [details] [diff] [review] Remove DocumentRenderer According to bug 1282177, this has been unused for a really long time, so removing the dangerous code in question seems like the safest option for backport. Taking for Beta and ESR52.
Attachment #8951372 -
Flags: approval-mozilla-esr52?
Attachment #8951372 -
Flags: approval-mozilla-esr52+
Attachment #8951372 -
Flags: approval-mozilla-beta?
Attachment #8951372 -
Flags: approval-mozilla-beta+
|
|
||
Comment 14•6 years ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-beta/rev/56c70e546295
|
|
||
Comment 15•6 years ago
|
||
Jeff, this is going to need a rebased patch for ESR52.
Flags: needinfo?(jmuizelaar)
|
||
Updated•6 years ago
|
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
|
|
Assignee | |
Comment 16•6 years ago
|
||
Here's an ESR patch
Flags: needinfo?(jmuizelaar)
Attachment #8955646 -
Flags: approval-mozilla-esr52+
|
|
Assignee | |
Updated•6 years ago
|
Flags: needinfo?(ryanvm)
|
|
||
Comment 17•6 years ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-esr52/rev/6531ca6690e5
tracking-firefox59:
--- → +
tracking-firefox60:
--- → +
tracking-firefox-esr52:
--- → 59+
Flags: needinfo?(ryanvm)
|
|
||
Comment 18•6 years ago
|
||
Backed out from ESR52 for bustage. https://hg.mozilla.org/releases/mozilla-esr52/rev/7a0654f127ca https://treeherder.mozilla.org/logviewer.html#?job_id=165632970&repo=mozilla-esr52
Flags: needinfo?(jmuizelaar)
|
|
Assignee | |
Comment 19•6 years ago
|
||
Here's a try attempt at something that builds on ESR: https://treeherder.mozilla.org/#/jobs?repo=try&revision=6b0d93856005ce4bc03008f2475b0a17f9e462d4
Flags: needinfo?(jmuizelaar)
|
|
Assignee | |
Comment 20•6 years ago
|
||
Jeff can you look at the WebGL parts of this (specifically the weird cycle collector change)?
Attachment #8956511 -
Flags: review?(jgilbert)
|
||
Updated•6 years ago
|
Attachment #8956511 -
Flags: review?(jgilbert) → review+
|
|
||
Updated•6 years ago
|
Attachment #8955646 -
Attachment is obsolete: true
Flags: needinfo?(ryanvm)
Attachment #8955646 -
Flags: approval-mozilla-esr52+
|
|
||
Comment 22•6 years ago
|
||
Comment on attachment 8956511 [details] [diff] [review] Remove DocumentRenderer ESR Thanks, Jeff!
Attachment #8956511 -
Flags: approval-mozilla-esr52+
|
|
||
Comment 23•6 years ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-esr52/rev/8a16f439117c
|
||
Updated•6 years ago
|
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main59+][adv-esr52.7+]
|
|
||
Updated•6 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•