Closed Bug 1456947 Opened 2 years ago Closed 1 year ago

Heap buffer overflow WRITE in ContentParent::RecvGetSystemColors on android

Categories

(Core :: IPC, defect)

All
Android
defect
Not set

Tracking


RESOLVED FIXED
mozilla65
Tracking Status
fennec ? ---
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox59 --- unaffected
firefox60 --- unaffected
firefox61 --- unaffected
firefox63 --- wontfix
firefox64 --- fixed
firefox65 --- fixed

People

(Reporter: Alex_Gaynor, Assigned: m_kato)

References

Details

(Keywords: csectype-bounds, sec-high, Whiteboard: [geckoview:klar][adv-main64+])

This issue was found by manual review. It is an IPC security issue, so it's only an issue on platforms with sandboxed content processes on Android.

https://searchfox.org/mozilla-central/source/dom/ipc/ContentParent.cpp#2736 ensures |colors| has at least |colorsCount| elements -- however colorsCount is controlled by the attacker.

At https://searchfox.org/mozilla-central/source/dom/ipc/ContentParent.cpp#2740 a raw ptr is extracted from the array and then passed to https://searchfox.org/mozilla-central/source/widget/android/AndroidBridge.cpp#413.

That code then writes to the array: https://searchfox.org/mozilla-central/source/widget/android/AndroidBridge.cpp#425-435

The number of elements it writes to the array is _not_ bounded by the actual length of the array.
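Added example in C++, not Firefox code: a minimal model of the pattern described in the report (a child-supplied count sizes the array, then a native callee writes a fixed number of entries through a raw pointer) next to a form where the capacity travels with the pointer and bounds the write. kNativeColorCount, the function names and the colour values are hypothetical.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical: the native layer always reports this many colours.
constexpr size_t kNativeColorCount = 8;

// Pattern from the report: the callee writes kNativeColorCount entries through
// a raw pointer and never learns the real buffer length. Kept only for contrast;
// it is safe here solely because every caller passes a full-size buffer.
void NativeFillColorsUnbounded(uint32_t* out) {
  for (size_t i = 0; i < kNativeColorCount; ++i) {
    out[i] = 0xFF000000u | static_cast<uint32_t>(i);  // constructed colour value
  }
}

// Hardened form: the capacity travels with the pointer and bounds the loop.
// Returns the number of entries actually written.
size_t NativeFillColorsBounded(uint32_t* out, size_t capacity) {
  const size_t n = std::min(capacity, kNativeColorCount);
  for (size_t i = 0; i < n; ++i) {
    out[i] = 0xFF000000u | static_cast<uint32_t>(i);
  }
  return n;
}

// Parent-side handler for a count supplied by an untrusted child process.
// Returns false and leaves |colors| empty when the request is rejected.
bool HandleGetSystemColors(uint32_t requestedCount, std::vector<uint32_t>& colors) {
  colors.clear();
  // Validate the untrusted count before it sizes any allocation.
  if (requestedCount == 0 || requestedCount > kNativeColorCount) {
    return false;
  }
  colors.resize(requestedCount);
  // Hand the real capacity to the native side so it cannot outrun the buffer.
  const size_t written = NativeFillColorsBounded(colors.data(), colors.size());
  colors.resize(written);
  return true;
}

int main() {
  std::vector<uint32_t> colors;
  // A short request no longer overflows: at most 2 entries are written.
  return HandleGetSystemColors(2, colors) && colors.size() == 2 ? 0 : 1;
}
```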
Group: firefox-core-security → core-security
Component: General → IPC
OS: Unspecified → Android
Product: Firefox for Android → Core
Hardware: Unspecified → All
Snorp, do we use IPC on Android anywhere? Maybe the web view thing?
Flags: needinfo?(snorp)
We do want to use e10s in GeckoView, but it's not shipping anywhere yet. Would be good to fix this regardless.
Flags: needinfo?(snorp)
Whiteboard: [geckoview:klar]
Group: core-security → dom-core-security
tracking-fennec: --- → ?
This was fixed by deleting all this code in bug 1500876.
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Assignee: nobody → m_kato
Depends on: 1500876
Target Milestone: --- → mozilla65
Group: dom-core-security → core-security-release
Whiteboard: [geckoview:klar] → [geckoview:klar][adv-main64+]
Group: core-security-release