Closed Bug 1456947 Opened 2 years ago Closed 1 year ago
Heap buffer overflow WRITE in ContentParent::RecvGetSystemColors on android
This issue was found by manual review. It is an IPC security issue, so it's only an issue on platforms with sandboxed content processes on Android.

https://searchfox.org/mozilla-central/source/dom/ipc/ContentParent.cpp#2736 ensures |colors| has at least |colorsCount| elements -- however, colorsCount is controlled by the attacker.

At https://searchfox.org/mozilla-central/source/dom/ipc/ContentParent.cpp#2740 a raw ptr is extracted from the array and then passed to https://searchfox.org/mozilla-central/source/widget/android/AndroidBridge.cpp#413

That code then writes to the array: https://searchfox.org/mozilla-central/source/widget/android/AndroidBridge.cpp#425-435

The number of elements it writes to the array is _not_ bounded by the actual length of the array.
Group: firefox-core-security → core-security
Component: General → IPC
OS: Unspecified → Android
Product: Firefox for Android → Core
Hardware: Unspecified → All
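The bug pattern described above, as an added example that is not code from this bug or from mozilla-central: an IPC handler sizes a heap array from a count supplied by the (possibly compromised) content process, hands a raw pointer to a widget-layer routine, and that routine writes a fixed number of entries with no knowledge of the buffer length. Every name here (ColorBuffer, FillSystemColors*, *RecvGetSystemColors, kSystemColorCount) is hypothetical. The ColorBuffer type pads its allocation with a canary tail purely so the out-of-bounds writes are observable without undefined behaviour; in the real code those writes land in whatever heap memory follows the array. The hardened handler shows the two fixes a reviewer would ask for: reject an untrusted count that does not match what will be written, and pass the length down so the callee cannot exceed it.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical: how many colors the platform layer always produces.
constexpr size_t kSystemColorCount = 8;
// Sentinel used only by this harness to detect writes past the logical length.
constexpr uint32_t kCanary = 0xDEADBEEFu;

// Constructed stand-in for the heap array the IPC handler allocates.
// storage holds |length| real slots followed by kSystemColorCount canary
// slots, so an overflowing callee writes into canaries instead of into
// unrelated heap memory.
struct ColorBuffer {
    std::vector<uint32_t> storage;
    size_t length;

    explicit ColorBuffer(size_t n)
        : storage(n + kSystemColorCount, kCanary), length(n) {}

    uint32_t* data() { return storage.data(); }

    // Number of slots beyond |length| that were overwritten.
    size_t OverflowedElements() const {
        size_t n = 0;
        for (size_t i = length; i < storage.size(); ++i) {
            if (storage[i] != kCanary) ++n;
        }
        return n;
    }
};

// Vulnerable callee shape: writes kSystemColorCount entries regardless of
// how large the caller's buffer actually is.
static void FillSystemColorsUnbounded(uint32_t* out) {
    for (size_t i = 0; i < kSystemColorCount; ++i) {
        out[i] = 0xFF000000u | static_cast<uint32_t>(i * 0x111111u);
    }
}

// Hardened callee shape: takes the buffer length and never writes past it.
// Returns how many entries were written.
static size_t FillSystemColorsBounded(uint32_t* out, size_t len) {
    size_t n = len < kSystemColorCount ? len : kSystemColorCount;
    for (size_t i = 0; i < n; ++i) {
        out[i] = 0xFF000000u | static_cast<uint32_t>(i * 0x111111u);
    }
    return n;
}

// Vulnerable handler shape: |colorsCount| is attacker-controlled, the array
// is sized to it, and a raw pointer goes to a callee that ignores the size.
static ColorBuffer VulnerableRecvGetSystemColors(uint32_t colorsCount) {
    ColorBuffer colors(colorsCount);
    FillSystemColorsUnbounded(colors.data());
    return colors;
}

// Hardened handler shape: validate the untrusted count against what the
// platform layer will produce (fail the IPC message otherwise), and pass
// the length down so the callee is bounded as well.
static bool HardenedRecvGetSystemColors(uint32_t colorsCount, ColorBuffer& colors) {
    if (colorsCount != kSystemColorCount) {
        return false;  // reject the message from the content process
    }
    colors = ColorBuffer(colorsCount);
    size_t written = FillSystemColorsBounded(colors.data(), colors.length);
    return written == colorsCount;
}

int main() {
    ColorBuffer bad = VulnerableRecvGetSystemColors(2);
    std::printf("vulnerable handler, count=2: %zu slots written past the end\n",
                bad.OverflowedElements());

    ColorBuffer good(0);
    bool ok = HardenedRecvGetSystemColors(2, good);
    std::printf("hardened handler, count=2: %s\n", ok ? "accepted" : "rejected");
    ok = HardenedRecvGetSystemColors(kSystemColorCount, good);
    std::printf("hardened handler, count=%zu: %s, %zu overflowed\n",
                kSystemColorCount, ok ? "accepted" : "rejected",
                good.OverflowedElements());
    return 0;
}
```

Either fix alone would have closed the write: a length-aware callee cannot overrun even when the handler forgets to validate, and a handler that rejects a mismatched count never hands the callee a short buffer. Doing both is the usual belt-and-braces choice for code that sits on a process boundary.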
Snorp, do we use IPC on Android anywhere? Maybe the web view thing?
We do want to use e10s in GeckoView, but it's not shipping anywhere yet. Would be good to fix this regardless.
This was fixed by deleting all this code in bug 1500876.
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Whiteboard: [geckoview:klar] → [geckoview:klar][adv-main64+]