Open Bug 1490450 Opened 6 years ago Updated 2 years ago

Rogue Content Process appears to be able to connect to any GMP Process

Categories

(Core :: Audio/Video: GMP, enhancement, P3)

Tracking

Fission Milestone Future

People

(Reporter: tjr, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

In https://searchfox.org/mozilla-central/source/dom/media/gmp/PGMPService.ipdl#28 LaunchGMP and LaunchGMPForNodeId accept a nodeId which is used to look up a GMP Process if one exists, or create one if not. (GetGMPNodeId seems to be another similar function with smaller consequences.)

It seems like a rogue Content Process could supply fraudulent information in this field and use it to connect to another origin's GMP Process.

We should validate the nodeId that comes from a Content Process and assert that its data is permissible to have come from that Content Process.
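
One way a parent-side check of the kind requested above could look, as an added example that is not part of the original report and not Firefox code. The broker class, its method names, the integer process ids and the per-process origin list are all assumptions made for illustration: the broker records which content process each nodeId was issued to and refuses a launch for a nodeId the caller never received.

```cpp
#include <map>
#include <optional>
#include <set>
#include <string>

// Hypothetical parent-process broker (not Firefox code). Every name below is
// an assumption made for illustration; only "nodeId" comes from the bug.
class GmpBroker {
 public:
  using Pid = int;  // identifies the calling content process (assumed)

  // Parent-side record of which origins a content process may host.
  void AllowOrigin(Pid pid, const std::string& origin) {
    allowed_[pid].insert(origin);
  }

  // Issue a nodeId only for an origin the caller may host, and remember
  // which content process received it.
  std::optional<std::string> GetNodeId(Pid caller, const std::string& origin,
                                       const std::string& gmpName) {
    auto a = allowed_.find(caller);
    if (a == allowed_.end() || a->second.count(origin) == 0) return std::nullopt;
    std::string& id = nodeIds_[origin + "|" + gmpName];
    if (id.empty()) id = "node-" + std::to_string(nodeIds_.size());  // constructed id
    holders_[id].insert(caller);
    return id;
  }

  // Look up or create the GMP process for nodeId, but only when this nodeId
  // was issued to the caller; a forged or borrowed nodeId is refused.
  std::optional<int> LaunchForNodeId(Pid caller, const std::string& nodeId) {
    auto h = holders_.find(nodeId);
    if (h == holders_.end() || h->second.count(caller) == 0) return std::nullopt;
    auto [it, created] = processes_.emplace(nodeId, nextHandle_);
    if (created) ++nextHandle_;
    return it->second;
  }

 private:
  std::map<Pid, std::set<std::string>> allowed_;
  std::map<std::string, std::string> nodeIds_;    // origin|gmpName -> nodeId
  std::map<std::string, std::set<Pid>> holders_;  // nodeId -> content processes
  std::map<std::string, int> processes_;          // nodeId -> GMP process handle
  int nextHandle_ = 1;
};
```
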

Bryce, jya, can someone have a closer look at this one?
Flags: needinfo?(jyavenard)
Flags: needinfo?(bvandyk)
Priority: -- → P2
Flags: needinfo?(jyavenard)

This bug is not a Fission MVP blocker.

Fission Milestone: --- → Future

Reassigning so a new owner can be found.

Flags: needinfo?(bvandyk) → needinfo?(jmathies)
Blocks: media-triage
Severity: normal → S4
Flags: needinfo?(jmathies)
Priority: P2 → P3
No longer blocks: media-triage