Open
Bug 1490450
Opened 6 years ago
Updated 2 years ago
Rogue Content Process appears to be able to connect to any GMP Process
Categories
(Core :: Audio/Video: GMP, enhancement, P3)
Tracking
NEW
Fission Milestone: Future
People
(Reporter: tjr, Unassigned)
References
(Depends on 1 open bug, Blocks 1 open bug)
Details
In https://searchfox.org/mozilla-central/source/dom/media/gmp/PGMPService.ipdl#28 LaunchGMP and LaunchGMPForNodeId accept a nodeId which is used to look up a GMP Process if one exists, or create one if not. (GetGMPNodeId seems to be another similar function with smaller consequences.) It seems like a rogue Content Process could supply fraudulent information in this field and use it to connect to another origin's GMP Process. We should validate the nodeId that comes from a Content Process and assert that its data is permissible to have come from that Content Process.
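An added illustration of the validation the report asks for (not Gecko code and not part of the original report): a parent-side broker that checks the origin named in a content process's nodeId claim against the origins the parent itself assigned to that process. `GmpBroker`, `NodeIdClaim` and the method names are hypothetical, as is the assumption that a nodeId names an origin.

```cpp
// Added example; every name is hypothetical and none of this is Gecko code.
#include <map>
#include <set>
#include <string>
#include <tuple>

// Assumption: the nodeId a content process sends names the origin it is for.
struct NodeIdClaim {
  std::string origin;
  std::string gmpName;
  bool operator<(const NodeIdClaim& o) const {
    return std::tie(origin, gmpName) < std::tie(o.origin, o.gmpName);
  }
};

class GmpBroker {
 public:
  // Recorded by the parent when it assigns a site to a content process.
  // This table is never filled from data the content process sends.
  void AllowOrigin(int contentPid, const std::string& origin) {
    allowed_[contentPid].insert(origin);
  }

  // Behaviour the report describes: the claim alone selects the GMP process.
  int LaunchUnchecked(int /*contentPid*/, const NodeIdClaim& claim) {
    return LookupOrCreate(claim);
  }

  // Requested behaviour: reject a claim whose origin this sender may not host.
  // Returns the GMP process handle, or -1 when the claim is refused.
  int LaunchChecked(int contentPid, const NodeIdClaim& claim) {
    auto it = allowed_.find(contentPid);
    if (it == allowed_.end() || it->second.count(claim.origin) == 0) return -1;
    return LookupOrCreate(claim);
  }

 private:
  // One GMP process per distinct nodeId: reuse it if present, else create it.
  int LookupOrCreate(const NodeIdClaim& claim) {
    auto res = gmps_.insert({claim, next_});
    if (res.second) ++next_;
    return res.first->second;
  }
  std::map<int, std::set<std::string>> allowed_;
  std::map<NodeIdClaim, int> gmps_;
  int next_ = 1;
};
```

The check keys on the identity of the IPC channel the request arrived on (here a constructed `contentPid`), so a claim is only honoured for origins the parent already associated with that sender.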
Comment 1•6 years ago
Bryce, jya, can someone have a closer look at this one?
Flags: needinfo?(jyavenard)
Flags: needinfo?(bvandyk)
Priority: -- → P2
Reporter
Updated•6 years ago
Depends on: fission-ipc-map
Updated•5 years ago
Flags: needinfo?(jyavenard)
Reassigning so a new owner can be found.
Flags: needinfo?(bvandyk) → needinfo?(jmathies)
Updated•2 years ago
No longer blocks: media-triage