Closed Bug 1545504 Opened 5 years ago Closed 5 years ago

Replace uses of select() or ensure array bounds checks

Categories

(Core :: General, defect, P2)

Product:
Core
Component:
General
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox-esr68 --- wontfix
firefox70 --- wontfix
firefox71 --- wontfix
firefox72 --- fixed

People

(Reporter: jld, Assigned: jld)

References

Details

(Keywords: sec-audit, Whiteboard: [adv-main72-] [post-critasmash-triage])

Attachments

(2 files)

Bug 1545504 - Use poll() instead of select() on the X11 socket.
47 bytes, text/x-phabricator-request
Details | Review
Bug 1545504 - Strengthen bounds check in WebRTC PhysicalSocketServer.
47 bytes, text/x-phabricator-request
Details | Review

This is a followup to bug 1516325. We have a few other uses of select that could cause problems as far as the array bounds for fd_set; they're generally not security-sensitive because they're specific to Linux (where glibc has bounds checks, so we'll crash safely) or apply to file descriptors allocated early (so the values will normally be in bounds) or in code that we're reasonably sure is dead in our usage. However, these should be fixed to avoid crashes and possible future security bugs.

I'm filing this bug as security-sensitive because bug 1516325 isn't on release yet, and landing these fixes is going to make it even more obvious than it already is what's going on there.

Keywords: sec-audit
Group: core-security → core-security-release

Status: I have patches, but I need to clean them up (and, at this point, rebase them); it's a little delicate because of the connection to a security bug and there always seem to be higher priorities….

The selects in WebRTC's video_capture subtree were independently fixed in bug 1590984 after they were encountered in the wild (and caught via glibc's bounds checks). I'll upload the other patches.

These are single-fd polls of the X server socket, which in practice will
be much smaller than FD_SETSIZE, but it's cleaner to just not have the
fixed-size array in the first place.

PhysicalSocketServer isn't currently used by Mozilla's WebRTC
integration, but just in case, let's make sure that this array index is
bounds-checked in actual use, not just in debug builds (which tend to
never see realistic test conditions).

Sounds like this fix can ride the trains, but feel free to nominate for uplift if you feel strongly otherwise.

status-firefox70: --- → wontfix
status-firefox71: --- → wontfix
status-firefox-esr68: --- → wontfix
Whiteboard: [adv-main72-]
Flags: qe-verify-
Whiteboard: [adv-main72-] → [adv-main72-] [post-critasmash-triage]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: