Prevent integer truncation bugs at nsCString APIs by accepting size_t in public APIs
Categories
(Core :: XPCOM, defect, P1)
Tracking
()
People
(Reporter: nika, Assigned: nika)
References
Details
(Keywords: sec-want, Whiteboard: [post-critsmash-triage][adv-main97-][adv-esr91.6-])
Attachments
(2 files, 1 obsolete file)
48 bytes,
text/x-phabricator-request
|
Details | Review | |
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-esr91+
|
Details | Review |
There are some potential bugs which can be caused by callers passing a size_t
which overflows uint32_t
to a nsTString API like SetLength()
or EnsureMutable()
, which will end up creating a string with a much smaller buffer than the input string. To avoid this, this bug proposes changing nsTStringRepr::size_type
to be size_t
, while still storing the length at-rest as a uint32_t
, to allow for the relevant size checks to be performed in these cases.
Because the underlying size of a nsTString
is still required to fit within an int32_t
(due to kMaxCapacity
), this shouldn't break any call-sites which convert a string's length to uint32_t
, and will instead just help callers which are implicitly truncating a size_t
on 64-bit platforms.
Changing nsTString
to actually use a size_t
length is not in scope for this bug, as it would require massive audits across the codebase of places where a string's length is used to make sure it handles larger lengths properly.
In addition, the Rust API is not changed in this bug, as rust does not have implicit integer casts. It will probably be updated in a future patch to more closely align with the C++ API, however. As the string type's representation did not change, the existing FFI code should continue to function.
Updated•3 years ago
|
Assignee | ||
Comment 1•3 years ago
|
||
Updated•3 years ago
|
Assignee | ||
Comment 2•3 years ago
|
||
Assignee | ||
Comment 3•3 years ago
|
||
Assignee | ||
Comment 4•3 years ago
|
||
:mccr8 I can't seem to re-request review on the patch, but it's changed enough I think you should look at it again after thanksgiving weekend.
Updated•3 years ago
|
Updated•3 years ago
|
Comment 6•3 years ago
|
||
[Tracking Requested - why for this release]: I think Nika is going to land this on Nightly soon. We should also try to fix this on ESR (and on beta if we can), because it is possible that this fixes a number of security issues we haven't found yet (there are over 700 calls to SetLength() alone).
Updated•3 years ago
|
Comment 7•3 years ago
|
||
Align nsCString's public size_type better with other C++ APIs, r=mccr8,geckoview-reviewers,agi
https://hg.mozilla.org/integration/autoland/rev/43563b9a5f5d132449ec86456cf246b85ccf8306
https://hg.mozilla.org/mozilla-central/rev/43563b9a5f5d
Comment 8•3 years ago
|
||
The patch landed in nightly and beta is affected.
:nika, is this bug important enough to require an uplift?
If not please set status_beta
to wontfix
.
For more information, please visit auto_nag documentation.
Comment 9•3 years ago
|
||
This has been in a Nightly or two, and I don't see any crashes on crash-stats where the crash reason contains "string is too large", so that's good.
Updated•3 years ago
|
Assignee | ||
Comment 10•3 years ago
|
||
The patches which I currently have attached for ESR and Beta are no longer up to date with the landed version. I think that the landed version of the patch should be able to rebase relatively cleanly onto beta, however some tweaks will be required to get it to land onto ESR.
I unfortunately may not get around to doing this rebase or uplift request before I go on PTO for the holidays tomorrow.
Comment 11•3 years ago
|
||
Per Slack discussion with Nika, we're just going to let this go out in 97/91.6esr.
Comment 12•3 years ago
|
||
Not super urgent at the moment, but we can take an ESR patch for 91.6 whenever you've got cycles to rebase.
Updated•3 years ago
|
Updated•3 years ago
|
Assignee | ||
Comment 13•3 years ago
|
||
Comment on attachment 9252175 [details]
Bug 1741665 - (ESR91) Align nsCString's public size_type better with other C++ APIs
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined: Potential security issues due to string overflows in ESR
- Fix Landed on Version: 97
- Risk to taking this patch: Medium
- Why is the change risky/not risky? (and alternatives if risky): Patch is fairly large and required rebasing to apply, but has been largely tested on 97 through nightly and beta and hasn't caused issues.
Patch hasn't been properly tested yet, but seemed to build locally.
Comment 14•3 years ago
|
||
Comment on attachment 9252175 [details]
Bug 1741665 - (ESR91) Align nsCString's public size_type better with other C++ APIs
Approved for 91.6esr.
Comment 15•3 years ago
|
||
uplift |
Updated•3 years ago
|
Updated•3 years ago
|
Updated•2 years ago
|
Description
•