nsLocalFile::GetNativeTarget can silently truncate the link target
Categories
(Core :: XPCOM, defect)
Tracking
()
People
(Reporter: jld, Assigned: beth)
References
Details
(Keywords: csectype-bounds, sec-moderate, Whiteboard: [adv-main121+][adv-esr115.6+])
Attachments
(2 files, 3 obsolete files)
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-esr115+
|
Details | Review |
|
313 bytes,
text/plain
|
Details |
The basic problem is the same as in bug 1791029 — we don't check if the buffer passed to readlink was actually big enough. If there's a race with changing the symlink, or if lstat doesn't give the actual length (e.g., Linux procfs): bug 1791029 took care of the case where the actual value is shorter than expected, but if it's longer than expected, we'll silently truncate it.
The approach that GNU ls seems to take is: allocate the buffer 1 byte longer than expected, so we can distinguish the expected result from the string being longer, and then in case of overflow, double the buffer length and retry until it works. GNU readlink, in contrast, doesn't stat the symlink and just starts with 64 and doubles the buffer size until it fits.
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 2•1 year ago
|
||
Yes, this fell off my plate, but I'll put a patch up soon.
|
|
Assignee | |
Comment 3•1 year ago
|
||
|
||
Comment 5•11 months ago
|
||
|
||
Comment 6•11 months ago
|
||
The patch landed in nightly and beta is affected.
:barret, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox120towontfix.
For more information, please visit BugBot documentation.
|
|
Assignee | |
Updated•11 months ago
|
|
||
Updated•10 months ago
|
|
|
||
Comment 7•10 months ago
|
||
Please request ESR115 approval on this when you get a chance. It grafts cleanly.
|
|
Assignee | |
Comment 8•10 months ago
|
||
Comment on attachment 9358412 [details]
Bug 1796023 - Compare return value of readlink in nsLocalFileUnix::GetNativeTarget r?#xpcom-reviewers
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: The patch is small and grafts cleanly.
- User impact if declined: Low to no impact.
- Fix Landed on Version: 121
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This is not risky becuase this patch has ridden all the way to beta with no issues.
|
|
||
Comment 9•10 months ago
|
||
Comment on attachment 9358412 [details]
Bug 1796023 - Compare return value of readlink in nsLocalFileUnix::GetNativeTarget r?#xpcom-reviewers
Approved for 115.6esr.
|
||
Comment 10•10 months ago
|
||
| uplift | ||
|
|
||
Updated•10 months ago
|
|
||
Updated•10 months ago
|
|
|
||
Updated•10 months ago
|
|
|
||
Comment 11•10 months ago
|
||
|
|
||
Comment 12•10 months ago
|
||
|
|
||
Comment 13•10 months ago
|
||
|
|
||
Comment 14•10 months ago
|
||
|
||
Updated•10 months ago
|
|
||
Comment 15•5 months ago
|
||
Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter
Description
•