Closed Bug 1796023 (CVE-2023-6857) Opened 2 years ago Closed 9 months ago

nsLocalFile::GetNativeTarget can silently truncate the link target

Categories

(Core :: XPCOM, defect)

defect

Tracking

()

RESOLVED FIXED
121 Branch
Tracking Status
firefox-esr115 121+ fixed
firefox119 --- wontfix
firefox120 --- wontfix
firefox121 + fixed

People

(Reporter: jld, Assigned: beth)

References

Details

(Keywords: csectype-bounds, sec-moderate, Whiteboard: [adv-main121+][adv-esr115.6+])

Attachments

(2 files, 3 obsolete files)

The basic problem is the same as in bug 1791029 — we don't check if the buffer passed to readlink was actually big enough. If there's a race with changing the symlink, or if lstat doesn't give the actual length (e.g., Linux procfs): bug 1791029 took care of the case where the actual value is shorter than expected, but if it's longer than expected, we'll silently truncate it.

The approach that GNU ls seems to take is: allocate the buffer 1 byte longer than expected, so we can distinguish the expected result from the string being longer, and then in case of overflow, double the buffer length and retry until it works. GNU readlink, in contrast, doesn't stat the symlink and just starts with 64 and doubles the buffer size until it fits.

Group: core-security → dom-core-security
Severity: -- → S2
Assignee: nobody → brennie

Barret, are you still working on this?

Flags: needinfo?(brennie)

Yes, this fell off my plate, but I'll put a patch up soon.

Flags: needinfo?(brennie)
Pushed by brennie@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/bc1ea88587af
Compare return value of readlink in nsLocalFileUnix::GetNativeTarget r=xpcom-reviewers,nika
Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → 121 Branch

The patch landed in nightly and beta is affected.
:barret, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox120 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(brennie)
Flags: needinfo?(brennie)
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-

Please request ESR115 approval on this when you get a chance. It grafts cleanly.

Flags: needinfo?(brennie)

Comment on attachment 9358412 [details]
Bug 1796023 - Compare return value of readlink in nsLocalFileUnix::GetNativeTarget r?#xpcom-reviewers

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: The patch is small and grafts cleanly.
  • User impact if declined: Low to no impact.
  • Fix Landed on Version: 121
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is not risky becuase this patch has ridden all the way to beta with no issues.
Flags: needinfo?(brennie)
Attachment #9358412 - Flags: approval-mozilla-esr115?

Comment on attachment 9358412 [details]
Bug 1796023 - Compare return value of readlink in nsLocalFileUnix::GetNativeTarget r?#xpcom-reviewers

Approved for 115.6esr.

Attachment #9358412 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Whiteboard: [adv-main121+]
Whiteboard: [adv-main121+] → [adv-main121+][adv-esr115.6+]
Attached file advisory.txt (obsolete) —
Attached file advisory.txt (obsolete) —
Attachment #9367990 - Attachment is obsolete: true
Attached file advisory.txt (obsolete) —
Attachment #9368019 - Attachment is obsolete: true
Attached file advisory.txt
Attachment #9368022 - Attachment is obsolete: true
Alias: CVE-2023-6857
No longer regressions: 1874700

Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter

Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: