Out-Of-Bounds Access in ConvertSidToBytes
Categories
(Core :: Audio/Video: GMP, defect)
People
(Reporter: kirtikumar.a.r, Unassigned)
Details
(Keywords: csectype-bounds, testcase-wanted)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Steps to reproduce:
This was found during manual source code analysis. Please find the details below:
https://searchfox.org/mozilla-central/source/dom/media/gmp/rlz/win/lib/machine_id_win.cc#107
On line 107, it will cause OOB Access. It is quite weird how it will cause OOB when it is trying to retrieve information about a Windows computer for use in an identifier or ID
Actual results:
Out-Of-Bound Access
Expected results:
https://source.chromium.org/chromium/chromium/src/+/main:rlz/win/lib/machine_id_win.cc;l=18;bpv=0
Updated•2 years ago
Comment 1•2 years ago
I think there are multiple out-of-bounds lying in that directory. One more can be found below:
https://searchfox.org/mozilla-central/source/dom/media/gmp/rlz/mac/lib/machine_id_mac.cc#314
In this, I think the `id.size()` in the `data->assign(&id[0], &id[id.size()]);` will go out of bounds. Because if `id.size()` returns a value that is larger than the actual size of the `id` vector, accessing the element `&id[id.size()]` would result in OOB. After which the `data->assign(&id[0], &id[id.size()]);` will attempt to copy elements from an invalid memory location.
Please bisect the bug if you can verify this as well.
Comment 2•2 years ago
Thanks for the report. Hopefully somebody who is familiar with this code will be able to look at this bug soon.
Updated•2 years ago
Comment 3•2 years ago
Thanks!
Updated•2 years ago
|
Comment 4•2 years ago
I looked at this. `sid_string` has type `std::wstring`. `size` is the number of characters in the string. That specific constructor for `std::vector` works as follows: "Constructs the container with the contents of the range [first, last).". In other words, it is not copying the `size()`th element of the array, but only up to one before it. This code is written correctly as far as I can tell.
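The half-open range semantics that comment 4 relies on, as an added example (not the Mozilla or Chromium code): a range constructor or `assign(first, last)` copies exactly `size()` elements and never reads the element at index `size()`. `SidStringToBytes` and `AssignId` are hypothetical stand-ins for the two calls discussed in comments 1 and 4; `data() + size()` expresses the one-past-the-end pointer without indexing at `size()`.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical stand-in for the SID-string copy discussed in comment 4:
// copy the raw bytes of a std::wstring into a byte vector with the
// std::vector range constructor. The range is half-open, [first, last):
// 'last' is one past the final byte and is never dereferenced.
std::vector<uint8_t> SidStringToBytes(const std::wstring& sid_string) {
  const uint8_t* first = reinterpret_cast<const uint8_t*>(sid_string.data());
  const uint8_t* last = first + sid_string.size() * sizeof(wchar_t);
  return std::vector<uint8_t>(first, last);
}

// Hypothetical stand-in for the assign() call discussed in comment 1.
// id.data() + id.size() is the one-past-the-end pointer; it denotes the
// same position as &id[id.size()] but without indexing at size(), and it
// is also well defined when 'id' is empty.
void AssignId(const std::vector<uint8_t>& id, std::string* data) {
  const char* first = reinterpret_cast<const char*>(id.data());
  data->assign(first, first + id.size());
}

// Helpers that expose what was copied, so the half-open semantics can be
// checked: exactly size() elements, never size() + 1.
size_t BytesCopied(const std::wstring& sid_string) {
  return SidStringToBytes(sid_string).size();
}

std::string Assigned(const std::vector<uint8_t>& id) {
  std::string out;
  AssignId(id, &out);
  return out;
}
```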