Closed Bug 2013230 Opened 5 months ago Closed 4 months ago

Crash in mozilla::PrintfTarget::cvt_s when buffer is not zero terminated, because it uses strlen

Categories

(Core :: MFBT, defect)

defect

Tracking

()

RESOLVED FIXED
149 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox-esr140 --- fixed
firefox147 --- wontfix
firefox148 --- wontfix
firefox149 --- fixed

People

(Reporter: KaiE, Assigned: KaiE)

References

Details

(Keywords: csectype-bounds, sec-low, Whiteboard: [adv-main149-])

Attachments

(2 files)

I got SIGSEGV in MOZ_LOG. I used a format string that contains "%.*s" - a string with a precision - to limit the maximum buffer of characters that are printed.

The input is a buffer that is not zero terminated.
I assumed that specifying the precision would be sufficient to avoid reading beyond the end of the buffer.

However, mozilla::PrintfTarget::cvt_s calls strlen. I think it must not do that.

mozilla::PrintfTarget::cvt_s intends to check for an end of the string that is ealier than the specified precision.

IMHO, the function should use strnlen instead, to limit the number of characters checked.

Are we worried this could be exploited?

If not, feel free to open the bug.

Assignee: nobody → kaie
Status: NEW → ASSIGNED
Summary: Crash in mozilla::PrintfTarget::cvt_s when because it uses strlen → Crash in mozilla::PrintfTarget::cvt_s when buffer is not zero terminated, because it uses strlen
Group: core-security → dom-core-security

I doubt this could happen in practice (without being caught in development, as you instance was), and moz-log() is off by default. sec-low at best?

Group: dom-core-security
Attachment #9540838 - Attachment description: (secure) → Bug 2013230 - Use strnlen in mozilla::PrintfTarget::cvt_s. r=mh+mozilla@glandium.org
Attachment #9540838 - Attachment description: Bug 2013230 - Use strnlen in mozilla::PrintfTarget::cvt_s. r=mh+mozilla@glandium.org → Bug 2013230 - Use strnlen in mozilla::PrintfTarget::cvt_s. r=glandium
Pushed by smolnar@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/5a51f0e21f21 https://hg.mozilla.org/integration/autoland/rev/3725039fbc4d Revert "Bug 2013230 - Use strnlen in mozilla::PrintfTarget::cvt_s. r=glandium" for causing lint failures @ Printf.cpp

strnlen is missing in tools/lint/includes/std.py

Flags: needinfo?(sguelton)
Depends on: 2016335

Which should be fixed by bug 2016335

IIUC it should be fine if we land it again.

Flags: needinfo?(kaie)
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 149 Branch

The patch landed in nightly and beta is affected.
:KaiE, is this bug important enough to require an uplift?

For more information, please visit BugBot documentation.

Flags: needinfo?(kaie)
Flags: needinfo?(kaie)
Flags: needinfo?(sguelton)
QA Whiteboard: [qa-triage-done-c150/b149]
Whiteboard: [adv-main149-]
Attachment #9600701 - Flags: approval-mozilla-esr140?

firefox-esr140 Uplift Approval Request

  • User impact if declined/Reason for urgency: Prerequisite for bug 2029761
  • Code covered by automated testing?: yes
  • Fix verified in Nightly?: yes
  • Needs manual QE testing?: no
  • Steps to reproduce for manual QE testing:
  • Risk associated with taking this patch: low
  • Explanation of risk level: Limited change to text output harness.
  • String changes made/needed?: N/A
  • Is Android affected?: yes
Attachment #9600701 - Flags: approval-mozilla-esr140? → approval-mozilla-esr140+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: