Crash in mozilla::PrintfTarget::cvt_s when buffer is not zero terminated, because it uses strlen
Categories
(Core :: MFBT, defect)
Tracking
()
People
(Reporter: KaiE, Assigned: KaiE)
References
Details
(Keywords: csectype-bounds, sec-low, Whiteboard: [adv-main149-])
Attachments
(2 files)
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
phab-bot
:
approval-mozilla-esr140+
|
Details | Review |
I got SIGSEGV in MOZ_LOG. I used a format string that contains "%.*s" - a string with a precision - to limit the maximum buffer of characters that are printed.
The input is a buffer that is not zero terminated.
I assumed that specifying the precision would be sufficient to avoid reading beyond the end of the buffer.
However, mozilla::PrintfTarget::cvt_s calls strlen. I think it must not do that.
mozilla::PrintfTarget::cvt_s intends to check for an end of the string that is ealier than the specified precision.
IMHO, the function should use strnlen instead, to limit the number of characters checked.
| Assignee | ||
Comment 1•5 months ago
|
||
Are we worried this could be exploited?
If not, feel free to open the bug.
| Assignee | ||
Comment 2•5 months ago
|
||
Updated•5 months ago
|
| Assignee | ||
Updated•5 months ago
|
Updated•5 months ago
|
Comment 3•5 months ago
|
||
I doubt this could happen in practice (without being caught in development, as you instance was), and moz-log() is off by default. sec-low at best?
Updated•5 months ago
|
Updated•5 months ago
|
Updated•5 months ago
|
Comment 6•5 months ago
|
||
Backed out for causing lint failures @ Printf.cpp
Backout link: https://hg.mozilla.org/integration/autoland/rev/3725039fbc4d91b69ff17f2937c920c1324e1d9c
Comment 7•5 months ago
|
||
strnlen is missing in tools/lint/includes/std.py
Comment 8•4 months ago
|
||
Which should be fixed by bug 2016335
| Assignee | ||
Comment 9•4 months ago
|
||
IIUC it should be fine if we land it again.
Comment 10•4 months ago
|
||
Comment 11•4 months ago
|
||
| bugherder | ||
Comment 12•4 months ago
|
||
The patch landed in nightly and beta is affected.
:KaiE, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- See https://wiki.mozilla.org/Release_Management/Requesting_an_Uplift for documentation on how to request an uplift.
- If no, please set
status-firefox148towontfix.
For more information, please visit BugBot documentation.
| Assignee | ||
Updated•4 months ago
|
Updated•4 months ago
|
Updated•4 months ago
|
Updated•3 months ago
|
Comment 13•16 days ago
|
||
Original Revision: https://phabricator.services.mozilla.com/D280910
Updated•16 days ago
|
Comment 14•16 days ago
|
||
firefox-esr140 Uplift Approval Request
- User impact if declined/Reason for urgency: Prerequisite for bug 2029761
- Code covered by automated testing?: yes
- Fix verified in Nightly?: yes
- Needs manual QE testing?: no
- Steps to reproduce for manual QE testing:
- Risk associated with taking this patch: low
- Explanation of risk level: Limited change to text output harness.
- String changes made/needed?: N/A
- Is Android affected?: yes
Updated•15 days ago
|
Updated•15 days ago
|
Comment 15•15 days ago
|
||
| uplift | ||
Description
•