Bug 769265 (CVE-2012-3979)

Audit for incorrect uses of __android_log_print

RESOLVED FIXED in Firefox 15

Status: RESOLVED FIXED
Product: Core
Component: DOM
Reported: 5 years ago
Modified: 5 years ago

People: Reporter: mrbkap, Assigned: mrbkap

Tracking
Keywords: sec-audit, sec-high
Version: unspecified
Target Milestone: mozilla16
Hardware: ARM
OS: Android
Points: ---

Firefox Tracking Flags: firefox15+ fixed, firefox16 fixed, firefox-esr10 wontfix

Whiteboard: [advisory-tracking+]

Attachments (1 attachment)

Fix (2.72 KB, patch)
Ben Turner (not reading bugmail, use the needinfo flag!): review+
mrbkap: checkin+
Description (Assignee, 5 years ago)
Debugging something today, I realized that we have a few places where we incorrectly call __android_log_print in potentially exploitable ways. The fix is easy and coming up.
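The misuse this bug audits is the classic format-string pattern: a string that content can influence (here, the argument to dump()) is handed to __android_log_print as the format parameter instead of as data. The following is an added example, not Mozilla code and not the patch attached to this bug. It builds off-device by using a constructed stand-in, fake_log_print, that shares only the printf-style contract of __android_log_print; dump_unsafe and dump_safe show the two call shapes, and count_conversions is a small audit helper for deciding whether a string is safe to use as a format. Passing the untrusted string through a constant "%s" format is the standard remedy and is assumed here to match the fix.

```c
/* Added example, not Mozilla code. fake_log_print stands in for
 * __android_log_print(prio, tag, fmt, ...) so this builds on any host;
 * only the printf-style signature shape is shared with the real API. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in: formats "tag: <fmt...>" into a caller buffer
 * instead of writing to logcat. Returns bytes written or -1. */
static int fake_log_print(char *out, size_t outsz, const char *tag,
                          const char *fmt, ...)
{
    va_list ap;
    int n = snprintf(out, outsz, "%s: ", tag);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    va_start(ap, fmt);
    int m = vsnprintf(out + n, outsz - (size_t)n, fmt, ap);
    va_end(ap);
    return m < 0 ? -1 : n + m;
}

/* Vulnerable shape: the content-controlled string IS the format.
 * Any "%x" reads a vararg that was never passed, "%n" writes through one.
 * Kept here only to show the pattern; only ever call it with a string
 * known to contain no '%'. */
static int dump_unsafe(char *out, size_t outsz, const char *untrusted)
{
    return fake_log_print(out, outsz, "Gecko", untrusted);
}

/* Fixed shape: constant format, untrusted text travels as a %s argument
 * and is copied verbatim, directives and all. */
static int dump_safe(char *out, size_t outsz, const char *untrusted)
{
    return fake_log_print(out, outsz, "Gecko", "%s", untrusted);
}

/* Audit helper: number of conversion specifiers a string would consume
 * if used as a format. "%%" is a literal percent and is not counted.
 * Non-zero for a string with no matching arguments means undefined
 * behaviour in the unsafe shape above. */
static int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent, skip both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    char buf[128];
    const char *evil = "%x %x %x %n";   /* constructed attacker-style input */

    printf("conversions in attacker string: %d\n", count_conversions(evil));
    dump_safe(buf, sizeof buf, evil);
    printf("safe dump logs literally: %s\n", buf);
    /* dump_unsafe(buf, sizeof buf, evil) would be undefined behaviour. */
    return 0;
}
```

When auditing call sites, the question to ask of every __android_log_print (or any printf-family) call is whether the fmt argument is a compile-time constant; if it is a variable, count_conversions on an attacker-chosen value tells you how many reads or writes the call would perform on their behalf.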
Comment 1 (Assignee, 5 years ago)
Created attachment 637506 [details] [diff] [review]
Fix
Attachment #637506 - Flags: review?(bent.mozilla)
Attachment #637506 - Flags: review?(bent.mozilla) → review+
Comment 2 (Assignee, 5 years ago)
https://hg.mozilla.org/integration/mozilla-inbound/rev/b3ee916d45c3
Updated (Assignee, 5 years ago)
Attachment #637506 - Flags: checkin+

Comment 3 (5 years ago)
https://hg.mozilla.org/mozilla-central/rev/b3ee916d45c3
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox16: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla16

Updated (5 years ago)
status-firefox-esr10: --- → unaffected

Updated (5 years ago)
status-firefox-esr10: unaffected → wontfix

We should fix this in Firefox 15.
status-firefox15: --- → affected
tracking-firefox15: --- → ?
Keywords: sec-audit, sec-high

Please nominate for aurora uplift so we can look at getting this in before merge day on Monday July 16th.
tracking-firefox15: ? → +
Comment 6 (Assignee, 5 years ago)
Comment on attachment 637506 [details] [diff] [review]
Fix

[Approval Request Comment]
User impact if declined: Possible problems if people use dump in evil ways on Android.
Testing completed (on m-c, etc.): The patch has been in m-c for a while.
Risk to taking this patch (and alternatives if risky): Very low risk.
Attachment #637506 - Flags: approval-mozilla-beta?
Attachment #637506 - Flags: approval-mozilla-aurora?

Comment on attachment 637506 [details] [diff] [review]
Fix

This is already fixed in Aurora (16) so only approving for Beta (15)
Attachment #637506 - Flags: approval-mozilla-beta?
Attachment #637506 - Flags: approval-mozilla-beta+
Attachment #637506 - Flags: approval-mozilla-aurora?
Attachment #637506 - Flags: approval-mozilla-aurora-
Comment 8 (Assignee, 5 years ago)
https://hg.mozilla.org/releases/mozilla-beta/rev/a3391345c86a
status-firefox15: affected → fixed
Whiteboard: [advisory-tracking+]

Will this do anything bad if people aren't actively debugging android? I'm guessing that __android_log_print bails out if not actually being used before doing the dangerous printf family stuff, and if so that reduces the severity here to sec-moderate since you could only target a handful of people debugging while visiting attack sites.
Alias: CVE-2012-3979
Comment 10 (Assignee, 5 years ago)
As far as I know, __android_log_print always prints stuff to the logcat. However, I don't know if there's anything that controls whether or not that's on. dougt might know more.

The advisory here says that this can only be exploited through dump() which is disabled by default. If this is the case, then this isn't sec-high. Of course if there's another way to supply the string from content, then that rating is perfectly valid.

As far as I know none of the dump() implementations touched in attachment 637506 [details] [diff] [review] are exposed to content, except maybe the Worker* ones.

WorkerPrivate.cpp's implementation only uses it as a fallback if reporting to the console service fails, which shouldn't really ever happen in practice.

WorkerScope.cpp's implementation looks to not be pref-controlled, which means that workers calling dump() can spam stdout in release builds, which seems like a bug we should fix regardless of the security implications.

I confirmed that it's exposed to content (using http://gavinsharp.com/tmp/worker.html) and filed bug 785656.

Group: core-security