Bug 769265 - (CVE-2012-3979) Audit for incorrect uses of __android_log_print
Status: RESOLVED FIXED
Whiteboard: [advisory-tracking+]
Keywords: sec-audit, sec-high
Product: Core
Classification: Components
Component: DOM
Version: unspecified
Platform: ARM Android
Priority/Severity: -- normal
Target Milestone: mozilla16
Assigned To: Blake Kaplan (:mrbkap)
Andrew Overholt [:overholt]
Reported: 2012-06-28 07:13 PDT by Blake Kaplan (:mrbkap)
Modified: 2012-10-21 20:46 PDT
Tracking flags: +, fixed, fixed, wontfix

Attachments
Fix (2.72 KB, patch) - 2012-06-28 07:14 PDT, Blake Kaplan (:mrbkap)
  bent.mozilla: review+
  lukasblakk+bugs: approval-mozilla-aurora-
  lukasblakk+bugs: approval-mozilla-beta+
  mrbkap: checkin+
Description Blake Kaplan (:mrbkap) 2012-06-28 07:13:52 PDT
Debugging something today, I realized that we have a few places where we incorrectly call __android_log_print in potentially exploitable ways. The fix is easy and coming up.
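The misuse the description refers to is the classic one for printf-style loggers: handing a caller-supplied string to `__android_log_print` as the format argument instead of as a `"%s"` argument. The following is an added example, not Mozilla's code or the bug's patch; `android_log_stub` is a hypothetical stand-in with the same printf-style shape as `__android_log_print`, writing into a buffer so it compiles off-device, and the `dump_*` functions and sample message are constructed for illustration.

```c
/* Added example (not Mozilla's code): models the __android_log_print misuse
 * audited in bug 769265. android_log_stub() is a hypothetical stand-in for
 * __android_log_print(prio, tag, fmt, ...) that writes to a buffer. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for __android_log_print: printf-style format plus varargs,
 * formatted into `out` instead of logcat. */
static int android_log_stub(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: the dump() string becomes the format string, so any
 * '%' directive in it is interpreted by the printf machinery. */
static int dump_unsafe(const char *msg, char *out, size_t outlen)
{
    return android_log_stub(out, outlen, msg);
}

/* Fixed pattern: constant format, message passed as a "%s" argument. */
static int dump_safe(const char *msg, char *out, size_t outlen)
{
    return android_log_stub(out, outlen, "%s", msg);
}

/* Audit helper: count the '%' directives (excluding the literal "%%") a
 * string would trigger if it ever reached a format parameter. */
static int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" is a literal percent */
        count++;
    }
    return count;
}

int main(void)
{
    char out[256];
    const char *msg = "progress: 100%%";    /* constructed sample message */
    dump_unsafe(msg, out, sizeof out);      /* "%%" collapses to "%" */
    printf("unsafe: %s\n", out);
    dump_safe(msg, out, sizeof out);        /* message preserved verbatim */
    printf("safe:   %s\n", out);
    printf("directives in \"%%s%%n\": %d\n", count_format_directives("%s%n"));
    return 0;
}
```

The sample uses only `%%` so the unsafe path stays well-defined here; a content-controlled string with real directives would read or write memory via the variadic arguments, which is why the real `__android_log_print` carries a printf format attribute and `-Wformat-security` flags non-literal formats at compile time.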
Comment 1 Blake Kaplan (:mrbkap) 2012-06-28 07:14:48 PDT
Created attachment 637506 [details] [diff] [review]
Fix
Comment 3 Ed Morley [:emorley] 2012-06-29 00:49:27 PDT
https://hg.mozilla.org/mozilla-central/rev/b3ee916d45c3
Comment 4 Daniel Veditz [:dveditz] 2012-07-12 08:36:41 PDT
We should fix this in Firefox 15.
Comment 5 Lukas Blakk [:lsblakk] use ?needinfo 2012-07-12 15:55:16 PDT
Please nominate for aurora uplift so we can look at getting this in before merge day on Monday July 16th.
Comment 6 Blake Kaplan (:mrbkap) 2012-07-27 16:19:58 PDT
Comment on attachment 637506 [details] [diff] [review]
Fix

[Approval Request Comment]
User impact if declined: Possible problems if people use dump in evil ways on Android.
Testing completed (on m-c, etc.): The patch has been in m-c for a while.
Risk to taking this patch (and alternatives if risky): Very low risk.
Comment 7 Lukas Blakk [:lsblakk] use ?needinfo 2012-07-27 16:43:59 PDT
Comment on attachment 637506 [details] [diff] [review]
Fix

This is already fixed in Aurora (16) so only approving for Beta (15)
Comment 8 Blake Kaplan (:mrbkap) 2012-07-30 18:04:23 PDT
https://hg.mozilla.org/releases/mozilla-beta/rev/a3391345c86a
Comment 9 Daniel Veditz [:dveditz] 2012-08-17 07:42:47 PDT
Will this do anything bad if people aren't actively debugging android? I'm guessing that __android_log_print bails out if not actually being used before doing the dangerous printf family stuff, and if so that reduces the severity here to sec-moderate since you could only target a handful of people debugging while visiting attack sites.
Comment 10 Blake Kaplan (:mrbkap) 2012-08-22 13:31:46 PDT
As far as I know, __android_log_print always prints stuff to the logcat. However, I don't know if there's anything that controls whether or not that's on. dougt might know more.
Comment 11 Christian Holler (:decoder) 2012-08-25 02:39:44 PDT
The advisory here says that this can only be exploited through dump() which is disabled by default. If this is the case, then this isn't sec-high. Of course if there's another way to supply the string from content, then that rating is perfectly valid.
Comment 12 :Gavin Sharp [email: gavin@gavinsharp.com] 2012-08-25 14:25:28 PDT
As far as I know none of the dump() implementations touched in attachment 637506 [details] [diff] [review] are exposed to content, except maybe the Worker* ones.

WorkerPrivate.cpp's implementation only uses it as a fallback if reporting to the console service fails, which shouldn't really ever happen in practice. 

WorkerScope.cpp's implementation looks to not be pref-controlled, which means that workers calling dump() can spam stdout in release builds, which seems like a bug we should fix regardless of the security implications.
Comment 13 :Gavin Sharp [email: gavin@gavinsharp.com] 2012-08-25 14:38:39 PDT
I confirmed that it's exposed to content (using http://gavinsharp.com/tmp/worker.html) and filed bug 785656.
