Closed Bug 775777 Opened 13 years ago Closed 13 years ago

IPDL actor deserialization allows type punning from maliciously-constructed packets

Categories

(Core :: IPC, defect)

Product:
Core
Component:
IPC
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla18
Project Flags:
blocking-basecamp +

People

(Reporter: cjones, Assigned: cjones)

References

Details

(Whiteboard: [WebAPI:P0][LOE:S])

Attachments

(2 files, 1 obsolete file)

Test
10.20 KB, patch
bent.mozilla
: review+
Details | Diff | Splinter Review
Check dynamic actor type when deserializing, v1.1
7.39 KB, patch
bent.mozilla
: review+
Details | Diff | Splinter Review
No description provided.
Whups, fat-fingered enter. Currently all managed actors are stored in a single hash, and on deserialization we statically cast the lookup-up generic pointer to the more specific type specified by the message decl. This is fine for trusted content, but with compromised processes can send specifically-crafted messages that allow type-punning a concrete PFooParent* as PBarParent*, with predicable dangerous results. To fix this, we need either managee-specific storage, or need to store type information along with the actor map and then do a dynamic type check on lookup. The latter is probably easier.
A good target for IPC fuzzing is finding this bug independently. However, I need to fix it sooner rather than later.
blocking-basecamp: --- → +
Assignee: nobody → jones.chris.g
Whiteboard: [WebAPI:P0]
Whiteboard: [WebAPI:P0] → [WebAPI:P0][LOE:S]
Attached patch TestSplinter Review
This is a fairly nontrivial test, so important to get on the same page before the fix.
Attachment #662491 - Flags: review?(bent.mozilla)
Urge ... to ... refactor ... building ...
$ MOZ_IPC_MESSAGE_LOG=1 ~/mozilla/iff-dbg/dist/bin/run-mozilla.sh ~/mozilla/iff-dbg/dist/bin/ipdlunittest TestActorPunning [snip] [time:1348105394788337][27305][PTestActorPunningParent] Received Msg_Pun([TODO]) Protocol error: actor that should be of type PTestActorPunning has different type
Attachment #662768 - Flags: review?(bent.mozilla)
Comment on attachment 662768 [details] [diff] [review] Check dynamic actor type when deserializing Oops, there's a bug here that the rest of the tests caught. Sorry for the spam.
Attachment #662768 - Attachment is obsolete: true
Attachment #662768 - Flags: review?(bent.mozilla)
Attachment #662776 - Flags: review?(bent.mozilla)
Attachment #662491 - Flags: review?(bent.mozilla) → review+
Comment on attachment 662776 [details] [diff] [review] Check dynamic actor type when deserializing, v1.1 Review of attachment 662776 [details] [diff] [review]: ----------------------------------------------------------------- Looks great! ::: ipc/glue/AsyncChannel.h @@ +72,5 @@ > virtual Result OnMessageReceived(const Message& aMessage) = 0; > virtual void OnProcessingError(Result aError) = 0; > + // FIXME/bug 792652: this doesn't really belong here, but a > + // large refactoring is needed to put it where it belongs. > + virtual int32_t GetTypeTag() = 0; Nit: Can we make this more explicit (GetProtocolId? GetProtocolTypeId?)
Attachment #662776 - Flags: review?(bent.mozilla) → review+
https://hg.mozilla.org/mozilla-central/rev/7c9af3e022da https://hg.mozilla.org/mozilla-central/rev/b68455ccdd9a
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: