Closed
Bug 782982
Opened 12 years ago
Closed 6 years ago
Parent process should never abort upon receiving invalid data from child
Categories
(Core :: IPC, defect, P3)
Tracking
()
RESOLVED
DUPLICATE
of bug 777067
People
(Reporter: justin.lebar+bug, Unassigned)
References
Details
The child process can trivially cause the parent to abort by e.g. sending an invalid enum. See for example bug 782971. (Nearly) every instance of NS_ABORT_IF_FALSE in IPDL-generated code run on the parent must be removed, if I understand correctly. I don't know if bug 746280 is the right metabug -- do we have a different one specifically for "sandboxing"-type stuff?
Reporter | ||
Updated•12 years ago
|
blocking-basecamp: --- → ?
Reporter | ||
Comment 1•12 years ago
|
||
> (Nearly) every instance of NS_ABORT_IF_FALSE
and NS_RUNTIMEABORT, etc.
Reporter | ||
Comment 2•12 years ago
|
||
> See for example bug 782971.
This is actually an example of the parent process crashing itself by trying to send bad data.
But it's still not clear to me what the parent will do upon receiving a bad enum from the child.
Comment 3•12 years ago
|
||
The parent aborting on bad data is a bug we should fix, but I don't think it's common. We've been pretty careful about the kinds of data/state manipulations that should and shouldn't abort. We fixed one case in plugins a while back, see bug 767775. But whether there is a real bug here or not, I don't think that this needs to block basecamp: *common* aborts will show up in crash-stats, and uncommon ones are just unfortunate DOSes.
Reporter | ||
Comment 4•12 years ago
|
||
> I don't think that this needs to block basecamp: *common* aborts will show up in crash-stats, and
> uncommon ones are just unfortunate DOSes.
I understand that hardening the parent process so that a malicious child process cannot crash the phone is a basecamp blocker. If it's not, then of course this bug should not block.
Comment 5•12 years ago
|
||
We discussed this in triage and decided it is basically a meta bug which we don't block on. Please open dependent bugs.
blocking-basecamp: ? → ---
Summary: Parent process should never abort upon receiving invalid data from child → [meta] Parent process should never abort upon receiving invalid data from child
However, note that DoS-ing the parent process is not a blocker. Reading sensitive data or causing sensitive actions is a blocker, but just DoS-ing isn't.
Comment 7•12 years ago
|
||
(In reply to Justin Lebar [:jlebar] from comment #2) > > See for example bug 782971. > > This is actually an example of the parent process crashing itself by trying > to send bad data. > > But it's still not clear to me what the parent will do upon receiving a bad > enum from the child. Instead of aborting, it can just call FatalError and kill the child process.
Comment 8•12 years ago
|
||
Do we need this bug? Is there anything actionable we need to do?
We need to audit the places we abort on encountering bogus data (like byte sequences that claim to have a length in the billions) and kill the child process instead of aborting.
Updated•7 years ago
|
Priority: -- → P3
Summary: [meta] Parent process should never abort upon receiving invalid data from child → Parent process should never abort upon receiving invalid data from child
Comment 10•6 years ago
|
||
Hey Christoph, would you consider this to be a dupe of the work you're doing and closable?
Flags: needinfo?(cdiehl)
Comment 11•6 years ago
|
||
Basically, yes. There will be component specific follow up bugs (at least from my side) where such conditions failed. Besides that, NS_ABORT_IF_FALSE got removed in https://bugzilla.mozilla.org/show_bug.cgi?id=1127201.
Flags: needinfo?(cdiehl)
Updated•6 years ago
|
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•