Closed Bug 834526 Opened 7 years ago Closed 7 years ago
IPC Channel uses debug-only check for number of FDs in a single message, could overwrite stack
IPC Channel uses a debug-only check for number of FDs that may be transmitted in a single message. That's currently |FileDescriptorSet::MAX_DESCRIPTORS_PER_MESSAGE| (currently 4 in our code, 5 in chromium tip). It uses this to allocate some stack space, and if we exceed this limit then we will overwrite the stack.
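As an added illustration (not code from this bug, Chromium or Gecko): a constructed C model of the receive path described above, in which a sender-controlled FD count is bounded only by a DCHECK before a fixed-size stack array is filled, beside the unconditional check the patch introduces. The DCHECK here is a counting stand-in (a real one aborts in debug builds and is compiled out under NDEBUG), and `struct msg_header`, `vulnerable_overrun` and `receive_fds_checked` are hypothetical names. The vulnerable function computes how far the copy would overrun the buffer rather than performing it, so the program does not corrupt its own frame.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the pattern in the bug; not Chromium or Gecko code. */
#define MAX_DESCRIPTORS_PER_MESSAGE 4

/* DCHECK-style debug-only check.  A real DCHECK aborts in debug builds and is
 * compiled out under NDEBUG; this stand-in counts failures instead so the
 * debug/release difference can be observed without aborting. */
int debug_check_failures = 0;
#ifdef NDEBUG
#define DCHECK_ACTIVE 0
#define DCHECK(cond) ((void)0)
#else
#define DCHECK_ACTIVE 1
#define DCHECK(cond) do { if (!(cond)) debug_check_failures++; } while (0)
#endif

/* Hypothetical header of a received message: only the FD count matters here. */
struct msg_header {
    size_t num_fds;
};

/* Vulnerable shape: the sender-controlled count is bounded only by a DCHECK,
 * so a release build would copy num_fds ints into a 4-int stack array
 * regardless.  Returns how many ints such a copy would write past the end of
 * fds (0 means in bounds); the copy itself is deliberately not performed. */
size_t vulnerable_overrun(const struct msg_header *hdr)
{
    int fds[MAX_DESCRIPTORS_PER_MESSAGE];
    DCHECK(hdr->num_fds <= MAX_DESCRIPTORS_PER_MESSAGE);   /* absent in release */
    size_t need = hdr->num_fds * sizeof(int);
    size_t have = sizeof(fds);
    return need > have ? (need - have) / sizeof(int) : 0;
}

/* Hardened shape: an unconditional check rejects the message before the stack
 * buffer is touched.  Stages up to MAX fds from `wire` into a local array and
 * hands them to `out`; returns the count, or -1 if the message is dropped. */
int receive_fds_checked(const struct msg_header *hdr, const int *wire, int *out)
{
    int fds[MAX_DESCRIPTORS_PER_MESSAGE];
    if (hdr->num_fds > MAX_DESCRIPTORS_PER_MESSAGE) {
        fprintf(stderr, "dropping message: %zu fds exceeds limit of %d\n",
                hdr->num_fds, MAX_DESCRIPTORS_PER_MESSAGE);
        return -1;   /* the peer may be hostile: fail the read, do not just log */
    }
    memcpy(fds, wire, hdr->num_fds * sizeof(int));
    memcpy(out, fds, hdr->num_fds * sizeof(int));
    return (int)hdr->num_fds;
}

int main(void)
{
    /* Constructed inputs: one message at the limit, one just over it. */
    const int wire[5] = { 10, 11, 12, 13, 14 };
    struct msg_header ok = { 4 }, bad = { 5 };
    int out[5] = { 0 };

    printf("DCHECK active: %d\n", DCHECK_ACTIVE);
    printf("4 fds: would overrun by %zu ints\n", vulnerable_overrun(&ok));
    printf("5 fds: would overrun by %zu ints, debug check failures: %d\n",
           vulnerable_overrun(&bad), debug_check_failures);
    printf("checked receive of 4 fds -> %d\n", receive_fds_checked(&ok, wire, out));
    printf("checked receive of 5 fds -> %d\n", receive_fds_checked(&bad, wire, out));
    return 0;
}
```

Compiling with and without `-DNDEBUG` shows the point of the bug: in the release build the only guard on `num_fds` disappears, so a message carrying five descriptors against a four-slot array would write one int past the end of the frame. The hardened path keeps a check that is present in every build and fails the receive outright, which is the right response on a channel whose peer may be a less trusted process.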
Attachment #706173 - Flags: review?(jones.chris.g)
Comment on attachment 706173 [details] [diff] [review] Patch, v1 Add a note that the return isn't reached.
Attachment #706173 - Flags: review?(jones.chris.g) → review+
Comment on attachment 706173 [details] [diff] [review] Patch, v1 This shouldn't happen in current code, but if content can somehow force the b2g process to hit this path, then we'll overflow a stack buffer in an sg:crit way. This check prevents that path from being reached.
Attachment #706173 - Flags: approval-mozilla-b2g18+
Can we get a security rating on this issue? I assume this only affects trunk and no previous versions?
If it were triggered, the vulnerability here would be sec-critical. However, to the best of our knowledge it can't be triggered in current code. The buggy code exists in gecko19 and gecko20 but all clients of IPC are fully trusted. So I don't think we need to uplift the patch there, although there's no risk in doing so.