Bug 834526 (Closed)
Opened 11 years ago, closed 11 years ago
IPC Channel uses debug-only check for number of FDs in a single message, could overwrite stack
Categories: Core :: IPC, defect
Status: RESOLVED FIXED
Target Milestone: mozilla21
Tracking

Flag | Tracking | Status
---|---|---
firefox19 | --- | wontfix
firefox20 | --- | wontfix
firefox21 | --- | fixed
firefox-esr17 | --- | unaffected
b2g18 | --- | fixed
People: Reporter: bent.mozilla; Assigned: bent.mozilla
Details: Keywords: sec-critical; Whiteboard: [adv-main21+]
Attachments (1 file): Patch, v1 (1.11 KB, patch); cjones: review+, approval-mozilla-b2g18+
IPC Channel uses a debug-only check for number of FDs that may be transmitted in a single message. That's currently |FileDescriptorSet::MAX_DESCRIPTORS_PER_MESSAGE| (currently 4 in our code, 5 in chromium tip). It uses this to allocate some stack space, and if we exceed this limit then we will overwrite the stack.
Attachment #706173 - Flags: review?(jones.chris.g)
Comment on attachment 706173 [details] [diff] [review] Patch, v1
Add a note that the return isn't reached.
Attachment #706173 - Flags: review?(jones.chris.g) → review+
Comment on attachment 706173 [details] [diff] [review] Patch, v1
This shouldn't happen in current code, but if content can somehow force the b2g process to hit this path, then we'll overflow a stack buffer in an sg:crit way. This check prevents that path from being reached.
Attachment #706173 - Flags: approval-mozilla-b2g18+
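The defect pattern discussed above (a fixed-size stack buffer for SCM_RIGHTS control data whose only bound is a debug-only assertion) beside the runtime check the fix adds, as an added illustration that is not the patch from this bug or Gecko/Chromium IPC code. The names kMaxDescriptorsPerMessage, ControlBuffer, BytesNeeded, PackFdsIntoCmsg and TryPack are assumed, not the project's identifiers.

```cpp
// Added example (not the patch from this bug nor Chromium/Gecko IPC code): a
// fixed-size stack buffer for SCM_RIGHTS control data, guarded by a *runtime*
// check on the FD count rather than a debug-only assertion. All names here
// (kMaxDescriptorsPerMessage, ControlBuffer, BytesNeeded, PackFdsIntoCmsg,
// TryPack) are assumed, not the project's identifiers.
#include <cstddef>
#include <cstring>
#include <vector>
#include <sys/socket.h>

// Same limit the bug cites for the Mozilla tree at the time (4 descriptors).
constexpr size_t kMaxDescriptorsPerMessage = 4;

// Stack buffer sized for exactly kMaxDescriptorsPerMessage ints of SCM_RIGHTS
// payload. Copying control data for more FDs than this would overrun it.
struct ControlBuffer {
  alignas(struct cmsghdr) char bytes[CMSG_SPACE(sizeof(int) * kMaxDescriptorsPerMessage)];
};

// Bytes of control data a message carrying num_fds descriptors needs.
size_t BytesNeeded(size_t num_fds) { return CMSG_SPACE(sizeof(int) * num_fds); }

// Fills `out` with one SCM_RIGHTS cmsg carrying `fds`. Returns false, and
// writes nothing, when the count exceeds the buffer's capacity. A debug-only
// assertion in this spot compiles to nothing in release builds, which is the
// defect the bug describes; this unconditional branch is what the fix adds.
bool PackFdsIntoCmsg(const std::vector<int>& fds, ControlBuffer& out, size_t* control_len) {
  if (fds.size() > kMaxDescriptorsPerMessage) return false;
  *control_len = 0;
  if (fds.empty()) return true;               // nothing to attach
  std::memset(out.bytes, 0, sizeof(out.bytes));
  struct msghdr msgh {};
  msgh.msg_control = out.bytes;
  msgh.msg_controllen = sizeof(out.bytes);
  struct cmsghdr* cmsg = CMSG_FIRSTHDR(&msgh);
  cmsg->cmsg_level = SOL_SOCKET;
  cmsg->cmsg_type = SCM_RIGHTS;
  cmsg->cmsg_len = CMSG_LEN(sizeof(int) * fds.size());
  std::memcpy(CMSG_DATA(cmsg), fds.data(), sizeof(int) * fds.size());
  *control_len = BytesNeeded(fds.size());     // what sendmsg() would be told
  return true;
}

// Convenience for checks: attempt to pack `num_fds` constructed descriptors.
bool TryPack(size_t num_fds) {
  std::vector<int> fds(num_fds, 3);           // constructed placeholder fd values
  ControlBuffer buf;
  size_t len = 0;
  return PackFdsIntoCmsg(fds, buf, &len);
}
```

In a release build of the original code the equivalent of TryPack(5) would have copied 20 bytes of descriptor data into a buffer sized for 16, which is the stack overwrite the reporter describes.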
Comment 3 • 11 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/4b48effcf696
https://hg.mozilla.org/releases/mozilla-b2g18/rev/fb2bb1320ac7
Updated • 11 years ago (Assignee)
Comment 4 • 11 years ago
Can we get a security rating on this issue? I assume this only affects trunk and no previous versions?
If it were triggered, the vulnerability here would be sec-critical. However, to the best of our knowledge it can't be triggered in current code. The buggy code exists in gecko19 and gecko20 but all clients of IPC are fully trusted. So I don't think we need to uplift the patch there, although there's no risk in doing so.
Keywords: sec-critical
Comment 6 • 11 years ago
https://hg.mozilla.org/mozilla-central/rev/4b48effcf696
status-firefox19: --- → affected
status-firefox20: --- → affected
status-firefox21: --- → fixed
Target Milestone: --- → mozilla21
Updated • 11 years ago
Updated • 11 years ago
status-firefox-esr17: --- → unaffected
Updated • 11 years ago
Whiteboard: [adv-main21+]
Updated • 11 years ago
Group: core-security