Closed Bug 834526 Opened 7 years ago Closed 7 years ago

IPC Channel uses debug-only check for number of FDs in a single message, could overwrite stack

Categories: Core :: IPC (defect); Platform: All / Linux; Priority: Not set

Tracking

RESOLVED FIXED
mozilla21
Tracking Status
firefox19 --- wontfix
firefox20 --- wontfix
firefox21 --- fixed
firefox-esr17 --- unaffected
b2g18 --- fixed

People

(Reporter: bent.mozilla, Assigned: bent.mozilla)

Details

(Keywords: sec-critical, Whiteboard: [adv-main21+])

Attachments (1 file)

Attached patch: Patch, v1
IPC Channel uses a debug-only check for number of FDs that may be transmitted in a single message. That's currently |FileDescriptorSet::MAX_DESCRIPTORS_PER_MESSAGE| (currently 4 in our code, 5 in chromium tip). It uses this to allocate some stack space, and if we exceed this limit then we will overwrite the stack.
Attachment #706173 - Flags: review?(jones.chris.g)
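The description above is the whole bug: the sender sizes an SCM_RIGHTS control buffer on the stack for MAX_DESCRIPTORS_PER_MESSAGE descriptors, but the only thing stopping a larger message from being packed into it is a debug-time assertion that release builds compile out. The following is an added C example, not code from Gecko, Chromium or the attached patch, showing that pattern beside a check that runs on every build. The limit of 4, the names MAX_DESCRIPTORS_PER_MESSAGE, build_fd_cmsg_dcheck_only, build_fd_cmsg, fd_cmsg_overflow_bytes, extract_fds and roundtrip_ok, the DCHECK_LE macro and the constructed descriptor numbers are all assumptions made for illustration.

```c
/* Added example, not Gecko/Chromium code: packing file descriptors into an
 * SCM_RIGHTS control message with a fixed-size stack buffer, first with only a
 * debug-time bound (the bug), then with a bound enforced in release builds. */
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Assumed limit; the bug text gives 4 for Gecko at the time, 5 for Chromium tip. */
#define MAX_DESCRIPTORS_PER_MESSAGE 4

/* The sender's stack buffer is sized for the maximum, not for the actual count. */
#define FD_CMSG_BUF_SIZE CMSG_SPACE(sizeof(int) * MAX_DESCRIPTORS_PER_MESSAGE)

/* Debug-only assertion in the style of Chromium's DCHECK: compiled out when
 * NDEBUG is defined, which is the case in release builds. */
#ifdef NDEBUG
#define DCHECK_LE(a, b) ((void)0)
#else
#include <assert.h>
#define DCHECK_LE(a, b) assert((a) <= (b))
#endif

/* Bytes of ancillary data needed to carry num_fds descriptors. */
size_t fd_cmsg_bytes_needed(size_t num_fds) {
    return CMSG_SPACE(sizeof(int) * num_fds);
}

/* How far past the fixed buffer a write for num_fds would reach (0 if it fits). */
size_t fd_cmsg_overflow_bytes(size_t num_fds) {
    size_t need = fd_cmsg_bytes_needed(num_fds);
    return need > FD_CMSG_BUF_SIZE ? need - FD_CMSG_BUF_SIZE : 0;
}

/* Shared packing step: write one cmsghdr plus the fd array into buf. */
static void pack_fds(unsigned char *buf, size_t control_len,
                     const int *fds, size_t num_fds, struct msghdr *msgh) {
    memset(msgh, 0, sizeof *msgh);
    msgh->msg_control = buf;
    msgh->msg_controllen = control_len;
    struct cmsghdr *cmsg = CMSG_FIRSTHDR(msgh);
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    cmsg->cmsg_len = CMSG_LEN(sizeof(int) * num_fds);
    memcpy(CMSG_DATA(cmsg), fds, sizeof(int) * num_fds);
}

/* Vulnerable pattern: the only bound is a debug-time check. In a release build
 * num_fds > MAX_DESCRIPTORS_PER_MESSAGE writes fd_cmsg_overflow_bytes(num_fds)
 * bytes past buf, which is FD_CMSG_BUF_SIZE bytes on the caller's stack.
 * Never call this with more than the maximum; it shows the shape of the bug. */
void build_fd_cmsg_dcheck_only(const int *fds, size_t num_fds,
                               unsigned char *buf, struct msghdr *msgh) {
    DCHECK_LE(num_fds, (size_t)MAX_DESCRIPTORS_PER_MESSAGE);
    pack_fds(buf, CMSG_SPACE(sizeof(int) * num_fds), fds, num_fds, msgh);
}

/* Hardened: the bound holds on every build and an oversized message is refused
 * (a caller should treat -1 as a fatal protocol error). Returns 0 on success. */
int build_fd_cmsg(const int *fds, size_t num_fds,
                  unsigned char *buf, struct msghdr *msgh) {
    if (num_fds == 0 || num_fds > MAX_DESCRIPTORS_PER_MESSAGE)
        return -1;
    pack_fds(buf, CMSG_SPACE(sizeof(int) * num_fds), fds, num_fds, msgh);
    return 0;
}

/* Receiver side: copy the descriptors out, refusing more than out can hold.
 * Returns the count, or -1 on a malformed or oversized control message. */
int extract_fds(struct msghdr *msgh, int *out, size_t max_out) {
    struct cmsghdr *cmsg = CMSG_FIRSTHDR(msgh);
    if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET ||
        cmsg->cmsg_type != SCM_RIGHTS || cmsg->cmsg_len < CMSG_LEN(0))
        return -1;
    size_t n = (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int);
    if (n > max_out)
        return -1;
    memcpy(out, CMSG_DATA(cmsg), n * sizeof(int));
    return (int)n;
}

/* Self-check: push num_fds constructed descriptor numbers through the hardened
 * sender and the receiver; 1 if they round-trip intact, 0 if refused or wrong. */
int roundtrip_ok(size_t num_fds) {
    int in[16], out[16];
    unsigned char buf[FD_CMSG_BUF_SIZE];
    struct msghdr msgh;
    if (num_fds > 16)
        return 0;
    for (size_t i = 0; i < num_fds; i++)
        in[i] = (int)(100 + i); /* constructed fd numbers, not real descriptors */
    if (build_fd_cmsg(in, num_fds, buf, &msgh) != 0)
        return 0;
    if (extract_fds(&msgh, out, 16) != (int)num_fds)
        return 0;
    return memcmp(in, out, num_fds * sizeof(int)) == 0;
}
```

fd_cmsg_overflow_bytes quantifies what the debug-only variant would do with a fifth descriptor: CMSG_SPACE rounds the payload up to the platform alignment, so the first few excess descriptors may still land inside the padded buffer and the overwrite only becomes visible a little beyond the limit. That is exactly why a bound that exists only under DCHECK is not a bound; the hardened variant moves the same comparison into code that ships.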
Comment on attachment 706173 [details] [diff] [review]
Patch, v1

Add a note that the return isn't reached.
Attachment #706173 - Flags: review?(jones.chris.g) → review+
Comment on attachment 706173 [details] [diff] [review]
Patch, v1

This shouldn't happen in current code, but if content can somehow force the b2g process to hit this path, then we'll overflow a stack buffer in an sg:crit way.  This check prevents that path from being reached.
Attachment #706173 - Flags: approval-mozilla-b2g18+
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Can we get a security rating on this issue?

I assume this only affects trunk and no previous versions?
If it were triggered, the vulnerability here would be sec-critical.

However, to the best of our knowledge it can't be triggered in current code.

The buggy code exists in gecko19 and gecko20 but all clients of IPC are fully trusted.  So I don't think we need to uplift the patch there, although there's no risk in doing so.
Keywords: sec-critical
Whiteboard: [adv-main21+]
Group: core-security