Closed Bug 855335 Opened 12 years ago Closed 12 years ago

Audit SIPCC printf-style formatting strings

Categories

(Core :: WebRTC: Signaling, defect, P3)

Product:
Core
Component:
WebRTC: Signaling
Version:
21 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla23
Tracking Flags:
Tracking Status
firefox19 --- disabled
firefox20 --- disabled
firefox21 --- disabled
firefox22 --- disabled
firefox23 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: abr, Assigned: ehugg)

Details

(Keywords: sec-audit, Whiteboard: [WebRTC][blocking-webrtc-][qa-][adv-main23-])

Attachments

(4 files, 1 obsolete file)

Format Warnings from Signaling code
57.06 KB, text/plain
Details
Patch for testing only. Sends logging to printf
2.88 KB, patch
Details | Diff | Splinter Review
Signaling - fix Wformat warnings in logging
79.40 KB, patch
jesup
: review+
Details | Diff | Splinter Review
Patch 2 - Signaling fix warnings format-extra-args and format-security
14.95 KB, patch
jesup
: review+
Details | Diff | Splinter Review 
Compiling the SIPCC code with log macros expanded directly to printf() yields approximately 300 formatting-related warnings. Most of these are benign, but some could be problematic. This bug represents an audit task to examine and fix (or suppress) these warnings.
marking s-s since we expect there will be some log messages that invoke memory errors.  Note however that any security issue would only apply if logging is turned on, which means debug builds or private builds typically, unless the module is forcing PR_LOGGING on.

Likely anything found would be sec-low or at most sec-moderate for that reason
Group: core-security
Keywords: sec-audit
Output of the format-related warnings in the signaling code of Mozilla-Central as of today - rev 7c3cb087620b
Looking at this list I see a bunch that could cause crashes in the future.  

I'm going to take this bug and start with a patch that resolves the -Wformat warnings.  After that we can tackle the -Wformat-security and -Wformat-extra-args
Assignee: adam → ethanhugg
(In reply to Ethan Hugg [:ehugg] from comment #3)
> Looking at this list I see a bunch that could cause crashes in the future.  
> 
> I'm going to take this bug and start with a patch that resolves the -Wformat
> warnings.  After that we can tackle the -Wformat-security and
> -Wformat-extra-args

Excellent, thanks.

I would propose that the first step is to run debugging all the way up to 9, run a text call, and then fix the first message that causes a segfault. Repeat as necessary.

    
  

        Attachment #735884 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 735936 [details] [diff] [review]
Signaling - fix Wformat warnings in logging


This should fix all of the -Wformat warnings, but not the -Wformat-extra-args or -Wformat-security ones.

You can now run with NSPR_LOG_MODULES=signaling:9 without crashing.

There is a test patch above that redefines the logging to printf if you want to check the warnings on your build.

        Attachment #735936 -
        Flags: review?(rjesup)

        Attachment #735936 -
        Flags: review?(rjesup) → review+

    
    

    
  
Assuming from comment 8 that this is leave-open for now
Whiteboard: [WebRTC][blocking-webrtc-] → [WebRTC][blocking-webrtc-][leave-open]

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/146c6ca0aa6d
Status: NEW → RESOLVED
Closed: 12 years ago

          status-firefox23:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla23

    
    

    
  
reopening since this is [leave-open]
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

    
    

    
  
Comment on attachment 736506 [details] [diff] [review]
Patch 2 - Signaling fix warnings format-extra-args and format-security

Review of attachment 736506 [details] [diff] [review]:
-----------------------------------------------------------------

This fixes all of the -Wformat-extra-args warnings and all of the -Wformat-security warnings except the ones in fsmcnf.c and fsmdef.c which are caused by the format parameter being the return of another function (get_debug_string).  I chose not to address those since that would entail getting replacing all of the get_debug_string calls with literals.

I don't think this patch fixes anything that would cause a crash, those were fixed in the first patch.

        Attachment #736506 -
        Flags: review?(rjesup)

        Attachment #736506 -
        Flags: review?(rjesup) → review+

    
    

    
  
https://hg.mozilla.org/integration/mozilla-inbound/rev/16b7c4a657df
Whiteboard: [WebRTC][blocking-webrtc-][leave-open] → [WebRTC][blocking-webrtc-]

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/16b7c4a657df

Sorry about that, don't know how I missed the [leave open].
Status: REOPENED → RESOLVED
Closed: 12 years ago12 years ago

          status-firefox23:
          --- → fixed
Resolution: --- → FIXED

    
    

    
  
(In reply to Adam Roach [:abr] from comment #0)
> Compiling the SIPCC code with log macros expanded directly to printf()
> yields approximately 300 formatting-related warnings. Most of these are

BTW, you know you can get gcc to generate these warnings without such hackery, right? See the "format" attribute at http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html
Whiteboard: [WebRTC][blocking-webrtc-] → [WebRTC][blocking-webrtc-][qa-]
Whiteboard: [WebRTC][blocking-webrtc-][qa-] → [WebRTC][blocking-webrtc-][qa-][adv-main23-]
Group: core-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: