Closed
Bug 855335
Opened 12 years ago
Closed 12 years ago
Audit SIPCC printf-style formatting strings
Categories
(Core :: WebRTC: Signaling, defect, P3)
Tracking
()
RESOLVED
FIXED
mozilla23
Tracking | Status | |
---|---|---|
firefox19 | --- | disabled |
firefox20 | --- | disabled |
firefox21 | --- | disabled |
firefox22 | --- | disabled |
firefox23 | --- | fixed |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: abr, Assigned: ehugg)
Details
(Keywords: sec-audit, Whiteboard: [WebRTC][blocking-webrtc-][qa-][adv-main23-])
Attachments
(4 files, 1 obsolete file)
57.06 KB,
text/plain
|
Details | |
2.88 KB,
patch
|
Details | Diff | Splinter Review | |
79.40 KB,
patch
|
jesup
:
review+
|
Details | Diff | Splinter Review |
14.95 KB,
patch
|
jesup
:
review+
|
Details | Diff | Splinter Review |
Compiling the SIPCC code with log macros expanded directly to printf() yields approximately 300 formatting-related warnings. Most of these are benign, but some could be problematic. This bug represents an audit task to examine and fix (or suppress) these warnings.
Comment 1•12 years ago
|
||
marking s-s since we expect there will be some log messages that invoke memory errors. Note however that any security issue would only apply if logging is turned on, which means debug builds or private builds typically, unless the module is forcing PR_LOGGING on. Likely anything found would be sec-low or at most sec-moderate for that reason
Group: core-security
Updated•12 years ago
|
status-firefox19:
--- → disabled
status-firefox20:
--- → disabled
status-firefox21:
--- → disabled
status-firefox22:
--- → disabled
Assignee | ||
Comment 2•12 years ago
|
||
Output of the format-related warnings in the signaling code of Mozilla-Central as of today - rev 7c3cb087620b
Assignee | ||
Comment 3•12 years ago
|
||
Looking at this list I see a bunch that could cause crashes in the future. I'm going to take this bug and start with a patch that resolves the -Wformat warnings. After that we can tackle the -Wformat-security and -Wformat-extra-args
Assignee: adam → ethanhugg
Reporter | ||
Comment 4•12 years ago
|
||
(In reply to Ethan Hugg [:ehugg] from comment #3) > Looking at this list I see a bunch that could cause crashes in the future. > > I'm going to take this bug and start with a patch that resolves the -Wformat > warnings. After that we can tackle the -Wformat-security and > -Wformat-extra-args Excellent, thanks. I would propose that the first step is to run debugging all the way up to 9, run a text call, and then fix the first message that causes a segfault. Repeat as necessary.
Assignee | ||
Comment 5•12 years ago
|
||
Assignee | ||
Comment 6•12 years ago
|
||
Assignee | ||
Updated•12 years ago
|
Attachment #735884 -
Attachment is obsolete: true
Assignee | ||
Comment 7•12 years ago
|
||
Assignee | ||
Comment 8•12 years ago
|
||
Comment on attachment 735936 [details] [diff] [review] Signaling - fix Wformat warnings in logging This should fix all of the -Wformat warnings, but not the -Wformat-extra-args or -Wformat-security ones. You can now run with NSPR_LOG_MODULES=signaling:9 without crashing. There is a test patch above that redefines the logging to printf if you want to check the warnings on your build.
Attachment #735936 -
Flags: review?(rjesup)
Updated•12 years ago
|
Attachment #735936 -
Flags: review?(rjesup) → review+
Assignee | ||
Comment 9•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/146c6ca0aa6d
Comment 10•12 years ago
|
||
Assuming from comment 8 that this is leave-open for now
Whiteboard: [WebRTC][blocking-webrtc-] → [WebRTC][blocking-webrtc-][leave-open]
Comment 11•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/146c6ca0aa6d
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox23:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Comment 12•12 years ago
|
||
reopening since this is [leave-open]
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Updated•12 years ago
|
status-firefox23:
fixed → ---
Assignee | ||
Comment 13•12 years ago
|
||
Assignee | ||
Comment 14•12 years ago
|
||
Comment on attachment 736506 [details] [diff] [review] Patch 2 - Signaling fix warnings format-extra-args and format-security Review of attachment 736506 [details] [diff] [review]: ----------------------------------------------------------------- This fixes all of the -Wformat-extra-args warnings and all of the -Wformat-security warnings except the ones in fsmcnf.c and fsmdef.c which are caused by the format parameter being the return of another function (get_debug_string). I chose not to address those since that would entail getting replacing all of the get_debug_string calls with literals. I don't think this patch fixes anything that would cause a crash, those were fixed in the first patch.
Attachment #736506 -
Flags: review?(rjesup)
Updated•12 years ago
|
Attachment #736506 -
Flags: review?(rjesup) → review+
Assignee | ||
Comment 15•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/16b7c4a657df
Whiteboard: [WebRTC][blocking-webrtc-][leave-open] → [WebRTC][blocking-webrtc-]
Comment 16•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/16b7c4a657df Sorry about that, don't know how I missed the [leave open].
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
status-firefox23:
--- → fixed
Resolution: --- → FIXED
Comment 17•12 years ago
|
||
(In reply to Adam Roach [:abr] from comment #0) > Compiling the SIPCC code with log macros expanded directly to printf() > yields approximately 300 formatting-related warnings. Most of these are BTW, you know you can get gcc to generate these warnings without such hackery, right? See the "format" attribute at http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html
Updated•12 years ago
|
Whiteboard: [WebRTC][blocking-webrtc-] → [WebRTC][blocking-webrtc-][qa-]
Updated•12 years ago
|
status-b2g18:
--- → unaffected
status-firefox-esr17:
--- → unaffected
Updated•11 years ago
|
Whiteboard: [WebRTC][blocking-webrtc-][qa-] → [WebRTC][blocking-webrtc-][qa-][adv-main23-]
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•