Closed Bug 934000 Opened 11 years ago Closed 11 years ago

Port bug 864558 to MobileMessageManager.cpp

Categories

(Firefox OS Graveyard :: Gaia::SMS, defect)

defect
Not set
normal

Tracking

(blocking-b2g:koi+, firefox26 unaffected, firefox27 unaffected, firefox28 unaffected, firefox-esr17 unaffected, firefox-esr24 disabled, b2g1826+ fixed, b2g-v1.1hd fixed, b2g-v1.2 fixed)

RESOLVED FIXED
1.3 Sprint 5 - 11/22
blocking-b2g koi+
Tracking Status
firefox26 --- unaffected
firefox27 --- unaffected
firefox28 --- unaffected
firefox-esr17 --- unaffected
firefox-esr24 --- disabled
b2g18 26+ fixed
b2g-v1.1hd --- fixed
b2g-v1.2 --- fixed

People

(Reporter: Waldo, Assigned: Waldo)

References

Details

(Keywords: sec-critical)

Attachments

(3 files, 5 obsolete files)

I'm not sure exactly what happened here, but when I fixed bug 864558, I did so wrt SmsManager.cpp. Apparently that file got forked -- but not deleted -- into MobileMessageManager.cpp, in bug 844431, which needs the same set of fixes performed to it. I'm really not sure why the searching I did at the time of that bug didn't uncover these uses -- the forking appears to have happened before that bug started, and before any activity happened on it. Bleh. Probably worth doing another set of searches to make sure nothing *else* escaped the dragnet, or something. :-(
Attached patch Trunk patch (obsolete) — Splinter Review
Straightforward enough. (Previous patches did s/array/object/ on the comment near the first bit -- turns out, at least on trunk now, there's a throw if obj && !array, so the comment's correct now. Might have been before, too, actually, but it's definitely not worth checking.)
Attachment #827731 - Flags: review?(mrbkap)
Attachment #827731 - Flags: review?(mrbkap) → review+
On doublecheck, this kills off all the remaining instances of "new JS::Value", "new jsval", "new Value" referring to JS::Value, etc. in Gecko. So I'm pretty sure it's a full fix.
Comment on attachment 827731 [details] [diff] [review] Trunk patch [Security approval request comment] How easily could an exploit be constructed based on the patch? Easy enough to trigger the crash, but exploiting it would require feeding in data just so to a privileged b2g app right now. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? It's obvious enough. Which older supported branches are affected by this flaw? If not all supported branches, which bug introduced the flaw? All b2g releases/repos/etc. Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Yes, will post them seriatim after this. How likely is this patch to cause regressions; how much testing does it need? Unlikely, doesn't need much testing.
Attachment #827731 - Flags: sec-approval?
Attached patch esr24 (obsolete) — Splinter Review
[Approval Request Comment] If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-critical User impact if declined: possible arbitrary code execution if the right inputs are fed to SMS code Testing completed: none except what it'll get after landing on trunk, but little to none required, this is straightforward Risk to taking this patch: low, just rewriting a little bit of code to use correct JSAPI idioms String or UUID changes made by this patch: N/A
Attachment #828410 - Flags: approval-mozilla-esr24?
Attached patch aurora (obsolete) — Splinter Review
All the branch-targeted patches here have the same approval-request characteristics, so I won't bother copy-pasting one comment N times. :-)
Attachment #828411 - Flags: approval-mozilla-aurora?
Attached patch beta (obsolete) — Splinter Review
Attachment #828412 - Flags: approval-mozilla-beta?
Attached patch b2g18 (obsolete) — Splinter Review
Attachment #828413 - Flags: approval-mozilla-b2g18?
If this is B2G only, is there a reason to take this in ESR24?
Flags: needinfo?(jwalden+bmo)
Not sure. I *think* this code gets built even on non-b2g, or at least one of the files in the SmsManager.cpp file fixed in the previous bug did. But I think the code might be unreachable there.
Flags: needinfo?(jwalden+bmo)
Comment on attachment 827731 [details] [diff] [review] Trunk patch sec-approval+ for trunk. I'm not sure if we need this on branches or not as a b2g only issue.
Attachment #827731 - Flags: sec-approval? → sec-approval+
blocking-b2g: koi? → koi+
Matt - is it possible for you to look into comment 9 and determine where this does get reached (and thus, need to land)?
Flags: needinfo?(mwobensmith)
Keywords: qawanted
QA Contact: mwobensmith
I'm afraid that I can't answer that question.
Flags: needinfo?(mwobensmith)
There's no possible way SMS is enabled on esr24. We're only even running tests on desktop, and I really doubt we support SMS from your desktop machine. ;) I mean, on the other hand it isn't like it would hurt to land this code there, as we're not even going to build it. Very low risk!
No, we only land necessary things on ESR after it forks.
(In reply to lsblakk@mozilla.com [:lsblakk] from comment #11) > Matt - is it possible for you to look into comment 9 and determine where > this does get reached (and thus, need to land)? The patch here really only affects B2G - unrelated to desktop & fxandroid. It involves the mobile message API, which is used by the SMS app for MMS.
Keywords: qawanted
(In reply to Jason Smith [:jsmith] from comment #15) > (In reply to lsblakk@mozilla.com [:lsblakk] from comment #11) > > Matt - is it possible for you to look into comment 9 and determine where > > this does get reached (and thus, need to land)? > > The patch here really only affects B2G - unrelated to desktop & fxandroid. > It involves the mobile message API, which is used by the SMS app for MMS. Oh and that means the patch needs to land on trunk, b2g26, and b2g18.
Attachment #828410 - Flags: approval-mozilla-esr24? → approval-mozilla-esr24-
Attachment #828411 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora-
Attachment #828412 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
minusing for beta, this can get direct uplift to b2g26 branch since it's a koi+ and should be found.
checkin-needed for m-c, m-b2g26, and m-b2g18
Attachment #828413 - Flags: approval-mozilla-b2g18? → approval-mozilla-b2g18+
I'm told over IRC that the trunk patch will need s/JS_ValueToString/JS::ToString/ to work, just to note. Trying to round up all the patches here for pushing tonight, uploaded to bug, but may not have time -- we'll see, if I do I'll obsolete everything here and leave just the obvious targeted patches up.
Attached patch Trunk patchSplinter Review
Attachment #827731 - Attachment is obsolete: true
Attachment #8334244 - Flags: review+
Attachment #828413 - Attachment is obsolete: true
Attachment #8334245 - Flags: review+
Attachment #828410 - Attachment is obsolete: true
Attachment #828411 - Attachment is obsolete: true
Attachment #828412 - Attachment is obsolete: true
Attachment #8334247 - Flags: review+
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → 1.3 Sprint 5 - 11/22
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: