Closed
Bug 934000
Opened 11 years ago
Closed 11 years ago
Port bug 864558 to MobileMessageManager.cpp
Categories
(Firefox OS Graveyard :: Gaia::SMS, defect)
Firefox OS Graveyard
Gaia::SMS
Tracking
(blocking-b2g:koi+, firefox26 unaffected, firefox27 unaffected, firefox28 unaffected, firefox-esr17 unaffected, firefox-esr24 disabled, b2g1826+ fixed, b2g-v1.1hd fixed, b2g-v1.2 fixed)
Tracking | Status | |
---|---|---|
firefox26 | --- | unaffected |
firefox27 | --- | unaffected |
firefox28 | --- | unaffected |
firefox-esr17 | --- | unaffected |
firefox-esr24 | --- | disabled |
b2g18 | 26+ | fixed |
b2g-v1.1hd | --- | fixed |
b2g-v1.2 | --- | fixed |
People
(Reporter: Waldo, Assigned: Waldo)
References
Details
(Keywords: sec-critical)
Attachments
(3 files, 5 obsolete files)
1.70 KB,
patch
|
Waldo
:
review+
|
Details | Diff | Splinter Review |
1.61 KB,
patch
|
Waldo
:
review+
|
Details | Diff | Splinter Review |
1.66 KB,
patch
|
Waldo
:
review+
|
Details | Diff | Splinter Review |
I'm not sure exactly what happened here, but when I fixed bug 864558, I did so wrt SmsManager.cpp. Apparently that file got forked -- but not deleted -- into MobileMessageManager.cpp, in bug 844431, which needs the same set of fixes performed to it.
I'm really not sure why the searching I did at the time of that bug didn't uncover these uses -- the forking appears to have happened before that bug started, and before any activity happened on it. Bleh. Probably worth doing another set of searches to make sure nothing *else* escaped the dragnet, or something. :-(
Assignee | ||
Comment 1•11 years ago
|
||
Straightforward enough. (Previous patches did s/array/object/ on the comment near the first bit -- turns out, at least on trunk now, there's a throw if obj && !array, so the comment's correct now. Might have been before, too, actually, but it's definitely not worth checking.)
Attachment #827731 -
Flags: review?(mrbkap)
Updated•11 years ago
|
Attachment #827731 -
Flags: review?(mrbkap) → review+
Updated•11 years ago
|
Keywords: sec-critical
Updated•11 years ago
|
blocking-b2g: --- → koi?
status-b2g18:
--- → affected
status-b2g-v1.1hd:
--- → affected
status-firefox-esr17:
--- → unaffected
status-firefox-esr24:
--- → unaffected
tracking-b2g18:
--- → ?
Assignee | ||
Comment 2•11 years ago
|
||
On doublecheck, this kills off all the remaining instances of "new JS::Value", "new jsval", "new Value" referring to JS::Value, etc. in Gecko. So I'm pretty sure it's a full fix.
Assignee | ||
Comment 3•11 years ago
|
||
Comment on attachment 827731 [details] [diff] [review]
Trunk patch
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Easy enough to trigger the crash, but exploiting it would require feeding in data just so to a privileged b2g app right now.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
It's obvious enough.
Which older supported branches are affected by this flaw? If not all supported branches, which bug introduced the flaw?
All b2g releases/repos/etc.
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Yes, will post them seriatim after this.
How likely is this patch to cause regressions; how much testing does it need?
Unlikely, doesn't need much testing.
Attachment #827731 -
Flags: sec-approval?
Assignee | ||
Comment 4•11 years ago
|
||
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-critical
User impact if declined: possible arbitrary code execution if the right inputs are fed to SMS code
Testing completed: none except what it'll get after landing on trunk, but little to none required, this is straightforward
Risk to taking this patch: low, just rewriting a little bit of code to use correct JSAPI idioms
String or UUID changes made by this patch: N/A
Attachment #828410 -
Flags: approval-mozilla-esr24?
Assignee | ||
Comment 5•11 years ago
|
||
All the branch-targeted patches here have the same approval-request characteristics, so I won't bother copy-pasting one comment N times. :-)
Attachment #828411 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 6•11 years ago
|
||
Attachment #828412 -
Flags: approval-mozilla-beta?
Assignee | ||
Comment 7•11 years ago
|
||
Attachment #828413 -
Flags: approval-mozilla-b2g18?
Comment 8•11 years ago
|
||
If this is B2G only, is there a reason to take this in ESR24?
Updated•11 years ago
|
Flags: needinfo?(jwalden+bmo)
Assignee | ||
Comment 9•11 years ago
|
||
Not sure. I *think* this code gets built even on non-b2g, or at least one of the files in the SmsManager.cpp file fixed in the previous bug did. But I think the code might be unreachable there.
Flags: needinfo?(jwalden+bmo)
Comment 10•11 years ago
|
||
Comment on attachment 827731 [details] [diff] [review]
Trunk patch
sec-approval+ for trunk. I'm not sure if we need this on branches or not as a b2g only issue.
Attachment #827731 -
Flags: sec-approval? → sec-approval+
Updated•11 years ago
|
blocking-b2g: koi? → koi+
Comment 11•11 years ago
|
||
Matt - is it possible for you to look into comment 9 and determine where this does get reached (and thus, need to land)?
Updated•11 years ago
|
tracking-firefox-esr24:
--- → ?
Updated•11 years ago
|
Comment 12•11 years ago
|
||
I'm afraid that I can't answer that question.
Flags: needinfo?(mwobensmith)
Comment 13•11 years ago
|
||
There's no possible way SMS is enabled on esr24. We're only even running tests on desktop, and I really doubt we support SMS from your desktop machine. ;) I mean, on the other hand it isn't like it would hurt to land this code there, as we're not even going to build it. Very low risk!
tracking-firefox-esr24:
? → ---
Comment 14•11 years ago
|
||
No, we only land necessary things on ESR after it forks.
Comment 15•11 years ago
|
||
(In reply to lsblakk@mozilla.com [:lsblakk] from comment #11)
> Matt - is it possible for you to look into comment 9 and determine where
> this does get reached (and thus, need to land)?
The patch here really only affects B2G - unrelated to desktop & fxandroid. It involves the mobile message API, which is used by the SMS app for MMS.
Keywords: qawanted
Comment 16•11 years ago
|
||
(In reply to Jason Smith [:jsmith] from comment #15)
> (In reply to lsblakk@mozilla.com [:lsblakk] from comment #11)
> > Matt - is it possible for you to look into comment 9 and determine where
> > this does get reached (and thus, need to land)?
>
> The patch here really only affects B2G - unrelated to desktop & fxandroid.
> It involves the mobile message API, which is used by the SMS app for MMS.
Oh and that means the patch needs to land on trunk, b2g26, and b2g18.
Updated•11 years ago
|
Updated•11 years ago
|
Attachment #828410 -
Flags: approval-mozilla-esr24? → approval-mozilla-esr24-
Updated•11 years ago
|
Attachment #828411 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora-
Updated•11 years ago
|
Updated•11 years ago
|
Attachment #828412 -
Flags: approval-mozilla-beta? → approval-mozilla-beta-
Comment 17•11 years ago
|
||
minusing for beta, this can get direct uplift to b2g26 branch since it's a koi+ and should be found.
Updated•11 years ago
|
Attachment #828413 -
Flags: approval-mozilla-b2g18? → approval-mozilla-b2g18+
Assignee | ||
Comment 19•11 years ago
|
||
I'm told over IRC that the trunk patch will need s/JS_ValueToString/JS::ToString/ to work, just to note. Trying to round up all the patches here for pushing tonight, uploaded to bug, but may not have time -- we'll see, if I do I'll obsolete everything here and leave just the obvious targeted patches up.
Assignee | ||
Comment 20•11 years ago
|
||
Attachment #827731 -
Attachment is obsolete: true
Attachment #8334244 -
Flags: review+
Assignee | ||
Comment 21•11 years ago
|
||
Attachment #828413 -
Attachment is obsolete: true
Attachment #8334245 -
Flags: review+
Assignee | ||
Comment 22•11 years ago
|
||
Attachment #828410 -
Attachment is obsolete: true
Attachment #828411 -
Attachment is obsolete: true
Attachment #828412 -
Attachment is obsolete: true
Attachment #8334247 -
Flags: review+
Comment 23•11 years ago
|
||
Keywords: checkin-needed
Comment 24•11 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → 1.3 Sprint 5 - 11/22
Comment 25•11 years ago
|
||
Comment 26•11 years ago
|
||
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•