Closed
Bug 949843
Opened 10 years ago
Closed 10 years ago
Don't use "char* str = NS_ConvertUTF16toUTF8(aBdAddress).get();"
Categories
(Firefox OS Graveyard :: Bluetooth, defect)
Tracking
(blocking-b2g:1.3+, firefox27 wontfix, firefox28 fixed, firefox29 fixed, firefox-esr24 unaffected, b2g18 unaffected, b2g-v1.1hd unaffected, b2g-v1.2 unaffected, b2g-v1.3 fixed, b2g-v1.3T fixed, b2g-v1.4 fixed)
Tracking | Status | |
---|---|---|
firefox27 | --- | wontfix |
firefox28 | --- | fixed |
firefox29 | --- | fixed |
firefox-esr24 | --- | unaffected |
b2g18 | --- | unaffected |
b2g-v1.1hd | --- | unaffected |
b2g-v1.2 | --- | unaffected |
b2g-v1.3 | --- | fixed |
b2g-v1.3T | --- | fixed |
b2g-v1.4 | --- | fixed |
People
(Reporter: m_kato, Assigned: ben.tian)
References
Details
(Keywords: sec-critical, Whiteboard: [adv-main28+])
Attachments (1 file)
patch, 2.51 KB | echou: review+ | m_kato: feedback+ | Details | Diff | Splinter Review
This means:

    char *str;
    {
        NS_ConvertUTF16toUTF8 tmp(aBdAddress);
        str = tmp.get();
    }
    ... (use str) ...

so when using str, the buffer is already freed. This becomes a use-after-free.

/dom/bluetooth/bluedroid/gonk/BluetoothServiceBluedroid.cpp
line 249 -- const char* str = NS_ConvertUTF16toUTF8(aBdAddress).get();
line 1004 -- const char* name = NS_ConvertUTF16toUTF8(str).get();
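The lifetime problem the description outlines, as an added example that is not part of this bug or of Mozilla's code: a small stand-in class (an assumption for this example, not NS_ConvertUTF16toUTF8 itself) that owns a heap buffer the way the real converter does and records which buffers are still alive, the dangling-pointer pattern from line 249 next to the named-local form the patch title describes, and a hypothetical ParseBdAddress helper standing in for the address parser that would consume the string.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <set>
#include <string>

// Stand-in for NS_ConvertUTF16toUTF8 (constructed for this example, not
// Mozilla's class): a temporary that owns a heap-allocated UTF-8 copy of a
// UTF-16 string and exposes it through get(). It also tracks which buffers
// are alive so the example can show when a pointer has gone stale.
class ConvertUTF16toUTF8 {
public:
    explicit ConvertUTF16toUTF8(const std::u16string& in) {
        std::string out;
        for (char16_t c : in) {  // BMP-only encoder; enough for an address string
            if (c < 0x80) {
                out += static_cast<char>(c);
            } else if (c < 0x800) {
                out += static_cast<char>(0xC0 | (c >> 6));
                out += static_cast<char>(0x80 | (c & 0x3F));
            } else {
                out += static_cast<char>(0xE0 | (c >> 12));
                out += static_cast<char>(0x80 | ((c >> 6) & 0x3F));
                out += static_cast<char>(0x80 | (c & 0x3F));
            }
        }
        buf_ = new char[out.size() + 1];
        std::memcpy(buf_, out.c_str(), out.size() + 1);
        live().insert(buf_);
    }
    ~ConvertUTF16toUTF8() { live().erase(buf_); delete[] buf_; }
    ConvertUTF16toUTF8(const ConvertUTF16toUTF8&) = delete;
    ConvertUTF16toUTF8& operator=(const ConvertUTF16toUTF8&) = delete;

    const char* get() const { return buf_; }
    // True while the buffer behind p has not been freed.
    static bool IsLive(const char* p) { return live().count(p) != 0; }

private:
    static std::set<const char*>& live() { static std::set<const char*> s; return s; }
    char* buf_;
};

// Hypothetical consumer of the UTF-8 string: parses "AA:BB:CC:DD:EE:FF" into
// six bytes. Returns false on malformed input.
bool ParseBdAddress(const char* str, uint8_t out[6]) {
    unsigned v[6];
    if (std::sscanf(str, "%2x:%2x:%2x:%2x:%2x:%2x",
                    &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]) != 6)
        return false;
    for (int i = 0; i < 6; ++i) out[i] = static_cast<uint8_t>(v[i]);
    return true;
}

// The pattern from the bug: the converter is a temporary, destroyed at the
// end of the full expression, so str already refers to freed memory before
// any later use. This function only inspects the liveness record; it never
// dereferences the stale pointer.
bool VulnerablePatternLeavesStalePointer(const std::u16string& addr) {
    const char* str = ConvertUTF16toUTF8(addr).get();  // temporary dies here
    return !ConvertUTF16toUTF8::IsLive(str);            // true: buffer is gone
}

// The shape of the fix: name the converted string as a local so it lives for
// the whole scope in which str is used.
bool FixedPatternParses(const std::u16string& addr, uint8_t out[6]) {
    ConvertUTF16toUTF8 utf8(addr);      // destroyed at end of this scope
    const char* str = utf8.get();
    assert(ConvertUTF16toUTF8::IsLive(str));
    return ParseBdAddress(str, out);
}

int main() {
    const std::u16string addr = u"00:11:22:33:44:55";  // constructed sample address
    uint8_t bd[6];
    std::printf("temporary form left a stale pointer: %s\n",
                VulnerablePatternLeavesStalePointer(addr) ? "yes" : "no");
    if (FixedPatternParses(addr, bd))
        std::printf("named-local form parsed %02X..%02X\n", bd[0], bd[5]);
    return 0;
}
```

The liveness set is only there to make the dangling pointer observable without undefined behaviour; in the real code the same pointer would be handed to the parser, which is the use-after-free the description points at.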
Updated•10 years ago
Assignee: nobody → m_kato
Updated•10 years ago
Assignee: m_kato → nobody
Updated•10 years ago
Component: DOM → Bluetooth
Product: Core → Firefox OS
Version: Trunk → unspecified
Comment 1•10 years ago
Thanks for reporting. I've talked to Ben and he will take this over.
Assignee: nobody → btian
Comment 2•10 years ago
Attachment #8347861 - Flags: review?(echou)
Attachment #8347861 - Flags: feedback?(m_kato)
Updated•10 years ago
Attachment #8347861 - Flags: feedback?(m_kato) → feedback+
Comment 3•10 years ago
Comment on attachment 8347861 [details] [diff] [review]
[final] Patch 1: Declare local UTF8 string variable, r=echou

Review of attachment 8347861 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks.
Attachment #8347861 - Flags: review?(echou) → review+
Updated•10 years ago
Attachment #8347861 - Attachment description: Patch 1 (v1): Declare local UTF8 string variable → [final] Patch 1: Declare local UTF8 string variable, r=echou
Comment 5•10 years ago
try server: https://tbpl.mozilla.org/?tree=Try&rev=aceba6bd8795
Comment 6•10 years ago
https://hg.mozilla.org/integration/b2g-inbound/rev/e769b355870f
Comment 7•10 years ago
landed on central: https://hg.mozilla.org/mozilla-central/rev/e769b355870f
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Comment 8•10 years ago
Paul - Can you provide input from a security perspective if this is a blocker for 1.3?
Flags: needinfo?(ptheriault)
Comment 9•10 years ago
If this is remotely exploitable I would say this is sec-critical, otherwise maybe sec-high. From a very quick skim of this code, it seems that StringToBdAddressType is called using the remote address value [1], so this may be remotely exploitable, so I would err on the side of sec-critical.

[1] http://dxr.mozilla.org/mozilla-central/source/dom/bluetooth/bluedroid/gonk/BluetoothServiceBluedroid.cpp#1033
Flags: needinfo?(ptheriault)
Keywords: sec-critical
Comment 10•10 years ago
Although that said, bluetooth would need to be enabled, and the attacker would have to be local. So maybe it is a sec-high. Either way I think we need to get this on 1.3, especially since it's already patched and the patch is public.
Updated•10 years ago
blocking-b2g: 1.3? → 1.3+
Comment 11•10 years ago
(In reply to Ben Tian [:btian] from comment #2)
> Created attachment 8347861 [details] [diff] [review]
> [final] Patch 1: Declare local UTF8 string variable, r=echou

Request to uplift the patch to 1.3.
Keywords: checkin-needed
Comment 12•10 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/1105948b00e8

FWIW, you don't need to explicitly request uplift. We have bug queries to assist with such things :)
https://wiki.mozilla.org/Release_Management/B2G_Landing
status-b2g-v1.3:
--- → fixed
status-firefox27:
--- → wontfix
status-firefox28:
--- → fixed
status-firefox29:
--- → fixed
Keywords: checkin-needed
Target Milestone: --- → 1.3 C2/1.4 S2(17jan)
Comment 13•10 years ago
Pretty sure bluedroid wasn't added until 1.3. (And I can't see this file in the 1.2 source repo.)
status-b2g18:
--- → unaffected
status-b2g-v1.1hd:
--- → unaffected
status-b2g-v1.2:
--- → unaffected
Updated•9 years ago
Whiteboard: [adv-main28+]
Comment 14•9 years ago
Does it impact also ESR24?
Comment 15•9 years ago
Isn't this b2g only?
Comment 16•9 years ago
(In reply to Al Billings [:abillings] from comment #15)
> Isn't this b2g only?

Yes.
Updated•9 years ago
status-firefox-esr24:
--- → unaffected
Updated•9 years ago
status-b2g-v1.3T:
--- → fixed
status-b2g-v1.4:
--- → fixed
Updated•8 years ago
Group: core-security