Closed
Bug 978177
Opened 11 years ago
Closed 11 years ago
ASSERTION: nsTDependentString must wrap only null-terminated strings, in InterposeNtCreateFile() (via VideoCaptureDS::SetCameraOutput() / CreatePin())
Categories
(Core :: General, defect)
Tracking
()
RESOLVED
FIXED
mozilla30
Tracking | Status | |
---|---|---|
firefox28 | --- | unaffected |
firefox29 | --- | fixed |
firefox30 | --- | fixed |
firefox-esr24 | --- | unaffected |
People
(Reporter: jib, Assigned: bugzilla)
References
()
Details
Attachments
(2 files)
5.96 KB,
text/plain
|
Details | |
1.80 KB,
patch
|
benjamin
:
review+
Sylvestre
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
This may be a dup of sorts of Bug 124987, since the string appears properly zero-terminated here too, but this assert is getting in my way trying to debug gUM on windows so I wanted to point it out to see if there's anything we can do.
Given the location of the code, I decided to mark it a security bug until we're sure there's no problem, just in case. We can always remove sec that later.
STR:
1. Open URL.
2. Hit "Capture!" + OK
[10368] ###!!! ASSERTION: nsTDependentString must wrap only null-terminated stri
ngs. You are probably looking for nsTDependentSubstring.: 'mData[mLength] == 0',
file c:\moz\mozilla-central\obj-i686-pc-mingw32-debug\dist\include\nsTString.h,
line 397
See attached callstack + vars
Reporter | ||
Comment 1•11 years ago
|
||
Hitting Continue appears to work.
Updated•11 years ago
|
Summary: ASSERTION: nsTDependentString must wrap only null-terminated strings, in VideoCaptureDS::SetCameraOutput() / CreatePin() → ASSERTION: nsTDependentString must wrap only null-terminated strings, in InterposeNtCreateFile() (via VideoCaptureDS::SetCameraOutput() / CreatePin())
Reporter | ||
Updated•11 years ago
|
Assignee: nobody → aklotz
Comment 2•11 years ago
|
||
regressed when this function was added via bug 902587 (landed in 29). Note: the system library calling us here likely has a bug itself, which caused it to fail to terminate the GUID string.
The ObjectName is a PUNICODE_STRING, and per http://msdn.microsoft.com/en-us/library/windows/desktop/aa380518%28v=vs.85%29.aspx those do not have to be null-terminated, so we can't assign it to an nsDependentString.
Assignee | ||
Comment 3•11 years ago
|
||
As bsmedberg pointed out on IRC, we should be using nsDependentSubstring instead.
Component: WebRTC → General
Comment 4•11 years ago
|
||
aklotz: how likely do you think there's a real security risk here? The nsDependentString is used only for WinIOAutoObservation timer(IOInterposeObserver::OpCreateOrOpen, filename);
Updated•11 years ago
|
status-firefox28:
--- → unaffected
status-firefox29:
--- → affected
status-firefox30:
--- → affected
Flags: needinfo?(aklotz)
Assignee | ||
Comment 5•11 years ago
|
||
This fix handles the two interposed functions that have UNICODE_STRING pathname parameters. All the other interposed functions use handles.
Attachment #8383859 -
Flags: review?(benjamin)
Assignee | ||
Comment 6•11 years ago
|
||
(In reply to Randell Jesup [:jesup] from comment #4)
> aklotz: how likely do you think there's a real security risk here? The
> nsDependentString is used only for WinIOAutoObservation
> timer(IOInterposeObserver::OpCreateOrOpen, filename);
That string is eventually fed into Telemetry but that feature is enabled only in Nightly.
Flags: needinfo?(aklotz)
Updated•11 years ago
|
Attachment #8383859 -
Flags: review?(benjamin) → review+
Assignee | ||
Comment 7•11 years ago
|
||
Assignee | ||
Comment 8•11 years ago
|
||
Comment on attachment 8383859 [details] [diff] [review]
fix
[Approval Request Comment]
Bug caused by (feature/regressing bug #): 902587
User impact if declined: Potential security issue if this feature is triggered
Testing completed (on m-c, etc.): Locally
Risk to taking this patch (and alternatives if risky): None, simple fix
String or IDL/UUID changes made by this patch: None
Attachment #8383859 -
Flags: approval-mozilla-aurora?
Comment 9•11 years ago
|
||
(In reply to Aaron Klotz [:aklotz] from comment #6)
> (In reply to Randell Jesup [:jesup] from comment #4)
> > aklotz: how likely do you think there's a real security risk here? The
> > nsDependentString is used only for WinIOAutoObservation
> > timer(IOInterposeObserver::OpCreateOrOpen, filename);
> That string is eventually fed into Telemetry but that feature is enabled
> only in Nightly.
So does this still qualify as a sec bug then? If so, severity?
(testing the update now)
Assignee | ||
Comment 10•11 years ago
|
||
(In reply to Randell Jesup [:jesup] from comment #9)
> So does this still qualify as a sec bug then? If so, severity?
> (testing the update now)
I think that it's better classified as a crasher than as a security bug.
Comment 11•11 years ago
|
||
My concern would be if the nsDependentString were fed to telemetry without null termination, it that could cause telemetry to read memory it's not supposed to, overrun a buffer, or send random memory to us (or crash).
If this is only done on nightly, that's far less important. And if it's an error but nothing bad will happen, then it probably doesn't need to be a sec bug. Of course figuring this out might be more trouble than it's worth. :-)
Comment 12•11 years ago
|
||
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Updated•11 years ago
|
Attachment #8383859 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated•11 years ago
|
status-firefox-esr24:
--- → unaffected
Comment 13•11 years ago
|
||
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•