Closed
Bug 1456947
Opened 6 years ago
Closed 6 years ago
Heap buffer overflow WRITE in ContentParent::RecvGetSystemColors on android
Categories: Core :: IPC, defect
Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla65
| | Tracking | Status |
|---|---|---|
| fennec | ? | --- |
| firefox-esr52 | --- | unaffected |
| firefox-esr60 | --- | unaffected |
| firefox59 | --- | unaffected |
| firefox60 | --- | unaffected |
| firefox61 | --- | unaffected |
| firefox63 | --- | wontfix |
| firefox64 | --- | fixed |
| firefox65 | --- | fixed |
People
(Reporter: Alex_Gaynor, Assigned: m_kato)
References
Details
(Keywords: csectype-bounds, sec-high, Whiteboard: [geckoview:klar][adv-main64+])
This issue was found by manual review. It is an IPC security issue, so it's only an issue on platforms with sandboxed content processes on Android.

https://searchfox.org/mozilla-central/source/dom/ipc/ContentParent.cpp#2736 ensures |colors| has at least |colorsCount| elements -- however colorsCount is controlled by the attacker.

At https://searchfox.org/mozilla-central/source/dom/ipc/ContentParent.cpp#2740 a raw ptr is extracted from the array and then passed to https://searchfox.org/mozilla-central/source/widget/android/AndroidBridge.cpp#413

That code then writes to the array: https://searchfox.org/mozilla-central/source/widget/android/AndroidBridge.cpp#425-435

The number of elements it writes to the array is _not_ bounded by the actual length of the array.
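The bounds mismatch described above, modelled as an added example that is not Mozilla's code: a hypothetical handler that validates the message-supplied count against the fixed number of colours the platform routine produces, and a fill routine that takes the buffer's capacity so its write count is bounded by the real array length. `kSystemColorCount`, `FillSystemColors`, `Reply` and `IpcResult` are assumed names for this model.

```cpp
// Added model of the RecvGetSystemColors bug (not Mozilla's code): the IPC
// peer supplies colorsCount, the parent sizes a buffer from it, and a platform
// routine fills the buffer. The original fill routine wrote a fixed number of
// elements without consulting the buffer's length, so a small colorsCount
// produced a heap write past the end of the array.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical: the platform reports a fixed set of system colours.
constexpr size_t kSystemColorCount = 8;

// Hardened fill routine: takes the capacity and never writes past it.
// Returns how many elements were actually written.
size_t FillSystemColors(uint32_t* out, size_t capacity) {
  const size_t n = std::min(capacity, kSystemColorCount);
  for (size_t i = 0; i < n; ++i) {
    // Constructed sample ARGB values standing in for real system colours.
    out[i] = 0xFF000000u | static_cast<uint32_t>(i * 0x202020u);
  }
  return n;
}

enum class IpcResult { Ok, BadCount, ShortWrite };

struct Reply {
  IpcResult status;
  std::vector<uint32_t> colors;
};

// Hardened handler: colorsCount comes from the (untrusted) content process,
// so it is checked against the count the callee will produce before any raw
// pointer into the buffer is handed out. The original handler only ensured
// the array had at least colorsCount elements, which a peer can satisfy with
// a count smaller than what the callee writes.
Reply RecvGetSystemColors(uint32_t colorsCount) {
  Reply reply{IpcResult::BadCount, {}};
  if (colorsCount != kSystemColorCount) {
    return reply;  // Reject rather than size the buffer from peer input.
  }
  reply.colors.assign(colorsCount, 0);
  const size_t written = FillSystemColors(reply.colors.data(), reply.colors.size());
  reply.status = (written == reply.colors.size()) ? IpcResult::Ok : IpcResult::ShortWrite;
  return reply;
}
```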
Updated•6 years ago
Group: firefox-core-security → core-security
Component: General → IPC
OS: Unspecified → Android
Product: Firefox for Android → Core
Hardware: Unspecified → All
Comment 1•6 years ago
Snorp, do we use IPC on Android anywhere? Maybe the web view thing?
Flags: needinfo?(snorp)
We do want to use e10s in GeckoView, but it's not shipping anywhere yet. Would be good to fix this regardless.
Flags: needinfo?(snorp)
Whiteboard: [geckoview:klar]
Updated•6 years ago
Group: core-security → dom-core-security
tracking-fennec: --- → ?
status-firefox59: --- → unaffected
status-firefox60: --- → unaffected
status-firefox61: --- → unaffected
status-firefox-esr52: --- → unaffected
status-firefox-esr60: --- → unaffected
Keywords: csectype-bounds, sec-high
Comment 3•6 years ago (Reporter)
This was fixed by deleting all this code in bug 1500876.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Updated•6 years ago
Assignee: nobody → m_kato
status-firefox63: --- → wontfix
status-firefox64: --- → affected
status-firefox65: --- → fixed
Depends on: 1500876
Target Milestone: --- → mozilla65
Updated•6 years ago
Group: dom-core-security → core-security-release
Updated•5 years ago
Whiteboard: [geckoview:klar] → [geckoview:klar][adv-main64+]
Updated•5 years ago
Group: core-security-release