Adding policy rules to the Windows sandbox can cause a buffer overrun
Reported by dapa...@mozilla.com, Sep 1 2016
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:51.0) Gecko/20100101 Firefox/51.0

Steps to reproduce the problem:
1. Add a bunch of rules to the Mozilla sandbox code. (This is a Chromium issue -- see below)
2. When a low level rule is used, Firefox will crash.

What is the expected behavior?
No amount of rules should cause a crash.

What went wrong?
Quick summary: Firefox uses the Chromium sandbox code. After adding some rules, the sandbox low level policy buffer trashes itself.

The offending Chromium sandbox code is here:
https://chromium.googlesource.com/chromium/src/sandbox/+/master/win/src/policy_low_level.cc#69

I have a fix for the issue in a patch in the Firefox bug report:
https://bugzilla.mozilla.org/show_bug.cgi?id=1299611

The patch uses a Mozilla ASSERT macro but is otherwise fine for your code base. Unfortunately, the "test" case I wrote is Firefox-specific, but someone more Chromium-familiar should be able to reproduce the issue, which you will see is a clear bug, without Firefox. The Firefox test code is also in the bugzilla report.

Did this work before? N/A

Chrome version: <Copy from: 'about:version'>
Channel: n/a
OS Version: Windows 10
Flash Version: Shockwave Flash 22.0 r0
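The report describes a fixed-size low-level policy buffer that is overrun once enough rules are packed into it. The following is an added illustration written for this page, not Chromium's or Mozilla's code: a hypothetical rule packer that writes variable-length rules into a store with a declared byte capacity. The unchecked version models the failure mode (it keeps writing past the declared capacity, which is detected here with a guard region that is still inside the real allocation so the demo itself stays memory-safe), and the checked version computes the required size before writing anything and refuses the rule set when it does not fit. Rule layout, sizes and the guard pattern are assumptions for the example.

```cpp
// Added example (hypothetical model, not the Chromium sandbox code):
// packing variable-length policy rules into a fixed-capacity store,
// once without a capacity check and once with one.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical wire format: [service:u16][opcode_count:u16][opcode:u32]*
struct Rule {
  uint16_t service;
  std::vector<uint32_t> opcodes;
};

constexpr size_t kDeclaredCapacity = 64;  // bytes the store believes it owns
constexpr size_t kGuardBytes = 64;        // extra real bytes used only to detect overruns
constexpr uint8_t kGuardPattern = 0xAA;

// The backing allocation is larger than the declared capacity so that an
// overrun lands in the guard region instead of in unrelated memory.
struct Store {
  std::vector<uint8_t> bytes;
  Store() : bytes(kDeclaredCapacity + kGuardBytes, kGuardPattern) {}
  uint8_t* data() { return bytes.data(); }
  bool GuardIntact() const {
    return std::all_of(bytes.begin() + kDeclaredCapacity, bytes.end(),
                       [](uint8_t b) { return b == kGuardPattern; });
  }
};

size_t EncodedSize(const Rule& r) {
  return sizeof(uint16_t) + sizeof(uint16_t) + r.opcodes.size() * sizeof(uint32_t);
}

// Vulnerable pattern: trusts that the rules fit and never consults the capacity.
// Returns the number of bytes written.
size_t PackUnchecked(const std::vector<Rule>& rules, uint8_t* out) {
  size_t off = 0;
  for (const Rule& r : rules) {
    uint16_t count = static_cast<uint16_t>(r.opcodes.size());
    std::memcpy(out + off, &r.service, sizeof r.service); off += sizeof r.service;
    std::memcpy(out + off, &count, sizeof count);         off += sizeof count;
    for (uint32_t op : r.opcodes) {
      std::memcpy(out + off, &op, sizeof op);             off += sizeof op;
    }
  }
  return off;
}

// Hardened pattern: size the whole rule set first, reject it if it exceeds the
// capacity, and only then write. Nothing is written on rejection.
bool PackChecked(const std::vector<Rule>& rules, uint8_t* out, size_t capacity,
                 size_t* written) {
  size_t need = 0;
  for (const Rule& r : rules) {
    need += EncodedSize(r);
    if (need > capacity) return false;
  }
  *written = PackUnchecked(rules, out);  // safe: need <= capacity
  return true;
}

// Constructed input: each rule carries 3 opcodes, so it encodes to 16 bytes.
// 4 rules fill the 64-byte store exactly; 5 rules need 80 bytes.
std::vector<Rule> MakeRules(size_t n) {
  std::vector<Rule> rules;
  for (size_t i = 0; i < n; ++i) {
    rules.push_back({static_cast<uint16_t>(i),
                     {0x11110000u + static_cast<uint32_t>(i), 0x22220000u, 0x33330000u}});
  }
  return rules;
}

// True if packing n rules without a check corrupts the guard region.
bool UncheckedCorruptsGuard(size_t n) {
  Store s;
  PackUnchecked(MakeRules(n), s.data());
  return !s.GuardIntact();
}

// 0 = accepted and guard intact, 1 = rejected (nothing written), 2 = guard corrupted.
int CheckedOutcome(size_t n) {
  Store s;
  size_t written = 0;
  bool ok = PackChecked(MakeRules(n), s.data(), kDeclaredCapacity, &written);
  if (!s.GuardIntact()) return 2;
  return ok ? 0 : 1;
}

int main() {
  std::printf("unchecked, 4 rules: guard corrupted = %d\n", UncheckedCorruptsGuard(4));
  std::printf("unchecked, 5 rules: guard corrupted = %d\n", UncheckedCorruptsGuard(5));
  std::printf("checked,   4 rules: outcome = %d\n", CheckedOutcome(4));
  std::printf("checked,   5 rules: outcome = %d\n", CheckedOutcome(5));
  return 0;
}
```

The point of the checked variant is the ordering: the capacity comparison happens against the total encoded size before the first byte is written, so an oversized rule set is refused rather than partially written, which is the condition the report describes as the buffer "trashing itself".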
Comment 1 by elawrence@chromium.org, Sep 1 2016
forshaw@chromium.org, wfh@chromium.org: Please help triage this. I am not sure how to repro this. Thanks.
Sep 2 2016
forshaw@ -- I am sorry but I can't find a more appropriate owner, so assigning to you. Please feel free to re-assign.
I'll take a look. Not sure it's a Pri-1 though, as it doesn't affect current Chrome, since we don't have a large number of policies, but it does affect downstream users of the sandbox code. Also, does it need to be a restricted bug?

Sep 2 2016
This doesn't need to be a security bug as there is no way for user data to affect sandbox policies. But it's a bug that should be fixed. I'll take a look.