Re: [tor-bugs] #17931 [Tor Browser]: Tor Browser Hardened Crash
#17931: Tor Browser Hardened Crash
-------------------------------------+--------------------------
Reporter: pege | Owner: tbb-team
Type: defect | Status: new
Priority: Immediate | Milestone:
Component: Tor Browser | Version:
Severity: Blocker | Resolution:
Keywords: tbb-hardened, tbb-crash | Actual Points:
Parent ID: | Points:
Sponsor: |
-------------------------------------+--------------------------
Comment (by arthuredelstein):
The bug here is exposed by an interaction between URL escaping and printf-like format specifiers. Here is what happens:
1. The user enters "let's encrypt" into the github search box.
2. Github navigates to the resulting page
`https://github.com/search?utf8=%E2%9C%93&q=let%27s+encrypt`, which
attempts to extract canvas image data.
3. `CanvasUtils::IsImageExtractionAllowed` attempts to log its blocking of
the image extraction by calling `nsContentUtils::LogMessageToConsole`, to
which it passes as the first argument a string containing the above URL.
4. The `%27s` fragment in that URL is interpreted by `LogMessageToConsole`
as a printf-like format specifier for a 27-character string. However, no
such char array was passed to LogMessageToConsole, because this format
specifier was unintended.
So we have undefined behavior, which manifests as EXC_BAD_ACCESS when I
run the debugger.
To avoid this problem, I wrote the following revision to
`CanvasUtils::IsImageExtractionAllowed` to use
`nsIConsoleService::LogStringMessage` instead of `LogMessageToConsole`, as
was used in the original Canvas patch. I manually tested this patch and
the exception no longer occurs.
Here is the patch for review:
https://github.com/arthuredelstein/tor-browser/commit/17931
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17931#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
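As an added example (not code from the ticket or from Tor Browser), the check and the safe pattern side by side in C: a scanner that reports which conversion specifiers a printf-style logger would try to parse out of the ticket's URL, beside a plain-string logger that treats the message as data, which is the shape of the fix described above. EXAMPLE_URL, extract_conversions, log_string_message and g_log are names assumed by this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed input: the URL from the ticket, as it would reach the logger. */
static const char EXAMPLE_URL[] =
    "https://github.com/search?utf8=%E2%9C%93&q=let%27s+encrypt";

/* Scan s the way a printf-style formatter would and collect the conversion
 * character of every specification (a '%' that is not the literal "%%"),
 * skipping flags, width, precision and length modifiers. Returns the count;
 * out receives the conversion characters, truncated to cap-1 characters. */
static size_t extract_conversions(const char *s, char *out, size_t cap)
{
    size_t n = 0, w = 0;
    const char *p = s;
    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') { p++; continue; }                   /* "%%" is a literal */
        while (*p && strchr("-+ #0", *p)) p++;              /* flags */
        while (*p == '*' || (*p >= '0' && *p <= '9')) p++;  /* width */
        if (*p == '.') {                                    /* precision */
            p++;
            while (*p == '*' || (*p >= '0' && *p <= '9')) p++;
        }
        while (*p && strchr("hlLjzt", *p)) p++;             /* length modifier */
        if (!*p) break;                                     /* '%' at end of string */
        if (w + 1 < cap) out[w++] = *p;
        n++;
        p++;
    }
    if (cap) out[w] = '\0';
    return n;
}

static char g_log[256];

/* Hardened shape (the LogStringMessage style): the message is data. It is
 * consumed by a fixed "%s", so its own '%' sequences are never parsed.
 * The vulnerable shape would instead take msg as the format argument. */
static int log_string_message(const char *msg)
{
    return snprintf(g_log, sizeof g_log, "%s", msg);
}

int main(void)
{
    char conv[16];
    size_t n = extract_conversions(EXAMPLE_URL, conv, sizeof conv);
    printf("%zu conversion specifiers would be parsed: %s\n", n, conv);
    log_string_message(EXAMPLE_URL);
    printf("logged verbatim: %s\n", g_log);
    return 0;
}
```

On the ticket's URL the scanner reports four specifications (E, C, & and s), the last of which is the `%27s` the comment names; the plain-string logger passes the URL through unchanged.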