Bug 334442: Incorrect use of realloc oom Crash in secmod_ReadPermDB
Closed (RESOLVED FIXED 3.11.1). Opened 18 years ago, closed 18 years ago.
Categories: NSS :: Libraries, defect, P1
Tracking: Not tracked
People: Reporter: timeless, Assigned: alvolkov.bgs
Details: 4 keywords, Whiteboard: [sg:nse] [CID 224]
Attachments (1 file): patch, 3.02 KB (nelson: review+, dveditz: approval-branch-1.8.1+, dveditz: approval1.8.0.4+)
found by coverity
Group: security
Summary: oom Crash in secmod_ReadPermDB → Incorrect use of realloc oom Crash in secmod_ReadPermDB
please see bug 244478 comment 13 for an explanation of why what this code is doing is very very very wrong.
Attachment #218783 - Flags: review?(nelson)
Comment 3•18 years ago
Comment on attachment 218783: properly use realloc
r=nelson
Attachment #218783 - Flags: review?(nelson) → review+
Comment 4•18 years ago
How does this crash rather than just leak?
Flags: blocking1.9a1+
Flags: blocking1.8.1+
Comment 5•18 years ago
And who's going to check in the patch?
Updated•18 years ago
Flags: blocking1.8.0.3?
Comment 6•18 years ago
Timeless points out the code says "if (!moduleList[0])", not the "if (moduleList)" my brain saw.
Comment 7•18 years ago
NSS team members will do all checkins. Want to batch them up, since there will apparently be quite a few. I *expect* (not a promise) that most of these will go into 3.11.1 in time for FF 2.0 Beta.
Priority: -- → P2
Target Milestone: --- → 3.11.1
Updated•18 years ago
Hardware: PC → All
Comment 8•18 years ago
Alexei, please check in the above reviewed fix on both trunk and 3.11 branch. In the checkin comment, be sure to mention that the patch is contributed by timeless@bemail.org. Thanks.
Assignee: nobody → alexei.volkov.bugs
Priority: P2 → P1
Comment 9•18 years ago
Check into the tip:
/cvsroot/mozilla/security/nss/lib/softoken/pk11db.c,v <-- pk11db.c
new revision: 1.36; previous revision: 1.35
Check into the 3.11 branch:
/cvsroot/mozilla/security/nss/lib/softoken/pk11db.c,v <-- pk11db.c
new revision: 1.35.2.1; previous revision: 1.35
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Updated•18 years ago
Flags: blocking1.8.0.3? → blocking1.8.0.3+
Comment 10•18 years ago
Comment on attachment 218783: properly use realloc
Please check this into the 1.8.0 and 1.8 branches as well, and add "fixed1.8.1" and "fixed1.8.0.3" keywords when you've done that. Thanks!
approved for 1.8.0 branch, a=dveditz for drivers
Attachment #218783 - Flags: approval1.8.0.3+
Attachment #218783 - Flags: approval-branch-1.8.1+
Comment 11•18 years ago
Kai, do you have trees for 1.8.0.3 and 1.8.1+? If so, would you be willing to do the checkins of this bug's patch on those trees? They're already approved (see previous comment).
Comment 12•18 years ago
done
1.8 branch:
Checking in pk11db.c;
/cvsroot/mozilla/security/nss/lib/softoken/pk11db.c,v <-- pk11db.c
new revision: 1.32.20.2; previous revision: 1.32.20.1
done
1.8.0 branch:
Checking in pk11db.c;
/cvsroot/mozilla/security/nss/lib/softoken/pk11db.c,v <-- pk11db.c
new revision: 1.32.30.1; previous revision: 1.32
done
Keywords: fixed1.8.0.3, fixed1.8.1
Comment 13•18 years ago
Many thanks, Kai.
Comment 14•18 years ago
thank you, Kai!
Comment 15•18 years ago
Alexei, any idea on how to test this?
Comment 16•18 years ago
Maybe I'm missing something but I don't see the security issues here -- it looks like the old code is at worst a leak followed immediately by a null deref crash in the OOM case.
Whiteboard: [sg:nse]
Comment 17•18 years ago
Daniel, feel free to remove the security flag from this bug as you see fit. It was set by the reporter. I don't see how OOM crashes are exploitable, either.
Updated•18 years ago
Group: security
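The kind of realloc misuse comment 16 describes (a leak followed by a NULL dereference when allocation fails), shown next to the correct form, as an added example that is not the NSS code or the attached patch. The list type, the function names and the failing-allocator hook are all hypothetical; the hook stands in for an out-of-memory condition so the failure path can be exercised in a test.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical test hook standing in for OOM: when armed, the next call fails. */
static int fail_next = 0;
static void *hook_realloc(void *p, size_t n) {
    if (fail_next) { fail_next = 0; return NULL; }   /* p is left untouched */
    return realloc(p, n);
}

struct plist { const char **v; size_t used, cap; };  /* hypothetical NULL-terminated list */

/* Misuse: the result overwrites the only pointer to the old block. */
static int push_unsafe(struct plist *l, const char *s) {
    if (l->used + 2 > l->cap) {
        l->cap = l->cap ? l->cap * 2 : 2;
        l->v = hook_realloc(l->v, l->cap * sizeof *l->v);
        if (!l->v) return -1;      /* old block unreachable: leaked, cap is stale */
    }
    l->v[l->used++] = s;           /* without the check above: NULL dereference */
    l->v[l->used] = NULL;
    return 0;
}

/* Correct use: keep the old pointer until the new one is known to be valid. */
static int push_safe(struct plist *l, const char *s) {
    if (l->used + 2 > l->cap) {
        size_t ncap = l->cap ? l->cap * 2 : 2;
        const char **nv = hook_realloc(l->v, ncap * sizeof *nv);
        if (!nv) return -1;        /* l->v, used and cap are all still valid */
        l->v = nv;
        l->cap = ncap;
    }
    l->v[l->used++] = s;
    l->v[l->used] = NULL;
    return 0;
}

/* Returns 1 if the list is intact after a failed growth, 0 if it was lost. */
static int survives_oom(int (*push)(struct plist *, const char *)) {
    struct plist l = {0};
    if (push(&l, "a")) return 0;
    const char **old = l.v;        /* kept so the demo itself can free the block */
    fail_next = 1;
    int rc = push(&l, "b");        /* list is full, so this call must grow */
    int ok = rc == -1 && l.v == old && l.used == 1 && strcmp(l.v[0], "a") == 0;
    free(old);
    return ok;
}
int main(void) { return survives_oom(push_safe) && !survives_oom(push_unsafe) ? 0 : 1; }
```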