Closed Bug 373934 Opened 17 years ago Closed 17 years ago

js.c snarf() inconsistent allocation use

Categories

(Core :: JavaScript Engine, defect)

Other
Other
defect
Not set
major

Tracking


RESOLVED FIXED

People

(Reporter: msg, Assigned: mrbkap)

Details

(Whiteboard: [sg:nse] local exploit for js shell)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.2) Gecko/20070225 BonEcho/2.0.0.2
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.2) Gecko/20070225 BonEcho/2.0.0.2

No limit is placed on the size of the file read. len could become 0xffffffff, which will cause a 0 allocation, followed by a large fread into the 0-byte allocated buffer.

Reproducible: Always

Check that the return from ftell is not -1, or it would cause an overflow after the arbitrary adjustment in js_malloc().
Assignee: nobody → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
Seems unlikely an attacker could usefully get a user to download a 4Gb file, but I suppose it could compress to nearly nothing.
Assignee: general → crowder
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:moderate]
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
This is a shell-only bug, right?  Doesn't affect the browser.
So it is, thanks.
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
Whiteboard: [sg:moderate] → [sg:nse] local exploit for js shell
Not s-s, #ifdef NARCISSUS shell only, doesn't affect even /usr/bin/js in any *BSD variant that shipped a shell.

/be
Group: security
I didn't bother adding another error message.
Assignee: crowder → mrbkap
Status: NEW → ASSIGNED
Attachment #267191 - Flags: review?(brendan)
Attachment #267191 - Flags: review?(brendan) → review+
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
This is a good patch, but I don't think it fixes the actual bug which is the overflow in the JS_malloc() below.
Brian and I talked about this on IRC. Because JS_malloc takes a size_t, and len is an off_t (which is a signed type of the same size), the only number that could overflow is 0xffffffff, which is -1 as an off_t, so this patch does cover all cases.
Flags: in-testsuite-
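The arithmetic the thread describes, as an added example that is neither the attached patch nor SpiderMonkey's own code: the unchecked size computation that wraps to 0 when ftell() fails with -1, next to the -1 check the patch adds, applied to a snarf()-style reader. Plain malloc stands in for the shell's JS_malloc, and the function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* The unchecked arithmetic from the report: a failed ftell() returns -1,
 * which converts to SIZE_MAX, and SIZE_MAX + 1 wraps to 0. Returns the
 * size that would have reached the allocator. */
size_t unchecked_alloc_size(long len) {
    return (size_t)len + 1;          /* 0 when len == -1 */
}

/* The check the patch adds: reject a negative (failed) ftell() result
 * before it is used as an allocation size. */
bool checked_alloc_size(long len, size_t *out) {
    if (len < 0)                     /* ftell() signals failure with -1 */
        return false;
    *out = (size_t)len + 1;          /* cannot wrap: len >= 0 */
    return true;
}

/* Reader in the shape of the shell's snarf(): seek to the end to learn
 * the size, then read the whole file into a NUL-terminated buffer.
 * Returns NULL on any failure instead of allocating from a bogus length.
 * Constructed for this example; plain malloc stands in for JS_malloc. */
char *snarf_checked(FILE *fp, size_t *len_out) {
    size_t alloc;
    char *buf;
    long len;
    *len_out = 0;
    if (fseek(fp, 0, SEEK_END) != 0)
        return NULL;
    len = ftell(fp);
    if (!checked_alloc_size(len, &alloc))   /* the -1 case from the bug */
        return NULL;
    if (fseek(fp, 0, SEEK_SET) != 0)
        return NULL;
    buf = malloc(alloc);
    if (buf == NULL)
        return NULL;
    if (fread(buf, 1, (size_t)len, fp) != (size_t)len) {
        free(buf);
        return NULL;
    }
    buf[len] = '\0';
    *len_out = (size_t)len;
    return buf;
}
```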