Bug 1468539 (Closed): BLRG-PT-18-003: DoS Due to Negative fseek()
Opened last year, closed last year

Component: Toolkit :: Application Update, defect, P1
Status: RESOLVED FIXED, Target Milestone: mozilla65
Tracking Status: firefox-esr60 wontfix; firefox63 wontfix; firefox64 wontfix; firefox65 fixed
Reporter: jvehent, Assigned: jewilde
References: Blocks 1 open bug
Keywords: sec-low, Whiteboard: [post-critsmash-triage][adv-main65-]
Attachments: 1 file, 1 obsolete file

mar_read_product_info_block() retrieved the variable numAdditionalBlocks via get_mar_file_info_fp(). The value was read from the file without further sanitization. The function then iterated over the file numAdditionalBlocks times to read each block, stopping when a read failed. After the size of a block was read, fseek() was used to skip over this block. But since the fseek() operated on a value retrieved from the file which was not further checked, it could seek in a negative direction, causing the loop to read the same block over and over again. This might cause a limited DoS issue, since the loop is bounded to numAdditionalBlocks iterations.

It is advised to add sanity checks to additionalBlockSize and numAdditionalBlocks.
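As an added illustration, not the libmar code or the patch itself, a simplified C model of the loop the report describes with the checks the fix calls for: the size field is validated (at least the 8-byte header, at most an assumed MAXADDITIONALBLOCKSIZE) before anything else is read, and the block count is clamped to the single defined block. The block layout (big-endian uint32 size, uint32 id, payload), the constant's value and the helper names are assumptions.

```c
#include <stdio.h>
#include <stdint.h>
/* Placeholder for the MAXADDITIONALBLOCKSIZE constant the fix adds;
 * the real value is not given on this page. */
#define MAXADDITIONALBLOCKSIZE (1u << 20)
#define BLOCK_HEADER_SIZE 8u      /* assumed layout: uint32 size + uint32 id */
#define MAX_ADDITIONAL_BLOCKS 1u  /* only one block type has been defined */

/* Decode a big-endian uint32 (assumed byte order of the size field). */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Payload bytes to skip for a block whose raw size field is `raw`, or -1
 * if out of range. Checked up front so fseek() never sees a raw value. */
long checked_skip_len(uint32_t raw) {
    if (raw < BLOCK_HEADER_SIZE || raw > MAXADDITIONALBLOCKSIZE)
        return -1;
    return (long)(raw - BLOCK_HEADER_SIZE);
}

/* Walk additional blocks from the current position. Returns blocks
 * skipped, or -1 on a malformed size. The count read from the file is
 * clamped, so the loop cannot be driven by the file's numAdditionalBlocks. */
int skip_additional_blocks(FILE *fp, uint32_t numAdditionalBlocks) {
    unsigned char hdr[BLOCK_HEADER_SIZE];
    int skipped = 0;
    if (numAdditionalBlocks > MAX_ADDITIONAL_BLOCKS)
        numAdditionalBlocks = MAX_ADDITIONAL_BLOCKS;
    for (uint32_t i = 0; i < numAdditionalBlocks; i++) {
        if (fread(hdr, 1, sizeof hdr, fp) != sizeof hdr)
            break;                         /* truncated: stop, as before */
        long skip = checked_skip_len(be32(hdr));
        if (skip < 0 || fseek(fp, skip, SEEK_CUR) != 0)
            return -1;                     /* reject rather than seek back */
        skipped++;
    }
    return skipped;
}

/* Helper: load constructed bytes into a temp file and run the walker. */
int run_on_bytes(const unsigned char *buf, size_t len, uint32_t n) {
    FILE *fp = tmpfile();
    if (!fp) return -1;
    if (fwrite(buf, 1, len, fp) != len) { fclose(fp); return -1; }
    rewind(fp);
    int r = skip_additional_blocks(fp, n);
    fclose(fp);
    return r;
}
```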
Blocks: 1468531
No longer depends on: 1468531
Assignee: nobody → jewilde
Status: NEW → ASSIGNED
Priority: -- → P1
Only a single type of additional block has ever been defined for the MAR archive format and only a single block of that type is needed per file, so limiting ourselves to reading only that until we define more seems sensible.

Move additionalBlockSize check before first fread
Add MAXADDITIONALBLOCKSIZE as a constant for checking block sizes
Attachment #9021929 - Attachment is obsolete: true
https://hg.mozilla.org/mozilla-central/rev/609b4f85c0d3
Group: toolkit-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main65-]
Group: core-security-release