Closed
Bug 1497246
(CVE-2022-34481)
Opened 6 years ago
Closed 3 years ago
integer overflow in nsTArray::ReplaceElementsAt
Categories
(Core :: XPCOM, enhancement)
Core
XPCOM
Tracking
()
RESOLVED
FIXED
103 Branch
People
(Reporter: froydnj, Assigned: nika)
References
Details
(Keywords: csectype-intoverflow, sec-moderate, Whiteboard: [adv-main102+][adv-esr91.11+])
Attachments
(2 files)
|
48 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr91+
|
Details | Review |
|
240 bytes,
text/plain
|
Details |
+++ This bug was initially created as a clone of Bug #1483699 +++
Bug 1483699 handled a few cases of potential integer overflow in AppendElements/InsertElementsAt. There's one case in ReplaceElementsAt that we didn't handle and can handle in this bug:
// Adjust memory allocation up-front to catch errors.
if (!ActualAlloc::Successful(this->template EnsureCapacity<ActualAlloc>(
Length() + aArrayLen - aCount, sizeof(elem_type)))) {
return nullptr;
}
The addition of Length() + aArrayLen - aCount should be checked for overflow in some fashion.
|
||
Comment 1•6 years ago
|
||
(In reply to Nathan Froyd [:froydnj] from comment #0)
> +++ This bug was initially created as a clone of Bug #1483699 +++
>
> Bug 1483699 handled a few cases of potential integer overflow in
> AppendElements/InsertElementsAt. There's one case in ReplaceElementsAt that
> we didn't handle and can handle in this bug:
>
> // Adjust memory allocation up-front to catch errors.
> if (!ActualAlloc::Successful(this->template EnsureCapacity<ActualAlloc>(
> Length() + aArrayLen - aCount, sizeof(elem_type)))) {
> return nullptr;
> }
>
> The addition of Length() + aArrayLen - aCount should be checked for overflow
> in some fashion.
Yes, please! I don't think the expression can overflow (because |aArrayLen| elements must exist in the array being added), but it can underflow because |aCount| appears to be unchecked on all nsTArray paths into ReplaceElementsAt ().
|
||
Updated•6 years ago
|
Keywords: csectype-intoverflow,
sec-moderate
|
||
Comment 2•3 years ago
|
||
Nika, any ideas about who might be able to look at this bug? It seems like a shame to leave a fairly simple looking sec bug open for this long. Thanks.
Flags: needinfo?(nika)
|
Assignee | |
Comment 3•3 years ago
|
||
|
||
Updated•3 years ago
|
Assignee: nobody → nika
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•3 years ago
|
Flags: needinfo?(nika)
|
|
||
Updated•3 years ago
|
status-firefox102:
--- → affected
status-firefox103:
--- → affected
status-firefox64:
affected → ---
status-firefox-esr102:
--- → wontfix
status-firefox-esr91:
--- → affected
|
||
Comment 4•3 years ago
|
||
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox101:
--- → wontfix
status-firefox-esr102:
wontfix → ---
tracking-firefox102:
--- → +
tracking-firefox103:
--- → +
tracking-firefox-esr91:
--- → 102+
Resolution: --- → FIXED
Target Milestone: --- → 103 Branch
|
|
||
Comment 5•3 years ago
|
||
Please nominate this for Beta/ESR91 approval when you get a chance.
Flags: needinfo?(nika)
|
|
Assignee | |
Comment 6•3 years ago
|
||
Comment on attachment 9279959 [details]
Bug 1497246 - Release-check aCount for underflow in ReplaceElementsAt, r=#xpcom-reviewers
Beta/Release Uplift Approval Request
- User impact if declined: Slightly less validation in some nsTArray methods
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Minor change double-checking some math for underflow in nsTArray. The underflowing case should never be hit as it would require an index out-of-bounds error, but this adds some extra defense-in-depth.
- String changes made/needed: None
- Is Android affected?: Yes
Flags: needinfo?(nika)
Attachment #9279959 -
Flags: approval-mozilla-beta?
|
||
Comment 7•3 years ago
|
||
Comment on attachment 9279959 [details]
Bug 1497246 - Release-check aCount for underflow in ReplaceElementsAt, r=#xpcom-reviewers
Approved for 102 beta 8, thanks.
Attachment #9279959 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
||
Comment 8•3 years ago
|
||
| uplift | ||
|
|
||
Updated•3 years ago
|
Attachment #9279959 -
Flags: approval-mozilla-esr91?
|
|
||
Comment 9•3 years ago
|
||
Comment on attachment 9279959 [details]
Bug 1497246 - Release-check aCount for underflow in ReplaceElementsAt, r=#xpcom-reviewers
Approved for 91.11esr.
Attachment #9279959 -
Flags: approval-mozilla-esr91? → approval-mozilla-esr91+
|
|
||
Comment 10•3 years ago
•
|
||
| uplift | ||
|
||
Updated•3 years ago
|
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
|
||
Updated•3 years ago
|
Whiteboard: [adv-main102+]
|
|
||
Comment 11•3 years ago
|
||
|
|
||
Updated•3 years ago
|
Alias: CVE-2022-34481
|
|
||
Updated•3 years ago
|
Whiteboard: [adv-main102+] → [adv-main102+][adv-esr91.11+]
|
|
||
Updated•2 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•