Closed Bug 158776 Opened 23 years ago Closed 23 years ago

Possible memory corruption in pop3 protocol code.

Categories

(MailNews Core :: Networking: POP, defect)

Product:
MailNews Core
Component:
Networking: POP
Platform:
x86
Windows NT
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: naving, Assigned: naving)

Details

Attachments

(1 file, 1 obsolete file)

uw diff for strtok part of the fix
3.61 KB, patch
cavin
: review+
Bienvenu
: superreview+
asa
: approval+
Details | Diff | Splinter Review
Issue details: http://lxr.mozilla.org/mozilla/source/mailnews/local/src/nsPop3Protocol.cpp#1280 PR_CALLOC(sizeof(Pop3MsgInfo) * m_pop3ConData->number_of_messages); If the server claims there are 0x100000000 / (sizeof(Pop3MsgInfo)) messages, the minimum chunk size is allocated, and the entire memory may be referenced as a relative offset to the allocated location. It is possible to overwrite function pointers on the heap with arbitary strings from the UIDL. (Possible, but it doesn't seem trivial to predict the offset to overwrite, because of the 'random' order in which items are put on the heap, due to threading.) Exploitation would require the user connects to a maliciously modified POP3 server. (There are also a few crashes on badly formed input that are probably not exploitable, such as multiple instances like: http://lxr.mozilla.org/mozilla/source/mailnews/local/src/nsPop3Protocol.cpp#1739 If there is no space, it dies with a null dereference.)
setting security flag until Mitch says we don't need to worry about that.
Group: security?
Summary: Possible memory corruption in pop3 protocol code. → Possible memory corruption in pop3 protocol code.
As mentioned in this report I don't think overwriting function pointers on heap is easily exploitable (using uidl) because of the random order in which things are allocated on the heap. I found this on google search "Unlike many UNIX platforms, the heap that is used by malloc(), calloc() and realloc() is not guaranteed to be one contiguous piece of memory. Thus it is invalid to assume that all memory between two pointers returned by these functions is accessible, and it is invalid to compare pointers returned by these functions to determine the total size of the heap." Mitch, what do you think ? >http://lxr.mozilla.org/mozilla/source/mailnews/local/src/nsPop3Protocol.cpp#1739 >If there is no space, it dies with a null >dereference.) I have fixes for nsCRT::strtok problem.
Status: NEW → ASSIGNED
Attached patch proposed fix for strtok part (obsolete) — Splinter Review
The fix is to check token for null.
Cavin, David, Can I get reviews ? thx.
CC list accessible: false
CC list accessible: true
Attachment #92438 - Attachment is obsolete: true
Comment on attachment 92441 [details] [diff] [review] uw diff for strtok part of the fix looks OK, except what happens here to cur_msg_size if num is null? Does it matter? + if (num) + m_pop3ConData->cur_msg_size = atol(num);
m_pop3ConData->cur_msg_size is initialized to -1 when we get there.
Attachment #92441 - Flags: superreview+
Comment on attachment 92441 [details] [diff] [review] uw diff for strtok part of the fix OK, I assume you're mean that's OK and nothing bad will happen because of it - sr=bienvenu
Comment on attachment 92441 [details] [diff] [review] uw diff for strtok part of the fix OK, I assume you mean that's OK and nothing bad will happen because of it - sr=bienvenu
Comment on attachment 92441 [details] [diff] [review] uw diff for strtok part of the fix r=cavin.
Attachment #92441 - Flags: review+
yeah, it is ok because it will be taken care of in the next few lines. What do you think about the calloc issue. See comment 0 and comment #2.
I'm not sure I understand the calloc issues. Sure, you can cause the client to allocate a big chunk of memory with 0's in it. And then you can get some text strings into that block of memory with the UIDL. But that's not sufficient to cause a problem, is it? Doesn't that have to happen in conjunction with some other security exploit to actually cause execution to switch into the block of memory?
We don't need to get this fixed for Mach V, but it would be good to have a fix baking on the trunk for Buffy.
Comment on attachment 92441 [details] [diff] [review] uw diff for strtok part of the fix a=asa (on behalf of drivers) for checkin to 1.1
Attachment #92441 - Flags: approval+
fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
changing qa contact ->stephend
QA Contact: sheelar → stephend
Anybody object if I verify this via source code, as opposed to at the API-level? I really don't have a way of testing this (C++ knowledge required).
yes, lxr verification is ok because this code has been tested for more than a month now.
verified fixed via lxr, thanks!
Status: RESOLVED → VERIFIED
long fixed and no need to be confidential
Group: security
Product: MailNews → Core
Product: Core → MailNews Core
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: