Closed
Bug 318618
Opened 19 years ago
Closed 19 years ago
Unchecked malloc in CertReader
Categories
(Core Graveyard :: Installer: XPInstall Engine, defect)
Core Graveyard
Installer: XPInstall Engine
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: taralx, Assigned: dveditz)
Details
(5 keywords, Whiteboard: [sg:dos])
Attachments
(3 files)
1.66 KB,
patch
|
dougt
:
review+
dougt
:
superreview+
|
Details | Diff | Splinter Review |
6.62 KB,
patch
|
dougt
:
review+
dougt
:
superreview+
dveditz
:
approval1.8.0.1+
dveditz
:
approval1.8.1+
|
Details | Diff | Splinter Review |
2.50 KB,
patch
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5 http://lxr.mozilla.org/seamonkey/source/xpinstall/src/CertReader.cpp#218 The uncompressed size is passed to malloc() without checking for invalid values. Probably not a big deal (it only crashes the browser), but still a bad idea nonetheless. Reproducible: Always Steps to Reproduce:
Assignee | ||
Comment 1•19 years ago
|
||
I don't think this is a security problem -- it could suck all the memory out of the browser though. This should fix it: - if (orgSize == 0) + if (orgSize == 0 || orgSize > MAX_SIGNATURE_SIZE) return NS_BINDING_ABORTED; There's a problem in the non-DEFLATED case with the memcpy. If the file is simply STORED csize should equal orgSize, but we don't verify that and go ahead and copy an orgSize amount of data out of the stream (and potentially lots of memory beyond it). That may be where the crash comes in, eventually reading far enough to get an access violation. I don't think this aspect is exploitable either, if we get that far the malloc succeeded so we're not overwriting anything and VerifySignature should simply return an error on non-signature data. But the above check doesn't entirely solve the problem: we could still read < 32K data that isn't ours and possibly crash with an access violation. - else { + else if (orgSize == csize) { memcpy(orgData, data, orgSize); } + else + err = Z_DATA_ERROR;
Assignee: xpi-engine → dveditz
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8.0.1+
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8+
Whiteboard: [sg:dos]
Assignee | ||
Comment 2•19 years ago
|
||
Attachment #204754 -
Flags: superreview?(dougt)
Attachment #204754 -
Flags: review?(dougt)
Updated•19 years ago
|
Attachment #204754 -
Flags: superreview?(dougt)
Attachment #204754 -
Flags: superreview+
Attachment #204754 -
Flags: review?(dougt)
Attachment #204754 -
Flags: review+
Attachment #204754 -
Flags: approval1.8.0.1?
Assignee | ||
Comment 3•19 years ago
|
||
Here's an alternate version that avoids the useless malloc/memcpy in the uncompressed case (plus a bunch of whitespace cleanup). No real-world difference though since install is a rare action. Maybe the simpler change is better.
Attachment #204799 -
Flags: superreview?(dougt)
Attachment #204799 -
Flags: review?(dougt)
Comment 4•19 years ago
|
||
Comment on attachment 204799 [details] [diff] [review] avoid memcpy() in the non-compressed case this is cleaner and style fixup to boot!
Attachment #204799 -
Flags: superreview?(dougt)
Attachment #204799 -
Flags: superreview+
Attachment #204799 -
Flags: review?(dougt)
Attachment #204799 -
Flags: review+
Comment 5•19 years ago
|
||
Per bug triage meeting Please land in the trunk and re-nominate.
Assignee | ||
Comment 6•19 years ago
|
||
Assignee | ||
Updated•19 years ago
|
Whiteboard: [sg:dos] → [sg:dos] need trunk landing
Assignee | ||
Comment 7•19 years ago
|
||
This was checked in Friday night, so was in the 20060107 trunk builds
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Whiteboard: [sg:dos] need trunk landing → [sg:dos]
Assignee | ||
Updated•19 years ago
|
Attachment #204754 -
Flags: approval1.8.0.1?
Assignee | ||
Updated•19 years ago
|
Attachment #204799 -
Flags: approval1.8.1?
Attachment #204799 -
Flags: approval1.8.0.1?
Assignee | ||
Comment 8•19 years ago
|
||
Signed installs can be regression tested here: http://www.mozilla.org/projects/xpinstall/signed/testcases/
Assignee | ||
Comment 9•19 years ago
|
||
Comment on attachment 204799 [details] [diff] [review] avoid memcpy() in the non-compressed case a=dveditz for drivers
Attachment #204799 -
Flags: approval1.8.1?
Attachment #204799 -
Flags: approval1.8.1+
Attachment #204799 -
Flags: approval1.8.0.1?
Attachment #204799 -
Flags: approval1.8.0.1+
Assignee | ||
Updated•19 years ago
|
Keywords: fixed1.8.0.1,
fixed1.8.1
Comment 10•19 years ago
|
||
verified fixed on the branch using the regression tests noted in Comment 8, using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1.
Keywords: fixed1.8.0.1 → verified1.8.0.1
Comment 11•19 years ago
|
||
I installed dougt's ca cert, gave it rights to install software, restarted and tried to install the signed xpi on the signed xpi install page in 1.8, 1.8.0.1, 1.8.1, 1.9a1 on windows and it blocked the install each time because www.mozilla.org was not whitelisted. Is that correct?
Updated•19 years ago
|
Flags: testcase?
Assignee | ||
Comment 12•19 years ago
|
||
(In reply to comment #11) > it blocked the install each time because www.mozilla.org was not > whitelisted. Is that correct? sure, whether signing works or is exploitable is independent of the anti-annoyance install whitelisting. you have to get past the whitelist check to test this bug.
Assignee | ||
Updated•19 years ago
|
Keywords: fixed-aviary1.0.8,
fixed1.7.13
Assignee | ||
Updated•18 years ago
|
Group: security
Updated•9 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•