Closed Bug 334319 Opened 18 years ago Closed 18 years ago

Buffer overrun in nsPermissionManager::Read when reading an invalid cookperm.txt file

Categories

(Core :: Networking: Cookies, defect, P5)

Product:
Core
Component:
Networking: Cookies
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: Gavin, Assigned: Gavin)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, crash)

Attachments

(2 files)

cookperm.txt
52 bytes, text/plain
Details
patch
1.26 KB, patch
mvl
: review+
darin.moz
: superreview+
Details | Diff | Splinter Review 
Coverity found this, CID 373 at http://scan.coverity.com:7454/.

This is mostly a theoretical problem: cookperm.txt is only used if hostperm.1 does not exist, which only normally happens with very old profiles (pre 2004 or so). The file also needs to be invalid, and there is no way that I know to make it invalid through a user action, so I don't think this could possibly be exploited. But I had fun figuring this one out anyways. I'll attach an invalid cookperm.txt file that shows the problem.

Basically, what ends up happening is the following:
AddInternal gets an invalid aTypeIndex (9, with my testcase), so |entry->SetPermission(aTypeIndex, aPermission);| fails (by writing past the end of mPermissions' buffer), which means entry->PermissionsAreEmpty() is then true, which means the engine thinks it's set a permission back to default, so mHostCount is decremented, but the entry is removed with RawRemoveEntry so the hashtable isn't shrunk. Later, in nsPermissionManager::GetEnumerator, the hashtable (mHostTable) is enumerated, so the stale entry is left in hostList, which is then passed to the nsPermissionEnumerator constructor which calls Prefetch which calls GetEntry which crashes when passed a null key.

Since mPermissions is only as large as NUMBER_OF_TYPES, I believe the solution is to treat the entry as invalid if type >= NUMBER_OF_TYPES.

Steps to reproduce:
1) Save the attached cookperm.txt file to a test profile
2) Delete any existing hostperm.1 files (won't exist for clean profiles)
3) Start Firefox, Tools->Options->Privacy->Cookies->Exceptions
4) Crash!
Attached patch patchSplinter Review 
Assignee: nobody → gavin.sharp
Status: NEW → ASSIGNED

        Attachment #218662 -
        Flags: superreview?(darin)

        Attachment #218662 -
        Flags: review?(mvl)

    
  

        Attachment #218662 -
        Flags: superreview?(darin) → superreview+
Priority: -- → P5
Whiteboard: [patch-r?]

    
    

    
  
Comment on attachment 218662 [details] [diff] [review]
patch

I'm not sure i understand the problem, but the solution sure looks good :)

r=mvl

        Attachment #218662 -
        Flags: review?(mvl) → review+

    
    

    
  
mozilla/extensions/cookie/nsPermissionManager.cpp 	1.58
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Whiteboard: [patch-r?]
Target Milestone: --- → mozilla1.9alpha

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: