Closed Bug 334442 Opened 19 years ago Closed 19 years ago

Incorrect use of realloc oom Crash in secmod_ReadPermDB

Categories

(NSS :: Libraries, defect, P1)

3.11
All
Linux
defect

Tracking

(Not tracked)

RESOLVED FIXED
3.11.1

People

(Reporter: timeless, Assigned: alvolkov.bgs)

References

()

Details

(4 keywords, Whiteboard: [sg:nse] [CID 224])

Attachments

(1 file)

found by coverity
Group: security
Summary: oom Crash in secmod_ReadPermDB → Incorrect use of realloc oom Crash in secmod_ReadPermDB
please see bug 244478 comment 13 for an explanation of why what this code is doing is very very very wrong.
Attachment #218783 - Flags: review?(nelson)
Comment on attachment 218783 [details] [diff] [review] properly use realloc
r=nelson
Attachment #218783 - Flags: review?(nelson) → review+
How does this crash rather than just leak?
Flags: blocking1.9a1+
Flags: blocking1.8.1+
And who's going to check in the patch?
Flags: blocking1.8.0.3?
Timeless points out the code says "if (!moduleList[0])", not the "if (moduleList)" my brain saw.
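The realloc misuse the thread is describing, shown as an added example in C (this is constructed illustration code, not NSS code and not the contents of attachment 218783). It assumes the list is a NULL-terminated array of pointers, which matches the `moduleList[0]` check quoted above; the allocation hook and the module names are constructed so the OOM path can be exercised without exhausting memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocation hook (constructed for this example): when fail_next_realloc is
 * set, the next request returns NULL, as the real allocator does under OOM. */
int fail_next_realloc = 0;

void *test_realloc(void *p, size_t n) {
    if (fail_next_realloc) {
        fail_next_realloc = 0;
        return NULL;
    }
    return realloc(p, n);
}

/* The anti-pattern discussed in the bug: the only reference to the old block
 * is overwritten with realloc's result, and the "NULL check" then indexes the
 * result. On OOM that is a NULL dereference, and the old block is already
 * unreachable, so it is a leak followed immediately by a crash.
 * Kept here for comparison only; do not call it under simulated OOM. */
int grow_list_wrong(char ***list, size_t *cap, size_t newcap) {
    *list = test_realloc(*list, newcap * sizeof(char *));
    if (!(*list)[0])            /* dereferences NULL when realloc failed */
        return -1;
    *cap = newcap;
    return 0;
}

/* The correct pattern: realloc into a temporary, test the temporary, and only
 * then replace the caller's pointer. On failure *list is untouched, still
 * owned by the caller, and still NULL-terminated. */
int grow_list_right(char ***list, size_t *cap, size_t newcap) {
    char **tmp = test_realloc(*list, newcap * sizeof(char *));
    if (tmp == NULL)
        return -1;              /* old list intact: no leak, no crash */
    *list = tmp;
    *cap = newcap;
    return 0;
}

/* Append one name, growing the array (doubling) when it is full while always
 * keeping a slot for the terminating NULL. Returns 0 on success, -1 on OOM. */
int list_append(char ***list, size_t *len, size_t *cap, const char *name) {
    if (*len + 1 >= *cap) {
        size_t newcap = *cap ? *cap * 2 : 4;
        if (grow_list_right(list, cap, newcap) != 0)
            return -1;
    }
    (*list)[(*len)++] = (char *)name;
    (*list)[*len] = NULL;
    return 0;
}

/* Scenario: fill a list to capacity, force the next growth to fail, and check
 * that the caller still holds a valid, NULL-terminated list it can free.
 * Returns the number of entries that survived the failed append, or -1. */
int demo_oom_keeps_list(void) {
    char **list = NULL;
    size_t len = 0, cap = 0;
    const char *names[] = { "module-a", "module-b", "module-c" };  /* constructed */

    for (size_t i = 0; i < 3; i++)
        if (list_append(&list, &len, &cap, names[i]) != 0) { free(list); return -1; }

    fail_next_realloc = 1;                     /* simulate OOM on the next growth */
    int rc = list_append(&list, &len, &cap, "module-d");
    if (rc == 0 || list == NULL) { free(list); return -1; }

    int survived = 0;
    for (char **p = list; *p != NULL; p++)
        survived++;
    free(list);                                 /* the old block is still ours */
    return survived;
}

int main(void) {
    printf("entries surviving a failed realloc: %d\n", demo_oom_keeps_list());
    return 0;
}
```

The difference is entirely in where the result of realloc lands: with the temporary, a NULL return leaves the caller holding the original buffer, so the function can report failure and the caller can free or keep the list; without it, the failing path has nothing valid left to check or release.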
NSS team members will do all checkins. Want to batch them up, since there will apparently be quite a few. I *expect* (not a promise) that most of these will go into 3.11.1 in time for FF 2.0 Beta.
Priority: -- → P2
Target Milestone: --- → 3.11.1
Hardware: PC → All
Alexei, please check in the above reviewed fix on both trunk and 3.11 branch. In the checkin comment, be sure to mention that the patch is contributed by timeless@bemail.org. Thanks.
Assignee: nobody → alexei.volkov.bugs
Priority: P2 → P1
Check into the tip:
/cvsroot/mozilla/security/nss/lib/softoken/pk11db.c,v <-- pk11db.c
new revision: 1.36; previous revision: 1.35
Check into the 3.11 branch:
/cvsroot/mozilla/security/nss/lib/softoken/pk11db.c,v <-- pk11db.c
new revision: 1.35.2.1; previous revision: 1.35
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Flags: blocking1.8.0.3? → blocking1.8.0.3+
Comment on attachment 218783 [details] [diff] [review] properly use realloc
Please check this into the 1.8.0 and 1.8 branches as well, and add "fixed1.8.1" and "fixed1.8.0.3" keywords when you've done that. Thanks!
approved for 1.8.0 branch, a=dveditz for drivers
Attachment #218783 - Flags: approval1.8.0.3+
Attachment #218783 - Flags: approval-branch-1.8.1+
Kai, do you have trees for 1.8.0.3 and 1.8.1+? If so, would you be willing to do the checkins of this bug's patch on those trees? They're already approved (see previous comment).
done 1.8 branch:
Checking in pk11db.c;
/cvsroot/mozilla/security/nss/lib/softoken/pk11db.c,v <-- pk11db.c
new revision: 1.32.20.2; previous revision: 1.32.20.1
done 1.8.0 branch:
Checking in pk11db.c;
/cvsroot/mozilla/security/nss/lib/softoken/pk11db.c,v <-- pk11db.c
new revision: 1.32.30.1; previous revision: 1.32
done
Many thanks, Kai.
thank you, Kai!
Alexei, any idea on how to test this?
Maybe I'm missing something, but I don't see the security issues here -- it looks like the old code is at worst a leak followed immediately by a null deref crash in the OOM case.
Whiteboard: [sg:nse]
Daniel, feel free to remove the security flag from this bug as you see fit. It was set by the reporter. I don't see how OOM crashes are exploitable, either.
Group: security
CID 224
Whiteboard: [sg:nse] → [sg:nse] [CID 224]