Closed
Bug 337421
Opened 19 years ago
Closed 3 years ago
Should we protect against mRefCnt integer overflow?
Categories
(Core :: XPCOM, defect)
Core
XPCOM
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: jruderman, Unassigned)
References
Details
(Keywords: sec-moderate, Whiteboard: [sg:moderate])
Attachments
(1 file)
|
15.84 KB,
patch
|
Details | Diff | Splinter Review |
Should we protect against mRefCnt integer overflow?
I haven't tested this, but I think an some "addref without release" leaks could lead to an integer overflow of mRefCnt, which would then leave dangling nsCOMPtrs. Luckily, that type of leak is rare compared to leaks due to cycles.
Hrm. I thought I filed this bug a while back, but I can't find it. Maybe I just sent email somewhere.
The way you'd have to fix this is probably to make PRUint32(-1) never be decremented once it's hit, in case all the references in question are real. This is easy to do for the non-threadsafe versions, but I'm not sure how to do it for the threadsafe ones.
|
Reporter | |
Comment 2•19 years ago
|
||
> make PRUint32(-1) never be decremented once it's hit
And never incremented either? So mRefCnt == -1 would mean "never to be freed"?
|
||
Comment 3•17 years ago
|
||
still a problem?
|
|
Reporter | |
Comment 4•17 years ago
|
||
yes
|
||
Comment 6•17 years ago
|
||
This is at least a start if we choose to go down this path. I haven't measured performance or codesize impacts of this, and all that would need to happen etc, and I don't think I'll have time to work more on this any time soon. If anyone wants to pick this up from here, feel free...
|
||
Comment 7•17 years ago
|
||
We've had one sg:critical abuse of int16 refcounters (and fixed them), but for now 32-bit seems impractical to overflow so I'm guessing at sg:moderate.
Whiteboard: [sg:moderate]
|
|
||
Updated•16 years ago
|
Assignee: nobody → jst
Flags: blocking1.9.1?
|
|
||
Updated•16 years ago
|
Blocks: CVE-2008-2785
|
|
||
Comment 8•16 years ago
|
||
Given the advisory for the 16bit version (bug 440230) this probably doesn't
warrant being security-sensitive. Objections to unhiding it?
|
||
Updated•16 years ago
|
Group: core-security
Flags: wanted1.9.1+
Flags: blocking1.9.1?
Flags: blocking1.9.1-
|
||
Updated•13 years ago
|
Keywords: sec-moderate
|
||
Comment 9•12 years ago
|
||
We could probably more easily measure perf impact now (assuming we still care about this bug).
|
||
Updated•9 years ago
|
Assignee: jst → nobody
|
|
||
Comment 10•3 years ago
|
||
Ref counts were changed to be pointer sized in bug 798158, so I think overflow shouldn't be a real issue any more.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX
|
||
Comment 11•3 years ago
|
||
Time to unhide bug 798158?
You need to log in
before you can comment on or make changes to this bug.
Description
•