Closed
Bug 373934
Opened 18 years ago
Closed 18 years ago
js.c snarf() inconsistant allocation use
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
People
(Reporter: msg, Assigned: mrbkap)
Details
(Whiteboard: [sg:nse] local exploit for js shell)
Attachments
(1 file)
patch (1.09 KB), brendan: review+
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.2) Gecko/20070225 BonEcho/2.0.0.2
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.2) Gecko/20070225 BonEcho/2.0.0.2
No limit is placed on the size of the file read. len could become 0xffffffff, which will cause a 0 allocation, followed by a large fread into the 0-byte allocated buffer.
Reproducible: Always
Check that the return from ftell is not -1, or it would cause an overflow after the arbitrary adjustment in js_malloc().
Updated•18 years ago
Assignee: nobody → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
Comment 1•18 years ago
Seems unlikely an attacker could usefully get a user to download a 4Gb file, but I suppose it could compress to nearly nothing.
Assignee: general → crowder
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:moderate]
Updated•18 years ago
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
Comment 2•18 years ago
This is a shell-only bug, right? Doesn't affect the browser.
Comment 3•18 years ago
So it is, thanks.
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
Whiteboard: [sg:moderate] → [sg:nse] local exploit for js shell
Comment 4•18 years ago
Not s-s, #ifdef NARCISSUS shell only, doesn't affect even /usr/bin/js in any *BSD variant that shipped a shell.
/be
Group: security
Comment 5•18 years ago (Assignee)
I didn't bother adding another error message.
Updated•18 years ago
Attachment #267191 - Flags: review?(brendan) → review+
Comment 6•18 years ago (Assignee)
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment 7•18 years ago
This is a good patch, but I don't think it fixes the actual bug, which is the overflow in the JS_malloc() below.
Comment 8•18 years ago (Assignee)
Brian and I talked about this on IRC. Because JS_malloc takes a size_t, and len is an off_t (which is a signed type of the same size), the only number that could overflow is 0xffffffff, which is -1 as an off_t, so this patch does cover all cases.
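The length-handling pattern the report and comment 8 describe, as an added illustration (not the attached patch or the js shell's own snarf()): the unchecked computation shows how a failed ftell() turns into a 0-byte allocation, and the checked reader rejects the -1 before it becomes a size. File content and helper names are constructed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pattern from the report: the ftell() result is used directly as the
 * buffer size. ftell() returns -1 on failure, and (size_t)-1 + 1 wraps
 * to 0, so the later fread() of (size_t)len bytes targets a 0-byte buffer. */
size_t unchecked_alloc_size(long len) {
    return (size_t)len + 1;
}

/* Checked version: a negative ftell() result is an error, never a length.
 * Returns a NUL-terminated copy of the stream (caller frees) and stores
 * the byte count in *out_len, or NULL on any failure. */
char *snarf_checked(FILE *fp, size_t *out_len) {
    long len;
    char *buf;
    size_t got;

    if (fseek(fp, 0, SEEK_END) != 0) return NULL;
    len = ftell(fp);
    if (len < 0) return NULL;               /* the -1 case from the bug */
    if (fseek(fp, 0, SEEK_SET) != 0) return NULL;

    buf = malloc((size_t)len + 1);          /* len >= 0 here, no wrap */
    if (!buf) return NULL;
    got = fread(buf, 1, (size_t)len, fp);
    if (got != (size_t)len) { free(buf); return NULL; }
    buf[got] = '\0';
    *out_len = got;
    return buf;
}

/* Demo helper: a seekable temporary stream holding constructed content. */
FILE *make_temp_stream(const char *content) {
    FILE *fp = tmpfile();
    if (!fp) return NULL;
    fputs(content, fp);
    rewind(fp);
    return fp;
}
```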
Updated•18 years ago
Flags: in-testsuite-