js.c snarf() inconsistent allocation use

Status: RESOLVED FIXED
Severity: major
Reported: 12 years ago
Modified: 11 years ago
Reporter: msg
Assigned: mrbkap
Version: unspecified
Platform/OS: Other/Other
Whiteboard: [sg:nse] local exploit for js shell
Bug flags: in-testsuite -
Attachments: 1

Description (Reporter, 12 years ago)

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.2) Gecko/20070225 BonEcho/2.0.0.2
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.2) Gecko/20070225 BonEcho/2.0.0.2

No limit is placed on the size of the file read. len could become 0xffffffff, which will cause a 0 allocation, followed by a large fread into the 0-byte buffer.

Reproducible: Always


Check that the return from ftell is not -1, or it would cause an overflow after the arbitrary adjustment in js_malloc().
Assignee: nobody → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
Seems unlikely an attacker could usefully get a user to download a 4Gb file, but I suppose it could compress to nearly nothing.
Assignee: general → crowder
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:moderate]
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?

Comment 2 (12 years ago)

This is a shell-only bug, right?  Doesn't affect the browser.
So it is, thanks.
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
Whiteboard: [sg:moderate] → [sg:nse] local exploit for js shell
Not s-s, #ifdef NARCISSUS shell only, doesn't affect even /usr/bin/js in any *BSD variant that shipped a shell.

/be
Group: security
Created attachment 267191
So, this fixes it?

I didn't bother adding another error message.
Assignee: crowder → mrbkap
Status: NEW → ASSIGNED
Attachment #267191 - Flags: review?(brendan)

Updated (11 years ago)

Attachment #267191 - Flags: review?(brendan) → review+
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED

Comment 7 (11 years ago)

This is a good patch, but I don't think it fixes the actual bug which is the overflow in the JS_malloc() below.
Brian and I talked about this on IRC. Because JS_malloc takes a size_t, and len is an off_t (which is a signed type of the same size), the only number that could overflow is 0xffffffff, which is -1 as an off_t, so this patch does cover all cases.
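The ftell() check asked for in this bug and the off_t/size_t reasoning in the comment above, as an added example that is not the attached patch or the js.c source: a hypothetical read_stream() helper (snarf_alloc_size, read_stream and roundtrip are names chosen here), holding the length in a long as ftell() returns it and rejecting the -1 sentinel that would otherwise become a 0-byte allocation followed by an oversized fread().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Turn an ftell() result into the allocation size len + 1, or return 0 to
 * reject it: a -1 failure return would otherwise become a 0-byte request, and
 * any non-negative long + 1 still fits in a size_t, so that is the only case. */
size_t snarf_alloc_size(long len)
{
    if (len < 0)
        return 0;
    return (size_t)len + 1;          /* room for the terminating NUL */
}

/* Read a whole stream into a NUL-terminated heap buffer; NULL on any failure.
 * Hypothetical stand-in for the js.c shell helper, not the project's code. */
char *read_stream(FILE *fp, size_t *out_len)
{
    size_t size; char *buf; long len;
    if (fseek(fp, 0, SEEK_END) != 0)
        return NULL;
    len = ftell(fp);                 /* -1 on failure, e.g. on a pipe */
    size = snarf_alloc_size(len);    /* the check this bug asked for */
    if (size == 0 || fseek(fp, 0, SEEK_SET) != 0)
        return NULL;
    if ((buf = malloc(size)) == NULL)
        return NULL;
    /* len is non-negative here, so the cast cannot turn into a huge read */
    if (fread(buf, 1, (size_t)len, fp) != (size_t)len) {
        free(buf);
        return NULL;
    }
    buf[len] = '\0';
    *out_len = (size_t)len;
    return buf;
}

/* Round-trip constructed sample text through a temporary file; 1 on success. */
int roundtrip(const char *text)
{
    FILE *fp = tmpfile();
    size_t n = 0; int ok; char *buf;
    if (fp == NULL) return 0;
    fputs(text, fp);
    buf = read_stream(fp, &n);
    ok = buf != NULL && n == strlen(text) && strcmp(buf, text) == 0;
    free(buf);
    fclose(fp);
    return ok;
}
```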

Updated (11 years ago)

Flags: in-testsuite-