Closed
Bug 492717
Opened 15 years ago
Closed 15 years ago
nsNTLMAuthModule.cpp ParseType2Msg(): need to check |offset| value
Categories
(Core :: Networking, defect)
Core
Networking
Tracking
()
VERIFIED
FIXED
mozilla1.9.2a1
Tracking | Status | |
---|---|---|
status1.9.1 | --- | .4-fixed |
People
(Reporter: guninski, Assigned: sgautherie)
Details
(Keywords: crash, verified1.9.1, Whiteboard: [sg:investigate])
Attachments
(1 file)
1.97 KB,
patch
|
rrelyea
:
review+
KaiE
:
review+
dveditz
:
approval1.9.1.4+
|
Details | Diff | Splinter Review |
this seems currently dead code but seems wrong by inspection. http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsNTLMAuthModule.cpp#547 547 PRUint32 offset = ReadUint32(cursor); // get offset from inBuf 548 msg->target = ((const PRUint8 *) inBuf) + offset;
Reporter | ||
Updated•15 years ago
|
Whiteboard: [sg:investigate]
Reporter | ||
Updated•15 years ago
|
Component: General → Networking
Product: Firefox → Core
Reporter | ||
Updated•15 years ago
|
QA Contact: general → networking
Assignee | ||
Comment 1•15 years ago
|
||
(In reply to comment #0) > this seems currently dead code What makes you think that?
Reporter | ||
Comment 2•15 years ago
|
||
> What makes you think that?
i suspect |msg->target| is not used, this is what i mean. not sure about it.
Assignee | ||
Comment 3•15 years ago
|
||
http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsNTLMAuthModule.cpp?mark=513-514,544-545,547-548,559-559,564-566#547 { 518 ParseType2Msg(const void *inBuf, PRUint32 inLen, Type2Msg *msg) ... 564 // we currently do not implement LMv2/NTLMv2 or NTLM2 responses, 565 // so we can ignore target information. we may want to enable 566 // support for these alternate mechanisms in the future. } then { 571 GenerateType3Msg(const nsString &domain, ... 584 rv = ParseType2Msg(inBuf, inLen, &msg); ... } currently uses |msg.flags| and |msg.challenge| only. So the |target*| are indeed unused "yet": no actual security issue atm. (But it doesn't look like dead/removable code, per the quoted comment.) *** (In reply to comment #0) > this [...] seems wrong by inspection. What do you think is wrong in this code? Would you know what a better code would be? Would the issue really be x86/Linux specific or rather all/all (or Windows only)? Would you have an example of log output which would show the problem?
Reporter | ||
Comment 4•15 years ago
|
||
>What do you think is wrong in this code?
|offset| can be any int32 value afaict.
this makes |target| any pointer on 32 bit systems and a lot of pointers on 64 bit systems.
Reporter | ||
Comment 5•15 years ago
|
||
so if |target| is used with attacker supplied |offset| this may be a problem - at least an easy crash.
Assignee | ||
Comment 6•15 years ago
|
||
Ah! This makes sense now: this calculation itself is actually right, but we miss to check |offset| value before using it.
Severity: normal → critical
Keywords: crash
OS: Linux → All
Hardware: x86 → All
Summary: dangerous pointer arithmetic in nsNTLMAuthModule.cpp → nsNTLMAuthModule.cpp ParseType2Msg(): need to check |offset| value
Reporter | ||
Comment 7•15 years ago
|
||
huh, how is this critical crash if the wild pointer is not used?
Assignee | ||
Comment 8•15 years ago
|
||
I guess we should check |msg->targetLen| value too... (In reply to comment #7) > huh, how is this critical crash if the wild pointer is not used? It's not actively used in the authentication process, but it is used by { 145 #ifdef PR_LOGGING ... 205 if (!LOG_ENABLED()) ... 559 LogBuf("target", (const PRUint8 *) msg->target, msg->targetLen); } This is already a case, even if rare, but this bug is about fixing this code before it (would) eventually gets a more general use, isn't it?
Reporter | ||
Comment 9•15 years ago
|
||
sure it better be fixed, this is why i filed it ;)
Reporter | ||
Comment 10•15 years ago
|
||
in theory if target is exposed to userland this may expose memory contents even without writing or dereferencing content from it.
Comment 11•15 years ago
|
||
Chromium folks just patched this: http://codereview.chromium.org/155311
Assignee | ||
Comment 12•15 years ago
|
||
Back-Port Chromium patch. Fwiw, see http://davenport.sourceforge.net/ntlm.html#theType2Message
Assignee: nobody → sgautherie.bz
Status: NEW → ASSIGNED
Attachment #388643 -
Flags: superreview?(dveditz)
Attachment #388643 -
Flags: review?(rrelyea)
Comment 13•15 years ago
|
||
Adding module owner.
Comment 14•15 years ago
|
||
Comment on attachment 388643 [details] [diff] [review] (Av1) offset and length [Checkin: Comment 17 & 20] r+ rrelyea Code is correct. so I'm giving this a r+ so as not to hold up a security fix any longer. bob
Attachment #388643 -
Flags: review?(rrelyea) → review+
Updated•15 years ago
|
Attachment #388643 -
Flags: review+
Comment 15•15 years ago
|
||
Comment on attachment 388643 [details] [diff] [review] (Av1) offset and length [Checkin: Comment 17 & 20] thanks, looks good to me. r=kaie
Comment 16•15 years ago
|
||
Comment on attachment 388643 [details] [diff] [review] (Av1) offset and length [Checkin: Comment 17 & 20] rrelyea and kaie's review should be enough... Ready to land.
Attachment #388643 -
Flags: superreview?(dveditz)
Assignee | ||
Updated•15 years ago
|
Attachment #388643 -
Attachment description: (Av1) offset and length → (Av1) offset and length
[Checkin: Comment 17]
Attachment #388643 -
Flags: approval1.9.1.2?
Assignee | ||
Comment 17•15 years ago
|
||
Comment on attachment 388643 [details] [diff] [review] (Av1) offset and length [Checkin: Comment 17 & 20] http://hg.mozilla.org/mozilla-central/rev/d1c0b2c4ac7a *** "approval1.9.1.2=?": No risk, just to be future-proof.
Assignee | ||
Updated•15 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.2a1
Updated•15 years ago
|
Attachment #388643 -
Flags: approval1.9.1.2? → approval1.9.1.3?
Comment 18•15 years ago
|
||
Comment on attachment 388643 [details] [diff] [review] (Av1) offset and length [Checkin: Comment 17 & 20] Not for 1.9.1.2.
Comment 19•15 years ago
|
||
Comment on attachment 388643 [details] [diff] [review] (Av1) offset and length [Checkin: Comment 17 & 20] Approved for 1.9.1.4, a=dveditz for release-drivers
Attachment #388643 -
Flags: approval1.9.1.3? → approval1.9.1.4+
Assignee | ||
Comment 20•15 years ago
|
||
Comment on attachment 388643 [details] [diff] [review] (Av1) offset and length [Checkin: Comment 17 & 20] http://hg.mozilla.org/releases/mozilla-1.9.1/rev/dbcc002ebde8
Attachment #388643 -
Attachment description: (Av1) offset and length
[Checkin: Comment 17] → (Av1) offset and length
[Checkin: Comment 17 & 20]
Assignee | ||
Updated•15 years ago
|
status1.9.1:
--- → .4-fixed
Comment 21•15 years ago
|
||
Verified both fixes based on checkins on 1.9.2 and 1.9.1.
Status: RESOLVED → VERIFIED
Keywords: verified1.9.1
Updated•15 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•