Closed Bug 673808 Opened 13 years ago Closed 13 years ago

_CACHE_MAP_ is storing nsDiskCacheRecord structs with uninitialized data containing bits of Fx memory

Categories

(Core :: Networking: Cache, defect)

Product:
Core
Component:
Networking: Cache
Version:
5 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla8

People

(Reporter: al_9x, Unassigned)

References

Details

(Whiteboard: [sg:low local])

Attachments

(1 file)

clear new uninitialized memory
1.81 KB, patch
bzbarsky
: review+
Details | Diff | Splinter Review 
You should be able to find clusters of contiguous nsDiskCacheRecord structs whose mHashNumber is 0 and the other 12 bytes appear to be effectively a Fx memory dump of readable profile data (I've seen bookmarks jason, javascript)

Even though the data is full of 4 byte holes (mHashNumber), because the records are contiguous, the data is more or less readable. 

Fx should not be inadvertently storing potentially sensitive profile data in a totally unexpected location.
Status: UNCONFIRMED → NEW
Ever confirmed: true

        Attachment #548407 -
        Flags: review?(bzbarsky)

    
    

    
  
Comment on attachment 548407 [details] [diff] [review]
clear new uninitialized memory

r=me

        Attachment #548407 -
        Flags: review?(bzbarsky) → review+

    
    

    
  
Tryserver is green except few intermittent failures.

http://hg.mozilla.org/mozilla-central/rev/dd7d71277a15
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED

    
  
Whiteboard: [sg:low local]

    
  
Depends on: 675420

    
    

    
  
Please set the target milestone when checking things in....
Target Milestone: --- → mozilla8

    
    

    
  
Comment on attachment 548407 [details] [diff] [review]
clear new uninitialized memory

>-        // Clear the new empty entries
>-        for (PRUint32 i = count; i < newRecordsPerBucket; ++i)
>-            newRecords[i].SetHashNumber(0);
I think this block is still necessary when newArray + bucketIndex * newRecordsPerBucket + i < mHeader.mRecordCount since these are old entries that are no longer used and may otherwise be confused with live entries.

    
  
Depends on: 681407

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: