Closed
Bug 770534
Opened 13 years ago
Closed 11 years ago
possible pointer overflow in PL_ArenaAllocate()
Categories: NSPR :: NSPR, defect, P2
Tracking: firefox25 fixed, firefox26+ fixed, firefox27+ fixed, firefox28+ fixed, firefox-esr1725+ fixed, firefox-esr2425+ fixed, b2g18? affected, b2g-v1.1hd affected, b2g-v1.2 affected
People: Reporter: kdudka, Assigned: kdudka
Whiteboard: [qa-]
Attachments (1 file): patch, 1.25 KB; wtc: review+; wtc: checked-in+
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.5) Gecko/20120601 Firefox/10.0.5
Build ID: 20120601031547
Steps to reproduce:
As pointed out by Pascal Cuoq [1,2], the expressions (a->avail + nb <= a->limit) and (a->base + nb <= a->limit) used in PL_ArenaAllocate() can cause a pointer overflow and consequently undefined behavior. A similar issue was discussed in [3]. I am attaching a patch for the issue suggested by Pascal.
[1] https://groups.google.com/a/sosy-lab.org/d/msg/sv-comp/ylsrp9E0pug/_cDRv8o7JgsJ
[2] https://groups.google.com/a/sosy-lab.org/d/msg/sv-comp/ylsrp9E0pug/31TTjs1MYeQJ
[3] http://lwn.net/Articles/278137/
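The check the report describes adds the requested size to a pointer and only then compares against the arena limit, so for a large request the addition itself runs past the object before the comparison can reject it. The constructed snippet below is an added illustration, not NSPR's plarena.c or the attached patch; the arena struct, field and function names are hypothetical, modelled on the base/avail/limit fields named above. It keeps the overflow-prone form for comparison (only ever called with in-range sizes, since the out-of-range case is undefined) and shows one standard rewrite: subtract the two pointers, which is always defined within one object, and compare sizes rather than pointers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical arena with the same three fields the bug report names:
 * base..limit is the backing memory, avail is the bump pointer. */
typedef struct {
    char *base;
    char *avail;
    char *limit;
} arena_t;

#define ARENA_BYTES 64
static char backing[ARENA_BYTES]; /* constructed 64-byte arena */

static void arena_init(arena_t *a, char *mem, size_t size)
{
    a->base = mem;
    a->avail = mem;
    a->limit = mem + size;
}

/* The pattern from the report: pointer + nb, then compare. Forming
 * avail + nb is undefined once it leaves the object, and on a wrapping
 * implementation a huge nb makes the sum compare as "small". Kept only
 * for contrast; never call it with an nb that could run past limit. */
static int fits_overflow_prone(const arena_t *a, size_t nb)
{
    return a->avail + nb <= a->limit;
}

/* Overflow-free form: limit - avail is the remaining size, a defined
 * pointer difference inside one object; compare sizes, not pointers. */
static int fits_safe(const arena_t *a, size_t nb)
{
    return nb <= (size_t)(a->limit - a->avail);
}

/* Minimal bump allocator built on the safe check. */
static void *arena_alloc(arena_t *a, size_t nb)
{
    if (!fits_safe(a, nb))
        return NULL;
    void *p = a->avail;
    a->avail += nb;
    return p;
}

/* Returns 1 if a fresh 64-byte arena accepts a request of nb bytes. */
int safe_check_accepts(size_t nb)
{
    arena_t a;
    arena_init(&a, backing, ARENA_BYTES);
    return fits_safe(&a, nb);
}

/* Allocates the sizes in order from a fresh arena; returns how many
 * requests succeeded. Oversized requests are rejected, not wrapped. */
int count_successful_allocs(const size_t *sizes, int n)
{
    arena_t a;
    int ok = 0;
    arena_init(&a, backing, ARENA_BYTES);
    for (int i = 0; i < n; i++)
        if (arena_alloc(&a, sizes[i]) != NULL)
            ok++;
    return ok;
}

int main(void)
{
    arena_t a;
    size_t seq[] = { 32, SIZE_MAX - 31, 32 };
    arena_init(&a, backing, ARENA_BYTES);

    /* Both checks agree while nb stays inside the arena. */
    printf("in-range 16: prone=%d safe=%d\n",
           fits_overflow_prone(&a, 16), fits_safe(&a, 16));
    /* Only the safe form may be asked about an enormous request. */
    printf("SIZE_MAX-31 fits? %d\n", safe_check_accepts(SIZE_MAX - 31));
    printf("allocations succeeded: %d of 3\n",
           count_successful_allocs(seq, 3));
    return 0;
}
```

The second request in `seq` is the case that matters: SIZE_MAX - 31 added to a pointer 32 bytes into the arena wraps to exactly the first byte of the backing array on a wrapping implementation, so the pointer-addition check could accept it; the size comparison rejects it and the following 32-byte request still succeeds.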
Updated 11 years ago
Attachment #638730 - Flags: review?(wtc)
Comment 1 • 11 years ago
Comment on attachment 638730 [details] [diff] [review]
0001-plarena-eliminate-possible-pointer-overflow.patch
r=wtc.
Thank you very much for the patch and the reminder for code review.
I recently rediscovered this issue and wrote a patch in bug 927687.
Sigh.
Patch checked in: https://hg.mozilla.org/projects/nspr/rev/9b26e99c21c3
Attachment #638730 - Flags: review?(wtc)
Attachment #638730 - Flags: review+
Attachment #638730 - Flags: checked-in+
Updated 11 years ago
Assignee: wtc → kdudka
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Priority: -- → P2
Resolution: --- → FIXED
Target Milestone: --- → 4.10.2
Comment 2 • 11 years ago (Assignee)
Thanks for review and getting the patch upstream!
Updated 11 years ago
Blocks: CVE-2013-5607
status-b2g18: --- → affected
status-b2g-v1.1hd: --- → affected
status-b2g-v1.2: --- → affected
status-firefox25: --- → wontfix
status-firefox26: --- → affected
status-firefox27: --- → affected
status-firefox28: --- → affected
status-firefox-esr17: --- → affected
status-firefox-esr24: --- → affected
tracking-b2g18: --- → ?
tracking-firefox26: --- → +
tracking-firefox27: --- → +
tracking-firefox28: --- → +
tracking-firefox-esr24: --- → ?
Comment 3 • 11 years ago
Do we need a separate bug here for updating NSPR in m-c, aurora, and beta?
Flags: needinfo?(kdudka)
Comment 4 • 11 years ago
If there is no risk of confusion, we can just use this bug for updating NSPR in m-c, aurora, and beta.
Flags: needinfo?(kdudka)
Comment 5 • 11 years ago
I think there is potentially risk of confusion. Let's use bug 935568 for tracking the respective NSPR update.
Comment 6 • 11 years ago
I think bug 935568 has fixed this by updating NSPR - is that correct? Anything else need doing here?
Flags: needinfo?(kdudka)
Comment 7 • 11 years ago (Assignee)
I do not know much about the relation with other components, switching the needinfo to Kai...
Flags: needinfo?(kdudka) → needinfo?(kaie)
Comment 8 • 11 years ago
(In reply to lsblakk@mozilla.com [:lsblakk] from comment #6)
> I think bug 935568 has fixed this by updating NSPR - is that correct?
> Anything else need doing here?
Correct, we're done, nothing else needed.
Flags: needinfo?(kaie)
Comment 9 • 11 years ago
Marking statuses up to 25 since this shipped in 25.0.1 (and ESR 24.1.1/17.0.11)