Closed Bug 770534 Opened 8 years ago Closed 6 years ago

possible pointer overflow in PL_ArenaAllocate()

Categories

Product/Component: NSPR :: NSPR
Type: defect
Priority: P2
Version: 4.9.1

Tracking

Status: RESOLVED FIXED
Target Milestone: 4.10.2

Tracking Status
firefox25 --- fixed
firefox26 + fixed
firefox27 + fixed
firefox28 + fixed
firefox-esr17 25+ fixed
firefox-esr24 25+ fixed
b2g18 ? affected
b2g-v1.1hd --- affected
b2g-v1.2 --- affected

People

(Reporter: kdudka, Assigned: kdudka)

References

Details

(Whiteboard: [qa-])

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.5) Gecko/20120601 Firefox/10.0.5
Build ID: 20120601031547

Steps to reproduce:

As pointed out by Pascal Cuoq [1,2], the expressions ( a->avail +nb <= a->limit ) and ( a->base +nb <= a->limit ) used in PL_ArenaAllocate() can cause a pointer overflow and consequently undefined behavior. A similar issue was discussed in [3].  I am attaching a patch for the issue suggested by Pascal.

[1] https://groups.google.com/a/sosy-lab.org/d/msg/sv-comp/ylsrp9E0pug/_cDRv8o7JgsJ
[2] https://groups.google.com/a/sosy-lab.org/d/msg/sv-comp/ylsrp9E0pug/31TTjs1MYeQJ
[3] http://lwn.net/Articles/278137/
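Added example to illustrate the check discussed in this bug report; this is not NSPR code and not the attached patch. PLArena stores base, limit and avail as unsigned words (PRUword), which the toy below mirrors with uintptr_t, so the wrap of `avail + nb` is observable deterministically here rather than undefined. The "fixed" form, `nb <= limit - avail`, is the standard way to eliminate the overflow; that it is what the attached patch does is an assumption, since the diff is not shown on this page. All names (toy_arena, fits_overflowing, fits_fixed, toy_alloc, demo_*) are hypothetical.

```c
/* Added example, not NSPR code: models the size check in PL_ArenaAllocate().
 * Field types mirror PLArena's PRUword (unsigned word) using uintptr_t. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct toy_arena {
    uintptr_t base;   /* first usable byte */
    uintptr_t limit;  /* one beyond the last byte */
    uintptr_t avail;  /* next free byte; invariant: base <= avail <= limit */
} toy_arena;

/* The original check: computes avail + nb first.  For nb close to
 * UINTPTR_MAX the sum wraps to a small value that compares <= limit,
 * so a request that cannot possibly fit is accepted. */
bool fits_overflowing(const toy_arena *a, uintptr_t nb)
{
    return a->avail + nb <= a->limit;
}

/* Subtract-first form (assumed to be the shape of the attached patch).
 * Because avail <= limit always holds, limit - avail cannot wrap, and
 * the comparison is exact for every nb. */
bool fits_fixed(const toy_arena *a, uintptr_t nb)
{
    return nb <= a->limit - a->avail;
}

/* Bump-allocate nb bytes, or return 0 when the supplied predicate says
 * the request does not fit.  The predicate is a parameter so both
 * checks can be exercised against the same arena. */
uintptr_t toy_alloc(toy_arena *a, uintptr_t nb,
                    bool (*fits)(const toy_arena *, uintptr_t))
{
    if (!fits(a, nb))
        return 0;
    uintptr_t rp = a->avail;
    a->avail += nb;
    return rp;
}

/* Carve a toy arena out of a real buffer. */
toy_arena toy_arena_over(unsigned char *buf, size_t len)
{
    toy_arena a;
    a.base = (uintptr_t)buf;
    a.limit = a.base + len;
    a.avail = a.base;
    return a;
}

/* Constructed input: a request sized so that avail + nb wraps to 8.
 * Returns 1 when the overflowing check accepts it, the fixed check
 * rejects it, and the bad allocation leaves avail below base. */
int demo_wrap(void)
{
    static unsigned char buf[64];
    toy_arena a = toy_arena_over(buf, sizeof buf);
    uintptr_t huge = UINTPTR_MAX - a.avail + 1 + 8;  /* avail + huge == 8 */

    bool accepted_by_old = fits_overflowing(&a, huge);  /* wrongly true  */
    bool accepted_by_new = fits_fixed(&a, huge);        /* correctly false */

    uintptr_t rp = toy_alloc(&a, huge, fits_overflowing);
    bool state_corrupted = (rp != 0) && (a.avail < a.base);

    return (accepted_by_old && !accepted_by_new && state_corrupted) ? 1 : 0;
}

/* With the fixed check, a 64-byte arena yields exactly four 16-byte
 * allocations and then refuses the fifth. */
int demo_alloc_sequence(void)
{
    static unsigned char buf[64];
    toy_arena a = toy_arena_over(buf, sizeof buf);
    int n = 0;
    while (toy_alloc(&a, 16, fits_fixed) != 0)
        n++;
    return n;
}

int main(void)
{
    printf("overflowing check accepts oversized request: %s\n",
           demo_wrap() ? "yes" : "no");
    printf("16-byte allocations from 64-byte arena (fixed): %d\n",
           demo_alloc_sequence());
    return 0;
}
```

The subtract-first form is only safe because the arena maintains `avail <= limit`; if that invariant could be broken, `limit - avail` would itself wrap. In real pointer arithmetic (rather than the unsigned-word model used here) the `avail + nb` form is undefined behaviour as soon as the sum leaves the arena, which is the point raised in the comment above.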
Attachment #638730 - Flags: review?(wtc)
Comment on attachment 638730 [details] [diff] [review]
0001-plarena-eliminate-possible-pointer-overflow.patch

r=wtc.

Thank you very much for the patch and the reminder for code review.

I recently rediscovered this issue and wrote a patch in bug 927687.
Sigh.

Patch checked in: https://hg.mozilla.org/projects/nspr/rev/9b26e99c21c3
Attachment #638730 - Flags: review?(wtc)
Attachment #638730 - Flags: review+
Attachment #638730 - Flags: checked-in+
Assignee: wtc → kdudka
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Priority: -- → P2
Resolution: --- → FIXED
Target Milestone: --- → 4.10.2
Thanks for review and getting the patch upstream!
Do we need a separate bug here for updating NSPR in m-c, aurora, and beta?
Flags: needinfo?(kdudka)
If there is no risk of confusion, we can just use this bug for
updating NSPR in m-c, aurora, and beta.
Flags: needinfo?(kdudka)
I think there is potentially risk of confusion. Let's use bug 935568 for tracking the respective NSPR update.
I think bug 935568 has fixed this by updating NSPR - is that correct? Anything else need doing here?
Flags: needinfo?(kdudka)
I do not know much about the relation with other components, switching the needinfo to Kai...
Flags: needinfo?(kdudka) → needinfo?(kaie)
(In reply to lsblakk@mozilla.com [:lsblakk] from comment #6)
> I think bug 935568 has fixed this by updating NSPR - is that correct?
> Anything else need doing here?

Correct, we're done, nothing else needed.
Flags: needinfo?(kaie)
Whiteboard: [qa-]