Closed Bug 824490 Opened 12 years ago Closed 12 years ago

Possible Buffer OverFlow in jemalloc.c

Categories

(Core :: Memory Allocator, defect)

18 Branch
x86
Windows XP
defect
Not set
normal


RESOLVED INVALID

People

(Reporter: douglaswtcs, Unassigned)

Details

(Keywords: reporter-external)

Attachments

(1 file)

Attached file jemalloc.c
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0
Build ID: 20121128204232

Steps to reproduce:

I did an analysis of the source code of the file "memory/mozjemalloc/jemalloc.c".

Actual results:

The function strcpy() is used, and it is not secure.

Expected results:

    #ifdef MALLOC_PAGEFILE
    static int
    pagefile_init(size_t size)
    {
    	int ret;
    	size_t i;
    	char pagefile_path[PATH_MAX];
    	char zbuf[MALLOC_PAGEFILE_WRITE_SIZE];

    	/*
    	 * Create a temporary file, then immediately unlink it so that it will
    	 * not persist.
    	 */
    	strcpy(pagefile_path, pagefile_templ);
    	ret = mkstemp(pagefile_path);
    	if (ret == -1)
    		return (ret);
    	if (unlink(pagefile_path)) {
    		char buf[STRERROR_BUF];

    		strerror_r(errno, buf, sizeof(buf));
    		_malloc_message(_getprogname(),
    		    ": (malloc) Error in unlink(\"", pagefile_path, "\"):");
    		_malloc_message(buf, "\n", "", "");
    		if (opt_abort)
    			abort();
    	}

This code is vulnerable to buffer overflow because "strcpy(pagefile_path, pagefile_templ);" has a limit... and if I exceed it, I can cause a "stack buffer overflow" attack.
Flags: sec-bounty?
Summary: I found a vulnerability that permits Buffer OverFlow attacks in "Firefox 18.0b5" → Possible Buffer OverFlow in jemalloc.c
Component: Untriaged → jemalloc
Product: Firefox → Core
The code is under #ifdef MALLOC_PAGEFILE so it's not used in any Firefox default configurations afaict. I did a Try test run with an #error here: https://tbpl.mozilla.org/?tree=Try&rev=3107e8bb680d and it builds fine on all platforms. Furthermore, the cited strcpy() call is safe, because 'pagefile_templ' is a static buffer of the same size: http://mxr.mozilla.org/mozilla-central/source/memory/mozjemalloc/jemalloc.c#1224 which is initialized in this block: http://mxr.mozilla.org/mozilla-central/source/memory/mozjemalloc/jemalloc.c#5715 where it's always zero-terminated properly (it will abort() if it doesn't fit)
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
Group: core-security
Flags: sec-bounty? → sec-bounty-
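The resolution above turns on an invariant rather than on strcpy() itself: the destination is declared with the same size as the static source, and the code that fills the source checks the length and aborts if the template does not fit, so every later strcpy() from it is bounded. The following is an added example that models that pattern; it is not Mozilla's code and is not taken from the bug. The names pagefile_templ_init, copy_templ_matches and init_dir_of_len, the TEMPL_MAX constant (standing in for PATH_MAX, kept small so the boundary is easy to hit) and the "/jemalloc.XXXXXX" suffix are assumptions made for the illustration, and the init step returns -1 where the real allocator would abort(), so the failure can be exercised.

```c
/* Added example, not code from mozjemalloc or the bug report.
 * It models the "same-size static source, length-checked at init" invariant
 * that makes the flagged strcpy() safe. TEMPL_MAX stands in for PATH_MAX. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define TEMPL_MAX 64   /* assumption: small stand-in for PATH_MAX */

/* Static source buffer; every destination below is declared with the same size. */
static char pagefile_templ[TEMPL_MAX];

/* Fill the template from a directory name with a bounded write and an explicit
 * fit check. In the real allocator this is the startup block that abort()s when
 * the path does not fit; here we return -1 instead so the case can be tested.
 * On success pagefile_templ is NUL-terminated within TEMPL_MAX bytes, which is
 * the only property the later strcpy() relies on. */
int pagefile_templ_init(const char *dir)
{
    /* "/jemalloc.XXXXXX" is an assumed mkstemp-style suffix (16 bytes). */
    int n = snprintf(pagefile_templ, sizeof(pagefile_templ),
                     "%s/jemalloc.XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof(pagefile_templ)) {
        pagefile_templ[0] = '\0';   /* do not leave a silently truncated template */
        return -1;
    }
    return 0;
}

/* Mirror of the call the report flagged: strcpy() into a local buffer declared
 * with the same size as the static source. Because init established the bound,
 * this copy cannot run past pagefile_path. Returns 1 if the copy equals
 * `expected`, 0 if init rejected the directory or the contents differ. */
int copy_templ_matches(const char *dir, const char *expected)
{
    char pagefile_path[TEMPL_MAX];

    if (pagefile_templ_init(dir) != 0)
        return 0;
    strcpy(pagefile_path, pagefile_templ);   /* bounded by the init invariant */
    return strcmp(pagefile_path, expected) == 0;
}

/* Build a constructed directory name of `len` 'a' characters and try to
 * initialise the template from it, so the fit boundary can be probed. */
int init_dir_of_len(size_t len)
{
    char dir[256];

    if (len >= sizeof(dir))
        return -2;   /* helper limit only, not the invariant under test */
    memset(dir, 'a', len);
    dir[len] = '\0';
    return pagefile_templ_init(dir);
}

int main(void)
{
    printf("/tmp            : %s\n",
           copy_templ_matches("/tmp", "/tmp/jemalloc.XXXXXX")
               ? "template copied, in bounds" : "unexpected");
    printf("47-byte dir name: init=%d (fits: 47 + 16 = 63 < %d)\n",
           init_dir_of_len(47), TEMPL_MAX);
    printf("48-byte dir name: init=%d (rejected before any strcpy)\n",
           init_dir_of_len(48));
    return 0;
}
```

The point to take from the check is where the bound lives: strcpy() is safe here only because pagefile_templ_init() refuses to produce a template that is not NUL-terminated within TEMPL_MAX bytes and the destination is declared with that same constant. Changing either side (a smaller local buffer, or filling the template with an unbounded write) breaks the invariant, so a review of any such strcpy() has to trace the source buffer's initialisation, exactly as the triage comment does.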
