Bug 824490
Opened 12 years ago
Closed 12 years ago
Possible Buffer OverFlow in jemalloc.c
Categories
(Core :: Memory Allocator, defect)
Tracking
RESOLVED
INVALID
People
(Reporter: douglaswtcs, Unassigned)
Details
(Keywords: reporter-external)
Attachments
(1 file)
184.25 KB,
text/plain
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0
Build ID: 20121128204232
Steps to reproduce:
I did an analysis of the source code of the file "memory/mozjemalloc/jemalloc.c".
Actual results:
The function "strcpy();" is used, and it is not secure.
Expected results:
#ifdef MALLOC_PAGEFILE
static int
pagefile_init(size_t size)
{
	int ret;
	size_t i;
	char pagefile_path[PATH_MAX];
	char zbuf[MALLOC_PAGEFILE_WRITE_SIZE];

	/*
	 * Create a temporary file, then immediately unlink it so that it will
	 * not persist.
	 */
	strcpy(pagefile_path, pagefile_templ);
	ret = mkstemp(pagefile_path);
	if (ret == -1)
		return (ret);
	if (unlink(pagefile_path)) {
		char buf[STRERROR_BUF];

		strerror_r(errno, buf, sizeof(buf));
		_malloc_message(_getprogname(), ": (malloc) Error in unlink(\"",
		    pagefile_path, "\"):");
		_malloc_message(buf, "\n", "", "");
		if (opt_abort)
			abort();
	}
This code is vulnerable to buffer overflow, because "strcpy(pagefile_path, pagefile_templ);" has a limit... and if I exceed it I can cause a "stack buffer overflow" attack.
Updated•12 years ago
Flags: sec-bounty?
Summary: I found a vulnerability what permit attacks of Buffer OverFlow in the "Firefox 18.0b5" → Possible Buffer OverFlow in jemalloc.c
Updated•12 years ago
Component: Untriaged → jemalloc
Product: Firefox → Core
Comment 1•12 years ago
The code is under #ifdef MALLOC_PAGEFILE so it's not used in any Firefox
default configurations afaict. I did a Try test run with an #error here:
https://tbpl.mozilla.org/?tree=Try&rev=3107e8bb680d
and it builds fine on all platforms.
Furthermore, the cited strcpy() call is safe, because 'pagefile_templ' is
a static buffer of the same size:
http://mxr.mozilla.org/mozilla-central/source/memory/mozjemalloc/jemalloc.c#1224
which is initialized in this block:
http://mxr.mozilla.org/mozilla-central/source/memory/mozjemalloc/jemalloc.c#5715
where it's always zero-terminated properly (it will abort() if it doesn't fit)
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
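The reasoning in comment 1 is the general rule for judging a strcpy(): the copy is safe when the source is a fixed-size buffer no larger than the destination and is guaranteed to be NUL-terminated, so the real check belongs at the point where the source buffer is filled, not at the copy. The following is an added example written for this page, not code from mozjemalloc: it models the described pattern with a same-size static template buffer (TEMPL_MAX, SUFFIX, templ_init and try_dir are assumed names and sizes chosen for the demonstration, standing in for PATH_MAX and the real initialization block), rejects a template that would not fit instead of abort()ing, and shows that the subsequent strcpy() into an equal-size destination stays in bounds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed sizes for the demonstration; the real code uses PATH_MAX. */
#define TEMPL_MAX 32
#define SUFFIX "/jemalloc.XXXXXX"

/* Static template buffer, as described in comment 1: the source of the
 * later strcpy() is a fixed-size buffer that is only ever filled by a
 * bounded write, so it is always a NUL-terminated string of at most
 * TEMPL_MAX - 1 characters. */
static char pagefile_templ[TEMPL_MAX];

/* Fill the template from a directory name. Returns 0 on success, -1 if the
 * result would not fit (the original reportedly abort()s in that case).
 * This bounded write is the place where overflow is actually prevented. */
int templ_init(const char *dir)
{
	int n = snprintf(pagefile_templ, sizeof(pagefile_templ), "%s%s",
	    dir, SUFFIX);
	if (n < 0 || (size_t)n >= sizeof(pagefile_templ)) {
		pagefile_templ[0] = '\0';  /* keep a valid (empty) C string */
		return -1;
	}
	return 0;
}

/* The copy the report flagged. pagefile_path and pagefile_templ have the
 * same size and templ_init() guarantees a NUL-terminated template, so
 * strcpy() cannot write past the end of pagefile_path. Returns the number
 * of characters copied (excluding the NUL). */
size_t pagefile_path_copy(char pagefile_path[TEMPL_MAX])
{
	strcpy(pagefile_path, pagefile_templ);
	return strlen(pagefile_path);
}

/* Returns 1 if the directory is accepted by templ_init() and the copy
 * stays within the destination buffer, 0 if the template was rejected. */
int try_dir(const char *dir)
{
	char pagefile_path[TEMPL_MAX];

	if (templ_init(dir) != 0)
		return 0;
	return pagefile_path_copy(pagefile_path) < sizeof(pagefile_path);
}

int main(void)
{
	/* Constructed inputs: one that fits, one that would overflow. */
	printf("/tmp -> %s\n", try_dir("/tmp") ? "accepted" : "rejected");
	printf("/a/very/long/directory/name -> %s\n",
	    try_dir("/a/very/long/directory/name") ? "accepted" : "rejected");
	return 0;
}
```

The length of the source is bounded once, when the template is built; every later strcpy() from it into a buffer of the same declared size inherits that bound. An unbounded strcpy() is only a defect when the source length is not already constrained to fit the destination.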
Updated•12 years ago
Group: core-security
Updated•12 years ago
Flags: sec-bounty? → sec-bounty-
Updated•4 months ago
Keywords: reporter-external