Bug 714154

Summary: overrunning array when executing nss_pcache
Product: Red Hat Enterprise Linux 6 Reporter: Rob Crittenden <rcritten>
Component: mod_nssAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.1CC: benl, dpal, jgalipea, kchamart
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: mod_nss-1.0.8-13.el6 Doc Type: Bug Fix
Doc Text:
Previously, a static array containing the arguments for launching the nss_pcache command was overflowing the size by one. This could lead to a variety of issues including unexpected termination. This bug has been fixed, and mod_nss now uses properly sized static array when launching nss_pcache.
 Story Points: ---
Clone Of:
: 714255 1022298 1022717 (view as bug list) Environment:
Last Closed: 2011-12-06 16:37:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 714255, 1022298, 1022717    
Attachments:
Description Flags
Use properly sized static array none

Description Rob Crittenden 2011-06-17 13:26:01 UTC 
Description of problem:

mod_nss-1.0.8/nss_engine_init.c:467: overrun-local: Overrunning static array "child_argv", with 5 elements, at position 5 with index variable "5".

Version-Release number of selected component (if applicable):
mod_nss-1.0.8-12.el6
Comment 1 Jenny Severance 2011-06-20 19:12:47 UTC 
can you please add some more information about this issue? steps to reproduce and verify?
Comment 2 Rob Crittenden 2011-06-20 19:19:19 UTC 
In the worst case this would result in core dump. mod_nss is allocating an array of 5 elements and writing 6 to it. Through good fortune it isn't overwriting the memory or something else.
Comment 3 Rob Crittenden 2011-08-01 17:28:25 UTC 
Created attachment 516182 [details]
Use properly sized static array
Comment 5 Tomas Capek 2011-08-22 09:39:30 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Previously, a static array containing the arguments for launching the nss_pcache command was overflowing the size by one. This could lead to a variety of issues including unexpected termination. This bug has been fixed, and mod_nss now uses properly sized static array when launching nss_pcache.
Comment 6 Jenny Severance 2011-09-30 13:56:38 UTC 
please add steps to reproduce this issue.
Comment 7 Rob Crittenden 2011-10-03 17:10:32 UTC 
This bug was identified by Coverity. It requires code inspection to verify, we never saw this in the wild.
Comment 8 Jenny Severance 2011-10-03 17:41:42 UTC 
Will we verify Sanity Only then, that no regressions occur during testing.
Comment 10 errata-xmlrpc 2011-12-06 16:37:32 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1656.html