714154 – overrunning array when executing nss_pcache

Bug 714154 - overrunning array when executing nss_pcache

Summary: overrunning array when executing nss_pcache

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	mod_nss
Sub Component:
Version:	6.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Rob Crittenden
QA Contact:	Chandrasekar Kannan
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	714255 1022298 1022717
TreeView+	depends on / blocked

Reported:	2011-06-17 13:26 UTC by Rob Crittenden
Modified:	2015-01-04 23:49 UTC (History)
CC List:	4 users (show)
Fixed In Version:	mod_nss-1.0.8-13.el6
Doc Type:	Bug Fix
Doc Text:	Previously, a static array containing the arguments for launching the nss_pcache command was overflowing the size by one. This could lead to a variety of issues including unexpected termination. This bug has been fixed, and mod_nss now uses properly sized static array when launching nss_pcache.
Clone Of:
Clones:	714255 1022298 1022717 (view as bug list)
Environment:
Last Closed:	2011-12-06 16:37:32 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Use properly sized static array (740 bytes, patch) 2011-08-01 17:28 UTC, Rob Crittenden	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2011:1656	0	normal	SHIPPED_LIVE	mod_nss bug fix update	2011-12-06 00:50:24 UTC

Description Rob Crittenden 2011-06-17 13:26:01 UTC

Description of problem:

mod_nss-1.0.8/nss_engine_init.c:467: overrun-local: Overrunning static array "child_argv", with 5 elements, at position 5 with index variable "5".

Version-Release number of selected component (if applicable):
mod_nss-1.0.8-12.el6

Comment 1 Jenny Severance 2011-06-20 19:12:47 UTC

can you please add some more information about this issue? steps to reproduce and verify?

Comment 2 Rob Crittenden 2011-06-20 19:19:19 UTC

In the worst case this would result in core dump. mod_nss is allocating an array of 5 elements and writing 6 to it. Through good fortune it isn't overwriting the memory or something else.

Comment 3 Rob Crittenden 2011-08-01 17:28:25 UTC

Created attachment 516182 [details]
Use properly sized static array

Comment 5 Tomas Capek 2011-08-22 09:39:30 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Previously, a static array containing the arguments for launching the nss_pcache command was overflowing the size by one. This could lead to a variety of issues including unexpected termination. This bug has been fixed, and mod_nss now uses properly sized static array when launching nss_pcache.

Comment 6 Jenny Severance 2011-09-30 13:56:38 UTC

please add steps to reproduce this issue.

Comment 7 Rob Crittenden 2011-10-03 17:10:32 UTC

This bug was identified by Coverity. It requires code inspection to verify, we never saw this in the wild.

Comment 8 Jenny Severance 2011-10-03 17:41:42 UTC

Will we verify Sanity Only then, that no regressions occur during testing.

Comment 10 errata-xmlrpc 2011-12-06 16:37:32 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1656.html

Note You need to log in before you can comment on or make changes to this bug.