Issue 44: Uninitialized vtable may lead to arbitrary code execution
Status:  Fixed
Owner:  s...@google.com
Closed:  Apr 2009
Security-Contest
Type-Defect


Reported by chris.rohlf, Mar 04, 2009
TEAM CJETM
Affected OS: Linux, OSX, Windows
Tested Browser: Firefox 3.0.6
NaCl Version: nacl_linux_0.1_38_2009_02_11.tgz

There is an uninitialized memory bug that may lead to code execution in the
SharedMemory::New function in shared_memory.cc. This function can receive a
length of 2147483648, which is cast to type off_t, so it becomes
-2147483648. A heap buffer (imc_desc/desc) is then created without being
wiped. The function NaClDescImcShmCtor is then called, which is supposed to
initialize the vtbl pointer in the heap buffer but returns 0 prematurely
because 'length' became less than 0 when cast to type off_t in
SharedMemory::New. This leaves the desc->vtbl pointer uninitialized. This
NaClDescImcShmCtor 0 return value is never checked and NaCl goes on to call
a function pointer in that vtable, which lands in an arbitrary spot. It may
be possible to control this execution and execute arbitrary code by
controlling the contents of the heap via heap spray. To fix this issue,
memset the imc_desc heap buffer and check the return value of
NaClDescImcShmCtor before continuing.

Attachment: CJETM-2.tar.gz (3.7 KB)
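The report describes three defects that combine: a length that changes sign when narrowed to off_t, an allocation that is never wiped, and a constructor whose failure result is ignored so a call goes through an uninitialized vtable pointer. The following C program is an added example, not NaCl's code; it models that control flow with hypothetical names (shm_desc, shm_desc_ctor, shm_desc_new) and assumes a 32-bit off_t like the affected builds had (shm_off_t stands in for it). It shows the constructor returning early without installing the vtable, and a factory that applies the two fixes the report recommends plus a range check on the length before it is narrowed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not NaCl code. All names are hypothetical. */

/* Stand-in for the 32-bit off_t of the affected builds (assumption). */
typedef int32_t shm_off_t;

struct desc_vtbl {
    int (*map)(void *self);
};

struct shm_desc {
    const struct desc_vtbl *vtbl;   /* must be set before any call through it */
    shm_off_t size;
};

static int shm_map_impl(void *self) {
    return ((struct shm_desc *)self)->size > 0;
}

static const struct desc_vtbl shm_vtbl = { shm_map_impl };

/* Models the constructor behaviour the report describes: a negative size
 * makes it return 0 *before* the vtable pointer is installed, so whatever
 * the caller left in self->vtbl stays there. */
int shm_desc_ctor(struct shm_desc *self, shm_off_t size) {
    if (size < 0) {
        return 0;
    }
    self->vtbl = &shm_vtbl;
    self->size = size;
    return 1;
}

/* The narrowing that triggers the bug: 2147483648 does not fit in a signed
 * 32-bit type and wraps to a negative value on two's-complement targets. */
shm_off_t narrow_length(uint64_t length) {
    return (shm_off_t)length;
}

/* Hardened factory:
 *  (1) refuse any length that would change sign when narrowed,
 *  (2) zero the object so no field is ever left as heap garbage,
 *  (3) honour the constructor's failure result.
 * Returns NULL on any failure; the caller never sees a half-built object. */
struct shm_desc *shm_desc_new(uint64_t length) {
    if (length > (uint64_t)INT32_MAX) {
        return NULL;                                   /* (1) */
    }
    struct shm_desc *desc = calloc(1, sizeof *desc);   /* (2) */
    if (desc == NULL) {
        return NULL;
    }
    if (!shm_desc_ctor(desc, (shm_off_t)length)) {     /* (3) */
        free(desc);
        return NULL;
    }
    return desc;
}

/* Safe to call only on a descriptor returned by shm_desc_new. */
int shm_desc_map(struct shm_desc *desc) {
    return desc->vtbl->map(desc);
}
```

Check (1) is what prevents the negative size from ever reaching the constructor; checks (2) and (3) are the defence in depth the report asks for, so that any other constructor failure leaves a NULL vtable and a NULL return rather than an indirect call through uninitialized memory.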
Comment 1 by nativeclient.admin, Mar 04, 2009
Verified as an issue.
Status: Accepted
Comment 2 by nativeclient.admin, Mar 04, 2009
(No comment was entered for this change.)
Owner: nativeclient.admin
Comment 3 by nativeclient.admin, Mar 12, 2009
(No comment was entered for this change.)
Owner: s...@google.com
Labels: Type-Defect
Comment 4 by nativeclient.admin, Apr 10, 2009
Fix was released in build 57.
Status: Fixed