Return-Path:
Delivered-To: apmail-httpd-bugs-archive@www.apache.org
Received: (qmail 38854 invoked from network); 3 Sep 2003 22:14:41 -0000
Received: from daedalus.apache.org (HELO mail.apache.org) (208.185.179.12) by minotaur-2.apache.org with SMTP; 3 Sep 2003 22:14:41 -0000
Received: (qmail 11186 invoked by uid 500); 3 Sep 2003 22:14:25 -0000
Delivered-To: apmail-httpd-bugs-archive@httpd.apache.org
Received: (qmail 11087 invoked by uid 500); 3 Sep 2003 22:14:24 -0000
Mailing-List: contact bugs-help@httpd.apache.org; run by ezmlm
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
Reply-To: "Apache HTTPD Bugs Notification List"
Delivered-To: mailing list bugs@httpd.apache.org
Received: (qmail 11064 invoked from network); 3 Sep 2003 22:14:23 -0000
Received: from unknown (HELO exchange.sun.com) (192.18.33.10) by daedalus.apache.org with SMTP; 3 Sep 2003 22:14:23 -0000
Received: (qmail 9601 invoked by uid 50); 3 Sep 2003 22:16:50 -0000
Date: 3 Sep 2003 22:16:50 -0000
Message-ID: <20030903221650.9598.qmail@nagoya.betaversion.org>
From: bugzilla@apache.org
To: bugs@httpd.apache.org
Cc:
Subject: DO NOT REPLY [Bug 22915] New: - memcpy in apr_rmm_realloc may cause crash
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N
X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22915

memcpy in apr_rmm_realloc may cause crash

           Summary: memcpy in apr_rmm_realloc may cause crash
           Product: APR
           Version: HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: APR-util
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: shrauner@inktomi.com

The memcpy() at line 367 of apr_rmm_realloc which attempts to copy the old data to the newly allocated memory region is copying the newly requested number of bytes from the old region, which means if one uses realloc to grow a memory region (presumably the more common case), then we would be reading past the end of the old memory region. In cases where the old region were too close to the edge of the allocated shared memory, this would result in an attempt to read outside the process's memory space and thus result in a crash. The correct number of bytes to copy is the min() of the requested size and the size of the old buffer.

Here are diffs for a fix:

*** apr_rmm.c 21 Apr 2003 18:42:02 -0000 1.20 --- apr_rmm.c 3 Sep 2003 22:09:24 -0000 *************** *** 360,365 **** --- 360,367 ---- { apr_rmm_off_t this; apr_rmm_off_t old; + struct rmm_block_t *blk; + apr_size_t oldsize; if (!entity) { return apr_rmm_malloc(rmm, reqsize); *************** *** 372,379 **** return this; } memcpy(apr_rmm_addr_get(rmm, this), ! apr_rmm_addr_get(rmm, old), reqsize); apr_rmm_free(rmm, old); return this; --- 374,384 ---- return this; } + blk = (rmm_block_t*)((char*)rmm->base + old); + oldsize = blk->size; + memcpy(apr_rmm_addr_get(rmm, this), ! apr_rmm_addr_get(rmm, old), oldsize < reqsize ? oldsize : reqsize); apr_rmm_free(rmm, old); return this;

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
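Review bot: the first hunk (lines 360-367) declares `blk` as `struct rmm_block_t *blk;` while the second hunk casts with `(rmm_block_t*)`; use one spelling of the type in both places so the patch does not depend on whether the typedef and the struct tag happen to coincide.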
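Review bot: in the second hunk (lines 374-384), `blk = (rmm_block_t*)((char*)rmm->base + old);` assumes the block header lives exactly at offset `old`, i.e. at the same address `apr_rmm_addr_get(rmm, old)` returns for the caller's data, and `oldsize = blk->size;` assumes that header field counts only the caller-visible bytes. If the header precedes the data region or `size` includes the header, this reads the wrong word or copies too many bytes from the old block, which is the over-read the report is trying to remove. Please confirm both against the block layout in apr_rmm.c (the same arithmetic apr_rmm_free uses to get from an offset back to its header is the reference) and, if the header sits in front of the data, compute the header address as `old` minus the header size and subtract the header size from `blk->size` before taking the min.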
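The report's scenario, shown as an added example that is not APR code and not the reporter's patch: a toy offset-addressed arena with the same shape as apr_rmm (a fixed region standing in for the shared-memory segment, blocks addressed by offset from a base, each preceded by a header holding its size). Every name below (`arena_t`, `arena_realloc`, `copy_len_buggy`, `copy_len_fixed`, `copy_overruns`, the 160-byte region and the block sizes) is hypothetical. It grows a 16-byte block that sits at the end of the region after an earlier block has been freed, so the new block is placed before the old one; copying the requested size reads past the end of the region, copying min(old size, requested size) does not.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical arena mimicking apr_rmm's layout; constructed for this example. */
#define ARENA_SIZE 160

typedef size_t arena_off_t;              /* 0 means "no block", as with apr_rmm_off_t */

typedef struct {
    size_t size;                         /* usable bytes following this header */
    size_t used;                         /* 1 = allocated, 0 = free */
} blk_hdr_t;

typedef struct {
    unsigned char mem[ARENA_SIZE];       /* stands in for the shared-memory segment */
    size_t top;                          /* first byte never handed out */
} arena_t;

static blk_hdr_t *hdr_of(arena_t *a, arena_off_t off) {
    return (blk_hdr_t *)(a->mem + off - sizeof(blk_hdr_t));   /* header precedes data */
}

void arena_init(arena_t *a) { memset(a, 0, sizeof *a); }

void *arena_addr(arena_t *a, arena_off_t off) { return a->mem + off; }

size_t arena_blocksize(arena_t *a, arena_off_t off) { return hdr_of(a, off)->size; }

/* First fit over freed blocks (no splitting), otherwise bump from the top.
 * Returns the offset of the data, which always lies after a header, so never 0. */
arena_off_t arena_malloc(arena_t *a, size_t reqsize) {
    size_t pos = 0;
    while (pos < a->top) {
        blk_hdr_t *h = (blk_hdr_t *)(a->mem + pos);
        if (!h->used && h->size >= reqsize) { h->used = 1; return pos + sizeof *h; }
        pos += sizeof *h + h->size;
    }
    if (a->top + sizeof(blk_hdr_t) + reqsize > ARENA_SIZE) return 0;
    blk_hdr_t *h = (blk_hdr_t *)(a->mem + a->top);
    h->size = reqsize;
    h->used = 1;
    a->top += sizeof *h + reqsize;
    return a->top - reqsize;
}

void arena_free(arena_t *a, arena_off_t off) { hdr_of(a, off)->used = 0; }

/* Bytes the memcpy reads from the old block: the reported behaviour vs. the fix. */
size_t copy_len_buggy(size_t oldsize, size_t reqsize) { (void)oldsize; return reqsize; }
size_t copy_len_fixed(size_t oldsize, size_t reqsize) { return oldsize < reqsize ? oldsize : reqsize; }

/* Would reading len bytes starting at off leave the region? */
int copy_overruns(arena_off_t off, size_t len) { return off + len > ARENA_SIZE; }

/* Realloc in apr_rmm_realloc's order (allocate new, copy, free old) with the
 * corrected copy length. */
arena_off_t arena_realloc(arena_t *a, arena_off_t old, size_t reqsize) {
    if (!old) return arena_malloc(a, reqsize);
    arena_off_t nw = arena_malloc(a, reqsize);
    if (!nw) return 0;
    size_t oldsize = arena_blocksize(a, old);
    memcpy(arena_addr(a, nw), arena_addr(a, old), copy_len_fixed(oldsize, reqsize));
    arena_free(a, old);
    return nw;
}

/* The report's case: the block being grown is the last one in the region.
 * Sets the two flags to whether each copy length would read past the region
 * and returns the offset the grown block ends up at. */
arena_off_t scenario(arena_t *a, int *buggy_overruns, int *fixed_overruns) {
    arena_init(a);
    arena_off_t first = arena_malloc(a, 100);           /* data at one header's width */
    arena_off_t tail  = arena_malloc(a, 16);            /* last block in the region */
    memcpy(arena_addr(a, tail), "0123456789abcdef", 16); /* constructed payload */
    arena_free(a, first);                               /* leaves a hole before tail */
    size_t oldsize = arena_blocksize(a, tail), req = 64;
    *buggy_overruns = copy_overruns(tail, copy_len_buggy(oldsize, req));
    *fixed_overruns = copy_overruns(tail, copy_len_fixed(oldsize, req));
    return arena_realloc(a, tail, req);                 /* reuses the hole, copies 16 bytes */
}

int main(void) {
    arena_t a;
    int buggy, fixed;
    arena_off_t grown = scenario(&a, &buggy, &fixed);
    printf("copy reqsize bytes: %s\n", buggy ? "reads past region" : "in bounds");
    printf("copy min bytes:     %s\n", fixed ? "reads past region" : "in bounds");
    printf("grown block at offset %zu, payload %.16s\n", grown, (char *)arena_addr(&a, grown));
    return 0;
}
```

With a 16-byte header the tail block's data starts at offset 132 of 160; copying the requested 64 bytes would read up to offset 196, copying the old block's 16 bytes stops at 148. The same arithmetic applies to apr_rmm whenever the old block is closer to the end of the segment than the requested size.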