|
|
launchd heap corruption due to incorrect rounding in launch_data_unpack | ||||||
| Project Member Reported by ianbeer@google.com, Apr 3 2014 | Back to list | ||||||
(see issue 12 for background on launchd and launch_data_unpack) liblaunch.c: launch_data_unpack: ... case LAUNCH_DATA_STRING: tmpcnt = big2wire(r->string_len); if ((data_size - *data_offset) < (tmpcnt + 1)) { errno = EAGAIN; return NULL; } r->string = data + *data_offset; r->string_len = tmpcnt; *data_offset += ROUND_TO_64BIT_WORD_SIZE(tmpcnt + 1); break; case LAUNCH_DATA_OPAQUE: tmpcnt = big2wire(r->opaque_size); if ((data_size - *data_offset) < tmpcnt) { errno = EAGAIN; return NULL; } r->opaque = data + *data_offset; r->opaque_size = tmpcnt; *data_offset += ROUND_TO_64BIT_WORD_SIZE(tmpcnt); break; ... Both these cases check that there is enough space remaining in the buffer for the given payload size. However, they both then round up the given size to the nearest 8 bytes. This rounding can cause data_offset to become larger than data_size if the data_size was not a multiple of 8 bytes. This causes (data_size - *data_offset) to underflow, meaning that the code will continue to read and deserialize _launch_data structures off the end of the data buffer.
Project Member
Comment 1
by
ianbeer@google.com,
Apr 4 2014
,
Apr 4 2014
Apple follow up id: 605056130
,
Apr 4 2014
,
May 12 2014
,
May 23 2014
,
Jul 3 2014
Apple advisory: http://support.apple.com/kb/HT6296
,
Jul 31 2014
|
|||||||
| ► Sign in to add a comment | |||||||