351470: setuid root programs linked with NSPR allow elevation of privilege. patches #1 and #2. r=nelson, sr=wtc NSPR_4_6_BRANCH
authoralexei.volkov.bugs%sun.com
Fri, 08 Sep 2006 00:00:01 +0000
branchNSPR_4_6_BRANCH
changeset 3682 4d57050f9d247e2ad2c2117a51140747dc780d46
parent 3679 a08440bab81853f735e93dafb94d9a9c5ddb614f
child 3683 06d4b31e319a64086ffe893c06a74381b6404d9a
push idunknown
push userunknown
push dateunknown
reviewersnelson, wtc
bugs351470
351470: setuid root programs linked with NSPR allow elevation of privilege. patches #1 and #2. r=nelson, sr=wtc
pr/src/io/prfdcach.c
pr/src/io/prlog.c
pr/src/misc/pratom.c
pr/src/misc/prtrace.c
--- a/pr/src/io/prfdcach.c
+++ b/pr/src/io/prfdcach.c
@@ -272,16 +272,24 @@ void _PR_InitFdCache(void)
     _pr_fd_cache.limit_high = FD_SETSIZE;
 #else
     _pr_fd_cache.limit_high = 0;
 #endif  /* defined(DEBUG) */
 
     if (NULL != low) _pr_fd_cache.limit_low = atoi(low);
     if (NULL != high) _pr_fd_cache.limit_high = atoi(high);
 
+    if (_pr_fd_cache.limit_low < 0)
+        _pr_fd_cache.limit_low = 0;
+    if (_pr_fd_cache.limit_low > FD_SETSIZE)
+        _pr_fd_cache.limit_low = FD_SETSIZE;
+
+    if (_pr_fd_cache.limit_high > FD_SETSIZE)
+        _pr_fd_cache.limit_high = FD_SETSIZE;
+
     if (_pr_fd_cache.limit_high < _pr_fd_cache.limit_low)
         _pr_fd_cache.limit_high = _pr_fd_cache.limit_low;
 
     _pr_fd_cache.ml = PR_NewLock();
     PR_ASSERT(NULL != _pr_fd_cache.ml);
     _pr_fd_cache.stack = PR_CreateStack("FD");
     PR_ASSERT(NULL != _pr_fd_cache.stack);
 
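Review bot: The new clamps operate on the results of `atoi(low)` and `atoi(high)`, and `atoi` has undefined behaviour when the environment string does not fit in an `int`, so the range checks cannot be relied on for an oversized value. Parsing with `strtol` and rejecting out-of-range input before the assignment closes that gap, e.g. `long v = strtol(low, &end, 10); if (end != low && errno != ERANGE && v >= 0 && v <= FD_SETSIZE) _pr_fd_cache.limit_low = v;`. The same applies to `atoi(eval)` for NSPR_ATOMIC_HASH_LOCKS in pr/src/misc/pratom.c. _PR_InitFdCache starts and ends outside this hunk, so where `low` and `high` are read is not visible here.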
--- a/pr/src/io/prlog.c
+++ b/pr/src/io/prlog.c
@@ -250,16 +250,22 @@ void _PR_InitLog(void)
             }
             /*found:*/
             count = sscanf(&ev[pos], " , %n", &delta);
             pos += delta;
             if (count == EOF) break;
         }
         PR_SetLogBuffering(isSync ? bufSize : 0);
 
+#ifdef XP_UNIX
+        if (getuid() != geteuid()) {
+            return;
+    }
+#endif /* XP_UNIX */
+
         ev = PR_GetEnv("NSPR_LOG_FILE");
         if (ev && ev[0]) {
             if (!PR_SetLogFile(ev)) {
 #ifdef XP_PC
                 char* str = PR_smprintf("Unable to create nspr log file '%s'\n", ev);
                 if (str) {
                     OutputDebugString(str);
                     PR_smprintf_free(str);
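Review bot: The guard `getuid() != geteuid()` covers setuid binaries only; a setgid program, where the real and effective group differ, still reaches `PR_GetEnv("NSPR_LOG_FILE")` and opens a caller-chosen path with the elevated group. Consider `if (getuid() != geteuid() || getgid() != getegid()) {`; the identical check added to InitializeRecording in pr/src/misc/prtrace.c needs the same extension. The closing brace of the new `if` is indented four columns instead of eight, so it reads as the end of the enclosing block. A comment such as `/* never honour NSPR_LOG_FILE when running with elevated privileges */` would record why the function returns early. _PR_InitLog continues past the end of this hunk, so anything after the log-file setup is skipped as well.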
@@ -288,20 +294,22 @@ void _PR_LogCleanup(void)
     if (logFile
         && logFile != stdout
         && logFile != stderr
 #ifdef XP_PC
         && logFile != WIN32_DEBUG_FILE
 #endif
         ) {
         fclose(logFile);
+        logFile = NULL;
     }
 #else
     if (logFile && logFile != _pr_stdout && logFile != _pr_stderr) {
         PR_Close(logFile);
+        logFile = NULL;
     }
 #endif
 
     while (lm != NULL) {
         PRLogModuleInfo *next = lm->next;
         free((/*const*/ char *)lm->name);
         PR_Free(lm);
         lm = next;
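Review bot: The two added `logFile = NULL;` assignments carry no comment, and the reason for them is not obvious from the cleanup code alone. Something like `/* don't leave a dangling handle for any logging call made after cleanup */` above each would help, though that reading is inferred from the commit title rather than shown in the hunk. The module-list loop that follows frees every entry, and whether the list head is reset in the same way cannot be seen here because _PR_LogCleanup starts and ends outside the hunk.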
--- a/pr/src/misc/pratom.c
+++ b/pr/src/misc/pratom.c
@@ -115,16 +115,18 @@ int index;
 	PR_ASSERT(PR_FloorLog2(DEFAULT_ATOMIC_LOCKS) ==
 							PR_CeilingLog2(DEFAULT_ATOMIC_LOCKS));
 
 	if (((eval = getenv("NSPR_ATOMIC_HASH_LOCKS")) != NULL)  &&
 		((num_atomic_locks = atoi(eval)) != DEFAULT_ATOMIC_LOCKS)) {
 
 		if (num_atomic_locks > MAX_ATOMIC_LOCKS)
 			num_atomic_locks = MAX_ATOMIC_LOCKS;
+		else if (num_atomic_locks < 1) 
+			num_atomic_locks = 1;
 		else {
 			num_atomic_locks = PR_FloorLog2(num_atomic_locks);
 			num_atomic_locks = 1L << num_atomic_locks;
 		}
 		atomic_locks = (pthread_mutex_t *) PR_Malloc(sizeof(pthread_mutex_t) *
 						num_atomic_locks);
 		if (atomic_locks) {
 			for (index = 0; index < num_atomic_locks; index++) {
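Review bot: With the new `else if (num_atomic_locks < 1)` branch, a non-numeric or negative NSPR_ATOMIC_HASH_LOCKS (for which `atoi` yields 0 or a negative number) now selects a single lock rather than the default, so a malformed variable quietly funnels all users of the lock table onto one mutex. If that is not intended, `num_atomic_locks = DEFAULT_ATOMIC_LOCKS;` in that branch would keep the built-in sizing; either way a comment stating the chosen lower bound would help. The added line also has trailing whitespace, and the chain mixes unbraced branches with a braced `else`. The enclosing function begins and ends outside the hunk.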
--- a/pr/src/misc/prtrace.c
+++ b/pr/src/misc/prtrace.c
@@ -40,25 +40,17 @@
 **
 ** Implement the API defined in prtrace.h
 **
 **
 **
 */
 
 #include <string.h>
-#include "prtrace.h"
-#include "prclist.h"
-#include "prlock.h"
-#include "prcvar.h"
-#include "prio.h"
-#include "prlog.h"
-#include "prenv.h"
-#include "prmem.h"
-#include "prerror.h"
+#include "primpl.h"
 
 
 #define DEFAULT_TRACE_BUFSIZE ( 1024 * 1024 )
 #define DEFAULT_BUFFER_SEGMENTS    2
 
 /*
 ** Enumerate states in a RName structure
 */
@@ -692,16 +684,22 @@ static PRFileDesc * InitializeRecording(
         _PR_InitializeTrace();
 
     PR_LOG( lm, PR_LOG_DEBUG,
         ("PR_RecordTraceEntries: begins"));
 
     logLostData = 0; /* reset at entry */
     logState = LogReset;
 
+#ifdef XP_UNIX
+    if (getuid() != geteuid()) {
+        return NULL;
+    }
+#endif /* XP_UNIX */
+
     /* Get the filename for the logfile from the environment */
     logFileName = PR_GetEnv( "NSPR_TRACE_LOG" );
     if ( logFileName == NULL )
     {
         PR_LOG( lm, PR_LOG_ERROR,
             ("RecordTraceEntries: Environment variable not defined. Exiting"));
         return NULL;
     }
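Review bot: The new early `return NULL;` for a setuid process is silent, while the neighbouring failure path (NSPR_TRACE_LOG unset) reports itself through `PR_LOG( lm, PR_LOG_ERROR, ... )`. Adding `PR_LOG( lm, PR_LOG_ERROR, ("RecordTraceEntries: uid != euid, trace log disabled. Exiting"));` before the return would make a disabled trace diagnosable. The check also sits after `logState = LogReset;`, so the state has been reset even though no recording starts. Whether callers depend on that is not visible, as InitializeRecording extends beyond the hunk.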