Closed
Bug 1246567
Opened 8 years ago
Closed 8 years ago
NULL out xSS and xES after PK11_FreeSymKey
Categories
(NSS :: Libraries, defect)
Tracking
(firefox44 unaffected, firefox45 unaffected, firefox46 unaffected, firefox47 unaffected)
RESOLVED
FIXED
Future
Release | Tracking | Status |
---|---|---|
firefox44 | --- | unaffected |
firefox45 | --- | unaffected |
firefox46 | --- | unaffected |
firefox47 | --- | unaffected |
People
(Reporter: ekr, Assigned: ekr)
Details
(Keywords: csectype-uaf, sec-moderate)
Attachments
(1 file)
No description provided.
Assignee
Comment 1•8 years ago
Assignee
Comment 2•8 years ago
MT, this is a likely UAF but it only occurs in the TLS 1.3 code path.
Assignee
Updated•8 years ago
Attachment #8716860 -
Flags: review?(martin.thomson)
Updated•8 years ago
Attachment #8716860 -
Flags: review?(martin.thomson) → review+
Comment 3•8 years ago
Comment on attachment 8716860
0001-NULL-xSS-and-xES-after-call-to-PK11_SymKeyFree.patch
Review of attachment 8716860:
-----------------------------------------------------------------
Wasn't sure whether you CC'ed me to get another opinion or to just let me know. In any case, LGTM.
Attachment #8716860 -
Flags: review+
Assignee
Comment 4•8 years ago
Dan, Wan-Teh. This is a memory error, but it's in an experimental version of NSS that is off by default in Firefox. Any reason not to just land it?
Flags: needinfo?(wtc)
Flags: needinfo?(dveditz)
Comment 5•8 years ago
Comment on attachment 8716860 [details] [diff] [review] 0001-NULL-xSS-and-xES-after-call-to-PK11_SymKeyFree.patch Review of attachment 8716860 [details] [diff] [review]: ----------------------------------------------------------------- r=wtc. It is fine to check this in. ::: lib/ssl/tls13con.c @@ +1209,5 @@ > loser: > PK11_FreeSymKey(ss->ssl3.hs.xSS); > PK11_FreeSymKey(ss->ssl3.hs.xES); > + ss->ssl3.hs.xSS = NULL; > + ss->ssl3.hs.xES = NULL; Nit: you may want to put them in this order: PK11_FreeSymKey(ss->ssl3.hs.xSS); ss->ssl3.hs.xSS = NULL; PK11_FreeSymKey(ss->ssl3.hs.xES); ss->ssl3.hs.xES = NULL;
Attachment #8716860 -
Flags: review+
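Review bot: in the `loser:` block the two `PK11_FreeSymKey` calls and the two added NULL assignments are kept apart, so a later edit can drop or reorder one without the other; pairing each free with its assignment (`PK11_FreeSymKey(ss->ssl3.hs.xSS);` immediately followed by `ss->ssl3.hs.xSS = NULL;`, as the nit above suggests) or using a small free-and-clear helper keeps the invariant local to each field. The hunk covers only this one error path in lib/ssl/tls13con.c, so any other site that frees xSS or xES should be checked for the same dangling pointer. A one-line comment noting that these fields live in the handshake state and outlive this function would document why the assignments are needed.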
Updated•8 years ago
status-firefox44: --- → unaffected
status-firefox45: --- → unaffected
status-firefox46: --- → unaffected
status-firefox47: --- → unaffected
Assignee
Comment 6•8 years ago
Committed as: https://hg.mozilla.org/projects/nss/rev/d7d940a5999d
Comment 7•8 years ago
(In reply to Eric Rescorla (:ekr) from comment #4)
> Dan, Wan-Teh. This is a memory error, but it's in an experimental version of
> NSS that is off by default in Firefox. Any reason not to just land it?
"by default"? If it's just a pref switch we should change the status flag to "disabled" instead of "unaffected" -- but either way sure, go ahead and land it if the NSS tree is open
Comment 8•8 years ago
:dveditz, this is off in the sense that it can't be turned on. I guess that makes "by default" moot :)
Assignee
Comment 9•8 years ago
mt: actually it sort of can be. It's not compiled off in Firefox, and while you can set the variables in about:config, I'm not sure that it will actually negotiate 1.3 if you do that because a lot of changes in PSM are needed.
Comment 10•8 years ago
Did we forget to resolve this? Was it left open intentionally?
Assignee: nobody → ekr
Status: NEW → ASSIGNED
Updated•8 years ago
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → Future
Updated•8 years ago
Group: crypto-core-security → core-security-release
Updated•5 years ago
|
Group: core-security-release