Closed Bug 1307472 Opened 4 years ago Closed 4 years ago

UBSan: sftk_ChaCha20Poly1305_CreateContext: null pointer passed as argument 2, which is declared to never be null

Categories

(NSS :: Libraries, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ttaubert, Assigned: ttaubert)

pkcs11c.c:705:30: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:43:28: note: nonnull attribute specified here
    #0 0x7f7ccf7ca6a0 in sftk_ChaCha20Poly1305_CreateContext /home/worker/nss/lib/softoken/pkcs11c.c:705:9
    #1 0x7f7ccf74e457 in sftk_CryptInit /home/worker/nss/lib/softoken/pkcs11c.c:1169:35
    #2 0x7f7ccf74529d in NSC_EncryptInit /home/worker/nss/lib/softoken/pkcs11c.c:1231:12
    #3 0x11d1979 in PK11_Encrypt /home/worker/nss/lib/pk11wrap/pk11obj.c:931:11
    #4 0x101e6fb in tls13_AEAD /home/worker/nss/lib/ssl/tls13con.c:2686:14
    #5 0x101afb7 in tls13_ChaCha20Poly1305 /home/worker/nss/lib/ssl/tls13con.c:2741:12
    #6 0x1000481 in tls13_ProtectRecord /home/worker/nss/lib/ssl/tls13con.c:3809:14
    #7 0xdcfbdc in ssl3_SendRecord /home/worker/nss/lib/ssl/ssl3con.c:2683:26
    #8 0xddb197 in ssl3_FlushHandshakeMessages /home/worker/nss/lib/ssl/ssl3con.c:2912:13
    #9 0xdda426 in ssl3_FlushHandshake /home/worker/nss/lib/ssl/ssl3con.c:2882:16
    #10 0xff1a8c in tls13_SendServerHelloSequence /home/worker/nss/lib/ssl/tls13con.c:1850:11
    #11 0xfe1a0b in tls13_HandleClientHelloPart2 /home/worker/nss/lib/ssl/tls13con.c:1341:14
    #12 0xe488f2 in ssl3_HandleClientHello /home/worker/nss/lib/ssl/ssl3con.c:8494:14
    #13 0xe40a01 in ssl3_HandleHandshakeMessage /home/worker/nss/lib/ssl/ssl3con.c:11655:18
    #14 0xe6269a in ssl3_HandleHandshake /home/worker/nss/lib/ssl/ssl3con.c:11848:18
    #15 0xe5541f in ssl3_HandleRecord /home/worker/nss/lib/ssl/ssl3con.c:12611:22
    #16 0x103c140 in ssl3_GatherCompleteHandshake /home/worker/nss/lib/ssl/ssl3gthr.c:474:22
    #17 0x1046db0 in ssl_GatherRecord1stHandshake /home/worker/nss/lib/ssl/sslcon.c:78:10
    #18 0xf1463a in ssl_Do1stHandshake /home/worker/nss/lib/ssl/sslsecur.c:65:14
    #19 0xf202dc in SSL_ForceHandshake /home/worker/nss/lib/ssl/sslsecur.c:413:14
    #20 0xb06a06 in nss_test::TlsAgent::Handshake() /home/worker/nss/external_tests/ssl_gtest/tls_agent.cc:671:18
    #21 0xb46997 in nss_test::TlsConnectTestBase::Handshake() /home/worker/nss/external_tests/ssl_gtest/tls_connect.cc:240:12
    #22 0xb49426 in nss_test::TlsConnectTestBase::Connect() /home/worker/nss/external_tests/ssl_gtest/tls_connect.cc:256:3
    #23 0x6bd234 in nss_test::TlsCipherSuiteTestBase::ConnectAndCheckCipherSuite() /home/worker/nss/external_tests/ssl_gtest/ssl_ciphersuite_unittest.cc:131:5
    #24 0x6ba421 in nss_test::TlsCipherSuiteTest_SingleCipherSuite_Test::TestBody() /home/worker/nss/external_tests/ssl_gtest/ssl_ciphersuite_unittest.cc:214:3
    #25 0xd56e9e in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /home/worker/nss/external_tests/google_test/gtest/src/gtest.cc:2362:10
    #26 0xc448ed in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /home/worker/nss/external_tests/google_test/gtest/src/gtest.cc:2398:14
    #27 0xc43c40 in testing::Test::Run() /home/worker/nss/external_tests/google_test/gtest/src/gtest.cc:2434:5
    #28 0xc4aca2 in testing::TestInfo::Run() /home/worker/nss/external_tests/google_test/gtest/src/gtest.cc:2610:11
    #29 0xc51e8f in testing::TestCase::Run() /home/worker/nss/external_tests/google_test/gtest/src/gtest.cc:2728:28
    #30 0xc8ebdb in testing::internal::UnitTestImpl::RunAllTests() /home/worker/nss/external_tests/google_test/gtest/src/gtest.cc:4591:43
    #31 0xd6f400 in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /home/worker/nss/external_tests/google_test/gtest/src/gtest.cc:2362:10
    #32 0xc8be5d in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /home/worker/nss/external_tests/google_test/gtest/src/gtest.cc:2398:14
    #33 0xc8b58e in testing::UnitTest::Run() /home/worker/nss/external_tests/google_test/gtest/src/gtest.cc:4209:10
    #34 0x91ac5c in RUN_ALL_TESTS() /home/worker/nss/external_tests/ssl_gtest/../../external_tests/google_test/gtest/include/gtest/gtest.h:2304:46
    #35 0x91aae2 in main /home/worker/nss/external_tests/ssl_gtest/ssl_gtest.cc:37:12
    #36 0x7f7cd344a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #37 0x46e2d8 in _start (/home/worker/nss/external_tests/ssl_gtest/Linux4.1_x86_64_clang-3.9_glibc_PTH_64_ASAN_DBG.OBJ/ssl_gtest+0x46e2d8)

This happens because tls13_ChaCha20Poly1305() does:

> aeadParams.pAAD = NULL; /* No AAD in TLS 1.3. */

And we need to handle that. sec-low because 1.3 isn't enabled by default.
Keywords: sec-low
https://hg.mozilla.org/projects/nss/rev/6056611f3f55
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.28
Unhiding, this isn't security sensitive if memcpy() is called with a NULL pointer and length=0.
Group: crypto-core-security
Keywords: sec-low
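
The condition discussed in this bug, shown as an added example that is not NSS code and not the committed fix: a context constructor that receives an AEAD parameter block whose AAD pointer may be NULL, and that only calls memcpy() when there are bytes to copy. The `demo_*` names and the `DEMO_MAX_AAD` size are hypothetical; only `pAAD` is a field name taken from the report, and `ulAADLen` is an assumed name for its length.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_MAX_AAD 16 /* hypothetical size of the inline AAD buffer */

/* Hypothetical stand-ins for the AEAD parameter block and cipher context. */
typedef struct {
    const unsigned char *pAAD; /* NULL when the caller has no AAD */
    size_t ulAADLen;           /* assumed name for the AAD length */
} demo_aead_params;

typedef struct {
    unsigned char ad[DEMO_MAX_AAD];
    size_t adLen;
} demo_aead_ctx;

/* Returns a new context, or NULL if the parameters are inconsistent. */
demo_aead_ctx *demo_create_context(const demo_aead_params *params)
{
    demo_aead_ctx *ctx;

    if (params == NULL)
        return NULL;
    /* Pointer and length must agree: NULL with a non-zero length is an error. */
    if (params->pAAD == NULL && params->ulAADLen != 0)
        return NULL;
    /* Never copy more than the destination buffer can hold. */
    if (params->ulAADLen > DEMO_MAX_AAD)
        return NULL;

    ctx = calloc(1, sizeof(*ctx));
    if (ctx == NULL)
        return NULL;

    ctx->adLen = params->ulAADLen;
    /* memcpy()'s source argument is declared nonnull, so passing
     * (NULL, 0) is what UBSan reports. Skip the call when there is
     * nothing to copy instead of relying on a zero-length no-op. */
    if (ctx->adLen != 0)
        memcpy(ctx->ad, params->pAAD, ctx->adLen);
    return ctx;
}
```

Removing the `adLen != 0` guard and building with `-fsanitize=undefined` reproduces the same class of "null pointer passed as argument 2" report for the no-AAD case.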