Closed
Bug 1328122
(CVE-2017-7502)
Opened 7 years ago
Closed 7 years ago
Various ssl3_GatherData() issues
Categories: NSS :: Libraries, defect
Tracking
(Not tracked)
RESOLVED
FIXED
3.29
People
(Reporter: ttaubert, Assigned: ttaubert)
References
(Blocks 2 open bugs)
Details
(Keywords: sec-moderate)
The fuzzing target's implementation of `recv` showed that ssl_DefRecv() can be called with buf=NULL _and_ len=0. While this isn't too bad assuming that the underlying `recv` implementation can handle it, it probably would be nice to avoid those calls. There are, however, a few other issues, especially with the v2 ClientHello handling code.
Comment 1•7 years ago
When we receive an empty v2 record, i.e. in long form = {0x00, 0x00, 0x00, 0x00, 0x00}, where the last 2 bytes are appended because ssl3_GatherData() expects 5 bytes total, then we try to memcpy() into `gs->inbuf`. The problem is that `gs->inbuf.buf` is still NULL and so we have a NULL dereference. After that we set `gs->remainder` to -2 or -3 and call ssl_DefRecv(), which will usually err out with PR_BUFFER_OVERFLOW_ERROR. But that also is dependent on the actual implementation of `recv`. Assigning sec-moderate; memcpy(NULL, _) seems hard to exploit, only in rare situations and environments. Also this only affects NSS servers.
Keywords: sec-moderate
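The zero-length v2 record path described in the comment above, as an added example that is not NSS's ssl3_GatherData(): a constructed model of the SSLv2 header decode (`parse_v2_header`, `accept_v2_header` and the 5-byte peek are assumptions of the model) that also covers the short-form header, computes the remainder the report talks about, and rejects a record whose declared length is smaller than the bytes already gathered, so the negative remainder never reaches a copy into an unallocated input buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed model of the v2 record-header handling discussed in the bug, not
 * NSS's ssl3_GatherData(). The gatherer is assumed to peek 5 bytes first. */
#define V2_PEEK 5

typedef struct {
    int ok;        /* 1 if the bytes formed a v2 header */
    int hdr_len;   /* 2 for the short form, 3 for the long form */
    int rec_len;   /* record length carried in the header */
    int remainder; /* record bytes still to be read from the peer */
} v2_hdr;

/* Short form: top bit of byte 0 set, 15-bit length. Long form: top bit clear,
 * 14-bit length, then one padding byte. */
v2_hdr parse_v2_header(const uint8_t *in, size_t in_len)
{
    v2_hdr h = {0, 0, 0, 0};
    if (in == NULL || in_len < V2_PEEK) return h;
    if (in[0] & 0x80) {
        h.hdr_len = 2;
        h.rec_len = ((in[0] & 0x7f) << 8) | in[1];
    } else {
        h.hdr_len = 3;
        h.rec_len = ((in[0] & 0x3f) << 8) | in[1];
    }
    /* The peek already consumed V2_PEEK - hdr_len record bytes. An empty
     * record leaves -3 (short) or -2 (long): the state the report describes
     * just before the copy into the still-unallocated inbuf. */
    h.remainder = h.rec_len - (V2_PEEK - h.hdr_len);
    h.ok = 1;
    return h;
}

/* Hardened gate: reject any v2 record shorter than the bytes already
 * gathered, so a negative remainder never reaches the buffer copy. */
int accept_v2_header(const uint8_t *in, size_t in_len)
{
    v2_hdr h = parse_v2_header(in, in_len);
    return h.ok && h.remainder >= 0;
}

int main(void)
{
    /* The empty long-form record from the report. */
    const uint8_t empty_long[V2_PEEK] = {0x00, 0x00, 0x00, 0x00, 0x00};
    printf("remainder=%d accepted=%d\n",
           parse_v2_header(empty_long, V2_PEEK).remainder,
           accept_v2_header(empty_long, V2_PEEK));
    return 0;
}
```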
Comment 2•7 years ago
https://nss-review.dev.mozaws.net/D135
Comment 3•7 years ago
The fix you have looks fine, though I would observe that removing support for v2-compatible ClientHello would be a much neater change. Maybe we can put that on the executioner's block this year.
Comment 4•7 years ago
Indeed. I really don't want to support it... but we probably have to keep it for now, until Red Hat agrees to remove it.
Comment 5•7 years ago
https://hg.mozilla.org/projects/nss/rev/55ea60effd0d
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.29
Comment 6•7 years ago
https://hg.mozilla.org/projects/nss/rev/fe14434b5996
Updated•7 years ago
Group: crypto-core-security → core-security-release
Comment 7•7 years ago
Thanks for fixing the v2 code, yes Red Hat still needs it for compatibility.
Comment 8•7 years ago
Is Mozilla going to assign a CVE to this issue, or should we?
Flags: needinfo?(dveditz)
Comment 9•7 years ago
We have assigned CVE-2017-7502 to this issue.
Updated•7 years ago
Flags: needinfo?(dveditz)
Updated•7 years ago
Alias: CVE-2017-7502
Updated•5 years ago
Group: core-security-release