Closed Bug 1360778 Opened 4 years ago Closed 1 year ago

ASAN: heap-buffer-overflow (write of size 65544) in __hash_open (lib/dbm/src/hash.c:241)

Component: NSS :: Tools (defect, P3)
Tracking: Not tracked
Status: RESOLVED WONTFIX
People: Reporter geeknik; Unassigned
Keywords: sec-other
Attachments: 2 files

Attached file cert8.db
Triggered with changeset 13315:769f9ae07b10. Built with afl-clang-fast on Debian 8 x64 (CC=afl-clang-fast CXX=afl-clang-fast++ AFL_USE_ASAN=1 USE_64=1 make nss_build_all).

Run ./certutil -U -d . with the attached cert8.db.

==3003==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61700000fba8 at pc 0x000000490903 bp 0x7ffcbafd0450 sp 0x7ffcbafcfc10
WRITE of size 65544 at 0x61700000fba8 thread T0
    #0 0x490902 in __asan_memset (/root/nss/cmd/certutil/Linux3.16_x86_64_clang_glibc_PTH_64_DBG.OBJ/certutil+0x490902)
    #1 0x7f63c21331ae in __hash_open /root/nss/lib/dbm/src/hash.c:241:15
    #2 0x7f63c212f9fe in dbopen /root/nss/lib/dbm/src/db.c:103:25
    #3 0x7f63c20c398e in dbsopen /root/nss/lib/softoken/legacydb/dbmshim.c:515:10
    #4 0x7f63c211257f in nsslowcert_OpenPermCertDB /root/nss/lib/softoken/legacydb/pcertdb.c:4086:30
    #5 0x7f63c211257f in nsslowcert_OpenCertDB /root/nss/lib/softoken/legacydb/pcertdb.c:4587
    #6 0x7f63c20f9eb6 in lg_OpenCertDB /root/nss/lib/softoken/legacydb/lginit.c:365:10
    #7 0x7f63c20f9eb6 in legacy_Open /root/nss/lib/softoken/legacydb/lginit.c:609
    #8 0x7f63c2af44c3 in sftkdbCall_open /root/nss/lib/softoken/lgglue.c:306:12
    #9 0x7f63c2b8ca2e in sftk_DBInit /root/nss/lib/softoken/sftkdb.c:2584:19
    #10 0x7f63c2b0a990 in SFTK_SlotReInit /root/nss/lib/softoken/pkcs11.c:2484:15
    #11 0x7f63c2b0c14c in SFTK_SlotInit /root/nss/lib/softoken/pkcs11.c:2600:11
    #12 0x7f63c2b0f737 in nsc_CommonInitialize /root/nss/lib/softoken/pkcs11.c:3052:19
    #13 0x7f63c2b101c8 in NSC_Initialize /root/nss/lib/softoken/pkcs11.c:3115:11
    #14 0x7f63c634bc1a in secmod_ModuleInit /root/nss/lib/pk11wrap/pk11load.c:245:11
    #15 0x7f63c634da61 in secmod_LoadPKCS11Module /root/nss/lib/pk11wrap/pk11load.c:504:10
    #16 0x7f63c63819de in SECMOD_LoadModule /root/nss/lib/pk11wrap/pk11pars.c:1672:10
    #17 0x7f63c6381d47 in SECMOD_LoadModule /root/nss/lib/pk11wrap/pk11pars.c:1707:25
    #18 0x7f63c629ef00 in nss_InitModules /root/nss/lib/nss/nssinit.c:464:18
    #19 0x7f63c629ef00 in nss_Init /root/nss/lib/nss/nssinit.c:689
    #20 0x7f63c62a00a1 in NSS_Initialize /root/nss/lib/nss/nssinit.c:889:12
    #21 0x4ddd8d in certutil_main /root/nss/cmd/certutil/certutil.c:2986:18
    #22 0x4db7b3 in main /root/nss/cmd/certutil/certutil.c:3703:14
    #23 0x7f63c5a77b44 in __libc_start_main /build/glibc-qK83Be/glibc-2.19/csu/libc-start.c:287
    #24 0x4c500c in _start (/root/nss/cmd/certutil/Linux3.16_x86_64_clang_glibc_PTH_64_DBG.OBJ/certutil+0x4c500c)

0x61700000fba8 is located 0 bytes to the right of 680-byte region [0x61700000f900,0x61700000fba8)
allocated by thread T0 here:
    #0 0x4a7ae0 in calloc (/root/nss/cmd/certutil/Linux3.16_x86_64_clang_glibc_PTH_64_DBG.OBJ/certutil+0x4a7ae0)
    #1 0x7f63c212fcce in __hash_open /root/nss/lib/dbm/src/hash.c:155:27
    #2 0x7f63c212f9fe in dbopen /root/nss/lib/dbm/src/db.c:103:25

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memset
Shadow bytes around the buggy address:
  0x0c2e7fff9f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff9f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff9f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff9f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e7fff9f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2e7fff9f70: 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff9f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fff9fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fff9fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fff9fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==3003==ABORTING
Flags: sec-bounty?
If I deploy the cert8.db in this report to a clean Firefox profile (ASAN Nightly build ID 20170429194033), the following crash happens. I assume it will be similar with #1360779 and #1360782.

==122288==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x617000053fa8 at pc 0x0000004a477b bp 0x7ffeb8f0aa90 sp 0x7ffeb8f0a240
WRITE of size 65544 at 0x617000053fa8 thread T0
    #0 0x4a477a in __asan_memset /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:430:3
    #1 0x7f42da0fa42a in __hash_open /home/worker/workspace/build/src/security/nss/lib/dbm/src/hash.c:241:15
    #2 0x7f42da102931 in dbsopen /home/worker/workspace/build/src/security/nss/lib/softoken/legacydb/dbmshim.c:515:10
    #3 0x7f42da12cdcb in nsslowcert_OpenPermCertDB /home/worker/workspace/build/src/security/nss/lib/softoken/legacydb/pcertdb.c:4086:30
    #4 0x7f42da12cdcb in nsslowcert_OpenCertDB /home/worker/workspace/build/src/security/nss/lib/softoken/legacydb/pcertdb.c:4587
    #5 0x7f42da1213d7 in lg_OpenCertDB /home/worker/workspace/build/src/security/nss/lib/softoken/legacydb/lginit.c:365:10
    #6 0x7f42da1213d7 in legacy_Open /home/worker/workspace/build/src/security/nss/lib/softoken/legacydb/lginit.c:609
    #7 0x7f42da3b8797 in sftk_DBInit /home/worker/workspace/build/src/security/nss/lib/softoken/sftkdb.c:2584:19
    #8 0x7f42da3733f2 in SFTK_SlotReInit /home/worker/workspace/build/src/security/nss/lib/softoken/pkcs11.c:2484:15
    #9 0x7f42da3741ac in SFTK_SlotInit /home/worker/workspace/build/src/security/nss/lib/softoken/pkcs11.c:2600:11
    #10 0x7f42da376257 in nsc_CommonInitialize /home/worker/workspace/build/src/security/nss/lib/softoken/pkcs11.c:3052:19
    #11 0x7f42da3769cd in NSC_Initialize /home/worker/workspace/build/src/security/nss/lib/softoken/pkcs11.c:3115:11
    #12 0x7f42ffeb42e2 in secmod_ModuleInit /home/worker/workspace/build/src/security/nss/lib/pk11wrap/pk11load.c:245:11
    #13 0x7f42ffeb53fc in secmod_LoadPKCS11Module /home/worker/workspace/build/src/security/nss/lib/pk11wrap/pk11load.c:504:10
    #14 0x7f42ffed12c8 in SECMOD_LoadModule /home/worker/workspace/build/src/security/nss/lib/pk11wrap/pk11pars.c:1672:10
    #15 0x7f42ffed1436 in SECMOD_LoadModule /home/worker/workspace/build/src/security/nss/lib/pk11wrap/pk11pars.c:1707:25
    #16 0x7f42ffe5f93a in nss_InitModules /home/worker/workspace/build/src/security/nss/lib/nss/nssinit.c:464:18
    #17 0x7f42ffe5f93a in nss_Init /home/worker/workspace/build/src/security/nss/lib/nss/nssinit.c:689
    #18 0x7f42ffe600b4 in NSS_Initialize /home/worker/workspace/build/src/security/nss/lib/nss/nssinit.c:889:12
    #19 0x7f42f24ddfec in InitializeNSSWithFallbacks /home/worker/workspace/build/src/security/manager/ssl/nsNSSComponent.cpp:1750:19
    #20 0x7f42f24ddfec in nsNSSComponent::InitializeNSS() /home/worker/workspace/build/src/security/manager/ssl/nsNSSComponent.cpp:1860
    #21 0x7f42f24e089a in nsNSSComponent::Init() /home/worker/workspace/build/src/security/manager/ssl/nsNSSComponent.cpp:2037:8
    #22 0x7f42f25154a8 in (anonymous namespace)::nsNSSComponentConstructor(nsISupports*, nsID const&, void**) /home/worker/workspace/build/src/security/manager/ssl/nsNSSModule.cpp:134:1
    #23 0x7f42e952b3f1 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /home/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1104:19
    #24 0x7f42e952299e in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /home/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1460:10
    #25 0x7f42e9530e31 in CallGetService /home/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:67:43
    #26 0x7f42e9530e31 in nsGetServiceByContractID::operator()(nsID const&, void**) const /home/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:280
    #27 0x7f42e9407fc3 in nsCOMPtr_base::assign_from_gs_contractid(nsGetServiceByContractID, nsID const&) /home/worker/workspace/build/src/xpcom/base/nsCOMPtr.cpp:95:7
    #28 0x7f42f24d6daf in nsCOMPtr /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:890:5
    #29 0x7f42f24d6daf in EnsureNSSInitializedChromeOrContent() /home/worker/workspace/build/src/security/manager/ssl/nsNSSComponent.cpp:111
    #30 0x7f42f2516069 in nsresult mozilla::psm::Constructor<nsNSSCertificateDB, (nsresult (nsNSSCertificateDB::*)())0, (mozilla::psm::ProcessRestriction)0, (mozilla::psm::ThreadRestriction)1>(nsISupports*, nsID const&, void**) /home/worker/workspace/build/src/security/manager/ssl/nsNSSModule.cpp:96:8
    #31 0x7f42e952af93 in nsComponentManagerImpl::CreateInstance(nsID const&, nsISupports*, nsID const&, void**) /home/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1021:19
    #32 0x7f42e9521c93 in nsComponentManagerImpl::GetService(nsID const&, nsID const&, void**) /home/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1264:10
    #33 0x7f42eabb120e in nsJSCID::GetService(JS::Handle<JS::Value>, JSContext*, unsigned char, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/xpconnect/src/XPCJSID.cpp:695:18
    #34 0x7f42e9588991 in NS_InvokeByIndex /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:129
    #35 0x7f42eac1ff4b in Invoke /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
    #36 0x7f42eac1ff4b in Call /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315
    #37 0x7f42eac1ff4b in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282
    #38 0x7f42eac2702f in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:982:12
    #39 0x7f42f2fc7123 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #40 0x7f42f2fc7123 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
    #41 0x7f42f2fafccf in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
    #42 0x7f42f2fafccf in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3025
    #43 0x7f42f2f95c28 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
    #44 0x7f42f2fc9637 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:699:15
    #45 0x7f42f2fc9ea2 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:731:12
    #46 0x7f42f396d2b7 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /home/worker/workspace/build/src/js/src/jsapi.cpp:4550:12
    #47 0x7f42eab2c2bf in mozJSComponentLoader::ObjectForLocation(ComponentLoaderInfo&, nsIFile*, JS::MutableHandle<JSObject*>, JS::MutableHandle<JSScript*>, char**, bool, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/xpconnect/loader/mozJSComponentLoader.cpp:893:18
    #48 0x7f42eab3159b in mozJSComponentLoader::ImportInto(nsACString const&, JS::Handle<JSObject*>, JSContext*, JS::MutableHandle<JSObject*>) /home/worker/workspace/build/src/js/xpconnect/loader/mozJSComponentLoader.cpp:1124:14
    #49 0x7f42eab2ff65 in mozJSComponentLoader::Import(nsACString const&, JS::Handle<JS::Value>, JSContext*, unsigned char, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/xpconnect/loader/mozJSComponentLoader.cpp:1000:19
    #50 0x7f42eab7b981 in nsXPCComponents_Utils::Import(nsACString const&, JS::Handle<JS::Value>, JSContext*, unsigned char, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/xpconnect/src/XPCComponents.cpp:2504:26
    #51 0x7f42e9588991 in NS_InvokeByIndex /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:129
    #52 0x7f42eac1ff4b in Invoke /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
    #53 0x7f42eac1ff4b in Call /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315
    #54 0x7f42eac1ff4b in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282
    #55 0x7f42eac2702f in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:982:12
    #56 0x7f42f2fc7123 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #57 0x7f42f2fc7123 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
    #58 0x7f42f2fafccf in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
    #59 0x7f42f2fafccf in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3025
    #60 0x7f42f2f95c28 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
    #61 0x7f42f2fc72a8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:488:15
    #62 0x7f42f2fafccf in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
    #63 0x7f42f2fafccf in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3025
    #64 0x7f42f2f95c28 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
    #65 0x7f42f2fc72a8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:488:15
    #66 0x7f42f2fc7ad2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
    #67 0x7f42f3bf874e in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
    #68 0x7f42f3bae764 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:353:23
    #69 0x7f42f3bd8ec3 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:479:21
    #70 0x7f42f3bdb897 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:739:12
    #71 0x7f42f2fc7473 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #72 0x7f42f2fc7473 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:452
    #73 0x7f42f2fafccf in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
    #74 0x7f42f2fafccf in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3025
    #75 0x7f42f2f95c28 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
    #76 0x7f42f2fc72a8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:488:15
    #77 0x7f42f2fc7ad2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
    #78 0x7f42f395a973 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2832:12
    #79 0x7f42eac08553 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:1214:23
    #80 0x7f42e958a07a in PrepareAndDispatch /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:120:28
    #81 0x7f42e9589056 in SharedStub (/home/geeknik/firefox/libxul.so+0x20e3056)
    #82 0x7f42f2b27f60 in nsXREDirProvider::DoStartup() /home/worker/workspace/build/src/toolkit/xre/nsXREDirProvider.cpp:1159:11
    #83 0x7f42f2b06120 in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4376:16
    #84 0x7f42f2b085ca in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4720:8
    #85 0x7f42f2b097bc in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4813:21
    #86 0x4eb3c3 in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22
    #87 0x4eb3c3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:307
    #88 0x7f43030eeb44 in __libc_start_main /build/glibc-qK83Be/glibc-2.19/csu/libc-start.c:287
    #89 0x41cf18 in _start (/home/geeknik/firefox/firefox+0x41cf18)

0x617000053fa8 is located 0 bytes to the right of 680-byte region [0x617000053d00,0x617000053fa8)
allocated by thread T0 here:
    #0 0x4bb983 in calloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:72:3
    #1 0x7f42da0f8b18 in __hash_open /home/worker/workspace/build/src/security/nss/lib/dbm/src/hash.c:155:27
    #2 0x7f42da102931 in dbsopen /home/worker/workspace/build/src/security/nss/lib/softoken/legacydb/dbmshim.c:515:10
    #3 0x7f42da12cdcb in nsslowcert_OpenPermCertDB /home/worker/workspace/build/src/security/nss/lib/softoken/legacydb/pcertdb.c:4086:30
    #4 0x7f42da12cdcb in nsslowcert_OpenCertDB /home/worker/workspace/build/src/security/nss/lib/softoken/legacydb/pcertdb.c:4587
    #5 0x7f42da1213d7 in lg_OpenCertDB /home/worker/workspace/build/src/security/nss/lib/softoken/legacydb/lginit.c:365:10
    #6 0x7f42da1213d7 in legacy_Open /home/worker/workspace/build/src/security/nss/lib/softoken/legacydb/lginit.c:609
    #7 0x7f42da3b8797 in sftk_DBInit /home/worker/workspace/build/src/security/nss/lib/softoken/sftkdb.c:2584:19
    #8 0x7f42da3733f2 in SFTK_SlotReInit /home/worker/workspace/build/src/security/nss/lib/softoken/pkcs11.c:2484:15
    #9 0x7f42da3741ac in SFTK_SlotInit /home/worker/workspace/build/src/security/nss/lib/softoken/pkcs11.c:2600:11
    #10 0x7f42da376257 in nsc_CommonInitialize /home/worker/workspace/build/src/security/nss/lib/softoken/pkcs11.c:3052:19
    #11 0x7f42da3769cd in NSC_Initialize /home/worker/workspace/build/src/security/nss/lib/softoken/pkcs11.c:3115:11
    #12 0x7f42ffeb42e2 in secmod_ModuleInit /home/worker/workspace/build/src/security/nss/lib/pk11wrap/pk11load.c:245:11
    #13 0x7f42ffeb53fc in secmod_LoadPKCS11Module /home/worker/workspace/build/src/security/nss/lib/pk11wrap/pk11load.c:504:10
    #14 0x7f42ffed12c8 in SECMOD_LoadModule /home/worker/workspace/build/src/security/nss/lib/pk11wrap/pk11pars.c:1672:10
    #15 0x7f42ffed1436 in SECMOD_LoadModule /home/worker/workspace/build/src/security/nss/lib/pk11wrap/pk11pars.c:1707:25
    #16 0x7f42ffe5f93a in nss_InitModules /home/worker/workspace/build/src/security/nss/lib/nss/nssinit.c:464:18
    #17 0x7f42ffe5f93a in nss_Init /home/worker/workspace/build/src/security/nss/lib/nss/nssinit.c:689
    #18 0x7f42ffe600b4 in NSS_Initialize /home/worker/workspace/build/src/security/nss/lib/nss/nssinit.c:889:12
    #19 0x7f42f24ddfec in InitializeNSSWithFallbacks /home/worker/workspace/build/src/security/manager/ssl/nsNSSComponent.cpp:1750:19
    #20 0x7f42f24ddfec in nsNSSComponent::InitializeNSS() /home/worker/workspace/build/src/security/manager/ssl/nsNSSComponent.cpp:1860
    #21 0x7f42f24e089a in nsNSSComponent::Init() /home/worker/workspace/build/src/security/manager/ssl/nsNSSComponent.cpp:2037:8
    #22 0x7f42f25154a8 in (anonymous namespace)::nsNSSComponentConstructor(nsISupports*, nsID const&, void**) /home/worker/workspace/build/src/security/manager/ssl/nsNSSModule.cpp:134:1
    #23 0x7f42e952b3f1 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /home/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1104:19
    #24 0x7f42e952299e in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /home/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1460:10
    #25 0x7f42e9530e31 in CallGetService /home/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:67:43
    #26 0x7f42e9530e31 in nsGetServiceByContractID::operator()(nsID const&, void**) const /home/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:280
    #27 0x7f42e9407fc3 in nsCOMPtr_base::assign_from_gs_contractid(nsGetServiceByContractID, nsID const&) /home/worker/workspace/build/src/xpcom/base/nsCOMPtr.cpp:95:7
    #28 0x7f42f24d6daf in nsCOMPtr /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:890:5
    #29 0x7f42f24d6daf in EnsureNSSInitializedChromeOrContent() /home/worker/workspace/build/src/security/manager/ssl/nsNSSComponent.cpp:111
    #30 0x7f42f2516069 in nsresult mozilla::psm::Constructor<nsNSSCertificateDB, (nsresult (nsNSSCertificateDB::*)())0, (mozilla::psm::ProcessRestriction)0, (mozilla::psm::ThreadRestriction)1>(nsISupports*, nsID const&, void**) /home/worker/workspace/build/src/security/manager/ssl/nsNSSModule.cpp:96:8
    #31 0x7f42e952af93 in nsComponentManagerImpl::CreateInstance(nsID const&, nsISupports*, nsID const&, void**) /home/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1021:19
    #32 0x7f42e9521c93 in nsComponentManagerImpl::GetService(nsID const&, nsID const&, void**) /home/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1264:10
    #33 0x7f42eabb120e in nsJSCID::GetService(JS::Handle<JS::Value>, JSContext*, unsigned char, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/xpconnect/src/XPCJSID.cpp:695:18
    #34 0x7f42e9588991 in NS_InvokeByIndex /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:129
    #35 0x7f42eac1ff4b in Invoke /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
    #36 0x7f42eac1ff4b in Call /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315
    #37 0x7f42eac1ff4b in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:430:3 in __asan_memset
Shadow bytes around the buggy address:
  0x0c2e800027a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e800027b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e800027c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e800027d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e800027e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2e800027f0: 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa
  0x0c2e80002800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e80002810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e80002820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e80002830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e80002840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==122288==ABORTING
This cert8.db specimen triggers a different memory error but with a similar stack.

==4335==ERROR: AddressSanitizer: negative-size-param: (size=-109120)
    #0 0x490980 in __asan_memset (/root/nss/cmd/certutil/Linux3.16_x86_64_clang_glibc_PTH_64_DBG.OBJ/certutil+0x490980)
    #1 0x7fa6c52bc1ae in __hash_open /root/nss/lib/dbm/src/hash.c:241:15
    #2 0x7fa6c52b89fe in dbopen /root/nss/lib/dbm/src/db.c:103:25
    #3 0x7fa6c524c98e in dbsopen /root/nss/lib/softoken/legacydb/dbmshim.c:515:10
    #4 0x7fa6c529b57f in nsslowcert_OpenPermCertDB /root/nss/lib/softoken/legacydb/pcertdb.c:4086:30
    #5 0x7fa6c529b57f in nsslowcert_OpenCertDB /root/nss/lib/softoken/legacydb/pcertdb.c:4587
    #6 0x7fa6c5282eb6 in lg_OpenCertDB /root/nss/lib/softoken/legacydb/lginit.c:365:10
    #7 0x7fa6c5282eb6 in legacy_Open /root/nss/lib/softoken/legacydb/lginit.c:609
    #8 0x7fa6c5c7d4c3 in sftkdbCall_open /root/nss/lib/softoken/lgglue.c:306:12
    #9 0x7fa6c5d15a2e in sftk_DBInit /root/nss/lib/softoken/sftkdb.c:2584:19
    #10 0x7fa6c5c93990 in SFTK_SlotReInit /root/nss/lib/softoken/pkcs11.c:2484:15
    #11 0x7fa6c5c9514c in SFTK_SlotInit /root/nss/lib/softoken/pkcs11.c:2600:11
    #12 0x7fa6c5c98737 in nsc_CommonInitialize /root/nss/lib/softoken/pkcs11.c:3052:19
    #13 0x7fa6c5c991c8 in NSC_Initialize /root/nss/lib/softoken/pkcs11.c:3115:11
    #14 0x7fa6c94d4c1a in secmod_ModuleInit /root/nss/lib/pk11wrap/pk11load.c:245:11
    #15 0x7fa6c94d6a61 in secmod_LoadPKCS11Module /root/nss/lib/pk11wrap/pk11load.c:504:10
    #16 0x7fa6c950a9de in SECMOD_LoadModule /root/nss/lib/pk11wrap/pk11pars.c:1672:10
    #17 0x7fa6c950ad47 in SECMOD_LoadModule /root/nss/lib/pk11wrap/pk11pars.c:1707:25
    #18 0x7fa6c9427f00 in nss_InitModules /root/nss/lib/nss/nssinit.c:464:18
    #19 0x7fa6c9427f00 in nss_Init /root/nss/lib/nss/nssinit.c:689
    #20 0x7fa6c94290a1 in NSS_Initialize /root/nss/lib/nss/nssinit.c:889:12
    #21 0x4ddd8d in certutil_main /root/nss/cmd/certutil/certutil.c:2986:18
    #22 0x4db7b3 in main /root/nss/cmd/certutil/certutil.c:3703:14
    #23 0x7fa6c8c00b44 in __libc_start_main /build/glibc-qK83Be/glibc-2.19/csu/libc-start.c:287
    #24 0x4c500c in _start (/root/nss/cmd/certutil/Linux3.16_x86_64_clang_glibc_PTH_64_DBG.OBJ/certutil+0x4c500c)

0x61700000fa58 is located 344 bytes inside of 680-byte region [0x61700000f900,0x61700000fba8)
allocated by thread T0 here:
    #0 0x4a7ae0 in calloc (/root/nss/cmd/certutil/Linux3.16_x86_64_clang_glibc_PTH_64_DBG.OBJ/certutil+0x4a7ae0)
    #1 0x7fa6c52b8cce in __hash_open /root/nss/lib/dbm/src/hash.c:155:27
    #2 0x7fa6c52b89fe in dbopen /root/nss/lib/dbm/src/db.c:103:25

SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memset
==4335==ABORTING
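All three traces above end in the same memset inside __hash_open: twice as a 65544-byte write past the 680-byte table that calloc returned at hash.c:155, once with a negative size of -109120. As an added example (not libnssdbm's code), the C model below carries out the header-derived bitmap-page count in the signed 32-bit form the legacy code uses, beside a bounds-checked version that rejects the header before anything is memset; the field names (bsize, bshift, ovfl_point, spares), the NCACHED slot count and the formula follow the Berkeley DB 1.85 hash header that libnssdbm descends from, and the page-size bounds are assumptions.

```c
/* Standalone model, NOT libnssdbm source. Field names and the bitmap-page formula
 * follow the Berkeley DB 1.85 hash header that libnssdbm descends from (assumption);
 * the page-size limits are assumptions as well. Build: cc -std=c99 -Wall model.c */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NCACHED    32   /* bitmap pointer slots in the in-memory table */
#define BYTE_SHIFT 3    /* log2(bits per byte) */
#define MIN_BSHIFT 9    /* 512-byte pages (assumed lower bound) */
#define MAX_BSHIFT 16   /* 64 KiB pages (assumed upper bound) */

/* On-disk header fields that feed the bitmap-page computation. */
typedef struct {
    int32_t bsize;            /* bucket (page) size in bytes */
    int32_t bshift;           /* log2(bsize) */
    int32_t ovfl_point;       /* index into spares[] */
    int32_t spares[NCACHED];  /* overflow pages allocated per split point */
} hash_hdr;

/* In-memory table; the legacy path memsets mapp[] with a header-derived count. */
typedef struct {
    int32_t   nmaps;
    uint32_t *mapp[NCACHED];
} htab_model;

typedef enum {
    HDR_OK = 0,
    HDR_BAD_BSIZE,         /* bsize/bshift inconsistent or out of range */
    HDR_BAD_OVFL_POINT,    /* spares[] index out of bounds */
    HDR_NEGATIVE_SPARES,   /* would drive the page count negative */
    HDR_TOO_MANY_BITMAPS   /* page count exceeds the NCACHED slots */
} hdr_status;

/* The unchecked arithmetic in 32-bit signed form, so both ASAN outcomes are
 * visible: a count far above NCACHED (heap-buffer-overflow) and a negative
 * count (negative-size-param once multiplied by sizeof(pointer)). */
static int64_t legacy_bpages(const hash_hdr *h)
{
    if (h->ovfl_point < 0 || h->ovfl_point >= NCACHED)
        return 0;  /* refused only so the model itself stays well defined */
    int32_t num = h->spares[h->ovfl_point] + (h->bsize << BYTE_SHIFT) - 1;
    return num >> (h->bshift + BYTE_SHIFT);  /* arithmetic shift on gcc/clang */
}

/* Hardened version: every field is bounded before it reaches size arithmetic. */
static hdr_status validate_hdr(const hash_hdr *h, size_t *bpages_out)
{
    if (h->bshift < MIN_BSHIFT || h->bshift > MAX_BSHIFT ||
        h->bsize != ((int32_t)1 << h->bshift))
        return HDR_BAD_BSIZE;
    if (h->ovfl_point < 0 || h->ovfl_point >= NCACHED) return HDR_BAD_OVFL_POINT;
    int64_t spares = h->spares[h->ovfl_point];
    if (spares < 0) return HDR_NEGATIVE_SPARES;
    int64_t bits_per_page = (int64_t)h->bsize << BYTE_SHIFT;  /* 64-bit: no wrap */
    int64_t bpages = (spares + bits_per_page - 1) / bits_per_page;
    if (bpages > NCACHED) return HDR_TOO_MANY_BITMAPS;
    if (bpages_out) *bpages_out = (size_t)bpages;
    return HDR_OK;
}

/* Touches mapp[] only after the count is known to fit inside the struct. */
static hdr_status init_bitmap_slots(htab_model *t, const hash_hdr *h)
{
    size_t bpages;
    hdr_status st = validate_hdr(h, &bpages);
    if (st != HDR_OK) return st;
    t->nmaps = (int32_t)bpages;
    memset(t->mapp, 0, bpages * sizeof(t->mapp[0]));  /* bpages <= NCACHED */
    return HDR_OK;
}

/* Constructed headers, not the attached cert8.db: the first two yield the 8193- and
 * -13640-page counts behind the 65544- and -109120-byte sizes in the traces (LP64
 * pointers); the third is sane; the fourth has a bshift that does not match bsize. */
static const hash_hdr HDR_OVERFLOW = { 512,  9,  0, { 33554433 } };
static const hash_hdr HDR_NEGATIVE = { 512,  9,  0, { -55873535 } };
static const hash_hdr HDR_SANE     = { 4096, 12, 0, { 1 } };
static const hash_hdr HDR_MISMATCH = { 4096, 11, 0, { 1 } };

int main(void)
{
    const hash_hdr *hdrs[] = { &HDR_OVERFLOW, &HDR_NEGATIVE, &HDR_SANE, &HDR_MISMATCH };
    for (size_t i = 0; i < 4; i++)
        printf("legacy memset size %lld bytes, hardened verdict %d\n",
               (long long)(legacy_bpages(hdrs[i]) * (int64_t)sizeof(uint32_t *)),
               (int)init_bitmap_slots(&(htab_model){ 0 }, hdrs[i]));
    return 0;
}
```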
See Also: → 783994
Unless you can cause the creation of a corrupted cert8.db from remote content, this isn't really a vulnerability in Firefox. Leaving hidden because maybe it is for other NSS applications.
Keywords: sec-other
Flags: sec-bounty? → sec-bounty-
Assigned CVE-2017-11696.
(In reply to Brian Carpenter [:geeknik] from comment #4)
> Assigned CVE-2017-11696.

Assigned by whom?
How did you create the attached cert8.db?

I’m sorry this bug didn’t get suitable, timely attention, nor follow-up. This CVE was not tracked in Mozilla’s lists (since the CVE wasn’t allocated by us), and both age and turnover in the NSS team led to it being dropped.

This bug and its peers from the 9 Aug 2017 disclosure [0] are all in libnssdbm, which has been replaced by a SQLite datastore, starting in NSS 3.12 in 2008 [1]. In 2018, Firefox 60 and NSS 3.35 made SQLite the default [2], and in Bug 1594931 (Firefox 73) and Bug 1594933 (NSS 3.49) we will stop building this legacy database by default [3][4].

These bugs are real and easily demonstrated, but require local modification of the profile directory, and thus are difficult to exploit widely. The underlying causes are deep within DBM, which was legacy ndbm code even back unto the first commits of NSS in Netscape. Fixing these issues is effectively fixing structural problems with the serialization layer of ndbm from the early 1990s. Unfortunately, these bugs are not shallow. The solution is to move to the SQLite format and leave this deprecated, legacy code until we can remove it entirely in the early 2020s.

For that reason, I am closing this and its peer bugs as WONTFIX. As [0] already disclosed the bugs, I am going to open them up as well to explain this publicly.

[0] https://seclists.org/fulldisclosure/2017/Aug/17
[1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.12_release_notes.html
[2] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.35_release_notes
[3] https://groups.google.com/d/msg/mozilla.dev.security/n5VNRpGwRIQ/Kr6_S34ZAQAJ
[4] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.48_release_notes

Group: crypto-core-security
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WONTFIX