Closed Bug 1360779 Opened 8 years ago Closed 5 years ago

ASAN: heap-buffer-overflow (write of size 2) in __get_page (lib/dbm/src/h_page.c:704)

Categories

(NSS :: Tools, defect, P3)

x86_64
Linux
defect

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: geeknik, Unassigned)

References

Details

(Keywords: reporter-external, sec-other)

Attachments

(1 file)

Attached file cert8.db
Triggered with changeset 13315:769f9ae07b10. Built with afl-clang-fast on Debian 8 x64 (CC=afl-clang-fast CXX=afl-clang-fast++ AFL_USE_ASAN=1 USE_64=1 make nss_build_all). Run ./certutil -U -d . with the attached cert8.db.

==15793==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e830 at pc 0x7fd39453c482 bp 0x7ffe3eda87f0 sp 0x7ffe3eda87e8
WRITE of size 2 at 0x60200000e830 thread T0
    #0 0x7fd39453c481 in __get_page /root/nss/lib/dbm/src/h_page.c:704:9
    #1 0x7fd39452fdbc in __get_buf /root/nss/lib/dbm/src/hash_buf.c:143:13
    #2 0x7fd39452b795 in hash_access /root/nss/lib/dbm/src/hash.c:781:13
    #3 0x7fd394528cd8 in hash_get /root/nss/lib/dbm/src/hash.c:672:10
    #4 0x7fd3944b8d8e in dbs_get /root/nss/lib/softoken/legacydb/dbmshim.c:331:11
    #5 0x7fd3945001a7 in certdb_Get /root/nss/lib/softoken/legacydb/pcertdb.c:233:11
    #6 0x7fd3945001a7 in ReadDBEntry /root/nss/lib/softoken/legacydb/pcertdb.c:467
    #7 0x7fd3945195a8 in ReadDBVersionEntry /root/nss/lib/softoken/legacydb/pcertdb.c:2869:10
    #8 0x7fd3945195a8 in nsslowcert_GetVersionNumber /root/nss/lib/softoken/legacydb/pcertdb.c:4050
    #9 0x7fd394507612 in nsslowcert_OpenPermCertDB /root/nss/lib/softoken/legacydb/pcertdb.c:4091:19
    #10 0x7fd394507612 in nsslowcert_OpenCertDB /root/nss/lib/softoken/legacydb/pcertdb.c:4587
    #11 0x7fd3944eeeb6 in lg_OpenCertDB /root/nss/lib/softoken/legacydb/lginit.c:365:10
    #12 0x7fd3944eeeb6 in legacy_Open /root/nss/lib/softoken/legacydb/lginit.c:609
    #13 0x7fd3947704c3 in sftkdbCall_open /root/nss/lib/softoken/lgglue.c:306:12
    #14 0x7fd394808a2e in sftk_DBInit /root/nss/lib/softoken/sftkdb.c:2584:19
    #15 0x7fd394786990 in SFTK_SlotReInit /root/nss/lib/softoken/pkcs11.c:2484:15
    #16 0x7fd39478814c in SFTK_SlotInit /root/nss/lib/softoken/pkcs11.c:2600:11
    #17 0x7fd39478b737 in nsc_CommonInitialize /root/nss/lib/softoken/pkcs11.c:3052:19
    #18 0x7fd39478c1c8 in NSC_Initialize /root/nss/lib/softoken/pkcs11.c:3115:11
    #19 0x7fd397fc7c1a in secmod_ModuleInit /root/nss/lib/pk11wrap/pk11load.c:245:11
    #20 0x7fd397fc9a61 in secmod_LoadPKCS11Module /root/nss/lib/pk11wrap/pk11load.c:504:10
    #21 0x7fd397ffd9de in SECMOD_LoadModule /root/nss/lib/pk11wrap/pk11pars.c:1672:10
    #22 0x7fd397ffdd47 in SECMOD_LoadModule /root/nss/lib/pk11wrap/pk11pars.c:1707:25
    #23 0x7fd397f1af00 in nss_InitModules /root/nss/lib/nss/nssinit.c:464:18
    #24 0x7fd397f1af00 in nss_Init /root/nss/lib/nss/nssinit.c:689
    #25 0x7fd397f1c0a1 in NSS_Initialize /root/nss/lib/nss/nssinit.c:889:12
    #26 0x4ddd8d in certutil_main /root/nss/cmd/certutil/certutil.c:2986:18
    #27 0x4db7b3 in main /root/nss/cmd/certutil/certutil.c:3703:14
    #28 0x7fd3976f3b44 in __libc_start_main /build/glibc-qK83Be/glibc-2.19/csu/libc-start.c:287
    #29 0x4c500c in _start (/root/nss/cmd/certutil/Linux3.16_x86_64_clang_glibc_PTH_64_DBG.OBJ/certutil+0x4c500c)

0x60200000e831 is located 0 bytes to the right of 1-byte region [0x60200000e830,0x60200000e831)
allocated by thread T0 here:
    #0 0x4a798b in malloc (/root/nss/cmd/certutil/Linux3.16_x86_64_clang_glibc_PTH_64_DBG.OBJ/certutil+0x4a798b)
    #1 0x7fd39452efae in newbuf /root/nss/lib/dbm/src/hash_buf.c:214:33
    #2 0x7fd39452efae in __get_buf /root/nss/lib/dbm/src/hash_buf.c:140

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/nss/lib/dbm/src/h_page.c:704 __get_page
Shadow bytes around the buggy address:
==15793==ABORTING
Flags: sec-bounty?
See Also: → 783994
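As an added illustration (not NSS's h_page.c or any other NSS code), the following hypothetical ndbm-style page loader shows the hazard the ASAN trace records (a buffer sized from an on-disk field, here 1 byte, followed by a 2-byte write) together with the bounds checks that prevent it. The 512/65536 block-size range, the unconditional byte swap and the page layout (first 16-bit word is an entry count, followed by that many 16-bit offsets) are assumptions made for the example, and the 512-byte page image is constructed inline.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical ndbm-style page loader (not NSS's h_page.c): the page buffer
 * is sized by the on-disk header's block size and the page's first 16-bit
 * word is an entry count that drives further 16-bit writes. The trace above
 * shows the hazard this guards against: a 1-byte buffer and a 2-byte write. */
static uint16_t swap16(uint16_t v) { return (uint16_t)((v << 8) | (v >> 8)); }

/* Reject block sizes a corrupt header could supply; the range is assumed. */
int validate_bsize(uint32_t bsize)
{
    if (bsize < 512u || bsize > 65536u || (bsize & (bsize - 1))) return -1;
    return 0;   /* in range and a power of two */
}

/* Copy one page out of `image`, then byte-swap its count and offsets. Every
 * 16-bit write is checked against the buffer actually allocated. */
int load_page(const uint8_t *image, size_t image_len, uint32_t bsize, uint16_t **out)
{
    *out = NULL;
    if (validate_bsize(bsize) != 0 || bsize > image_len) return -1;
    uint16_t *bp = malloc(bsize);
    if (bp == NULL) return -1;
    memcpy(bp, image, bsize);
    uint16_t n = swap16(bp[0]);                 /* entry count, in file order */
    if ((size_t)n + 1 > bsize / sizeof(uint16_t)) { free(bp); return -1; }
    bp[0] = n;                                  /* n <= 32767 here, so i cannot wrap */
    for (uint16_t i = 1; i <= n; i++) bp[i] = swap16(bp[i]);
    *out = bp;
    return 0;
}

/* Self-check on a constructed 512-byte page with two entries (offsets 500, 480)
 * stored in the "other" byte order. Returns 1 when the loader behaves. */
int selfcheck(void)
{
    uint8_t image[512] = {0};
    uint16_t words[3] = { swap16(2), swap16(500), swap16(480) };
    uint16_t *page = NULL;
    memcpy(image, words, sizeof words);
    if (load_page(image, sizeof image, 1, &page) != -1) return 0;   /* tiny bsize */
    if (load_page(image, sizeof image, 512, &page) != 0) return 0;
    int ok = page[0] == 2 && page[1] == 500 && page[2] == 480;
    free(page);
    words[0] = swap16(300);                     /* 301 words do not fit in 512 bytes */
    memcpy(image, words, sizeof words);
    ok = ok && load_page(image, sizeof image, 512, &page) == -1;
    return ok;
}
```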
Unless you can cause the creation of a corrupted cert8.db from remote content this isn't really a vulnerability in Firefox. Leaving hidden because maybe it is for other NSS applications.
Keywords: sec-other
Flags: sec-bounty? → sec-bounty-
Assigned CVE-2017-11698.
(In reply to Brian Carpenter [:geeknik] from comment #2)
> Assigned CVE-2017-11698.

Assigned by whom?
How did you create the attached cert8.db ?
I took a valid cert8.db from a Firefox install and used it as a starting point for the AFL fuzzer which mutated and mangled it to the point where it caused multiple OOB reads and writes in the nss/lib/dbm code while being read by certutil.
and who gave you the CVEs you're putting in the bugs since they aren't Mozilla assigned CVEs?
Flags: needinfo?(geeknik)
Mitre.
Flags: needinfo?(geeknik)

I’m sorry this bug didn’t get suitable, timely attention, nor follow-up. This CVE was not tracked in Mozilla’s lists (since the CVE wasn’t allocated by us), and both age and turnover in the NSS team led to it being dropped.

This bug and its peers from the 9 Aug 2017 disclosure [0] are all in libnssdbm, which has been replaced by a SQLite datastore, starting in NSS 3.12 in 2008 [1]. In 2018, Firefox 60 and NSS 3.35 made SQLite the default [2], and in Bug 1594931 (Firefox 73) and Bug 1594933 (NSS 3.49) we will stop building this legacy database by default [3][4].

These bugs are real and easily demonstrated, but require local modification of the profile directory, and thus are difficult to exploit widely. The underlying causes are deep within DBM, which was legacy ndbm code even back unto the first commits of NSS in Netscape. Fixing these issues is effectively fixing structural problems with the serialization layer of ndbm from the early 1990s. Unfortunately, these bugs are not shallow. The solution is to move to the SQLite format and leave this deprecated, legacy code until we can remove it entirely in the early 2020s.

For that reason, I am closing this and its peer bugs as WONTFIX. As [0] already disclosed the bugs, I am going to open them up as well to explain this publicly.

[0] https://seclists.org/fulldisclosure/2017/Aug/17
[1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.12_release_notes.html
[2] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.35_release_notes
[3] https://groups.google.com/d/msg/mozilla.dev.security/n5VNRpGwRIQ/Kr6_S34ZAQAJ
[4] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.48_release_notes

Group: crypto-core-security
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX