Closed Bug 1360782 Opened 8 years ago Closed 5 years ago

ASAN: heap-buffer-overflow (write of size 8) in alloc_segs (lib/dbm/src/hash.c:1105)

Categories

(NSS :: Tools, defect, P3)

x86_64
Linux
defect

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: geeknik, Unassigned)

References

Details

(Keywords: reporter-external, sec-other)

Attachments

(1 file)

Attached file cert8.db
Triggered with changeset 13315:769f9ae07b10. Built with afl-clang-fast on Debian 8 x64 (CC=afl-clang-fast CXX=afl-clang-fast++ AFL_USE_ASAN=1 USE_64=1 make nss_build_all). Run ./certutil -U -d . with the attached cert8.db.

==1001==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001e880 at pc 0x7fc79b663536 bp 0x7ffff2dbb950 sp 0x7ffff2dbb948
WRITE of size 8 at 0x61d00001e880 thread T0
    #0 0x7fc79b663535 in alloc_segs /root/nss/lib/dbm/src/hash.c:1105:9
    #1 0x7fc79b663535 in __hash_open /root/nss/lib/dbm/src/hash.c:232
    #2 0x7fc79b65f9fe in dbopen /root/nss/lib/dbm/src/db.c:103:25
    #3 0x7fc79b5f398e in dbsopen /root/nss/lib/softoken/legacydb/dbmshim.c:515:10
    #4 0x7fc79b64257f in nsslowcert_OpenPermCertDB /root/nss/lib/softoken/legacydb/pcertdb.c:4086:30
    #5 0x7fc79b64257f in nsslowcert_OpenCertDB /root/nss/lib/softoken/legacydb/pcertdb.c:4587
    #6 0x7fc79b629eb6 in lg_OpenCertDB /root/nss/lib/softoken/legacydb/lginit.c:365:10
    #7 0x7fc79b629eb6 in legacy_Open /root/nss/lib/softoken/legacydb/lginit.c:609
    #8 0x7fc79d1524c3 in sftkdbCall_open /root/nss/lib/softoken/lgglue.c:306:12
    #9 0x7fc79d1eaa2e in sftk_DBInit /root/nss/lib/softoken/sftkdb.c:2584:19
    #10 0x7fc79d168990 in SFTK_SlotReInit /root/nss/lib/softoken/pkcs11.c:2484:15
    #11 0x7fc79d16a14c in SFTK_SlotInit /root/nss/lib/softoken/pkcs11.c:2600:11
    #12 0x7fc79d16d737 in nsc_CommonInitialize /root/nss/lib/softoken/pkcs11.c:3052:19
    #13 0x7fc79d16e1c8 in NSC_Initialize /root/nss/lib/softoken/pkcs11.c:3115:11
    #14 0x7fc7a09a9c1a in secmod_ModuleInit /root/nss/lib/pk11wrap/pk11load.c:245:11
    #15 0x7fc7a09aba61 in secmod_LoadPKCS11Module /root/nss/lib/pk11wrap/pk11load.c:504:10
    #16 0x7fc7a09df9de in SECMOD_LoadModule /root/nss/lib/pk11wrap/pk11pars.c:1672:10
    #17 0x7fc7a09dfd47 in SECMOD_LoadModule /root/nss/lib/pk11wrap/pk11pars.c:1707:25
    #18 0x7fc7a08fcf00 in nss_InitModules /root/nss/lib/nss/nssinit.c:464:18
    #19 0x7fc7a08fcf00 in nss_Init /root/nss/lib/nss/nssinit.c:689
    #20 0x7fc7a08fe0a1 in NSS_Initialize /root/nss/lib/nss/nssinit.c:889:12
    #21 0x4ddd8d in certutil_main /root/nss/cmd/certutil/certutil.c:2986:18
    #22 0x4db7b3 in main /root/nss/cmd/certutil/certutil.c:3703:14
    #23 0x7fc7a00d5b44 in __libc_start_main /build/glibc-qK83Be/glibc-2.19/csu/libc-start.c:287
    #24 0x4c500c in _start (/root/nss/cmd/certutil/Linux3.16_x86_64_clang_glibc_PTH_64_DBG.OBJ/certutil+0x4c500c)

0x61d00001e880 is located 0 bytes to the right of 2048-byte region [0x61d00001e080,0x61d00001e880)
allocated by thread T0 here:
    #0 0x4a7ae0 in calloc (/root/nss/cmd/certutil/Linux3.16_x86_64_clang_glibc_PTH_64_DBG.OBJ/certutil+0x4a7ae0)
    #1 0x7fc79b661c47 in alloc_segs /root/nss/lib/dbm/src/hash.c:1094:25
    #2 0x7fc79b661c47 in __hash_open /root/nss/lib/dbm/src/hash.c:232
    #3 0x7fc79b65f9fe in dbopen /root/nss/lib/dbm/src/db.c:103:25

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/nss/lib/dbm/src/hash.c:1105 alloc_segs
Shadow bytes around the buggy address:
  0x0c3a7fffbcc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbcf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a7fffbd10:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbd20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbd30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbd40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbd50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a7fffbd60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==1001==ABORTING
Flags: sec-bounty?
See Also: → 783994
Unless you can cause the creation of a corrupted cert8.db from remote content this isn't really a vulnerability in Firefox. Leaving hidden because maybe it is for other NSS applications.
Keywords: sec-other
Flags: sec-bounty? → sec-bounty-
Assigned CVE-2017-11695.
(In reply to Brian Carpenter [:geeknik] from comment #2)
> Assigned CVE-2017-11695.

Assigned by whom?

How did you create the attached cert8.db?

I’m sorry this bug didn’t get suitable, timely attention, nor follow-up. This CVE was not tracked in Mozilla’s lists (since the CVE wasn’t allocated by us), and both age and turnover in the NSS team led to it being dropped.

This bug and its peers from the 9 Aug 2017 disclosure [0] are all in libnssdbm, which has been replaced by a SQLite datastore, starting in NSS 3.12 in 2008 [1]. In 2018, Firefox 60 and NSS 3.35 made SQLite the default [2], and in Bug 1594931 (Firefox 73) and Bug 1594933 (NSS 3.49) we will stop building this legacy database by default [3][4].

These bugs are real and easily demonstrated, but require local modification of the profile directory, and thus are difficult to exploit widely. The underlying causes are deep within DBM, which was legacy ndbm code even back unto the first commits of NSS in Netscape. Fixing these issues is effectively fixing structural problems with the serialization layer of ndbm from the early 1990s. Unfortunately, these bugs are not shallow. The solution is to move to the SQLite format and leave this deprecated, legacy code until we can remove it entirely in the early 2020s.

For that reason, I am closing this and its peer bugs as WONTFIX. As [0] already disclosed the bugs, I am going to open them up as well to explain this publicly.

[0] https://seclists.org/fulldisclosure/2017/Aug/17
[1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.12_release_notes.html
[2] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.35_release_notes
[3] https://groups.google.com/d/msg/mozilla.dev.security/n5VNRpGwRIQ/Kr6_S34ZAQAJ
[4] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.48_release_notes

Group: crypto-core-security
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
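The report above shows an 8-byte write landing 0 bytes past a 2048-byte region that alloc_segs obtained from calloc, i.e. a store into slot 256 of a 256-slot pointer directory (2048 / 8), driven by header fields read from the corrupted cert8.db. As an added example that is not NSS's or ndbm's own code, the block below shows the header-consistency check a hardened version of that allocation step would perform before filling the directory; the field names dsize, sshift and nsegs, the 64-byte bucket, and the 1 << 20 plausibility limit are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Assumed layout (not NSS's own definitions): a segment is an array of
 * buckets; the directory is an array of segment pointers whose slot count
 * (dsize) and fill count (nsegs) both come from the on-disk header. */
typedef struct { uint8_t raw[64]; } bucket_t;
typedef bucket_t *segment_t;
typedef struct { segment_t *dir; bucket_t *store; uint32_t nsegs; } htab_t;

/* Header-consistency check that must run before the directory is filled:
 * nsegs > dsize is the case that writes past dir[dsize - 1]. */
int check_header(uint32_t dsize, uint32_t sshift, uint32_t nsegs) {
    if (dsize == 0 || dsize > (1u << 20)) return -1; /* implausible directory   */
    if (sshift > 16) return -1;                       /* 1 << sshift buckets/seg */
    if (nsegs == 0 || nsegs > dsize) return -1;       /* fill loop would overflow */
    return 0;
}

/* Hardened allocation step: validate, allocate directory and buckets, then
 * fill only slots that exist. Returns 0 on success, -1 on rejection or OOM. */
int alloc_segs_checked(htab_t *t, uint32_t dsize, uint32_t sshift, uint32_t nsegs) {
    memset(t, 0, sizeof *t);
    if (check_header(dsize, sshift, nsegs) != 0) return -1;
    size_t per_seg = (size_t)1 << sshift;
    t->dir = calloc(dsize, sizeof(segment_t));
    t->store = calloc((size_t)nsegs * per_seg, sizeof(bucket_t));
    if (!t->dir || !t->store) { free(t->dir); free(t->store); memset(t, 0, sizeof *t); return -1; }
    for (uint32_t i = 0; i < nsegs; i++)
        t->dir[i] = &t->store[i * per_seg];
    t->nsegs = nsegs;
    return 0;
}

/* Allocate, verify each filled slot points at its own segment, release.
 * Returns 0 if consistent, -1 if the header was rejected or a slot is wrong. */
int alloc_roundtrip(uint32_t dsize, uint32_t sshift, uint32_t nsegs) {
    htab_t t;
    if (alloc_segs_checked(&t, dsize, sshift, nsegs) != 0) return -1;
    int ok = 0;
    for (uint32_t i = 0; i < t.nsegs; i++)
        if (t.dir[i] != &t.store[(size_t)i << sshift]) ok = -1;
    free(t.dir); free(t.store);
    return ok;
}
/* Slot index a write at the end of a region lands in; the report's 2048-byte
 * region and 8-byte pointers give 256, one past a 256-slot directory. */
uint32_t first_oob_slot(size_t region_bytes, size_t ptr_size) {
    return (uint32_t)(region_bytes / ptr_size);
}
```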