Closed
Bug 1419278
Opened 7 years ago
Closed 7 years ago
Uninitialised value use in lg_CopyAttribute (security/nss/lib/softoken/legacydb/lgattr.c)
Categories
(NSS :: Libraries, defect)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
FIXED
3.35
People
(Reporter: jseward, Assigned: jseward)
Details
Attachments
(4 files, 1 obsolete file)
5.76 KB,
text/plain
|
Details | |
45 bytes,
text/x-phabricator-request
|
ttaubert
:
review+
|
Details | Review |
1.90 KB,
patch
|
Details | Diff | Splinter Review | |
993 bytes,
patch
|
Details | Diff | Splinter Review |
I saw this this morning whilst trying to reproduce bug 1418125. I'm
not saying they are the same problem, but perhaps there is some connection?
Anyway, Valgrind complaints below. STR:
DISPLAY=:2.0 ./mach mochitest --valgrind=vTRUNK --valgrind-args=--num-transtab-sectors=48,--px-default=allregs-at-mem-access,--px-file-backed=unwindregs-at-mem-access,--fair-sched=yes,--fullpath-after=/MOZ/,--error-limit=no,--show-mismatched-frees=no,--expensive-definedness-checks=yes,--track-origins=yes browser/components/extensions/test/browser/browser_ext_windows_create_params.js
Assignee | ||
Comment 1•7 years ago
|
||
Assignee | ||
Updated•7 years ago
|
Summary: Uninitialised value use in lg_CopyAttribute (MC-TALL/security/nss/lib/softoken/legacydb/lgattr.c) → Uninitialised value use in lg_CopyAttribute (security/nss/lib/softoken/legacydb/lgattr.c)
Updated•7 years ago
|
Assignee: nobody → nobody
Group: crypto-core-security
Component: Security → Libraries
Product: Core → NSS
Version: unspecified → trunk
Comment 2•7 years ago
|
||
`nsslowcert_ReadDBSMimeEntry` [1] allocates `entry`, so that's just a random chunk of memory. We then try to fill that structure via `DecodeDBSMimeEntry` [2], at this point the SECItem.data fields are still uninitialized. We set .data = alloc() only when the associated .len field is > 0 [3].
That means we'll call memcpy() with a random destination, but the count being zero. I assume we could "fix" this by changing the check to (value != NULL && len > 0) in `lg_CopyAttribute` [4].
[1] https://searchfox.org/nss/source/lib/softoken/legacydb/pcertdb.c#2034
[2] https://searchfox.org/nss/source/lib/softoken/legacydb/pcertdb.c#2059
[3] https://searchfox.org/nss/source/lib/softoken/legacydb/pcertdb.c#1845
[4] https://searchfox.org/nss/source/lib/softoken/legacydb/lgattr.c#136
Assignee | ||
Comment 3•7 years ago
|
||
Assignee: nobody → jseward
Assignee | ||
Comment 4•7 years ago
|
||
(In reply to Tim Taubert [:ttaubert] from comment #2)
Thanks for the analysis. Using the patch in comment 3 I can confirm that
analysis, without using valgrind.
> I assume we could "fix" this by changing the check to
> (value != NULL && len > 0) in `lg_CopyAttribute` [4].
Except we'd still be doing "<uninitialised> != NULL" like that. If we
swap the order then it's good, yes?
len > 0 && value != NULL
I'll try that. Given that this is sec- related code, I'm vaguely
uncomfortable that we have uninitialised values drifting around the
computation and only "catching" them mid-computation. Is there there
any enthusiasm for using calloc here, as a safety measure?
Comment 5•7 years ago
|
||
(In reply to Julian Seward [:jseward] from comment #4)
> Except we'd still be doing "<uninitialised> != NULL" like that. If we
> swap the order then it's good, yes?
>
> len > 0 && value != NULL
Good point, let's do that.
> I'll try that. Given that this is sec- related code, I'm vaguely
> uncomfortable that we have uninitialised values drifting around the
> computation and only "catching" them mid-computation. Is there there
> any enthusiasm for using calloc here, as a safety measure?
Yeah, I voiced similar concerns on phabricator. We could use PORT_ArenaZAlloc() instead of PORT_ArenaAlloc(), Z for zero, to achieve the same :)
Assignee | ||
Comment 6•7 years ago
|
||
(from comment 4)
> Except we'd still be doing "<uninitialised> != NULL" like that. If we
> swap the order then it's good, yes?
>
> len > 0 && value != NULL
Yes, that seems to work.
Updated•7 years ago
|
Group: core-security
Comment 7•7 years ago
|
||
Comment on attachment 8930366 [details]
Bug 1419278 - maybe fixing something
Tim Taubert [:ttaubert] has approved the revision.
https://phabricator.services.mozilla.com/D267#6890
Attachment #8930366 -
Flags: review+
Assignee | ||
Comment 8•7 years ago
|
||
(In reply to Phabricator Automation from comment #7)
> Comment on attachment 8930366 [details]
> Bug 1419278 - maybe fixing something
That fixes the V errors. So, +1 from me.
Updated•7 years ago
|
Attachment #8930840 -
Attachment is obsolete: true
Comment 9•7 years ago
|
||
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.35
Updated•7 years ago
|
Group: crypto-core-security → core-security-release
Updated•6 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•