Closed
Bug 1419278
Opened 7 years ago
Closed 7 years ago
Uninitialised value use in lg_CopyAttribute (security/nss/lib/softoken/legacydb/lgattr.c)
Categories
(NSS :: Libraries, defect)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
FIXED
3.35
People
(Reporter: jseward, Assigned: jseward)
Details
Attachments
(4 files, 1 obsolete file)
5.76 KB,
text/plain
|
Details | |
45 bytes,
text/x-phabricator-request
|
ttaubert
:
review+
|
Details | Review |
1.90 KB,
patch
|
Details | Diff | Splinter Review | |
993 bytes,
patch
|
Details | Diff | Splinter Review |
I saw this this morning whilst trying to reproduce bug 1418125. I'm not saying they are the same problem, but perhaps there is some connection? Anyway, Valgrind complaints below. STR: DISPLAY=:2.0 ./mach mochitest --valgrind=vTRUNK --valgrind-args=--num-transtab-sectors=48,--px-default=allregs-at-mem-access,--px-file-backed=unwindregs-at-mem-access,--fair-sched=yes,--fullpath-after=/MOZ/,--error-limit=no,--show-mismatched-frees=no,--expensive-definedness-checks=yes,--track-origins=yes browser/components/extensions/test/browser/browser_ext_windows_create_params.js
Assignee | ||
Comment 1•7 years ago
|
||
Assignee | ||
Updated•7 years ago
|
Summary: Uninitialised value use in lg_CopyAttribute (MC-TALL/security/nss/lib/softoken/legacydb/lgattr.c) → Uninitialised value use in lg_CopyAttribute (security/nss/lib/softoken/legacydb/lgattr.c)
Updated•7 years ago
|
Assignee: nobody → nobody
Group: crypto-core-security
Component: Security → Libraries
Product: Core → NSS
Version: unspecified → trunk
Comment 2•7 years ago
|
||
`nsslowcert_ReadDBSMimeEntry` [1] allocates `entry`, so that's just a random chunk of memory. We then try to fill that structure via `DecodeDBSMimeEntry` [2], at this point the SECItem.data fields are still uninitialized. We set .data = alloc() only when the associated .len field is > 0 [3]. That means we'll call memcpy() with a random destination, but the count being zero. I assume we could "fix" this by changing the check to (value != NULL && len > 0) in `lg_CopyAttribute` [4]. [1] https://searchfox.org/nss/source/lib/softoken/legacydb/pcertdb.c#2034 [2] https://searchfox.org/nss/source/lib/softoken/legacydb/pcertdb.c#2059 [3] https://searchfox.org/nss/source/lib/softoken/legacydb/pcertdb.c#1845 [4] https://searchfox.org/nss/source/lib/softoken/legacydb/lgattr.c#136
Assignee | ||
Comment 3•7 years ago
|
||
Assignee: nobody → jseward
Assignee | ||
Comment 4•7 years ago
|
||
(In reply to Tim Taubert [:ttaubert] from comment #2) Thanks for the analysis. Using the patch in comment 3 I can confirm that analysis, without using valgrind. > I assume we could "fix" this by changing the check to > (value != NULL && len > 0) in `lg_CopyAttribute` [4]. Except we'd still be doing "<uninitialised> != NULL" like that. If we swap the order then it's good, yes? len > 0 && value != NULL I'll try that. Given that this is sec- related code, I'm vaguely uncomfortable that we have uninitialised values drifting around the computation and only "catching" them mid-computation. Is there there any enthusiasm for using calloc here, as a safety measure?
Comment 5•7 years ago
|
||
(In reply to Julian Seward [:jseward] from comment #4) > Except we'd still be doing "<uninitialised> != NULL" like that. If we > swap the order then it's good, yes? > > len > 0 && value != NULL Good point, let's do that. > I'll try that. Given that this is sec- related code, I'm vaguely > uncomfortable that we have uninitialised values drifting around the > computation and only "catching" them mid-computation. Is there there > any enthusiasm for using calloc here, as a safety measure? Yeah, I voiced similar concerns on phabricator. We could use PORT_ArenaZAlloc() instead of PORT_ArenaAlloc(), Z for zero, to achieve the same :)
Assignee | ||
Comment 6•7 years ago
|
||
(from comment 4) > Except we'd still be doing "<uninitialised> != NULL" like that. If we > swap the order then it's good, yes? > > len > 0 && value != NULL Yes, that seems to work.
Updated•7 years ago
|
Group: core-security
Comment 7•7 years ago
|
||
Comment on attachment 8930366 [details] Bug 1419278 - maybe fixing something Tim Taubert [:ttaubert] has approved the revision. https://phabricator.services.mozilla.com/D267#6890
Attachment #8930366 -
Flags: review+
Assignee | ||
Comment 8•7 years ago
|
||
(In reply to Phabricator Automation from comment #7) > Comment on attachment 8930366 [details] > Bug 1419278 - maybe fixing something That fixes the V errors. So, +1 from me.
Updated•7 years ago
|
Attachment #8930840 -
Attachment is obsolete: true
Comment 9•7 years ago
|
||
https://hg.mozilla.org/projects/nss/rev/96e6dbbd080f07b325a31e67fea8ed858c6b21cf
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.35
Updated•7 years ago
|
Group: crypto-core-security → core-security-release
Updated•5 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•