Closed
Bug 1431940
Opened 6 years ago
Closed 4 years ago
BLAKE2B_Update may dereference null pointer
Categories
(NSS :: Libraries, defect, P3)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
FIXED
3.51
People
(Reporter: jeanluc.bonnafoux, Assigned: dbaryshkov)
Details
(Keywords: good-first-bug)
Attachments
(2 files, 2 obsolete files)
1.23 KB,
patch
|
Details | Diff | Splinter Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review |
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 Build ID: 20180103231032 Steps to reproduce: First line of code of function BLAKE2B_Update uses ctx pointer. However there is no check on this pointer being not null. Actual results: There is a check later in the code (line 232), it may be good to check at the beginning of function, before trying to use the ctx variable. Expected results: There is a check later in the code (line 232), it may be good to check at the beginning of function, before trying to use the ctx variable.
Updated•6 years ago
|
Keywords: good-first-bug
Priority: -- → P3
Comment 1•6 years ago
|
||
I like to work on this bug. Is the below diff good? diff --git a/security/nss/lib/freebl/blake2b.c b/security/nss/lib/freebl/blake2b.c --- a/security/nss/lib/freebl/blake2b.c +++ b/security/nss/lib/freebl/blake2b.c @@ -218,6 +218,7 @@ SECStatus BLAKE2B_Update(BLAKE2BContext* ctx, const unsigned char* in, unsigned int inlen) { + PORT_Assert(ctx != NULL); size_t left = ctx->buflen; size_t fill = BLAKE2B_BLOCK_LENGTH - left;
Flags: needinfo?(franziskuskiefer)
Comment 2•6 years ago
|
||
The assert is only active in debug builds. So an if(!ctx) is needed as well. Can you please upload the patch to phabricator (https://phabricator.services.mozilla.com/) or here in splinter?
Flags: needinfo?(franziskuskiefer) → needinfo?(venkateshpitta)
Updated•6 years ago
|
Assignee: nobody → venkateshpitta
Comment 3•6 years ago
|
||
What is splinter? Please comment on this patch.
Flags: needinfo?(venkateshpitta) → needinfo?(franziskuskiefer)
Attachment #8966904 -
Flags: review?(franziskuskiefer)
Comment 4•6 years ago
|
||
Comment on attachment 8966904 [details] [diff] [review] bug-1431940-attempt-01.patch Review of attachment 8966904 [details] [diff] [review]: ----------------------------------------------------------------- This is splinter :) Can you make the patch against NSS? This is against Firefox. ::: security/nss/lib/freebl/blake2b.c @@ +218,5 @@ > BLAKE2B_Update(BLAKE2BContext* ctx, const unsigned char* in, > unsigned int inlen) > { > + PORT_Assert(ctx != NULL); > + if (!ctx) { We actually check this already further down. But we get `left = ctx->buflen` before that check. So either move the `left` assignment after the check or remove the check further down.
Attachment #8966904 -
Flags: review?(franziskuskiefer)
Updated•6 years ago
|
Flags: needinfo?(franziskuskiefer)
Comment 5•6 years ago
|
||
Is this better?
Attachment #8966904 -
Attachment is obsolete: true
Attachment #8967230 -
Flags: review?(franziskuskiefer)
Comment 6•6 years ago
|
||
Comment on attachment 8967230 [details] [diff] [review] bug-1431940-attempt-02.patch Review of attachment 8967230 [details] [diff] [review]: ----------------------------------------------------------------- Thanks.
Attachment #8967230 -
Flags: review?(franziskuskiefer) → review+
Comment 7•6 years ago
|
||
https://hg.mozilla.org/projects/nss/rev/4626e0cede57956b9dbcb72135753668c819a3c0
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.37
Comment 8•6 years ago
|
||
https://hg.mozilla.org/projects/nss/rev/e32e2755932b This doesn't pass tests. Can you check why this is failing?
Status: RESOLVED → REOPENED
Ever confirmed: true
Flags: needinfo?(venkateshpitta)
Resolution: FIXED → ---
Comment 9•6 years ago
|
||
(In reply to Franziskus Kiefer [:fkiefer or :franziskus] from comment #8) > https://hg.mozilla.org/projects/nss/rev/e32e2755932b > > This doesn't pass tests. Can you check why this is failing? Sure, I got the nss.1/results.html by running all.sh, and can see the failed cases. How do I work backwards from here to the source that is causing the failure?
Flags: needinfo?(venkateshpitta) → needinfo?(franziskuskiefer)
Comment 10•6 years ago
|
||
You can see [ FAILED ] Blake2BTests.NullTest. So you can look at that test (https://searchfox.org/nss/rev/6383002966ffb398fc6a186ad21673ca3f2c79a9/gtests/freebl_gtest/blake2b_unittest.cc#135). You can also run only that test by running freebl_gtest --gtest_filter="*Blake2B*NullTest*". From there you can debug the issue.
Flags: needinfo?(franziskuskiefer)
Updated•6 years ago
|
Attachment #8967230 -
Flags: review+ → review-
Comment 11•6 years ago
|
||
Preserving the order here. inlen == 0 followed by ctx and in. HOST=localhost DOMSUF=localdomain BUILD_OPT=1 USE_64=1 tests/all.sh shows the same output before and after with this patch compiled. I did not find freebl_test in the nss directory. Is it the tests under ssl, ssl_gtests, gtests?
Attachment #8967230 -
Attachment is obsolete: true
Attachment #8968725 -
Flags: review?(franziskuskiefer)
Comment 12•6 years ago
|
||
Comment on attachment 8968725 [details] [diff] [review] bug-1431940-attempt-03.patch Review of attachment 8968725 [details] [diff] [review]: ----------------------------------------------------------------- Looks good with the two assert moved before the if. ::: lib/freebl/blake2b.c @@ +231,5 @@ > + size_t left = ctx->buflen; > + size_t fill = BLAKE2B_BLOCK_LENGTH - left; > + > + PORT_Assert(ctx != NULL); > + PORT_Assert(in != NULL); These two asserts only make sense if they're before the if block checking them. Otherwise we'll never get here.
Attachment #8968725 -
Flags: review?(franziskuskiefer)
Assignee | ||
Comment 13•4 years ago
|
||
Updated•4 years ago
|
Attachment #9126280 -
Attachment description: Bug 1431940 - remove dereference before NULL check in BLAKE2B code → Bug 1431940 - remove dereference before NULL check in BLAKE2B code, r=franziskus
Updated•4 years ago
|
Attachment #9126280 -
Attachment description: Bug 1431940 - remove dereference before NULL check in BLAKE2B code, r=franziskus → Bug 1431940 - remove dereference before NULL check in BLAKE2B code.
Comment 14•4 years ago
|
||
Assignee: venkateshpitta → dbaryshkov
Status: REOPENED → RESOLVED
Closed: 6 years ago → 4 years ago
QA Contact: jjones
Resolution: --- → FIXED
Target Milestone: 3.37 → 3.51
You need to log in
before you can comment on or make changes to this bug.
Description
•