Closed Bug 1431940 Opened 6 years ago Closed 4 years ago

BLAKE2B_Update may dereference null pointer

Categories

(NSS :: Libraries, defect, P3)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: jeanluc.bonnafoux, Assigned: dbaryshkov)

Details

(Keywords: good-first-bug)

Attachments

(2 files, 2 obsolete files)

bug-1431940-attempt-03.patch
1.23 KB, patch
Details | Diff | Splinter Review
Bug 1431940 - remove dereference before NULL check in BLAKE2B code.
47 bytes, text/x-phabricator-request
Details | Review 
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20180103231032

Steps to reproduce:

First line of code of function BLAKE2B_Update uses ctx pointer.
However there is no check on this pointer being not null.


Actual results:

There is a check later in the code (line 232), it may be good to check at the beginning of function, before trying to use the ctx variable.


Expected results:

There is a check later in the code (line 232), it may be good to check at the beginning of function, before trying to use the ctx variable.
Keywords: good-first-bug
Priority: -- → P3
I like to work on this bug.  Is the below diff good?

diff --git a/security/nss/lib/freebl/blake2b.c b/security/nss/lib/freebl/blake2b.c
--- a/security/nss/lib/freebl/blake2b.c
+++ b/security/nss/lib/freebl/blake2b.c
@@ -218,6 +218,7 @@ SECStatus
 BLAKE2B_Update(BLAKE2BContext* ctx, const unsigned char* in,
                unsigned int inlen)
 {
+    PORT_Assert(ctx != NULL);
     size_t left = ctx->buflen;
     size_t fill = BLAKE2B_BLOCK_LENGTH - left;
Flags: needinfo?(franziskuskiefer)
The assert is only active in debug builds. So an if(!ctx) is needed as well. Can you please upload the patch to phabricator (https://phabricator.services.mozilla.com/) or here in splinter?
Flags: needinfo?(franziskuskiefer) → needinfo?(venkateshpitta)
Assignee: nobody → venkateshpitta
Attached patch bug-1431940-attempt-01.patch (obsolete) — Splinter Review 
What is splinter?

Please comment on this patch.
Flags: needinfo?(venkateshpitta) → needinfo?(franziskuskiefer)
Attachment #8966904 - Flags: review?(franziskuskiefer)
Comment on attachment 8966904 [details] [diff] [review]
bug-1431940-attempt-01.patch

Review of attachment 8966904 [details] [diff] [review]:
-----------------------------------------------------------------

This is splinter :)
Can you make the patch against NSS? This is against Firefox.

::: security/nss/lib/freebl/blake2b.c
@@ +218,5 @@
>  BLAKE2B_Update(BLAKE2BContext* ctx, const unsigned char* in,
>                 unsigned int inlen)
>  {
> +    PORT_Assert(ctx != NULL);
> +    if (!ctx) {

We actually check this already further down. But we get `left = ctx->buflen` before that check. So either move the `left` assignment after the check or remove the check further down.
Attachment #8966904 - Flags: review?(franziskuskiefer)
Flags: needinfo?(franziskuskiefer)
Attached patch bug-1431940-attempt-02.patch (obsolete) — Splinter Review 
Is this better?
Attachment #8966904 - Attachment is obsolete: true
Attachment #8967230 - Flags: review?(franziskuskiefer)
Comment on attachment 8967230 [details] [diff] [review]
bug-1431940-attempt-02.patch

Review of attachment 8967230 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks.
Attachment #8967230 - Flags: review?(franziskuskiefer) → review+
https://hg.mozilla.org/projects/nss/rev/4626e0cede57956b9dbcb72135753668c819a3c0
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.37
https://hg.mozilla.org/projects/nss/rev/e32e2755932b

This doesn't pass tests. Can you check why this is failing?
Status: RESOLVED → REOPENED
Ever confirmed: true
Flags: needinfo?(venkateshpitta)
Resolution: FIXED → ---
(In reply to Franziskus Kiefer [:fkiefer or :franziskus] from comment #8)
> https://hg.mozilla.org/projects/nss/rev/e32e2755932b
> 
> This doesn't pass tests. Can you check why this is failing?

Sure, I got the nss.1/results.html by running all.sh, and can see the failed cases.  How do I work backwards from here to the source that is causing the failure?
Flags: needinfo?(venkateshpitta) → needinfo?(franziskuskiefer)
You can see [  FAILED  ] Blake2BTests.NullTest. So you can look at that test (https://searchfox.org/nss/rev/6383002966ffb398fc6a186ad21673ca3f2c79a9/gtests/freebl_gtest/blake2b_unittest.cc#135). You can also run only that test by running freebl_gtest --gtest_filter="*Blake2B*NullTest*". From there you can debug the issue.
Flags: needinfo?(franziskuskiefer)
Attachment #8967230 - Flags: review+ → review-
Preserving the order here.  inlen == 0 followed by ctx and in.  HOST=localhost DOMSUF=localdomain BUILD_OPT=1 USE_64=1 tests/all.sh shows the same output before and after with this patch compiled.  I did not find freebl_test in the nss directory.  Is it the tests under ssl, ssl_gtests, gtests?
Attachment #8967230 - Attachment is obsolete: true
Attachment #8968725 - Flags: review?(franziskuskiefer)
Comment on attachment 8968725 [details] [diff] [review]
bug-1431940-attempt-03.patch

Review of attachment 8968725 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good with the two assert moved before the if.

::: lib/freebl/blake2b.c
@@ +231,5 @@
> +    size_t left = ctx->buflen;
> +    size_t fill = BLAKE2B_BLOCK_LENGTH - left;
> +
> +    PORT_Assert(ctx != NULL);
> +    PORT_Assert(in != NULL);

These two asserts only make sense if they're before the if block checking them. Otherwise we'll never get here.
Attachment #8968725 - Flags: review?(franziskuskiefer)
Attachment #9126280 - Attachment description: Bug 1431940 - remove dereference before NULL check in BLAKE2B code → Bug 1431940 - remove dereference before NULL check in BLAKE2B code, r=franziskus
Attachment #9126280 - Attachment description: Bug 1431940 - remove dereference before NULL check in BLAKE2B code, r=franziskus → Bug 1431940 - remove dereference before NULL check in BLAKE2B code.

https://hg.mozilla.org/projects/nss/rev/5e661906698fa90702c31eae492c31a080882689

Assignee: venkateshpitta → dbaryshkov
Status: REOPENED → RESOLVED
Closed: 6 years ago4 years ago
QA Contact: jjones
Resolution: --- → FIXED
Target Milestone: 3.37 → 3.51
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: