Closed Bug 1454072 (CVE-2022-34480) Opened 7 years ago Closed 3 years ago

Use of uninitialized pointer in lg_init()

Categories

(NSS :: Libraries, enhancement)

Product:
NSS
Component:
Libraries
Version:
3.34.1
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(firefox-esr91 wontfix, firefox100 wontfix, firefox101 wontfix, firefox102 fixed)

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox-esr91 --- wontfix
firefox100 --- wontfix
firefox101 --- wontfix
firefox102 --- fixed

People

(Reporter: mozillabugs, Assigned: jschanck)

Details

(Keywords: csectype-uninitialized, reporter-external, sec-low, Whiteboard: [post-critsmash-triage][adv-main102+])

Attachments

(2 files)

Bug 1454072 - Use of uninitialized pointer in lg_init after alloc fail. r=#nss-reviewers
48 bytes, text/x-phabricator-request
Details | Review
advisory.txt
230 bytes, text/plain
Details
lg_init() (security\nss\lib\softoken\legacydb\lginit.c) can use an uninitialized pointer on error. The bug is that line 504 does not initialize the block pointed to by |lgdb_p|. If line 511 fails (as with an OOM), causing lines 512-14 to transfer control to lines 544 et seq, line 552 will read the uninitialized pointer |lgdb->hashtable|, and if it is nonzero (likely), line 553 will attempt to destroy it, in the process reading and writing hyperspace: 491: CK_RV 492: lg_init(SDB **pSdb, int flags, NSSLOWCERTCertDBHandle *certdbPtr, 493: NSSLOWKEYDBHandle *keydbPtr) 494: { 495: SDB *sdb = NULL; 496: LGPrivate *lgdb_p = NULL; 497: CK_RV error = CKR_HOST_MEMORY; 498: 499: *pSdb = NULL; 500: sdb = (SDB *)PORT_Alloc(sizeof(SDB)); 501: if (sdb == NULL) { 502: goto loser; 503: } 504: lgdb_p = (LGPrivate *)PORT_Alloc(sizeof(LGPrivate)); 505: if (lgdb_p == NULL) { 506: goto loser; 507: } 508: /* invariant fields */ 509: lgdb_p->certDB = certdbPtr; 510: lgdb_p->keyDB = keydbPtr; 511: lgdb_p->dbLock = PR_NewLock(); 512: if (lgdb_p->dbLock == NULL) { 513: goto loser; 514: } 515: lgdb_p->hashTable = PL_NewHashTable(64, lg_HashNumber, PL_CompareValues, 516: SECITEM_HashCompare, NULL, 0); 517: if (lgdb_p->hashTable == NULL) { 518: goto loser; 519: } 520: ... 541: *pSdb = sdb; 542: return CKR_OK; 543: 544: loser: 545: if (sdb) { 546: PORT_Free(sdb); 547: } 548: if (lgdb_p) { 549: if (lgdb_p->dbLock) { 550: PR_DestroyLock(lgdb_p->dbLock); 551: } 552: if (lgdb_p->hashTable) { 553: PL_HashTableDestroy(lgdb_p->hashTable); 554: } 555: PORT_Free(lgdb_p); 556: } 557: return error; 558: } FF typically poisons memory blocks with 0xe4 or 0xe5, but I don't know whether poisoning is guaranteed in all environments that NSS supports.
Flags: sec-bounty?
Could happen, but more a bug than something that could be intentionally exploited since you'd have to successfully get past all those PORT_Allocs and then OOM in just the right place.
Flags: sec-bounty? → sec-bounty-
Assignee: nobody → jschanck

https://hg.mozilla.org/projects/nss/rev/927d47dcc509bd4f561c5a6e6e7b050b63f03009

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Group: crypto-core-security → core-security-release
status-firefox100: --- → wontfix
status-firefox101: --- → wontfix
status-firefox102: --- → fixed
status-firefox-esr91: --- → wontfix
Target Milestone: --- → 3.79
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main102+]
Attached file advisory.txt
Alias: CVE-2022-34480
Flags: sec-bounty-hof+
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: