Closed
Bug 1458129
Opened 6 years ago; Closed 6 years ago
Double free in mar_sign.c
Categories: Toolkit :: Application Update, defect, P1
Tracking: RESOLVED FIXED, mozilla64
People: Reporter: pauljt, Assigned: jewilde
References
Details: Keywords: csectype-uaf, sec-low; Whiteboard: [post-critsmash-triage][adv-main64+]
Attachments: 1 file
mar_sign.c has a double free bug. extractedSignature is freed on line 536 [1]. If we then hit an error [2] we goto failure case which also frees extractedSignature on line 576 [3]. It's only mar_sign, so using this on untrusted input would seem unlikely, but filing since we should probably fix it anyways.

[1] https://searchfox.org/mozilla-central/source/modules/libmar/sign/mar_sign.c#536
[2] https://searchfox.org/mozilla-central/source/modules/libmar/sign/mar_sign.c#541
[3] https://searchfox.org/mozilla-central/source/modules/libmar/sign/mar_sign.c#576
Updated•6 years ago
Group: core-security → toolkit-core-security
Comment 1•6 years ago
The only place this code is reachable from is the MAR CLI tool: https://searchfox.org/mozilla-central/source/modules/libmar/tool/mar.c#309
Comment 2•6 years ago
Updated•6 years ago
Assignee: nobody → jewilde
Updated•6 years ago
Priority: -- → P1
Comment 3•6 years ago
I added line 537 to mar_sign.c to set extractedSignature to NULL before any of the error checks; that way, if a failure occurs before extractedSignature is set again on line 553, the second call to free on line 578 will essentially be free(NULL).
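The following is an added illustration, not code from libmar or from this bug's patch. It mirrors the shape of the flow the report and comment 3 describe (a signature buffer freed after use, a later error check jumping to a shared failure label, and that label freeing the same buffer again) with a small instrumented free that counts release-twice attempts instead of handing the dangling pointer back to libc. The line numbers in the comments refer to the bug's references; `extract_and_verify`, `tracked_free`, `tracked_malloc` and `double_frees_for` are names invented for this example, and the 64-byte "signature" is constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Teaching harness (not libmar code): remembers which allocations were
   released and counts attempts to release one of them a second time. */
#define MAX_TRACKED 16
static void *freed_ptrs[MAX_TRACKED];
static int freed_count;
static int double_free_count;

static void tracked_reset(void) {
  freed_count = 0;
  double_free_count = 0;
}

static void *tracked_malloc(size_t n) {
  void *p = malloc(n);
  /* The allocator may hand back an address we freed earlier; it is live
     again, so stop treating it as freed. */
  for (int i = 0; i < freed_count; i++) {
    if (freed_ptrs[i] == p) {
      freed_ptrs[i] = freed_ptrs[--freed_count];
      break;
    }
  }
  return p;
}

static void tracked_free(void *p) {
  if (p == NULL) return;               /* free(NULL) is a no-op, as in libc */
  for (int i = 0; i < freed_count; i++) {
    if (freed_ptrs[i] == p) {          /* already released: double free */
      double_free_count++;
      return;                          /* never pass it to libc twice */
    }
  }
  if (freed_count < MAX_TRACKED) freed_ptrs[freed_count++] = p;
  free(p);
}

/* Shape of the mar_sign flow from the report. fail_after_first_free chooses
   whether the error check after the first free fires; null_after_free
   applies the fix from comment 3. Returns 0 on the success path, -1 on the
   failure path. */
static int extract_and_verify(int fail_after_first_free, int null_after_free) {
  unsigned char *extractedSignature = NULL;
  int rv = -1;

  extractedSignature = tracked_malloc(64);    /* constructed "signature" */
  if (!extractedSignature) goto failure;
  memset(extractedSignature, 0xAB, 64);

  tracked_free(extractedSignature);           /* the free on line 536 */
  if (null_after_free) extractedSignature = NULL;  /* the fix: line 537 */

  if (fail_after_first_free) goto failure;    /* the error check on line 541 */

  extractedSignature = tracked_malloc(64);    /* re-assigned on line 553 */
  if (!extractedSignature) goto failure;
  rv = 0;

failure:
  tracked_free(extractedSignature);           /* the free on line 576 */
  return rv;
}

/* Number of double frees the harness observed for one scenario. */
int double_frees_for(int fail_after_first_free, int null_after_free) {
  tracked_reset();
  (void)extract_and_verify(fail_after_first_free, null_after_free);
  return double_free_count;
}

int main(void) {
  printf("error after free, no fix : %d double free(s)\n", double_frees_for(1, 0));
  printf("error after free, fixed  : %d double free(s)\n", double_frees_for(1, 1));
  printf("success path, no fix     : %d double free(s)\n", double_frees_for(0, 0));
  printf("success path, fixed      : %d double free(s)\n", double_frees_for(0, 1));
  return 0;
}
```

Only the combination "error taken after the first free, pointer not cleared" produces a second release of the same buffer; nulling the pointer turns the cleanup free into free(NULL). Outside a harness like this, building the real tool with AddressSanitizer (`-fsanitize=address`) reports the same condition as a double-free at the second free call.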
Updated•6 years ago
Comment 4•6 years ago
"found in an audit" is not sec-audit. This is either sec-low if we think we can reach it (comment 1) or sec-other (or unhidden entirely) if we think we can't.
Updated•6 years ago
Keywords: csectype-uaf
Comment 5•6 years ago
(In reply to Daniel Veditz [:dveditz] from comment #4)
> "found in an audit" is not sec-audit. This is either sec-low if we think we
> can reach it (comment 1) or sec-other (or unhidden entirely) if we think we
> can't.

This only affects a build tool.
Updated•6 years ago
Keywords: checkin-needed
Comment 6•6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/379d79841c5d439654d77f264f7c9d730863059e
status-firefox62:
--- → wontfix
status-firefox63:
--- → wontfix
status-firefox64:
--- → affected
status-firefox-esr60:
--- → wontfix
Keywords: checkin-needed
Comment 7•6 years ago
https://hg.mozilla.org/mozilla-central/rev/379d79841c5d
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Updated•6 years ago
Group: toolkit-core-security → core-security-release
Updated•6 years ago
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Updated•6 years ago
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main64+]
Updated•5 years ago
Group: core-security-release