Closed Bug 1458129 Opened 3 years ago Closed 3 years ago

Double free in mar_sign.c

Categories

(Toolkit :: Application Update, defect, P1)


Tracking


RESOLVED FIXED
mozilla64
Tracking Status
firefox-esr60 --- wontfix
firefox62 --- wontfix
firefox63 --- wontfix
firefox64 --- fixed

People

(Reporter: pauljt, Assigned: jewilde)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uaf, sec-low, Whiteboard: [post-critsmash-triage][adv-main64+])

Attachments

(1 file)

mar_sign.c has a double free bug. extractedSignature is freed on line 536 [1]. If we then hit an error [2], we goto the failure case, which also frees extractedSignature on line 576 [3].

It's only mar_sign, so using this on untrusted input would seem unlikely, but filing since we should probably fix it anyways.

[1] https://searchfox.org/mozilla-central/source/modules/libmar/sign/mar_sign.c#536
[2] https://searchfox.org/mozilla-central/source/modules/libmar/sign/mar_sign.c#541
[3] https://searchfox.org/mozilla-central/source/modules/libmar/sign/mar_sign.c#576
Group: core-security → toolkit-core-security
The only place this code is reachable from is the MAR CLI tool: https://searchfox.org/mozilla-central/source/modules/libmar/tool/mar.c#309
Assignee: nobody → jewilde
Priority: -- → P1
I added line 537 to mar_sign.c to set extractedSignature to null before any of the error checks. That way, if a failure occurs before extractedSignature is set again on line 553, the second call to free on line 578 will essentially be free(NULL);
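Added example, not the libmar code: a small model of the cleanup pattern described in this bug (early free, an error check that jumps to the shared failure label, and a second free there), with the one-line NULL assignment from the fix switchable on and off. The tracked_malloc/tracked_free instrumentation is hypothetical and exists only so the buggy path can be exercised without corrupting the heap; the line numbers in the comments refer to the report, not to this file.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Tiny double-free detector (constructed for this example): remembers freed
 * addresses and counts a repeated free instead of passing it to free().
 * Comparing a stale pointer value is indeterminate per the C standard, but
 * it is the same trick sanitizers use and is fine for a demonstration. */
#define MAX_FREED 16
static uintptr_t freed_addrs[MAX_FREED];
static int freed_count;
int double_frees;                              /* incremented instead of crashing */

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; i < freed_count; i++)      /* address recycled: no longer "freed" */
        if (freed_addrs[i] == (uintptr_t)p) freed_addrs[i] = freed_addrs[--freed_count];
    return p;
}

static void tracked_free(void *p) {
    if (!p) return;                            /* free(NULL) is a no-op, as in real free() */
    for (int i = 0; i < freed_count; i++)
        if (freed_addrs[i] == (uintptr_t)p) { double_frees++; return; }
    if (freed_count < MAX_FREED) freed_addrs[freed_count++] = (uintptr_t)p;
    free(p);
}

/* Models the flow from the report. fail_check=1 forces the error check
 * between the first free and the reassignment; apply_fix=1 adds the NULL
 * assignment from comment 3. Returns 0 on success, -1 on failure. */
int sign_flow(int fail_check, int apply_fix) {
    int rv = -1;
    char *extractedSignature = tracked_malloc(32);
    if (!extractedSignature) goto failure;
    memcpy(extractedSignature, "constructed-signature", 22);

    tracked_free(extractedSignature);          /* first free (line 536 in the report) */
    if (apply_fix) extractedSignature = NULL;  /* the fix: the later free becomes free(NULL) */

    if (fail_check) goto failure;              /* error check between free and reassignment */

    extractedSignature = tracked_malloc(32);   /* reassignment (line 553 in the report) */
    if (!extractedSignature) goto failure;
    rv = 0;

failure:
    tracked_free(extractedSignature);          /* shared cleanup (line 576/578 in the report) */
    return rv;
}
```

Without the fix, the error path hands the stale pointer to the cleanup free a second time; with it, the cleanup sees NULL and the success path still releases the reassigned buffer exactly once.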
Keywords: sec-audit → sec-low
"found in an audit" is not sec-audit. This is either sec-low if we think we can reach it (comment 1) or sec-other (or unhidden entirely) if we think we can't.
(In reply to Daniel Veditz [:dveditz] from comment #4)
> "found in an audit" is not sec-audit. This is either sec-low if we think we
> can reach it (comment 1) or sec-other (or unhidden entirely) if we think we
> can't.
This only affects a build tool.
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/379d79841c5d
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Group: toolkit-core-security → core-security-release
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main64+]
Group: core-security-release