Closed
Bug 1460673
Opened 7 years ago
Closed 7 years ago
Crash in SEC_ASN1DecoderFinish_Util importing PKCS#12 file encrypted with AES
Categories
(NSS :: Libraries, defect)
Tracking
(firefox-esr52 wontfix, firefox-esr60 fixed, firefox60 fixed, firefox61 fixed, firefox62 fixed)
RESOLVED
FIXED
3.38
People
(Reporter: keeler, Assigned: franziskus)
References
Details
(Keywords: crash, sec-moderate)
Crash Data
Attachments
(4 files)
This bug was filed from the Socorro interface and is
report bp-53c9dfd0-6a2f-4543-a702-f4d7e0180510.
=============================================================
Top 10 frames of crashing thread:
0 libnssutil3.so SEC_ASN1DecoderFinish_Util security/nss/lib/util/secasn1d.c:2980
1 libsmime3.so SEC_PKCS7DecoderUpdate security/nss/lib/pkcs7/p7decode.c:1048
2 libnssutil3.so SEC_ASN1DecoderUpdate_Util security/nss/lib/util/secasn1d.c:2926
3 libsmime3.so sec_pkcs12_decoder_asafes_callback security/nss/lib/pkcs12/p12d.c:853
4 libsmime3.so sec_pkcs7_decoder_filter security/nss/lib/pkcs7/p7decode.c:172
5 libnssutil3.so SEC_ASN1DecoderUpdate_Util security/nss/lib/util/secasn1d.c:2926
6 libsmime3.so SEC_PKCS7DecoderUpdate security/nss/lib/pkcs7/p7decode.c:1037
7 libsmime3.so sec_pkcs12_decode_asafes_cinfo_update security/nss/lib/pkcs12/p12d.c:955
8 libnssutil3.so SEC_ASN1DecoderUpdate_Util security/nss/lib/util/secasn1d.c:2926
9 libsmime3.so SEC_PKCS12DecoderUpdate security/nss/lib/pkcs12/p12d.c:1288
=============================================================
Discovered this from https://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg12911.html
|
Reporter | |
Comment 1•7 years ago
|
||
This appears to be an NSS bug. I'll attach a reduced testcase shortly.
Assignee: nobody → nobody
Component: Security: PSM → Libraries
Product: Core → NSS
Version: unspecified → other
|
|
Reporter | |
Comment 2•7 years ago
|
||
|
|
Reporter | |
Comment 3•7 years ago
|
||
|
|
Reporter | |
Comment 4•7 years ago
|
||
STR:
1. Compile libdislocator from https://github.com/mirrorer/afl/tree/master/libdislocator
2. Compile test.cpp (`make`)
3. run `LD_PRELOAD=/path/to/libdislocator.so ./test`
|
Assignee | |
Comment 5•7 years ago
|
||
Thanks for filing David. I responded to Jonathan who reported the issue to let him know we're looking into it.
Running this with ASAN gives more information. The issue is that SEC_PKCS7DecoderFinish is called before decoding is done, i.e. sec_pkcs12_decoder_wrap_p7_update is called on the freed p12dcx->currentASafeP7Dcx producing a heap-use-after-free.
Making this sec-moderate. A user has to actively import a p12 file into Firefox or call pk12util on the command line to be affected.
Assignee: nobody → franziskuskiefer
Keywords: sec-moderate
|
||
Comment 6•7 years ago
|
||
The reason for crashing here is that the p7 processor wasn't cleared after finishing the first P7 bag (for a P12 that has two P7 bags).
This patch doesn't fix the import itself but only the uaf.
The decoder isn't supporting this properly. Firefox will show an unknown P12 import error now.
test
|
|
Assignee | |
Comment 7•7 years ago
|
||
This fixes the crash. Importing the p12 will still fail, but in a safe way.
https://hg.mozilla.org/projects/nss/rev/8872ebb63acdaf69cbe3a134c1aeb2c223e3eaaa
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.38
|
|
||
Comment 8•7 years ago
|
||
Comment on attachment 8976067 [details]
Bug 1460673 - don't crash
Tim Taubert [:ttaubert] has approved the revision.
https://phabricator.services.mozilla.com/D1295
Attachment #8976067 -
Flags: review+
|
||
Comment 10•7 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #9)
> How far back does this issue go?
AFAICT, to whenever the P7 code was originally written for Netscape. It's present in March 2000 for the first checkin [1].
[1] https://hg.mozilla.org/projects/nss/file/cd12bbc0e0a9/security/nss/lib/pkcs7/p7decode.c#l1200
Flags: needinfo?(franziskuskiefer)
|
||
Comment 11•7 years ago
|
||
If we end up spinning updated NSS releases for the TLS 1.3 issue (bug 1462303) anyway, would it make sense to also include this as a ride-along?
status-firefox60:
--- → wontfix
status-firefox61:
--- → affected
status-firefox62:
--- → fixed
status-firefox-esr52:
--- → wontfix
status-firefox-esr60:
--- → affected
Flags: needinfo?(franziskuskiefer)
|
|
||
Comment 12•7 years ago
|
||
It's probably good to get it into ESR60. I don't know that it's important to get into a 60 point release, but it would make sense to have it ride-along anyway.
(Franziskus is on PTO for the next week, so please NI me or :keeler if needed on this one now)
Flags: needinfo?(franziskuskiefer)
|
||
Updated•7 years ago
|
Group: crypto-core-security → core-security-release
|
|
||
Comment 13•7 years ago
|
||
This is included in NSS 3.36.2 [1] and 3.37.1 [2], and landed in m-c this morning [3].
[1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36.2_release_notes
[2] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.37.1_release_notes
[3] https://hg.mozilla.org/mozilla-central/rev/6d3ee860c038
|
|
||
Updated•7 years ago
|
|
||
Updated•7 years ago
|
|
|
||
Updated•6 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•