Closed
Bug 1464618
Opened 6 years ago
Closed 6 years ago
Double free in sec_pkcs12_encoder_start_context()
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
3.38
People
(Reporter: mozillabugs, Assigned: franziskus)
Details
(Keywords: csectype-uaf, sec-low)
Attachments
(1 file)
sec_pkcs12_encoder_start_context() (security\nss\lib\pkcs12\p12e.c) frees the |SECITEM *salt| twice in certain error conditions. The bug is that line 1591 is not followed by |salt = NULL;|, which means that if one or more of the conditions are satisfied that cause the |goto loser| on lines 1606, 1613, 1627, 1631, or 1636 to be executed, lines 1647-49 will be executed, thus overwriting |sizeof (SECITEM)| bytes of unallocated memory at |salt| with zeroes, and freeing |salt| again, which presumably corrupts the heap from which it's allocated: 1482: static sec_PKCS12EncoderContext * 1483: sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp) 1484: { 1485: sec_PKCS12EncoderContext *p12enc = NULL; 1486: unsigned int i, nonEmptyCnt; 1487: SECStatus rv; 1488: SECItem ignore = { 0 }; 1489: void *mark; 1490: SECItem *salt = NULL; 1491: SECItem *params = NULL; ... 1551: } else { ... 1560: salt = sec_pkcs12_generate_salt(); ... 1589: params = PK11_CreatePBEParams(salt, &pwd, 1590: NSS_PBE_DEFAULT_ITERATION_COUNT); 1591: SECITEM_ZfreeItem(salt, PR_TRUE); 1592: SECITEM_ZfreeItem(&pwd, PR_FALSE); 1593: 1594: /* get the PBA Mechanism to generate the key */ 1595: switch (p12exp->integrityInfo.pwdInfo.algorithm) { ... 1605: default: 1606: goto loser; 1607: } 1608: 1609: /* generate the key */ 1610: symKey = PK11_KeyGen(NULL, integrityMechType, params, 20, NULL); 1611: PK11_DestroyPBEParams(params); 1612: if (!symKey) { 1613: goto loser; 1614: } 1615: 1616: /* initialize HMAC */ 1617: /* Get the HMAC mechanism from the hash OID */ 1618: hmacMechType = sec_pkcs12_algtag_to_mech( 1619: p12exp->integrityInfo.pwdInfo.algorithm); 1620: 1621: p12enc->hmacCx = PK11_CreateContextBySymKey(hmacMechType, 1622: CKA_SIGN, symKey, &ignore); 1623: 1624: PK11_FreeSymKey(symKey); 1625: if (!p12enc->hmacCx) { 1626: PORT_SetError(SEC_ERROR_NO_MEMORY); 1627: goto loser; 1628: } 1629: rv = PK11_DigestBegin(p12enc->hmacCx); 1630: if (rv != SECSuccess) 1631: goto loser; 1632: } 1633: } 1634: 1635: if (!p12enc->aSafeCinfo) { 1636: goto loser; 1637: } 1638: 1639: PORT_ArenaUnmark(p12exp->arena, mark); 1640: 1641: return p12enc; 1642: 1643: loser: 1644: sec_pkcs12_encoder_destroy_context(p12enc); 1645: if (p12exp->arena != NULL) 1646: PORT_ArenaRelease(p12exp->arena, mark); 1647: if (salt) { 1648: SECITEM_ZfreeItem(salt, PR_TRUE); 1649: } 1650: if (params) { 1651: PK11_DestroyPBEParams(params); 1652: } 1653: 1654: return NULL; 1655: } I will attempt a POC.
Reporter | ||
Updated•6 years ago
|
Flags: needinfo?(mozillabugs)
Updated•6 years ago
|
Flags: sec-bounty?
Updated•6 years ago
|
Keywords: csectype-uaf,
sec-low
Assignee | ||
Updated•6 years ago
|
Assignee: nobody → franziskuskiefer
Comment 1•6 years ago
|
||
Comment 2•6 years ago
|
||
Comment on attachment 8983334 [details] Bug 1464618 - null salt Martin Thomson [:mt:] has approved the revision. https://phabricator.services.mozilla.com/D1553
Attachment #8983334 -
Flags: review+
Assignee | ||
Comment 3•6 years ago
|
||
https://hg.mozilla.org/projects/nss/rev/e36e5500f6534ea7e5b48b29215ab4d844ce7e70
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.38
Updated•6 years ago
|
Group: crypto-core-security → core-security-release
Updated•6 years ago
|
Flags: sec-bounty? → sec-bounty+
Updated•5 years ago
|
Group: core-security-release
Reporter | ||
Updated•2 years ago
|
Flags: needinfo?(mozillabugs)
You need to log in
before you can comment on or make changes to this bug.
Description
•