Bug 1467587 (Closed)
Opened 6 years ago, closed 3 years ago
Crash in PR_Unlock | nssTokenObjectCache_FindObjectsByTemplate | nssToken_FindObjectsByTemplate | nssToken_FindCertificateByIssuerAndSerialNumber | nssTrustDomain_UpdateCachedTokenCerts | PK11_DoPassword
Categories: NSS :: Libraries, defect, P1
Tracking: firefox-esr52 unaffected, firefox-esr60 wontfix, firefox60 wontfix, firefox61 wontfix, firefox62 wontfix, firefox65 wontfix, firefox66 wontfix
Status: RESOLVED DUPLICATE of bug 1745667
People: Reporter: philipp, Unassigned
References: Blocks 1 open bug
Details: Keywords: crash, csectype-uaf, sec-moderate; Whiteboard: [nss-fx]
Crash Data
This bug was filed from the Socorro interface and is report bp-e9190268-6473-4029-a1b4-405fb0180405.
=============================================================
Top 10 frames of crashing thread:
0 nss3.dll PR_Unlock nsprpub/pr/src/threads/combined/prulock.c:322
1 nss3.dll nssTokenObjectCache_FindObjectsByTemplate security/nss/lib/dev/devutil.c:736
2 nss3.dll nssToken_FindObjectsByTemplate security/nss/lib/dev/devtoken.c:412
3 nss3.dll nssToken_FindCertificateByIssuerAndSerialNumber security/nss/lib/dev/devtoken.c:830
4 nss3.dll nssTrustDomain_UpdateCachedTokenCerts security/nss/lib/pki/tdcache.c:474
5 nss3.dll PK11_DoPassword security/nss/lib/pk11wrap/pk11auth.c:640
6 nss3.dll PK11_Authenticate security/nss/lib/pk11wrap/pk11auth.c:324
7 nss3.dll pk11_AuthenticateUnfriendly security/nss/lib/pk11wrap/pk11auth.c:339
8 nss3.dll pk11_TraverseAllSlots security/nss/lib/pk11wrap/pk11obj.c:2027
9 nss3.dll CERT_GetCertNicknames security/nss/lib/certhigh/certhigh.c:483
=============================================================
These reports have been around for a while already (Firefox 55 is the earliest recorded crashing version), with a fairly low volume.
Many user comments reference websites with a smartcard login as the source of the crash.
Updated 6 years ago: Group: core-security → crypto-core-security
Comment 1 (6 years ago):
These crashes all seem to be using a PKCS11 module. I saw several different ones, but b4wscard.dll version 1.2.0.0 seems fairly common. Since it's not just one vendor, either it's a very common implementation mistake (copied from our examples or Stack Overflow?) or it really is a bug in our code.
Is there a race? On line 728 PZ_Lock(cache->lock) works fine and on line 736 PZ_Unlock(cache->lock) dies on a UAF on the lock. In between it calls get_token_objects_for_cache() which messes with cache->objects but doesn't do anything to cache itself.
https://hg.mozilla.org/releases/mozilla-release/annotate/a0b222c551f586904f51228c49149d9b6b7e2a81/security/nss/lib/dev/devutil.c#l728
Assignee: nobody → nobody
Component: Security: PSM → Libraries
Keywords: sec-moderate
Product: Core → NSS
Version: unspecified → other
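Comment 1 describes a lock taken at one line and the matching unlock faulting on freed memory, which means the object that contains the lock was freed in between. The following is an added illustration, not NSS code and not the fix tracked in the duplicate bug: all names (token_cache, cache_acquire, cache_find_by_prefix and the sample labels) are hypothetical. It shows the usual defence for this class of bug, a reference count on the cache so that any user inside the critical section keeps the lock's memory alive and teardown is deferred to the last reference holder; the demo function replays in one thread the interleaving that would otherwise be a use-after-free on the lock.

```c
/* Hypothetical illustration (not NSS code): a token-object cache whose mutex
 * lives inside the cached object. Freeing the object while another thread is
 * between lock and unlock turns the unlock into a use-after-free. Defence:
 * a reference count, so the memory (lock included) is released only by the
 * last reference holder, after its own unlock. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OBJECTS 4
#define LABEL_LEN 32

typedef struct {
    pthread_mutex_t lock;   /* protects objects/nobjects */
    int refcount;           /* owner's reference + every in-flight user */
    int dead;               /* owner has called cache_destroy() */
    int nobjects;
    char objects[MAX_OBJECTS][LABEL_LEN];
} token_cache;

static int freed_caches = 0;   /* counts real frees, to check teardown order */

token_cache *cache_create(void)
{
    token_cache *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    pthread_mutex_init(&c->lock, NULL);
    c->refcount = 1;        /* the owner's reference */
    return c;
}

int cache_add(token_cache *c, const char *label)
{
    int ok = 0;
    pthread_mutex_lock(&c->lock);
    if (c->nobjects < MAX_OBJECTS) {
        snprintf(c->objects[c->nobjects++], LABEL_LEN, "%s", label);
        ok = 1;
    }
    pthread_mutex_unlock(&c->lock);
    return ok;
}

/* A user takes its own reference before touching the cache; refused once dead. */
token_cache *cache_acquire(token_cache *c)
{
    token_cache *result = NULL;
    pthread_mutex_lock(&c->lock);
    if (!c->dead) { c->refcount++; result = c; }
    pthread_mutex_unlock(&c->lock);
    return result;
}

/* Drop a reference; returns how many remain. Memory and mutex go away only
 * after the unlock that dropped the last reference, when nobody else can be
 * inside a critical section on this lock. */
int cache_release(token_cache *c)
{
    pthread_mutex_lock(&c->lock);
    int remaining = --c->refcount;
    pthread_mutex_unlock(&c->lock);
    if (remaining == 0) {
        pthread_mutex_destroy(&c->lock);
        free(c);
        freed_caches++;
    }
    return remaining;
}

/* Owner's teardown: mark dead (no new users), drop the owner's reference. */
int cache_destroy(token_cache *c)
{
    pthread_mutex_lock(&c->lock);
    c->dead = 1;
    pthread_mutex_unlock(&c->lock);
    return cache_release(c);
}

/* The lookup with the lock/unlock pair from the comment. The caller's
 * reference keeps c->lock valid for the unlock even if the owner tears the
 * cache down while this runs. */
int cache_find_by_prefix(token_cache *c, const char *prefix,
                         char out[][LABEL_LEN], int max)
{
    int n = 0;
    size_t plen = strlen(prefix);
    pthread_mutex_lock(&c->lock);
    for (int i = 0; i < c->nobjects && n < max; i++)
        if (strncmp(c->objects[i], prefix, plen) == 0)
            snprintf(out[n++], LABEL_LEN, "%s", c->objects[i]);
    pthread_mutex_unlock(&c->lock);
    return n;
}

/* Replays, single-threaded, the interleaving that would be a UAF without the
 * refcount: user acquires, owner destroys, user finishes its lookup.
 * Returns the match count (2) on success, a negative code on failure. */
int demo_deferred_teardown(void)
{
    char found[MAX_OBJECTS][LABEL_LEN];
    token_cache *c = cache_create();                  /* refcount 1 */
    if (!c) return -1;
    cache_add(c, "cert:CA");                          /* constructed sample labels */
    cache_add(c, "cert:user");
    cache_add(c, "key:user");
    token_cache *user = cache_acquire(c);             /* refcount 2 */
    if (!user) return -2;
    if (cache_destroy(c) != 1 || freed_caches != 0)   /* owner gone, memory alive */
        return -3;
    int n = cache_find_by_prefix(user, "cert:", found, MAX_OBJECTS);
    if (n != 2 || strcmp(found[1], "cert:user") != 0) return -4;
    if (cache_acquire(user) != NULL) return -5;       /* latecomers are refused */
    if (cache_release(user) != 0 || freed_caches != 1) return -6; /* last ref frees */
    return n;
}
```

The important property is in cache_release: the decrement happens under the lock, but the destroy and free happen only after that unlock and only when the count reached zero, so no thread can still be inside a critical section on the mutex being destroyed.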
Updated 6 years ago:
Crash Signature: [@ PR_Unlock | nssTokenObjectCache_FindObjectsByTemplate | nssToken_FindObjectsByTemplate | nssToken_FindCertificateByIssuerAndSerialNumber | nssTrustDomain_UpdateCachedTokenCerts | PK11_DoPassword] → [@ PR_Unlock | nssTokenObjectCache_FindObjectsByTemplate | nssToken_FindObjectsByTemplate | nssToken_FindCertificateByIssuerAndSerialNumber | nssTrustDomain_UpdateCachedTokenCerts | PK11_DoPassword]
[@ nssTokenObjectCache_FindObjectsByTemplate | nssToken…
status-firefox65: --- → wontfix
status-firefox66: --- → affected
QA Contact: jjones
Updated 5 years ago:
Updated 4 years ago:
Severity: critical → S1
Priority: -- → P1
Whiteboard: [nss-fx]
Updated 4 years ago:
Severity: S1 → S3
Updated 3 years ago:
Depends on: CVE-2022-1097
Updated 3 years ago:
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Updated 3 years ago:
Group: crypto-core-security → core-security-release
Updated 1 year ago:
Group: core-security-release