Closed Bug 1467587 Opened 6 years ago Closed 3 years ago

Crash in PR_Unlock | nssTokenObjectCache_FindObjectsByTemplate | nssToken_FindObjectsByTemplate | nssToken_FindCertificateByIssuerAndSerialNumber | nssTrustDomain_UpdateCachedTokenCerts | PK11_DoPassword

Categories

(NSS :: Libraries, defect, P1)

Tracking

(firefox-esr52 unaffected, firefox-esr60 wontfix, firefox60 wontfix, firefox61 wontfix, firefox62 wontfix, firefox65 wontfix, firefox66 wontfix)

RESOLVED DUPLICATE of bug 1745667

People

(Reporter: philipp, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-uaf, sec-moderate, Whiteboard: [nss-fx])

Crash Data

This bug was filed from the Socorro interface and is report bp-e9190268-6473-4029-a1b4-405fb0180405.
=============================================================
Top 10 frames of crashing thread:
0 nss3.dll PR_Unlock nsprpub/pr/src/threads/combined/prulock.c:322
1 nss3.dll nssTokenObjectCache_FindObjectsByTemplate security/nss/lib/dev/devutil.c:736
2 nss3.dll nssToken_FindObjectsByTemplate security/nss/lib/dev/devtoken.c:412
3 nss3.dll nssToken_FindCertificateByIssuerAndSerialNumber security/nss/lib/dev/devtoken.c:830
4 nss3.dll nssTrustDomain_UpdateCachedTokenCerts security/nss/lib/pki/tdcache.c:474
5 nss3.dll PK11_DoPassword security/nss/lib/pk11wrap/pk11auth.c:640
6 nss3.dll PK11_Authenticate security/nss/lib/pk11wrap/pk11auth.c:324
7 nss3.dll pk11_AuthenticateUnfriendly security/nss/lib/pk11wrap/pk11auth.c:339
8 nss3.dll pk11_TraverseAllSlots security/nss/lib/pk11wrap/pk11obj.c:2027
9 nss3.dll CERT_GetCertNicknames security/nss/lib/certhigh/certhigh.c:483
=============================================================
These reports have been around for a while already (Firefox 55 is the earliest recorded crashing version) with a fairly low volume. Many user comments reference websites with a smartcard login as the source of the crash.
Group: core-security → crypto-core-security
These crashes all seem to be using a PKCS11 module. I saw several different ones, but b4wscard.dll version 1.2.0.0 seems fairly common. Since it's not just one vendor, either it's a very common implementation mistake (copied from our examples or Stack Overflow?) or it really is a bug in our code. Is there a race? On line 728 PZ_Lock(cache->lock) works fine and on line 736 PZ_Unlock(cache->lock) dies on a UAF on the lock. In between it calls get_token_objects_for_cache(), which messes with cache->objects but doesn't do anything to cache itself.
https://hg.mozilla.org/releases/mozilla-release/annotate/a0b222c551f586904f51228c49149d9b6b7e2a81/security/nss/lib/dev/devutil.c#l728
Assignee: nobody → nobody
Component: Security: PSM → Libraries
Keywords: sec-moderate
Product: Core → NSS
Version: unspecified → other
Crash Signature: [@ PR_Unlock | nssTokenObjectCache_FindObjectsByTemplate | nssToken_FindObjectsByTemplate | nssToken_FindCertificateByIssuerAndSerialNumber | nssTrustDomain_UpdateCachedTokenCerts | PK11_DoPassword] → [@ PR_Unlock | nssTokenObjectCache_FindObjectsByTemplate | nssToken_FindObjectsByTemplate | nssToken_FindCertificateByIssuerAndSerialNumber | nssTrustDomain_UpdateCachedTokenCerts | PK11_DoPassword] [@ nssTokenObjectCache_FindObjectsByTemplate | nssToken…
QA Contact: jjones
Severity: critical → S1
Priority: -- → P1
Whiteboard: [nss-fx]
Severity: S1 → S3
Depends on: CVE-2022-1097
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Group: crypto-core-security → core-security-release
Blocks: 1763237
Group: core-security-release