Closed Bug 1572164 Opened 6 years ago Closed 5 years ago

Use-after-Free in NSC_WrapKey

Categories

(NSS :: Libraries, defect, P2)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: jcj, Assigned: kjacobs)

References

Details

(Keywords: csectype-uaf, sec-audit)

Crash Data

Attachments

(1 file)

Bug 1572164 - Don't unnecessarily free session in NSC_WrapKey r=jcj
47 bytes, text/x-phabricator-request
Details | Review

Audit of NSC_WrapKey revealed that SFTKSession *session is used in its error legs after being freed: https://searchfox.org/mozilla-central/rev/9ae20497229225cb3fa729a787791f424ff8087b/security/nss/lib/softoken/pkcs11c.c#5608

This appears as a crash signature for NSC_WrapKey, which is accessible via WebCrypto. It's not a common crash, but is clear from inspection.

Crash Signature: NSC_WrapKey → [@ NSC_WrapKey ]

https://hg.mozilla.org/projects/nss/rev/b306ff3d6f4d7344c255f442e3f55d846e46de32

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.46
Group: crypto-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: