Closed Bug 1572593 Opened 3 years ago Closed 3 years ago

Heap buffer overrun in ssl_ConstructExtensions

Categories

(NSS :: Libraries, defect, P1)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kjacobs, Assigned: jcj)

References

Details

(Keywords: csectype-bounds, sec-low, wsec-dos)

Attachments

(2 files, 1 obsolete file)

ssl3_InitExtensionData allocates xtnData->advertised based on the number of possible extensions.

In ssl_ConstructExtensions, this buffer can be overrun if called multiple times with the same extension:

https://searchfox.org/mozilla-central/source/security/nss/lib/ssl/ssl3ext.c#794, triggering an ASAN crash from https://searchfox.org/mozilla-central/source/security/nss/gtests/ssl_gtest/ssl_auth_unittest.cc#295.

This doesn't seem to be remotely exploitable (beyond perhaps a DoS) since it's only triggered when preparing one's own messages.

In a situation where ssl_ConstructExtensions tries to make the same message
more than once (ssl_hs_certificate_request twice, for exmaple), we overrun
TLSExtensionDataStr.advertised. This patch checks that array to see if the
extension in question was already noted, for future calls to
ssl3_ExtensionAdvertised.

I think this could be prompted for a DTLS server by prompting retransmission of the hs_certificate_request, so it would be a potential DOS for servers (including WebRTC). However, what gets written out of bounds is practically fixed -- a 0x06 -- so keeping as sec-low.

Keywords: wsec-dos
Attachment #9084186 - Attachment description: Bug 1572593 - Don't overrun memory in ssl_ConstructExtensions → Bug 1572593 - Reset advertised extensions in ssl_ConstructExtensions
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.46

ASAN leaks detected in https://tools.taskcluster.net/task-inspector/#APb1Inj5THW11yH1J0Sx-A

=================================================================
==349==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 51451 byte(s) in 23 object(s) allocated from:
    #0 0x558460 in __interceptor_malloc (/home/worker/dist/Debug/bin/ssl_gtest+0x558460)
    #1 0x7f528ad8379c in PR_Malloc /home/worker/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c:435:55
    #2 0x7f528bf196bc in PORT_Alloc_Util /home/worker/nss/out/Debug/../../lib/util/secport.c:87:14
    #3 0x7f5287191fab in pkcs11_allocStaticData /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:360:33
    #4 0x7f5287191fe4 in pkcs11_copyStaticData /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:370:27
    #5 0x7f52871a0568 in DecodeDBCertEntry /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:743:27
    #6 0x7f52871a6a24 in certcallback /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:4368:10
    #7 0x7f52871973cd in nsslowcert_TraverseDBEntries /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:4232:18
    #8 0x7f5287197867 in TraversePermCertsNoLocking /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:4408:10
    #9 0x7f528719766d in nsslowcert_TraversePermCerts /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:4427:10
    #10 0x7f528717e218 in lg_searchCertsAndTrust /home/worker/nss/out/Debug/../../lib/softoken/legacydb/lgfind.c:521:9
    #11 0x7f528717cd88 in lg_searchTokenList /home/worker/nss/out/Debug/../../lib/softoken/legacydb/lgfind.c:812:9
    #12 0x7f528717b90a in lg_FindObjectsInit /home/worker/nss/out/Debug/../../lib/softoken/legacydb/lgfind.c:863:11
    #13 0x7f52874b6c78 in sftkdb_FindObjectsInit /home/worker/nss/out/Debug/../../lib/softoken/sftkdb.c:1229:11
    #14 0x7f528744c23e in sftk_searchDatabase /home/worker/nss/out/Debug/../../lib/softoken/pkcs11.c:4775:11
    #15 0x7f528744ce49 in sftk_searchTokenList /home/worker/nss/out/Debug/../../lib/softoken/pkcs11.c:4924:15
    #16 0x7f528744c9c5 in NSC_FindObjectsInit /home/worker/nss/out/Debug/../../lib/softoken/pkcs11.c:4978:11
    #17 0x10aeaf3 in nssToken_TraverseCertificates /home/worker/nss/out/Debug/../../lib/dev/devtoken.c:1489:12
    #18 0x1096b29 in NSSTrustDomain_TraverseCertificates /home/worker/nss/out/Debug/../../lib/pki/trustdomain.c:1019:23
    #19 0x10e3868 in PK11_TraverseSlotCerts /home/worker/nss/out/Debug/../../lib/pk11wrap/pk11cert.c:478:5
    #20 0xfe7ac6 in CERT_GetSSLCACerts /home/worker/nss/out/Debug/../../lib/certhigh/certhigh.c:664:10
    #21 0xcaa46a in nss_test::CheckCertReqAgainstDefaultCAs(CERTDistNamesStr const*) /home/worker/nss/out/Debug/../../gtests/ssl_gtest/tls_agent.cc:325:32
    #22 0xca9e8b in nss_test::TlsAgent::GetClientAuthDataHook(void*, PRFileDesc*, CERTDistNamesStr*, CERTCertificateStr**, SECKEYPrivateKeyStr**) /home/worker/nss/out/Debug/../../gtests/ssl_gtest/tls_agent.cc:343:3
    #23 0xec3d0b in ssl3_CompleteHandleCertificateRequest /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:7508:25
    #24 0xefa9f9 in ssl3_HandleCertificateRequest /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:7465:10
    #25 0xedbf4f in ssl3_HandlePostHelloHandshakeMessage /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:11951:18
    #26 0xed5ebf in ssl3_HandleHandshakeMessage /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:11875:22
    #27 0xedf4cc in ssl3_HandleHandshake /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:12049:18
    #28 0xedcbca in ssl3_HandleNonApplicationData /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:12568:22
    #29 0xee2eb6 in ssl3_HandleRecord /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:12849:12

Direct leak of 35792 byte(s) in 16 object(s) allocated from:
    #0 0x558460 in __interceptor_malloc (/home/worker/dist/Debug/bin/ssl_gtest+0x558460)
    #1 0x7f528ad8379c in PR_Malloc /home/worker/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c:435:55
    #2 0x7f528bf196bc in PORT_Alloc_Util /home/worker/nss/out/Debug/../../lib/util/secport.c:87:14
    #3 0x7f5287191fab in pkcs11_allocStaticData /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:360:33
    #4 0x7f5287191fe4 in pkcs11_copyStaticData /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:370:27
    #5 0x7f52871a0568 in DecodeDBCertEntry /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:743:27
    #6 0x7f52871a6a24 in certcallback /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:4368:10
    #7 0x7f52871973cd in nsslowcert_TraverseDBEntries /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:4232:18
    #8 0x7f5287197867 in TraversePermCertsNoLocking /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:4408:10
    #9 0x7f528719766d in nsslowcert_TraversePermCerts /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:4427:10
    #10 0x7f528717e218 in lg_searchCertsAndTrust /home/worker/nss/out/Debug/../../lib/softoken/legacydb/lgfind.c:521:9
    #11 0x7f528717cd88 in lg_searchTokenList /home/worker/nss/out/Debug/../../lib/softoken/legacydb/lgfind.c:812:9
    #12 0x7f528717b90a in lg_FindObjectsInit /home/worker/nss/out/Debug/../../lib/softoken/legacydb/lgfind.c:863:11
    #13 0x7f52874b6c78 in sftkdb_FindObjectsInit /home/worker/nss/out/Debug/../../lib/softoken/sftkdb.c:1229:11
    #14 0x7f528744c23e in sftk_searchDatabase /home/worker/nss/out/Debug/../../lib/softoken/pkcs11.c:4775:11
    #15 0x7f528744ce49 in sftk_searchTokenList /home/worker/nss/out/Debug/../../lib/softoken/pkcs11.c:4924:15
    #16 0x7f528744c9c5 in NSC_FindObjectsInit /home/worker/nss/out/Debug/../../lib/softoken/pkcs11.c:4978:11
    #17 0x10aeaf3 in nssToken_TraverseCertificates /home/worker/nss/out/Debug/../../lib/dev/devtoken.c:1489:12
    #18 0x1096b29 in NSSTrustDomain_TraverseCertificates /home/worker/nss/out/Debug/../../lib/pki/trustdomain.c:1019:23
    #19 0x10e3868 in PK11_TraverseSlotCerts /home/worker/nss/out/Debug/../../lib/pk11wrap/pk11cert.c:478:5
    #20 0xfe7ac6 in CERT_GetSSLCACerts /home/worker/nss/out/Debug/../../lib/certhigh/certhigh.c:664:10
    #21 0xcaa46a in nss_test::CheckCertReqAgainstDefaultCAs(CERTDistNamesStr const*) /home/worker/nss/out/Debug/../../gtests/ssl_gtest/tls_agent.cc:325:32
    #22 0xca9e8b in nss_test::TlsAgent::GetClientAuthDataHook(void*, PRFileDesc*, CERTDistNamesStr*, CERTCertificateStr**, SECKEYPrivateKeyStr**) /home/worker/nss/out/Debug/../../gtests/ssl_gtest/tls_agent.cc:343:3
    #23 0xec3d0b in ssl3_CompleteHandleCertificateRequest /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:7508:25
    #24 0xefa9f9 in ssl3_HandleCertificateRequest /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:7465:10
    #25 0xedbf4f in ssl3_HandlePostHelloHandshakeMessage /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:11951:18
    #26 0xed5ebf in ssl3_HandleHandshakeMessage /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:11875:22
    #27 0xe907b0 in dtls_HandleHandshakeMessage /home/worker/nss/out/Debug/../../lib/ssl/dtlscon.c:248:12
    #28 0xe8f3c4 in dtls_HandleHandshake /home/worker/nss/out/Debug/../../lib/ssl/dtlscon.c:364:18
    #29 0xedcbea in ssl3_HandleNonApplicationData /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:12570:22

Direct leak of 33555 byte(s) in 15 object(s) allocated from:
    #0 0x558460 in __interceptor_malloc (/home/worker/dist/Debug/bin/ssl_gtest+0x558460)
    #1 0x7f528ad8379c in PR_Malloc /home/worker/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c:435:55
    #2 0x7f528bf196bc in PORT_Alloc_Util /home/worker/nss/out/Debug/../../lib/util/secport.c:87:14
    #3 0x7f5287191fab in pkcs11_allocStaticData /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:360:33
    #4 0x7f5287191fe4 in pkcs11_copyStaticData /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:370:27
    #5 0x7f52871a0568 in DecodeDBCertEntry /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:743:27
    #6 0x7f52871a6a24 in certcallback /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:4368:10
    #7 0x7f52871973cd in nsslowcert_TraverseDBEntries /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:4232:18
    #8 0x7f5287197867 in TraversePermCertsNoLocking /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:4408:10
    #9 0x7f528719766d in nsslowcert_TraversePermCerts /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:4427:10
    #10 0x7f528717e218 in lg_searchCertsAndTrust /home/worker/nss/out/Debug/../../lib/softoken/legacydb/lgfind.c:521:9
    #11 0x7f528717cd88 in lg_searchTokenList /home/worker/nss/out/Debug/../../lib/softoken/legacydb/lgfind.c:812:9
    #12 0x7f528717b90a in lg_FindObjectsInit /home/worker/nss/out/Debug/../../lib/softoken/legacydb/lgfind.c:863:11
    #13 0x7f52874b6c78 in sftkdb_FindObjectsInit /home/worker/nss/out/Debug/../../lib/softoken/sftkdb.c:1229:11
    #14 0x7f528744c23e in sftk_searchDatabase /home/worker/nss/out/Debug/../../lib/softoken/pkcs11.c:4775:11
    #15 0x7f528744ce49 in sftk_searchTokenList /home/worker/nss/out/Debug/../../lib/softoken/pkcs11.c:4924:15
    #16 0x7f528744c9c5 in NSC_FindObjectsInit /home/worker/nss/out/Debug/../../lib/softoken/pkcs11.c:4978:11
    #17 0x10aeaf3 in nssToken_TraverseCertificates /home/worker/nss/out/Debug/../../lib/dev/devtoken.c:1489:12
    #18 0x1096b29 in NSSTrustDomain_TraverseCertificates /home/worker/nss/out/Debug/../../lib/pki/trustdomain.c:1019:23
    #19 0x10e3868 in PK11_TraverseSlotCerts /home/worker/nss/out/Debug/../../lib/pk11wrap/pk11cert.c:478:5
    #20 0xfe7ac6 in CERT_GetSSLCACerts /home/worker/nss/out/Debug/../../lib/certhigh/certhigh.c:664:10
    #21 0xcaa46a in nss_test::CheckCertReqAgainstDefaultCAs(CERTDistNamesStr const*) /home/worker/nss/out/Debug/../../gtests/ssl_gtest/tls_agent.cc:325:32
    #22 0xca9e8b in nss_test::TlsAgent::GetClientAuthDataHook(void*, PRFileDesc*, CERTDistNamesStr*, CERTCertificateStr**, SECKEYPrivateKeyStr**) /home/worker/nss/out/Debug/../../gtests/ssl_gtest/tls_agent.cc:343:3
    #23 0xec3d0b in ssl3_CompleteHandleCertificateRequest /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:7508:25
    #24 0xf8d651 in tls13_HandleCertificateVerify /home/worker/nss/out/Debug/../../lib/ssl/tls13con.c:4268:14
    #25 0xf88383 in tls13_HandlePostHelloHandshakeMessage /home/worker/nss/out/Debug/../../lib/ssl/tls13con.c:932:20
    #26 0xed5ed7 in ssl3_HandleHandshakeMessage /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:11877:22
    #27 0xe907b0 in dtls_HandleHandshakeMessage /home/worker/nss/out/Debug/../../lib/ssl/dtlscon.c:248:12
    #28 0xe8f3c4 in dtls_HandleHandshake /home/worker/nss/out/Debug/../../lib/ssl/dtlscon.c:364:18
    #29 0xedcbea in ssl3_HandleNonApplicationData /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:12570:22

Direct leak of 31318 byte(s) in 14 object(s) allocated from:
    #0 0x558460 in __interceptor_malloc (/home/worker/dist/Debug/bin/ssl_gtest+0x558460)
    #1 0x7f528ad8379c in PR_Malloc /home/worker/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c:435:55
    #2 0x7f528bf196bc in PORT_Alloc_Util /home/worker/nss/out/Debug/../../lib/util/secport.c:87:14
    #3 0x7f5287191fab in pkcs11_allocStaticData /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:360:33
    #4 0x7f5287191fe4 in pkcs11_copyStaticData /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:370:27
    #5 0x7f52871a0568 in DecodeDBCertEntry /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:743:27
    #6 0x7f52871a6a24 in certcallback /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:4368:10
    #7 0x7f52871973cd in nsslowcert_TraverseDBEntries /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:4232:18
    #8 0x7f5287197867 in TraversePermCertsNoLocking /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:4408:10
    #9 0x7f528719766d in nsslowcert_TraversePermCerts /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:4427:10
    #10 0x7f528717e218 in lg_searchCertsAndTrust /home/worker/nss/out/Debug/../../lib/softoken/legacydb/lgfind.c:521:9
    #11 0x7f528717cd88 in lg_searchTokenList /home/worker/nss/out/Debug/../../lib/softoken/legacydb/lgfind.c:812:9
    #12 0x7f528717b90a in lg_FindObjectsInit /home/worker/nss/out/Debug/../../lib/softoken/legacydb/lgfind.c:863:11
    #13 0x7f52874b6c78 in sftkdb_FindObjectsInit /home/worker/nss/out/Debug/../../lib/softoken/sftkdb.c:1229:11
    #14 0x7f528744c23e in sftk_searchDatabase /home/worker/nss/out/Debug/../../lib/softoken/pkcs11.c:4775:11
    #15 0x7f528744ce49 in sftk_searchTokenList /home/worker/nss/out/Debug/../../lib/softoken/pkcs11.c:4924:15
    #16 0x7f528744c9c5 in NSC_FindObjectsInit /home/worker/nss/out/Debug/../../lib/softoken/pkcs11.c:4978:11
    #17 0x10aeaf3 in nssToken_TraverseCertificates /home/worker/nss/out/Debug/../../lib/dev/devtoken.c:1489:12
    #18 0x1096b29 in NSSTrustDomain_TraverseCertificates /home/worker/nss/out/Debug/../../lib/pki/trustdomain.c:1019:23
    #19 0x10e3868 in PK11_TraverseSlotCerts /home/worker/nss/out/Debug/../../lib/pk11wrap/pk11cert.c:478:5
    #20 0xfe7ac6 in CERT_GetSSLCACerts /home/worker/nss/out/Debug/../../lib/certhigh/certhigh.c:664:10
    #21 0xcaa46a in nss_test::CheckCertReqAgainstDefaultCAs(CERTDistNamesStr const*) /home/worker/nss/out/Debug/../../gtests/ssl_gtest/tls_agent.cc:325:32
    #22 0xca9e8b in nss_test::TlsAgent::GetClientAuthDataHook(void*, PRFileDesc*, CERTDistNamesStr*, CERTCertificateStr**, SECKEYPrivateKeyStr**) /home/worker/nss/out/Debug/../../gtests/ssl_gtest/tls_agent.cc:343:3
    #23 0xec3d0b in ssl3_CompleteHandleCertificateRequest /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:7508:25
    #24 0xf8d651 in tls13_HandleCertificateVerify /home/worker/nss/out/Debug/../../lib/ssl/tls13con.c:4268:14
    #25 0xf88383 in tls13_HandlePostHelloHandshakeMessage /home/worker/nss/out/Debug/../../lib/ssl/tls13con.c:932:20
    #26 0xed5ed7 in ssl3_HandleHandshakeMessage /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:11877:22
    #27 0xedf4cc in ssl3_HandleHandshake /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:12049:18
    #28 0xedcbca in ssl3_HandleNonApplicationData /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:12568:22
    #29 0xee2eb6 in ssl3_HandleRecord /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:12849:12

Direct leak of 11185 byte(s) in 5 object(s) allocated from:
    #0 0x558460 in __interceptor_malloc (/home/worker/dist/Debug/bin/ssl_gtest+0x558460)
    #1 0x7f528ad8379c in PR_Malloc /home/worker/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c:435:55
    #2 0x7f528bf196bc in PORT_Alloc_Util /home/worker/nss/out/Debug/../../lib/util/secport.c:87:14
    #3 0x7f5287191fab in pkcs11_allocStaticData /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:360:33
    #4 0x7f5287191fe4 in pkcs11_copyStaticData /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:370:27
    #5 0x7f52871a0568 in DecodeDBCertEntry /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:743:27
    #6 0x7f52871a6a24 in certcallback /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:4368:10
    #7 0x7f52871973cd in nsslowcert_TraverseDBEntries /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:4232:18
    #8 0x7f5287197867 in TraversePermCertsNoLocking /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:4408:10
    #9 0x7f528719766d in nsslowcert_TraversePermCerts /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:4427:10
    #10 0x7f528717e218 in lg_searchCertsAndTrust /home/worker/nss/out/Debug/../../lib/softoken/legacydb/lgfind.c:521:9
    #11 0x7f528717cd88 in lg_searchTokenList /home/worker/nss/out/Debug/../../lib/softoken/legacydb/lgfind.c:812:9
    #12 0x7f528717b90a in lg_FindObjectsInit /home/worker/nss/out/Debug/../../lib/softoken/legacydb/lgfind.c:863:11
    #13 0x7f52874b6c78 in sftkdb_FindObjectsInit /home/worker/nss/out/Debug/../../lib/softoken/sftkdb.c:1229:11
    #14 0x7f528744c23e in sftk_searchDatabase /home/worker/nss/out/Debug/../../lib/softoken/pkcs11.c:4775:11
    #15 0x7f528744ce49 in sftk_searchTokenList /home/worker/nss/out/Debug/../../lib/softoken/pkcs11.c:4924:15
    #16 0x7f528744c9c5 in NSC_FindObjectsInit /home/worker/nss/out/Debug/../../lib/softoken/pkcs11.c:4978:11
    #17 0x10aeaf3 in nssToken_TraverseCertificates /home/worker/nss/out/Debug/../../lib/dev/devtoken.c:1489:12
    #18 0x1096b29 in NSSTrustDomain_TraverseCertificates /home/worker/nss/out/Debug/../../lib/pki/trustdomain.c:1019:23
    #19 0x10e3868 in PK11_TraverseSlotCerts /home/worker/nss/out/Debug/../../lib/pk11wrap/pk11cert.c:478:5
    #20 0xfe7ac6 in CERT_GetSSLCACerts /home/worker/nss/out/Debug/../../lib/certhigh/certhigh.c:664:10
    #21 0xcaa46a in nss_test::CheckCertReqAgainstDefaultCAs(CERTDistNamesStr const*) /home/worker/nss/out/Debug/../../gtests/ssl_gtest/tls_agent.cc:325:32
    #22 0xca9e8b in nss_test::TlsAgent::GetClientAuthDataHook(void*, PRFileDesc*, CERTDistNamesStr*, CERTCertificateStr**, SECKEYPrivateKeyStr**) /home/worker/nss/out/Debug/../../gtests/ssl_gtest/tls_agent.cc:343:3
    #23 0xec3d0b in ssl3_CompleteHandleCertificateRequest /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:7508:25
    #24 0xf8b6b2 in tls13_HandleCertificateRequest /home/worker/nss/out/Debug/../../lib/ssl/tls13con.c:2556:14
    #25 0xf8836b in tls13_HandlePostHelloHandshakeMessage /home/worker/nss/out/Debug/../../lib/ssl/tls13con.c:929:20
    #26 0xed5ed7 in ssl3_HandleHandshakeMessage /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:11877:22
    #27 0xedf4cc in ssl3_HandleHandshake /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:12049:18
    #28 0xedcbca in ssl3_HandleNonApplicationData /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:12568:22
    #29 0xee2eb6 in ssl3_HandleRecord /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:12849:12

Direct leak of 2237 byte(s) in 1 object(s) allocated from:
    #0 0x558460 in __interceptor_malloc (/home/worker/dist/Debug/bin/ssl_gtest+0x558460)
    #1 0x7f528ad8379c in PR_Malloc /home/worker/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c:435:55
    #2 0x7f528bf196bc in PORT_Alloc_Util /home/worker/nss/out/Debug/../../lib/util/secport.c:87:14
    #3 0x7f5287191fab in pkcs11_allocStaticData /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:360:33
    #4 0x7f5287191fe4 in pkcs11_copyStaticData /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:370:27
    #5 0x7f52871a0568 in DecodeDBCertEntry /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:743:27
    #6 0x7f52871a6a24 in certcallback /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:4368:10
    #7 0x7f52871973cd in nsslowcert_TraverseDBEntries /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:4232:18
    #8 0x7f5287197867 in TraversePermCertsNoLocking /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:4408:10
    #9 0x7f528719766d in nsslowcert_TraversePermCerts /home/worker/nss/out/Debug/../../lib/softoken/legacydb/pcertdb.c:4427:10
    #10 0x7f528717e218 in lg_searchCertsAndTrust /home/worker/nss/out/Debug/../../lib/softoken/legacydb/lgfind.c:521:9
    #11 0x7f528717cd88 in lg_searchTokenList /home/worker/nss/out/Debug/../../lib/softoken/legacydb/lgfind.c:812:9
    #12 0x7f528717b90a in lg_FindObjectsInit /home/worker/nss/out/Debug/../../lib/softoken/legacydb/lgfind.c:863:11
    #13 0x7f52874b6c78 in sftkdb_FindObjectsInit /home/worker/nss/out/Debug/../../lib/softoken/sftkdb.c:1229:11
    #14 0x7f528744c23e in sftk_searchDatabase /home/worker/nss/out/Debug/../../lib/softoken/pkcs11.c:4775:11
    #15 0x7f528744ce49 in sftk_searchTokenList /home/worker/nss/out/Debug/../../lib/softoken/pkcs11.c:4924:15
    #16 0x7f528744c9c5 in NSC_FindObjectsInit /home/worker/nss/out/Debug/../../lib/softoken/pkcs11.c:4978:11
    #17 0x10aeaf3 in nssToken_TraverseCertificates /home/worker/nss/out/Debug/../../lib/dev/devtoken.c:1489:12
    #18 0x1096b29 in NSSTrustDomain_TraverseCertificates /home/worker/nss/out/Debug/../../lib/pki/trustdomain.c:1019:23
    #19 0x10e3868 in PK11_TraverseSlotCerts /home/worker/nss/out/Debug/../../lib/pk11wrap/pk11cert.c:478:5
    #20 0xfe7ac6 in CERT_GetSSLCACerts /home/worker/nss/out/Debug/../../lib/certhigh/certhigh.c:664:10
    #21 0xf29425 in ssl_SetupCAListOnce /home/worker/nss/out/Debug/../../lib/ssl/sslcert.c:43:36
    #22 0x7f528ada3ead in PR_CallOnceWithArg /home/worker/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinit.c:799:21
    #23 0xf29384 in ssl_SetupCAList /home/worker/nss/out/Debug/../../lib/ssl/sslcert.c:52:23
    #24 0xf29595 in ssl_GetCertificateRequestCAs /home/worker/nss/out/Debug/../../lib/ssl/sslcert.c:76:13
    #25 0xfc4793 in tls13_SendCertAuthoritiesXtn /home/worker/nss/out/Debug/../../lib/ssl/tls13exthandle.c:1025:10
    #26 0xf14881 in ssl_ConstructExtensions /home/worker/nss/out/Debug/../../lib/ssl/ssl3ext.c:771:14
    #27 0xf8787c in tls13_SendCertificateRequest /home/worker/nss/out/Debug/../../lib/ssl/tls13con.c:2252:10
    #28 0xf87224 in SSLExp_SendCertificateRequest /home/worker/nss/out/Debug/../../lib/ssl/tls13con.c:901:10
    #29 0x685b23 in nss_test::TlsConnectStreamTls13_PostHandshakeAuth_Test::TestBody() /home/worker/nss/out/Debug/../../gtests/ssl_gtest/ssl_auth_unittest.cc:230:3

SUMMARY: AddressSanitizer: 165538 byte(s) leaked in 74 allocation(s).
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

The error is https://searchfox.org/nss/source/lib/softoken/legacydb/pcertdb.c#4370

certcallback don’t clean up the newly-allocated entry on error, and neither does the callee, DecodeDBCertEntry.

Comment on attachment 9085531 [details]
Bug 1572593 - Fix memory leak in DecodeDBCertEntry on error r?kjacobs

Revision D42004 was moved to bug 1573945. Setting attachment 9085531 [details] to obsolete.

Attachment #9085531 - Attachment is obsolete: true

Moved the new patch to its own bug: To fix that will be non-trivial.

For now I'm going to re-revert part of https://hg.mozilla.org/projects/nss/rev/1ca362213631d6edc885b6b965b52ecffcf29afd to un-break trunk.

Even though the leak is still there.

Status: REOPENED → RESOLVED
Closed: 3 years ago3 years ago
Resolution: --- → FIXED
Group: crypto-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.