Closed Bug 1572593 Opened 4 years ago Closed 4 years ago

Heap buffer overrun in ssl_ConstructExtensions

Categories: NSS :: Libraries, defect, P1
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: kjacobs, Assigned: jcj
Keywords: csectype-bounds, sec-low, wsec-dos
Attachments: 2 files, 1 obsolete file

ssl3_InitExtensionData allocates xtnData->advertised based on the number of possible extensions.

In ssl_ConstructExtensions, this buffer can be overrun if called multiple times with the same extension:

https://searchfox.org/mozilla-central/source/security/nss/lib/ssl/ssl3ext.c#794, triggering an ASAN crash from https://searchfox.org/mozilla-central/source/security/nss/gtests/ssl_gtest/ssl_auth_unittest.cc#295.

This doesn't seem to be remotely exploitable (beyond perhaps a DoS) since it's only triggered when preparing one's own messages.

In a situation where ssl_ConstructExtensions tries to make the same message
more than once (ssl_hs_certificate_request twice, for example), we overrun
TLSExtensionDataStr.advertised. This patch checks that array to see if the
extension in question was already noted, for future calls to
ssl3_ExtensionAdvertised.
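An added illustration of the overrun described above and of the two mitigation ideas from the attachment titles (skip already-noted types, or reset the list before constructing a message). This is not NSS code: the array size, extension codepoints and function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the bug, not NSS code. `advertised` stands in for
 * TLSExtensionDataStr.advertised, sized once at init time the way
 * ssl3_InitExtensionData does; the slot count and codepoints are made up. */
#define NUM_EXT_SLOTS 3                     /* "number of possible extensions" */
enum { EXT_SIG_ALGS = 13, EXT_CERT_AUTHS = 47 };
enum { MODE_UNCHECKED = 0, MODE_DEDUPE = 1, MODE_RESET = 2 };

typedef struct {
    uint16_t advertised[NUM_EXT_SLOTS];
    unsigned numAdvertised;
    unsigned overruns;   /* writes that would have landed past the array */
} XtnData;

/* Extensions this example attaches to a CertificateRequest (constructed). */
static const uint16_t kCertReqXtns[] = { EXT_SIG_ALGS, EXT_CERT_AUTHS };

static int alreadyAdvertised(const XtnData *xd, uint16_t type)
{
    for (unsigned i = 0; i < xd->numAdvertised; i++) {
        if (xd->advertised[i] == type) {
            return 1;
        }
    }
    return 0;
}

/* Records one advertised extension. In MODE_UNCHECKED every call appends,
 * which is the bug: constructing the same message again keeps growing the
 * index. The bound test below exists only so this example can count the
 * overrun instead of writing past the array as the original code did. */
static void noteAdvertised(XtnData *xd, uint16_t type, int mode)
{
    if (mode == MODE_DEDUPE && alreadyAdvertised(xd, type)) {
        return;                       /* first patch idea: skip known types */
    }
    if (xd->numAdvertised >= NUM_EXT_SLOTS) {
        xd->overruns++;
        return;
    }
    xd->advertised[xd->numAdvertised++] = type;
}

/* Constructs the CertificateRequest extensions `times` times, as repeated
 * DTLS retransmission of that message would. Returns the overrun count and,
 * via outAdvertised, how many entries the array holds afterwards. */
unsigned constructCertReq(int mode, unsigned times, unsigned *outAdvertised)
{
    XtnData xd;
    memset(&xd, 0, sizeof xd);
    for (unsigned t = 0; t < times; t++) {
        if (mode == MODE_RESET) {
            xd.numAdvertised = 0;     /* second idea: reset before each message */
        }
        for (size_t i = 0; i < sizeof kCertReqXtns / sizeof kCertReqXtns[0]; i++) {
            noteAdvertised(&xd, kCertReqXtns[i], mode);
        }
    }
    if (outAdvertised) {
        *outAdvertised = xd.numAdvertised;
    }
    return xd.overruns;
}
```

With three slots and two extensions per message, the unchecked variant overruns on the second construction while both mitigations keep the array at two entries however often the message is rebuilt.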

I think this could be prompted for a DTLS server by prompting retransmission of the hs_certificate_request, so it would be a potential DOS for servers (including WebRTC). However, what gets written out of bounds is practically fixed -- a 0x06 -- so keeping as sec-low.

Keywords: wsec-dos
Attachment #9084186 - Attachment description: Bug 1572593 - Don't overrun memory in ssl_ConstructExtensions → Bug 1572593 - Reset advertised extensions in ssl_ConstructExtensions
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.46

ASAN leaks detected in https://tools.taskcluster.net/task-inspector/#APb1Inj5THW11yH1J0Sx-A

SUMMARY: AddressSanitizer: 165538 byte(s) leaked in 74 allocation(s).
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

The error is https://searchfox.org/nss/source/lib/softoken/legacydb/pcertdb.c#4370

certcallback doesn't clean up the newly-allocated entry on error, and neither does the callee, DecodeDBCertEntry.

Comment on attachment 9085531
Bug 1572593 - Fix memory leak in DecodeDBCertEntry on error r?kjacobs

Revision D42004 was moved to bug 1573945. Setting attachment 9085531 to obsolete.

Attachment #9085531 - Attachment is obsolete: true

Moved the new patch to its own bug: to fix that will be non-trivial.

For now I'm going to re-revert part of https://hg.mozilla.org/projects/nss/rev/1ca362213631d6edc885b6b965b52ecffcf29afd to un-break trunk.

Even though the leak is still there.

Status: REOPENED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Group: crypto-core-security → core-security-release
Group: core-security-release