1591363 - PBKDF2 memory leak in NSC_GenerateKey if key length > MAX_KEY_LEN (256)

Status: RESOLVED FIXED

(NSS :: Libraries, defect, P1)

Description

[Guido Vranken]

Attachment: pbkdf2_leak_poc.cpp

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0

Steps to reproduce:

PBKDF2 with keysize > 256
See attached file.

Actual results:

Memory leak (NSSPKCS5PBEParameter allocated but not freed).

In NSC_GenerateKey, after NSSPKCS5PBEParameter has been allocated to pbe_param by nsc_SetupPBEKeyGen, the following checks return to caller without freeing pbe_param:

/* make sure we aren't going to overflow the buffer */
if (sizeof(buf) < key_length) {
    /* someone is getting pretty optimistic about how big their key can
     * be... */
    crv = CKR_TEMPLATE_INCONSISTENT;
}    

if (crv != CKR_OK) {
    goto loser;
} 

Expected results:

No memory leak.

Comment 1

[J.C. Jones [:jcj] (he/him)]

Marcus, can you confirm/triage?

Comment 2

[Marcus Burghardt]

Sure. I will deal with this this tomorrow.

Comment 3

[Marcus Burghardt]

Confirmed. Sending a patch soon.

Comment 4

[Marcus Burghardt]

Attachment: Bug 1591363 - PBKDF2 memory leaks in NSC_GenerateKey. r=jcj

Comment 5

[Marcus Burghardt]

During the flow analysis, I could find another leak similar with the reported in this bug. Both were fixed in this patch.

Comment 6

[J.C. Jones [:jcj] (he/him)]

https://hg.mozilla.org/projects/nss/rev/7ef8d2604494dcd1785151a00d27e0bcf4989574

Comment 7

[J.C. Jones [:jcj] (he/him)]

Attachment: Bug 1591363 - Fixup double-free of params in nsc_SetupPBEKeyGen r=keeler

Caused in commit 7ef8d2604494.

Comment 8

[J.C. Jones [:jcj] (he/him)]

Fixup needed for coverity issue discovered upon uplift: https://phabricator.services.mozilla.com/D52779#1605218

Comment 9

[J.C. Jones [:jcj] (he/him)]

https://hg.mozilla.org/projects/nss/rev/87f35ba4c82f17204c6714f10559a37896f0314f