Closed Bug 1593401 Opened 2 years ago Closed 1 year ago

AddressSanitizer: heap-use-after-free z:\build\build\src\security\nss\lib\cryptohi\seckey.c:1025 in SECKEY_PublicKeyStrengthInBits

Categories

(NSS :: Libraries, defect, P2)


Tracking

(firefox-esr68- wontfix, firefox71 wontfix, firefox72 fixed)

RESOLVED FIXED

People

(Reporter: CosminS, Assigned: kjacobs)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-race, csectype-uaf, sec-moderate, Whiteboard: [adv-main72-][post-critsmash-triage])

Attachments

(1 file)

Treeherder push: https://treeherder.mozilla.org/#/jobs?repo=autoland&selectedJob=274182692&resultStatus=testfailed%2Cbusted%2Cexception&classifiedState=unclassified&revision=ae8a16518084434ca7ff1af082d321923c490787&searchStr=Windows%2C10%2Cx64%2Casan%2CMochitests%2Ctest-windows10-64-asan%2Fopt-mochitest-browser-chrome-e10s-7%2CM%28bc7%29

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=274182692&repo=autoland&lineNumber=5606
Raw log: https://taskcluster-artifacts.net/cQX2JcFFRnejVF-VG2rQaw/0/public/logs/live_backing.log

[task 2019-11-02T00:25:46.309Z] 00:25:46 ERROR - ==8012==ERROR: AddressSanitizer: heap-use-after-free on address 0x12193ef5d2a8 at pc 0x7ff82d94de3f bp 0x00697787c480 sp 0x00697787c4c8
[task 2019-11-02T00:25:46.309Z] 00:25:46 INFO - READ of size 4 at 0x12193ef5d2a8 thread T3
[task 2019-11-02T00:25:46.347Z] 00:25:46 INFO - #0 0x7ff82d94de3e in SECKEY_PublicKeyStrengthInBits z:\build\build\src\security\nss\lib\cryptohi\seckey.c:1025
[task 2019-11-02T00:25:46.347Z] 00:25:46 INFO - #1 0x7ff82d94db68 in SECKEY_PublicKeyStrength z:\build\build\src\security\nss\lib\cryptohi\seckey.c:1010
[task 2019-11-02T00:25:46.347Z] 00:25:46 INFO - #2 0x7ff82db0923e in ssl_GenerateSelfEncryptKeysOnce z:\build\build\src\security\nss\lib\ssl\sslsnce.c:1806
[task 2019-11-02T00:25:46.347Z] 00:25:46 INFO - #3 0x7ff82d8e8e39 in PR_CallOnceWithArg z:\build\build\src\nsprpub\pr\src\misc\prinit.c:807
[task 2019-11-02T00:25:46.347Z] 00:25:46 INFO - #4 0x7ff82db08be7 in ssl_GetSelfEncryptKeys z:\build\build\src\security\nss\lib\ssl\sslsnce.c:1820
[task 2019-11-02T00:25:46.348Z] 00:25:46 INFO - #5 0x7ff82daa0839 in ssl_SelfEncryptProtect z:\build\build\src\security\nss\lib\ssl\selfencrypt.c:290
[task 2019-11-02T00:25:46.348Z] 00:25:46 INFO - #6 0x7ff82dae7296 in ssl3_EncodeSessionTicket z:\build\build\src\security\nss\lib\ssl\ssl3exthandle.c:824
[task 2019-11-02T00:25:46.348Z] 00:25:46 INFO - #7 0x7ff82db30520 in tls13_SendNewSessionTicket z:\build\build\src\security\nss\lib\ssl\tls13con.c:4939
[task 2019-11-02T00:25:46.349Z] 00:25:46 INFO - #8 0x7ff82db24237 in tls13_HandlePostHelloHandshakeMessage z:\build\build\src\security\nss\lib\ssl\tls13con.c:942
[task 2019-11-02T00:25:46.349Z] 00:25:46 INFO - #9 0x7ff82dac227b in ssl3_HandleHandshakeMessage z:\build\build\src\security\nss\lib\ssl\ssl3con.c:12048
[task 2019-11-02T00:25:46.350Z] 00:25:46 INFO - #10 0x7ff82dacf0ba in ssl3_HandleNonApplicationData z:\build\build\src\security\nss\lib\ssl\ssl3con.c:12739
[task 2019-11-02T00:25:46.350Z] 00:25:46 INFO - #11 0x7ff82dad167c in ssl3_HandleRecord z:\build\build\src\security\nss\lib\ssl\ssl3con.c:13021
[task 2019-11-02T00:25:46.351Z] 00:25:46 INFO - #12 0x7ff82daed86e in ssl3_GatherCompleteHandshake z:\build\build\src\security\nss\lib\ssl\ssl3gthr.c:512
[task 2019-11-02T00:25:46.352Z] 00:25:46 INFO - #13 0x7ff82daf2dfa in ssl_GatherRecord1stHandshake z:\build\build\src\security\nss\lib\ssl\sslcon.c:73
[task 2019-11-02T00:25:46.352Z] 00:25:46 INFO - #14 0x7ff82db01e04 in ssl_SecureRecv z:\build\build\src\security\nss\lib\ssl\sslsecur.c:808
[task 2019-11-02T00:25:46.353Z] 00:25:46 INFO - #15 0x7ff82db1c055 in ssl_Recv z:\build\build\src\security\nss\lib\ssl\sslsock.c:3104
[task 2019-11-02T00:25:46.353Z] 00:25:46 INFO - #16 0x7ff711565032 (Z:\task_1572652749\build\tests\bin\ssltunnel.exe+0x140005032)
[task 2019-11-02T00:25:46.354Z] 00:25:46 INFO - #17 0x7ff82d8fba1a in wstart z:\build\build\src\nsprpub\pr\src\misc\prtpool.c:209
[task 2019-11-02T00:25:46.354Z] 00:25:46 INFO - #18 0x7ff82d9073dd in _PR_NativeRunThread z:\build\build\src\nsprpub\pr\src\threads\combined\pruthr.c:399
[task 2019-11-02T00:25:46.355Z] 00:25:46 INFO - #19 0x7ff82d8d73f4 in pr_root z:\build\build\src\nsprpub\pr\src\md\windows\w95thred.c:139
[task 2019-11-02T00:25:46.355Z] 00:25:46 INFO - #20 0x7ff842c4c4bd (C:\Windows\System32\ucrtbase.dll+0x18001c4bd)
[task 2019-11-02T00:25:46.356Z] 00:25:46 INFO - #21 0x7ff82dd1f838 (Z:\task_1572652749\build\tests\bin\clang_rt.asan_dynamic-x86_64.dll+0x18003f838)
[task 2019-11-02T00:25:46.356Z] 00:25:46 INFO - #22 0x7ff8463a3033 (C:\Windows\System32\KERNEL32.DLL+0x180013033)
[task 2019-11-02T00:25:46.356Z] 00:25:46 INFO - #23 0x7ff846801460 (C:\Windows\SYSTEM32\ntdll.dll+0x180071460)
[task 2019-11-02T00:25:46.357Z] 00:25:46 INFO - 0x12193ef5d2a8 is located 40 bytes inside of 2048-byte region [0x12193ef5d280,0x12193ef5da80)
[task 2019-11-02T00:25:46.357Z] 00:25:46 INFO - freed by thread T6 here:
[task 2019-11-02T00:25:46.357Z] 00:25:46 INFO - #0 0x7ff82dd14ae4 (Z:\task_1572652749\build\tests\bin\clang_rt.asan_dynamic-x86_64.dll+0x180034ae4)
[task 2019-11-02T00:25:46.358Z] 00:25:46 INFO - #1 0x7ff82da644f4 in PL_FinishArenaPool z:\build\build\src\nsprpub\lib\ds\plarena.c:227
[task 2019-11-02T00:25:46.358Z] 00:25:46 INFO - #2 0x7ff82da53014 in PORT_FreeArena_Util z:\build\build\src\security\nss\lib\util\secport.c:380
[task 2019-11-02T00:25:46.361Z] 00:25:46 INFO - #3 0x7ff82db08a97 in ssl_SetSelfEncryptKeyPair z:\build\build\src\security\nss\lib\ssl\sslsnce.c:1715
[task 2019-11-02T00:25:46.361Z] 00:25:46 INFO - #4 0x7ff82daf260c in ssl_PopulateKeyPair z:\build\build\src\security\nss\lib\ssl\sslcert.c:289
[task 2019-11-02T00:25:46.361Z] 00:25:46 INFO - #5 0x7ff82daf2337 in SSL_ConfigSecureServerWithCertChain z:\build\build\src\security\nss\lib\ssl\sslcert.c:892
[task 2019-11-02T00:25:46.362Z] 00:25:46 INFO - #6 0x7ff82daf2026 in SSL_ConfigSecureServer z:\build\build\src\security\nss\lib\ssl\sslcert.c:703
[task 2019-11-02T00:25:46.362Z] 00:25:46 INFO - #7 0x7ff711562d68 (Z:\task_1572652749\build\tests\bin\ssltunnel.exe+0x140002d68)
[task 2019-11-02T00:25:46.362Z] 00:25:46 INFO - #8 0x7ff7115655f3 (Z:\task_1572652749\build\tests\bin\ssltunnel.exe+0x1400055f3)
[task 2019-11-02T00:25:46.362Z] 00:25:46 INFO - #9 0x7ff82d8fba1a in wstart z:\build\build\src\nsprpub\pr\src\misc\prtpool.c:209
[task 2019-11-02T00:25:46.362Z] 00:25:46 INFO - #10 0x7ff82d9073dd in _PR_NativeRunThread z:\build\build\src\nsprpub\pr\src\threads\combined\pruthr.c:399
[task 2019-11-02T00:25:46.362Z] 00:25:46 INFO - #11 0x7ff82d8d73f4 in pr_root z:\build\build\src\nsprpub\pr\src\md\windows\w95thred.c:139
[task 2019-11-02T00:25:46.363Z] 00:25:46 INFO - #12 0x7ff842c4c4bd (C:\Windows\System32\ucrtbase.dll+0x18001c4bd)
[task 2019-11-02T00:25:46.363Z] 00:25:46 INFO - #13 0x7ff82dd1f838 (Z:\task_1572652749\build\tests\bin\clang_rt.asan_dynamic-x86_64.dll+0x18003f838)
[task 2019-11-02T00:25:46.363Z] 00:25:46 INFO - #14 0x7ff8463a3033 (C:\Windows\System32\KERNEL32.DLL+0x180013033)
[task 2019-11-02T00:25:46.363Z] 00:25:46 INFO - #15 0x7ff846801460 (C:\Windows\SYSTEM32\ntdll.dll+0x180071460)
[task 2019-11-02T00:25:46.363Z] 00:25:46 INFO - previously allocated by thread T3 here:
[task 2019-11-02T00:25:46.363Z] 00:25:46 INFO - #0 0x7ff82dd14bf4 (Z:\task_1572652749\build\tests\bin\clang_rt.asan_dynamic-x86_64.dll+0x180034bf4)
[task 2019-11-02T00:25:46.363Z] 00:25:46 INFO - #1 0x7ff82da63e73 in PL_ArenaAllocate z:\build\build\src\nsprpub\lib\ds\plarena.c:134
[task 2019-11-02T00:25:46.363Z] 00:25:46 INFO - #2 0x7ff82da52e13 in PORT_ArenaAlloc_Util z:\build\build\src\security\nss\lib\util\secport.c:318
[task 2019-11-02T00:25:46.363Z] 00:25:46 INFO - #3 0x7ff82da52f49 in PORT_ArenaZAlloc_Util z:\build\build\src\security\nss\lib\util\secport.c:339
[task 2019-11-02T00:25:46.363Z] 00:25:46 INFO - #4 0x7ff82d94e483 in SECKEY_CopyPublicKey z:\build\build\src\security\nss\lib\cryptohi\seckey.c:1131
[task 2019-11-02T00:25:46.364Z] 00:25:46 INFO - #5 0x7ff82db08a61 in ssl_SetSelfEncryptKeyPair z:\build\build\src\security\nss\lib\ssl\sslsnce.c:1701
[task 2019-11-02T00:25:46.364Z] 00:25:46 INFO - #6 0x7ff82daf260c in ssl_PopulateKeyPair z:\build\build\src\security\nss\lib\ssl\sslcert.c:289
[task 2019-11-02T00:25:46.364Z] 00:25:46 INFO - #7 0x7ff82daf2337 in SSL_ConfigSecureServerWithCertChain z:\build\build\src\security\nss\lib\ssl\sslcert.c:892
[task 2019-11-02T00:25:46.364Z] 00:25:46 INFO - #8 0x7ff82daf2026 in SSL_ConfigSecureServer z:\build\build\src\security\nss\lib\ssl\sslcert.c:703
[task 2019-11-02T00:25:46.364Z] 00:25:46 INFO - #9 0x7ff711562d68 (Z:\task_1572652749\build\tests\bin\ssltunnel.exe+0x140002d68)
[task 2019-11-02T00:25:46.364Z] 00:25:46 INFO - #10 0x7ff7115655f3 (Z:\task_1572652749\build\tests\bin\ssltunnel.exe+0x1400055f3)
[task 2019-11-02T00:25:46.364Z] 00:25:46 INFO - #11 0x7ff82d8fba1a in wstart z:\build\build\src\nsprpub\pr\src\misc\prtpool.c:209
[task 2019-11-02T00:25:46.364Z] 00:25:46 INFO - #12 0x7ff82d9073dd in _PR_NativeRunThread z:\build\build\src\nsprpub\pr\src\threads\combined\pruthr.c:399
[task 2019-11-02T00:25:46.364Z] 00:25:46 INFO - #13 0x7ff82d8d73f4 in pr_root z:\build\build\src\nsprpub\pr\src\md\windows\w95thred.c:139
[task 2019-11-02T00:25:46.365Z] 00:25:46 INFO - #14 0x7ff842c4c4bd (C:\Windows\System32\ucrtbase.dll+0x18001c4bd)
[task 2019-11-02T00:25:46.365Z] 00:25:46 INFO - #15 0x7ff82dd1f838 (Z:\task_1572652749\build\tests\bin\clang_rt.asan_dynamic-x86_64.dll+0x18003f838)
[task 2019-11-02T00:25:46.365Z] 00:25:46 INFO - #16 0x7ff8463a3033 (C:\Windows\System32\KERNEL32.DLL+0x180013033)
[task 2019-11-02T00:25:46.365Z] 00:25:46 INFO - #17 0x7ff846801460 (C:\Windows\SYSTEM32\ntdll.dll+0x180071460)
[task 2019-11-02T00:25:46.365Z] 00:25:46 INFO - Thread T3 created by T0 here:
[task 2019-11-02T00:25:46.365Z] 00:25:46 INFO - #0 0x7ff82dd2095c (Z:\task_1572652749\build\tests\bin\clang_rt.asan_dynamic-x86_64.dll+0x18004095c)
[task 2019-11-02T00:25:46.365Z] 00:25:46 INFO - #1 0x7ff842c4c0c6 (C:\Windows\System32\ucrtbase.dll+0x18001c0c6)
[task 2019-11-02T00:25:46.366Z] 00:25:46 INFO - #2 0x7ff82d8d721d in _PR_MD_CREATE_THREAD z:\build\build\src\nsprpub\pr\src\md\windows\w95thred.c:153
[task 2019-11-02T00:25:46.366Z] 00:25:46 INFO - #3 0x7ff82d9082ec in _PR_NativeCreateThread z:\build\build\src\nsprpub\pr\src\threads\combined\pruthr.c:1058
[task 2019-11-02T00:25:46.366Z] 00:25:46 INFO - #4 0x7ff82d908c95 in _PR_CreateThread z:\build\build\src\nsprpub\pr\src\threads\combined\pruthr.c:1184
[task 2019-11-02T00:25:46.366Z] 00:25:46 INFO - #5 0x7ff82d8fb08e in PR_CreateThreadPool z:\build\build\src\nsprpub\pr\src\misc\prtpool.c:689
[task 2019-11-02T00:25:46.366Z] 00:25:46 INFO - #6 0x7ff71156db34 (Z:\task_1572652749\build\tests\bin\ssltunnel.exe+0x14000db34)
[task 2019-11-02T00:25:46.366Z] 00:25:46 INFO - #7 0x7ff711570287 (Z:\task_1572652749\build\tests\bin\ssltunnel.exe+0x140010287)
[task 2019-11-02T00:25:46.366Z] 00:25:46 INFO - #8 0x7ff8463a3033 (C:\Windows\System32\KERNEL32.DLL+0x180013033)
[task 2019-11-02T00:25:46.366Z] 00:25:46 INFO - #9 0x7ff846801460 (C:\Windows\SYSTEM32\ntdll.dll+0x180071460)
[task 2019-11-02T00:25:46.367Z] 00:25:46 INFO - Thread T6 created by T2 here:
[task 2019-11-02T00:25:46.367Z] 00:25:46 INFO - #0 0x7ff82dd2095c (Z:\task_1572652749\build\tests\bin\clang_rt.asan_dynamic-x86_64.dll+0x18004095c)
[task 2019-11-02T00:25:46.367Z] 00:25:46 INFO - #1 0x7ff842c4c0c6 (C:\Windows\System32\ucrtbase.dll+0x18001c0c6)
[task 2019-11-02T00:25:46.367Z] 00:25:46 INFO - #2 0x7ff82d8d721d in _PR_MD_CREATE_THREAD z:\build\build\src\nsprpub\pr\src\md\windows\w95thred.c:153
[task 2019-11-02T00:25:46.367Z] 00:25:46 INFO - #3 0x7ff82d9082ec in _PR_NativeCreateThread z:\build\build\src\nsprpub\pr\src\threads\combined\pruthr.c:1058
[task 2019-11-02T00:25:46.367Z] 00:25:46 INFO - #4 0x7ff82d908c95 in _PR_CreateThread z:\build\build\src\nsprpub\pr\src\threads\combined\pruthr.c:1184
[task 2019-11-02T00:25:46.367Z] 00:25:46 INFO - #5 0x7ff82d8fe50e in add_to_jobq z:\build\build\src\nsprpub\pr\src\misc\prtpool.c:254
[task 2019-11-02T00:25:46.367Z] 00:25:46 INFO - #6 0x7ff82d8fe26a in PR_QueueJob z:\build\build\src\nsprpub\pr\src\misc\prtpool.c:781
[task 2019-11-02T00:25:46.368Z] 00:25:46 INFO - #7 0x7ff711567fe0 (Z:\task_1572652749\build\tests\bin\ssltunnel.exe+0x140007fe0)
[task 2019-11-02T00:25:46.368Z] 00:25:46 INFO - #8 0x7ff82d8fba1a in wstart z:\build\build\src\nsprpub\pr\src\misc\prtpool.c:209
[task 2019-11-02T00:25:46.368Z] 00:25:46 INFO - #9 0x7ff82d9073dd in _PR_NativeRunThread z:\build\build\src\nsprpub\pr\src\threads\combined\pruthr.c:399
[task 2019-11-02T00:25:46.368Z] 00:25:46 INFO - #10 0x7ff82d8d73f4 in pr_root z:\build\build\src\nsprpub\pr\src\md\windows\w95thred.c:139
[task 2019-11-02T00:25:46.368Z] 00:25:46 INFO - #11 0x7ff842c4c4bd (C:\Windows\System32\ucrtbase.dll+0x18001c4bd)
[task 2019-11-02T00:25:46.368Z] 00:25:46 INFO - #12 0x7ff82dd1f838 (Z:\task_1572652749\build\tests\bin\clang_rt.asan_dynamic-x86_64.dll+0x18003f838)
[task 2019-11-02T00:25:46.368Z] 00:25:46 INFO - #13 0x7ff8463a3033 (C:\Windows\System32\KERNEL32.DLL+0x180013033)
[task 2019-11-02T00:25:46.368Z] 00:25:46 INFO - #14 0x7ff846801460 (C:\Windows\SYSTEM32\ntdll.dll+0x180071460)
[task 2019-11-02T00:25:46.369Z] 00:25:46 INFO - Thread T2 created by T0 here:
[task 2019-11-02T00:25:46.369Z] 00:25:46 INFO - #0 0x7ff82dd2095c (Z:\task_1572652749\build\tests\bin\clang_rt.asan_dynamic-x86_64.dll+0x18004095c)
[task 2019-11-02T00:25:46.369Z] 00:25:46 INFO - #1 0x7ff842c4c0c6 (C:\Windows\System32\ucrtbase.dll+0x18001c0c6)
[task 2019-11-02T00:25:46.369Z] 00:25:46 INFO - #2 0x7ff82d8d721d in _PR_MD_CREATE_THREAD z:\build\build\src\nsprpub\pr\src\md\windows\w95thred.c:153
[task 2019-11-02T00:25:46.369Z] 00:25:46 INFO - #3 0x7ff82d9082ec in _PR_NativeCreateThread z:\build\build\src\nsprpub\pr\src\threads\combined\pruthr.c:1058
[task 2019-11-02T00:25:46.369Z] 00:25:46 INFO - #4 0x7ff82d908c95 in _PR_CreateThread z:\build\build\src\nsprpub\pr\src\threads\combined\pruthr.c:1184
[task 2019-11-02T00:25:46.369Z] 00:25:46 INFO - #5 0x7ff82d8fb08e in PR_CreateThreadPool z:\build\build\src\nsprpub\pr\src\misc\prtpool.c:689
[task 2019-11-02T00:25:46.369Z] 00:25:46 INFO - #6 0x7ff71156db34 (Z:\task_1572652749\build\tests\bin\ssltunnel.exe+0x14000db34)
[task 2019-11-02T00:25:46.370Z] 00:25:46 INFO - #7 0x7ff711570287 (Z:\task_1572652749\build\tests\bin\ssltunnel.exe+0x140010287)
[task 2019-11-02T00:25:46.370Z] 00:25:46 INFO - #8 0x7ff8463a3033 (C:\Windows\System32\KERNEL32.DLL+0x180013033)
[task 2019-11-02T00:25:46.370Z] 00:25:46 INFO - #9 0x7ff846801460 (C:\Windows\SYSTEM32\ntdll.dll+0x180071460)
[task 2019-11-02T00:25:46.370Z] 00:25:46 INFO - SUMMARY: AddressSanitizer: heap-use-after-free z:\build\build\src\security\nss\lib\cryptohi\seckey.c:1025 in SECKEY_PublicKeyStrengthInBits
[task 2019-11-02T00:25:46.370Z] 00:25:46 INFO - Shadow bytes around the buggy address:
[task 2019-11-02T00:25:46.370Z] 00:25:46 INFO - 0x042266ceba00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
[task 2019-11-02T00:25:46.370Z] 00:25:46 INFO - 0x042266ceba10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2019-11-02T00:25:46.370Z] 00:25:46 INFO - 0x042266ceba20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2019-11-02T00:25:46.370Z] 00:25:46 INFO - 0x042266ceba30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2019-11-02T00:25:46.371Z] 00:25:46 INFO - 0x042266ceba40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2019-11-02T00:25:46.371Z] 00:25:46 INFO - =>0x042266ceba50: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
[task 2019-11-02T00:25:46.371Z] 00:25:46 INFO - 0x042266ceba60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2019-11-02T00:25:46.371Z] 00:25:46 INFO - 0x042266ceba70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2019-11-02T00:25:46.371Z] 00:25:46 INFO - 0x042266ceba80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2019-11-02T00:25:46.371Z] 00:25:46 INFO - 0x042266ceba90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2019-11-02T00:25:46.371Z] 00:25:46 INFO - 0x042266cebaa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2019-11-02T00:25:46.371Z] 00:25:46 INFO - Shadow byte legend (one shadow byte represents 8 application bytes):
[task 2019-11-02T00:25:46.371Z] 00:25:46 INFO - Addressable: 00
[task 2019-11-02T00:25:46.371Z] 00:25:46 INFO - Partially addressable: 01 02 03 04 05 06 07
[task 2019-11-02T00:25:46.372Z] 00:25:46 INFO - Heap left redzone: fa
[task 2019-11-02T00:25:46.372Z] 00:25:46 INFO - Freed heap region: fd
[task 2019-11-02T00:25:46.372Z] 00:25:46 INFO - Stack left redzone: f1
[task 2019-11-02T00:25:46.372Z] 00:25:46 INFO - Stack mid redzone: f2
[task 2019-11-02T00:25:46.373Z] 00:25:46 INFO - Stack right redzone: f3
[task 2019-11-02T00:25:46.373Z] 00:25:46 INFO - Stack after return: f5
[task 2019-11-02T00:25:46.373Z] 00:25:46 INFO - Stack use after scope: f8
[task 2019-11-02T00:25:46.373Z] 00:25:46 INFO - Global redzone: f9
[task 2019-11-02T00:25:46.373Z] 00:25:46 INFO - Global init order: f6
[task 2019-11-02T00:25:46.373Z] 00:25:46 INFO - Poisoned by user: f7
[task 2019-11-02T00:25:46.373Z] 00:25:46 INFO - Container overflow: fc
[task 2019-11-02T00:25:46.373Z] 00:25:46 INFO - Array cookie: ac
[task 2019-11-02T00:25:46.374Z] 00:25:46 INFO - Intra object redzone: bb
[task 2019-11-02T00:25:46.374Z] 00:25:46 INFO - ASan internal: fe
[task 2019-11-02T00:25:46.374Z] 00:25:46 INFO - Left alloca redzone: ca
[task 2019-11-02T00:25:46.374Z] 00:25:46 INFO - Right alloca redzone: cb
[task 2019-11-02T00:25:46.374Z] 00:25:46 INFO - Shadow gap: cc
[task 2019-11-02T00:25:46.374Z] 00:25:46 INFO - ==8012==ABORTING
[task 2019-11-02T00:25:46.797Z] 00:25:46 INFO - GECKO(8428) | JavaScript error: resource://gre/actors/PictureInPictureChild.jsm, line 76: InvalidStateError: An attempt was made to use an object that is not, or is no longer, usable
[task 2019-11-02T00:25:49.086Z] 00:25:49 INFO - GECKO(8428) | 1572654349079 Marionette TRACE Received observer notification marionette-startup-requested
[task 2019-11-02T00:25:49.086Z] 00:25:49 INFO - GECKO(8428) | 1572654349079 Marionette TRACE Waiting until startup recorder finished recording startup scripts...
[task 2019-11-02T00:25:49.136Z] 00:25:49 INFO - GECKO(8428) | 1572654349130 Marionette TRACE All scripts recorded.
[task 2019-11-02T00:25:49.299Z] 00:25:49 INFO - GECKO(8428) | 1572654349297 Marionette INFO Listening on port 2828
[task 2019-11-02T00:25:49.299Z] 00:25:49 INFO - GECKO(8428) | 1572654349298 Marionette DEBUG Remote service is active
[task 2019-11-02T00:25:49.441Z] 00:25:49 INFO - GECKO(8428) | 1572654349432 Marionette DEBUG Accepted connection 0 from 127.0.0.1:51675
[task 2019-11-02T00:25:49.539Z] 00:25:49 INFO - GECKO(8428) | 1572654349531 Marionette DEBUG Closed connection 0
[task 2019-11-02T00:25:49.539Z] 00:25:49 INFO - GECKO(8428) | 1572654349532 Marionette DEBUG Accepted connection 1 from 127.0.0.1:51679
[task 2019-11-02T00:25:49.638Z] 00:25:49 INFO - GECKO(8428) | 1572654349632 Marionette DEBUG Accepted connection 2 from 127.0.0.1:51681
[task 2019-11-02T00:25:49.638Z] 00:25:49 INFO - GECKO(8428) | 1572654349634 Marionette DEBUG Closed connection 2
[task 2019-11-02T00:25:49.638Z] 00:25:49 INFO - GECKO(8428) | 1572654349636 Marionette DEBUG Closed connection 1
[task 2019-11-02T00:25:49.638Z] 00:25:49 INFO - GECKO(8428) | 1572654349637 Marionette DEBUG Accepted connection 3 from 127.0.0.1:51682
[task 2019-11-02T00:25:49.643Z] 00:25:49 INFO - GECKO(8428) | 1572654349641 Marionette DEBUG 3 -> [0,1,"WebDriver:NewSession",{"strictFileInteractability":true}]
[task 2019-11-02T00:25:49.722Z] 00:25:49 INFO - GECKO(8428) | 1572654349716 Marionette TRACE [19] Frame script loaded
[task 2019-11-02T00:25:49.722Z] 00:25:49 INFO - GECKO(8428) | 1572654349720 Marionette TRACE [19] Frame script registered
[task 2019-11-02T00:25:49.727Z] 00:25:49 INFO - GECKO(8428) | 1572654349723 Marionette TRACE [26] Frame script loaded
[task 2019-11-02T00:25:49.727Z] 00:25:49 INFO - GECKO(8428) | 1572654349723 Marionette TRACE [24] Frame script loaded
[task 2019-11-02T00:25:49.727Z] 00:25:49 INFO - GECKO(8428) | 1572654349725 Marionette DEBUG 3 <- [1,1,null,{"sessionId":"a8ac0728-1bf1-4877-98d9-63fde996579c","capabilities":{"browserName":"firefox","browserVersion":"72.0a ... \tmpbk1x84.mozrunner","moz:shutdownTimeout":180000,"moz:useNonSpecCompliantPointerOrigin":false,"moz:webdriverClick":true}}]
[task 2019-11-02T00:25:49.732Z] 00:25:49 INFO - GECKO(8428) | 1572654349727 Marionette TRACE [26] Frame script registered
[task 2019-11-02T00:25:49.732Z] 00:25:49 INFO - GECKO(8428) | 1572654349728 Marionette TRACE [24] Frame script registered
[task 2019-11-02T00:25:49.742Z] 00:25:49 INFO - GECKO(8428) | 1572654349739 Marionette DEBUG 3 -> [0,2,"Addon:Install",{"path":"c:\users\task_1572652749\appdata\local\temp\tmps9u8zs.zip","temporary":false}]
[task 2019-11-02T00:25:49.832Z] 00:25:49 INFO - GECKO(8428) | 1572654349829 Marionette DEBUG 3 <- [1,2,null,{"value":"special-powers@mozilla.org"}]
[task 2019-11-02T00:25:49.857Z] 00:25:49 INFO - GECKO(8428) | 1572654349853 Marionette DEBUG 3 -> [0,3,"Addon:Install",{"path":"c:\users\task_1572652749\appdata\local\temp\tmpycqqvo.zip","temporary":false}]
[task 2019-11-02T00:25:49.937Z] 00:25:49 INFO - GECKO(8428) | 1572654349936 Marionette DEBUG 3 <- [1,3,null,{"value":"mochikit@mozilla.org"}]
[task 2019-11-02T00:25:49.947Z] 00:25:49 INFO - GECKO(8428) | 1572654349943 Marionette DEBUG 3 -> [0,4,"Marionette:GetContext",{}]
[task 2019-11-02T00:25:49.947Z] 00:25:49 INFO - GECKO(8428) | 1572654349944 Marionette DEBUG 3 <- [1,4,null,{"value":"content"}]
[task 2019-11-02T00:25:49.949Z] 00:25:49 INFO - GECKO(8428) | 1572654349947 Marionette DEBUG 3 -> [0,5,"Marionette:SetContext",{"value":"chrome"}]
[task 2019-11-02T00:25:49.949Z] 00:25:49 INFO - GECKO(8428) | 1572654349947 Marionette DEBUG 3 <- [1,5,null,{"value":null}]
[task 2019-11-02T00:25:49.954Z] 00:25:49 INFO - GECKO(8428) | 1572654349951 Marionette DEBUG 3 -> [0,6,"WebDriver:ExecuteScript",{"script":"/* This Source Code Form is subject to the terms of the Mozilla Public\n * License, ... ":"browser-chrome"}],"filename":"Z:\task_1572652749\build\tests\mochitest\runtests.py","sandbox":"default","line":1772}]
[task 2019-11-02T00:25:49.977Z] 00:25:49 INFO - GECKO(8428) | 1572654349975 Marionette DEBUG 3 <- [1,6,null,{"value":null}]
[task 2019-11-02T00:25:50.027Z] 00:25:50 INFO - GECKO(8428) | 1572654350021 Marionette TRACE Received observer notification toplevel-window-ready
[task 2019-11-02T00:25:50.129Z] 00:25:50 INFO - GECKO(8428) | 1572654350126 Marionette DEBUG 3 -> [0,7,"Marionette:SetContext",{"value":"content"}]
[task 2019-11-02T00:25:50.129Z] 00:25:50 INFO - GECKO(8428) | 1572654350127 Marionette DEBUG 3 <- [1,7,null,{"value":null}]
[task 2019-11-02T00:25:50.148Z] 00:25:50 INFO - GECKO(8428) | 1572654350140 Marionette DEBUG 3 -> [0,8,"WebDriver:DeleteSession",{}]
[task 2019-11-02T00:25:50.148Z] 00:25:50 INFO - GECKO(8428) | 1572654350144 Marionette DEBUG 3 <- [1,8,null,{"value":null}]
[task 2019-11-02T00:25:50.208Z] 00:25:50 INFO - runtests.py | Waiting for browser...
[task 2019-11-02T00:25:50.226Z] 00:25:50 INFO - GECKO(8428) | 1572654350218 Marionette DEBUG Closed connection 3
[task 2019-11-02T00:25:50.558Z] 00:25:50 INFO - *** Start BrowserChrome Test Results ***
[task 2019-11-02T00:25:50.597Z] 00:25:50 INFO - checking window state
[task 2019-11-02T00:25:50.657Z] 00:25:50 INFO - TEST-START | browser/components/tests/browser/whats_new_page/browser_whats_new_page.js
[task 2019-11-02T00:25:52.370Z] 00:25:52 INFO - GECKO(8428) | MEMORY STAT heapAllocated not supported in this build configuration.
[task 2019-11-02T00:25:52.370Z] 00:25:52 INFO - GECKO(8428) | MEMORY STAT | vsize 19406195MB | vsizeMaxContiguous 64981334MB | residentFast 900MB
[task 2019-11-02T00:25:52.370Z] 00:25:52 INFO - TEST-OK | browser/components/tests/browser/whats_new_page/browser_whats_new_page.js | took 1715ms
[task 2019-11-02T00:25:52.408Z] 00:25:52 INFO - checking window state
[task 2019-11-02T00:25:54.237Z] 00:25:54 INFO - GECKO(8428) | Completed ShutdownLeaks collections in process 10136
[task 2019-11-02T00:25:54.257Z] 00:25:54 INFO - GECKO(8428) | Completed ShutdownLeaks collections in process 8300
[task 2019-11-02T00:25:54.267Z] 00:25:54 INFO - GECKO(8428) | Completed ShutdownLeaks collections in process 4068
[task 2019-11-02T00:25:54.286Z] 00:25:54 INFO - GECKO(8428) | Completed ShutdownLeaks collections in process 7684
[task 2019-11-02T00:25:54.385Z] 00:25:54 INFO - GECKO(8428) | Completed ShutdownLeaks collections in process 6672
[task 2019-11-02T00:25:55.464Z] 00:25:55 INFO - GECKO(8428) | Completed ShutdownLeaks collections in process 3020

Kevin, can you analyze this when you've a chance?

Flags: needinfo?(kjacobs.bugzilla)

This is a race in SSL server cert configuration. Context: session tickets are enabled and we haven't configured a self-encryption keypair (to wrap the symmetric session ticket key), so instead we use the server certificate's keypair. This is considered to be "implicit configuration". Explicit configuration is done via SSL_SetSessionTicketKeyPair and appears to prevent the problem [1].

The failure conditions are:

  • Thread A allocates and copies the keypair in ssl_SetSelfEncryptKeyPair while handling a new connection.
  • Thread A takes the write lock and sets the global ssl_self_encrypt_key_pair.pub/privkey pointers to the copy, then unlocks and returns.
  • Thread A continues to ssl3_EncodeSessionTicket, which will generate the symmetric keys to be wrapped by the above keypair.
  • Thread B meanwhile makes another call to SSL_ConfigSecureServer, which again calls ssl_SetSelfEncryptKeyPair (since no explicit configuration is done) and frees the above in favor of its own copy. This occurs while thread A is somewhere between these two lines: https://searchfox.org/mozilla-central/source/security/nss/lib/ssl/sslsnce.c#2063,2078 (which then does the UAF in WrapSelfEncryptKey).

The simplest fix is to do implicit configuration only once, while allowing explicit configuration to override it. A server can currently be configured implicitly with multiple certs (if their authTypes differ), but the fact that we only track one wrapping keypair internally (and don't re-wrap keys or invalidate cache->ticketKeysValid when the wrapping key changes) makes me think this is a reasonable restriction.

Another option would be to skip updating the ssl_self_encrypt_key_pair if the key is the same on the second call, but that doesn't really solve the problem.

[1] https://searchfox.org/mozilla-central/source/security/nss/lib/ssl/sslsnce.c#1759-1763

Flags: needinfo?(kjacobs.bugzilla)

The priority flag is not set for this bug.
:jcj, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jjones)

:mt, do you have an opinion on whether we should do implicit cert configuration only once, or allow repeated implicit configurations (see: Comment 3)?

If this won't cause any loss of needed functionality, it seems like the best approach here.

Flags: needinfo?(mt)

Doing the implicit configuration just once is a little unfortunate, but I think that we should favour explicit configuration by doing implicit configuration once only.

There are ABI compatibility reasons for maintaining implicit configuration, so we can't realistically remove that at all.

Flags: needinfo?(mt)
Assignee: nobody → kjacobs.bugzilla
Status: NEW → ASSIGNED
Flags: needinfo?(jjones)
Priority: -- → P2
Duplicate of this bug: 1598636
Duplicate of this bug: 1598889

This patch fixes a race/UAF around ssl_GetSelfEncryptKeyPair. Previously, this function would return a pointer to global memory, which could be freed by another thread while in use.

The initially-proposed solution was to limit implicit configuration to occur only once. While this solves the problem within the scope of implicit configuration, explicit configuration could cause the same UAF (though it would probably be much less frequent, as there are no such crash reports). For a more complete fix, ssl_GetSelfEncryptKeyPair can make a copy of the global key within its critical section.

We can still restrict implicit configuration to occur only once, but it's not necessary to fix the UAF.

Side note: It seems there's an unrelated deadlock condition in ssl_GenerateSelfEncryptKeys, in the case where LockSidCacheLock returns null. This is also fixed.

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 3.48
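Added example (not NSS code, and not part of this bug's patch): a C model of the interleaving described in comment 3 and of the copy-inside-the-critical-section fix described in the patch comment above. KeyPair, configure_server, get_key_pair_unsafe, get_key_pair_copy, key_strength_bits and the freed-pointer tracking are all hypothetical stand-ins for the SECKEY key pair, ssl_SetSelfEncryptKeyPair, ssl_GetSelfEncryptKeyPair, SECKEY_PublicKeyStrengthInBits, the self-encrypt key lock and ASan's freed-region check; the two threads are replaced by an explicit sequence of calls so the race is deterministic and no freed memory is ever dereferenced.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the SECKEYPublicKey/SECKEYPrivateKey pair that
 * ssl_SetSelfEncryptKeyPair copies into the global ssl_self_encrypt_key_pair. */
typedef struct {
    int bits;               /* what SECKEY_PublicKeyStrengthInBits would return */
} KeyPair;

static KeyPair *g_key_pair;  /* the single global wrapping key pair */
static int g_lock_depth;     /* models the lock; checks critical sections do not nest */

static void lock(void)   { assert(g_lock_depth == 0); g_lock_depth = 1; }
static void unlock(void) { assert(g_lock_depth == 1); g_lock_depth = 0; }

/* Tiny stand-in for ASan's freed-region tracking: every key pair released
 * through tracked_free() is remembered so a later use can be detected by
 * pointer comparison instead of by reading freed memory. */
#define MAX_FREED 8
static const void *g_freed[MAX_FREED];
static int g_nfreed;

static void tracked_free(KeyPair *kp)
{
    if (kp == NULL) return;
    assert(g_nfreed < MAX_FREED);
    g_freed[g_nfreed++] = kp;
    free(kp);
}

static int is_freed(const KeyPair *kp)
{
    for (int i = 0; i < g_nfreed; i++)
        if (g_freed[i] == kp) return 1;
    return 0;
}

static KeyPair *copy_key_pair(const KeyPair *src)
{
    KeyPair *kp = malloc(sizeof *kp);
    assert(kp != NULL);
    *kp = *src;
    return kp;
}

/* Models SSL_ConfigSecureServer -> ssl_SetSelfEncryptKeyPair: copy the
 * certificate's key pair, publish the copy under the lock, free the old one. */
static void configure_server(int bits)
{
    KeyPair tmpl = { bits };
    KeyPair *fresh = copy_key_pair(&tmpl);
    lock();
    KeyPair *old = g_key_pair;
    g_key_pair = fresh;
    unlock();
    tracked_free(old);
}

/* Pre-fix shape of ssl_GetSelfEncryptKeyPair: a pointer into global state
 * escapes the critical section, so nothing stops another thread freeing it. */
static KeyPair *get_key_pair_unsafe(void)
{
    lock();
    KeyPair *kp = g_key_pair;
    unlock();
    return kp;
}

/* Post-fix shape: copy inside the critical section; the caller owns the copy. */
static KeyPair *get_key_pair_copy(void)
{
    lock();
    KeyPair *kp = g_key_pair ? copy_key_pair(g_key_pair) : NULL;
    unlock();
    return kp;
}

/* Models SECKEY_PublicKeyStrengthInBits; returns -1 where ASan would report
 * heap-use-after-free instead of reading the freed region. */
static int key_strength_bits(const KeyPair *kp)
{
    if (kp == NULL || is_freed(kp)) return -1;
    return kp->bits;
}

static void reset_model(void)
{
    tracked_free(g_key_pair);
    g_key_pair = NULL;
    g_nfreed = 0;
}

/* Thread A reads the key pair, thread B reconfigures the server in between,
 * then thread A uses what it read: the interleaving from comment 3. */
static int unsafe_interleaving(void)
{
    reset_model();
    configure_server(2048);                 /* first SSL_ConfigSecureServer */
    KeyPair *held = get_key_pair_unsafe();  /* A: raw pointer to global pair */
    configure_server(3072);                 /* B: frees the 2048-bit pair */
    return key_strength_bits(held);         /* A: -1, the use-after-free */
}

static int safe_interleaving(void)
{
    reset_model();
    configure_server(2048);
    KeyPair *held = get_key_pair_copy();    /* A: private snapshot under the lock */
    configure_server(3072);                 /* B: frees only the global pair */
    int bits = key_strength_bits(held);     /* A: 2048, still valid */
    free(held);                             /* caller destroys its own copy */
    return bits;
}

int main(void)
{
    printf("unsafe getter: strength = %d\n", unsafe_interleaving());
    printf("copying getter: strength = %d\n", safe_interleaving());
    return 0;
}
```

In unsafe_interleaving the pointer returned by get_key_pair_unsafe outlives the critical section, so the second configure_server frees the pair it points at and key_strength_bits reports the stale pointer (-1 here; under ASan, the heap-use-after-free in SECKEY_PublicKeyStrengthInBits from the log above). In safe_interleaving the caller holds a private copy made under the lock, so the reconfiguration frees only the global pair; the cost of that design is that the caller must release its copy once the ticket key has been wrapped, and it wraps with whichever key pair was configured at the moment of the copy, which is the same snapshot semantics the real fix gives.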

Hi JC, is this something we should leave on the radar for ESR68 uplift this cycle? Looks like it'll be shipping in 72 already by way of being included in the 3.48 release.

Group: crypto-core-security → core-security-release
Flags: needinfo?(jjones)

This doesn't really affect Firefox in a way that could be exploitable. Firefox does use TLS servers (WebRTC, in particular), but unless I am mistaken there isn't much in the way of fine-grained control of the server parameters that would be necessary to prompt this race. I don't see this as needed for ESR, but I'll defer to Kevin/MT for dissenting opinions.

Flags: needinfo?(jjones)

Self-encryption is only used by TLS servers in two ways: for HelloRetryRequest in TLS 1.3 and for session tickets. WebRTC doesn't use DTLS 1.3 and explicitly disables tickets. I think that we can confidently say that Firefox is unaffected by this issue.

Flags: qe-verify-
Whiteboard: [adv-main72-] → [adv-main72-][post-critsmash-triage]
Group: core-security-release