Closed Bug 1597799 Opened 5 years ago Closed 5 years ago

Crash in [@ nssCKFWObject_GetAttributeSize | NSSCKFWC_GetAttributeValue | builtinsC_GetAttributeValue]

Categories

(NSS :: Libraries, defect)

Product:
NSS
Component:
Libraries
Platform:
Unspecified
Windows 10
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(firefox-esr68 unaffected, firefox71 unaffected, firefox72 fixed)

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox71 --- unaffected
firefox72 --- fixed

People

(Reporter: marcia, Assigned: jcj)

References

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

Bug 1597799 - Guard against null ptrs in NSSCKFWObject r?kjacobs
47 bytes, text/x-phabricator-request
Details | Review

This bug is for crash report bp-eb9022ae-df2c-4e05-9af1-0fbbf0191115.

Seen while looking at nightly crash stats: https://bit.ly/2XyeHOm. 13 crashes/16 installs so far. Crashes started in 20191115095319.

Possible regression range based on build ID: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a4ef4d6cdff03e76ed4471faea08e1071b1bf05c&tochange=bbbe694dbff25ce304833a9c2f6520ba9f61fb32

There are several NSS related changes in there - not sure if one of them is involved here.

Top 10 frames of crashing thread:

0 nssckbi.dll nssCKFWObject_GetAttributeSize security/nss/lib/ckfw/object.c:507
1 nssckbi.dll NSSCKFWC_GetAttributeValue security/nss/lib/ckfw/wrap.c:2244
2 nssckbi.dll static unsigned long builtinsC_GetAttributeValue security/nss/lib/ckfw/nssck.api:630
3 nss3.dll PK11_ReadAttribute security/nss/lib/pk11wrap/pk11obj.c:105
4 nss3.dll PK11_FindRawCertsWithSubject security/nss/lib/pk11wrap/pk11obj.c:1970
5 xul.dll mozilla::pkix::Result mozilla::psm::NSSCertDBTrustDomain::FindIssuer security/certverifier/NSSCertDBTrustDomain.cpp:256
6 xul.dll static mozilla::pkix::Result mozilla::pkix::BuildForward security/nss/lib/mozpkix/lib/pkixbuild.cpp:364
7 xul.dll mozilla::pkix::Result mozilla::pkix::PathBuildingStep::Check security/nss/lib/mozpkix/lib/pkixbuild.cpp:211
8 xul.dll static mozilla::pkix::Result mozilla::psm::CheckCandidates security/certverifier/NSSCertDBTrustDomain.cpp:189
9 xul.dll mozilla::pkix::Result mozilla::psm::NSSCertDBTrustDomain::FindIssuer security/certverifier/NSSCertDBTrustDomain.cpp:344
Assignee: nobody → nobody
Component: Security: PSM → Libraries
Product: Core → NSS
QA Contact: jjones
Version: Trunk → other
Flags: needinfo?(jjones)

There are no smoking guns from the uplift that would cause this. Rather, I think a PSM change is the cause.

However, this code has no defenses against NSSCKMDObject being invalid, nor against NSSCKFWObject being invalid.

I've audited all places where NSSCKMDObject could be provided to nssCKFWObject_Create as a null pointer, and while there's a pair of suspicious places, I don't have a precise target.

Both of these nssCKFWObject_Create calls are effectively unguarded. It's up to the implementation of the Cryptoki framework whether the object is returned valid or not: https://searchfox.org/nss/rev/c8d77c45a7e4f168d934b8d2a8b5bca384b97e16/lib/ckfw/mechanism.c#886

I'm going to attach a small patch to cause a clean error return here and check it against try while we look further.

Assignee: nobody → jjones
Status: NEW → ASSIGNED
Flags: needinfo?(jjones)

https://hg.mozilla.org/projects/nss/rev/eab4d3c8c76db3121ed5382b30d5928d70438d12

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.48
Blocks: 1600667
Crash Signature: [@ nssCKFWObject_GetAttributeSize | NSSCKFWC_GetAttributeValue | builtinsC_GetAttributeValue] → [@ nssCKFWObject_GetAttributeSize | NSSCKFWC_GetAttributeValue | builtinsC_GetAttributeValue] [@ NSSCKFWC_GetAttributeValue | PK11_ReadAttribute]
Crash Signature: [@ nssCKFWObject_GetAttributeSize | NSSCKFWC_GetAttributeValue | builtinsC_GetAttributeValue] [@ NSSCKFWC_GetAttributeValue | PK11_ReadAttribute] → [@ nssCKFWObject_GetAttributeSize | NSSCKFWC_GetAttributeValue | builtinsC_GetAttributeValue] [@ NSSCKFWC_GetAttributeValue | PK11_ReadAttribute]
status-firefox72: affectedfixed
status-firefox-esr68: --- → unaffected
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: