Closed Bug 1600667 Opened 3 years ago Closed 2 months ago

Crash in [@ nssCKFWObject_GetAttributeSize | NSSCKFWC_GetAttributeValue | builtinsC_GetAttributeValue]

Categories

(NSS :: Libraries, defect, P2)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1766978

People

(Reporter: jcj, Unassigned)

References

(Blocks 1 open bug)

Details

Crash Data

Crashing thread:

Top 10 frames of crashing thread:

0 nssckbi.dll nssCKFWObject_GetAttributeSize security/nss/lib/ckfw/object.c:507
1 nssckbi.dll NSSCKFWC_GetAttributeValue security/nss/lib/ckfw/wrap.c:2244
2 nssckbi.dll static unsigned long builtinsC_GetAttributeValue security/nss/lib/ckfw/nssck.api:630
3 nss3.dll PK11_ReadAttribute security/nss/lib/pk11wrap/pk11obj.c:105
4 nss3.dll PK11_FindRawCertsWithSubject security/nss/lib/pk11wrap/pk11obj.c:1970
5 xul.dll mozilla::pkix::Result mozilla::psm::NSSCertDBTrustDomain::FindIssuer security/certverifier/NSSCertDBTrustDomain.cpp:256
6 xul.dll static mozilla::pkix::Result mozilla::pkix::BuildForward security/nss/lib/mozpkix/lib/pkixbuild.cpp:364
7 xul.dll mozilla::pkix::Result mozilla::pkix::PathBuildingStep::Check security/nss/lib/mozpkix/lib/pkixbuild.cpp:211
8 xul.dll static mozilla::pkix::Result mozilla::psm::CheckCandidates security/certverifier/NSSCertDBTrustDomain.cpp:189
9 xul.dll mozilla::pkix::Result mozilla::psm::NSSCertDBTrustDomain::FindIssuer security/certverifier/NSSCertDBTrustDomain.cpp:344

However, this code has no defenses against NSSCKMDObject being invalid, nor against NSSCKFWObject being invalid.

I've audited all places where NSSCKMDObject could be provided to nssCKFWObject_Create as a null pointer, and while there's a pair of suspicious places, I don't have a precise target.

Both of these nssCKFWObject_Create calls are effectively unguarded. It's up to the implementation of the Cryptoki framework whether the object is returned valid or not: https://searchfox.org/nss/rev/c8d77c45a7e4f168d934b8d2a8b5bca384b97e16/lib/ckfw/mechanism.c#886

In Bug 1597799 I added defenses to the code, but whatever caused the unexpected nullptr is still out there.

Adding the signature so it gets picked up in crash stats.

Crash Signature: [@ nssCKFWObject_GetAttributeSize | NSSCKFWC_GetAttributeValue | builtinsC_GetAttributeValue]
Status: NEW → RESOLVED
Closed: 2 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1766978
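
A simplified model of the guards discussed in the comments above, added here as an illustration. It is not NSS code or the change from Bug 1597799, and every type, function and error name in it is hypothetical. It shows a create call that refuses a missing module object and an accessor that validates the wrapper before dereferencing it.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model; all names are hypothetical, not NSS's ckfw types. */
typedef enum { RV_OK = 0, RV_ARGUMENTS_BAD, RV_GENERAL_ERROR } rv_t;

/* Module-side object: supplied by the token implementation. */
typedef struct md_object {
    size_t (*get_attribute_size)(const struct md_object *md, int attr, rv_t *err);
} md_object;

/* Framework-side wrapper around the module object. */
typedef struct { const md_object *md; } fw_object;

/* Guarded create: refuse to wrap a missing module object, so an invalid
 * wrapper is reported at creation time rather than at first use. */
static rv_t fw_object_create(fw_object *out, const md_object *md) {
    if (out == NULL) return RV_ARGUMENTS_BAD;
    out->md = NULL;
    if (md == NULL) return RV_GENERAL_ERROR;
    out->md = md;
    return RV_OK;
}

/* Guarded accessor: check the wrapper, the wrapped object and the callback
 * before dereferencing; return an error code instead of crashing. */
static size_t fw_object_get_attribute_size(const fw_object *fw, int attr, rv_t *err) {
    if (err == NULL) return 0;
    if (fw == NULL) { *err = RV_ARGUMENTS_BAD; return 0; }
    if (fw->md == NULL || fw->md->get_attribute_size == NULL) {
        *err = RV_GENERAL_ERROR;
        return 0;
    }
    return fw->md->get_attribute_size(fw->md, attr, err);
}

/* Constructed sample module: reports every attribute as 20 bytes long. */
static size_t sample_size(const md_object *md, int attr, rv_t *err) {
    (void)md; (void)attr; *err = RV_OK; return 20;
}
static const md_object sample_md = { sample_size };

int main(void) {
    fw_object fw; rv_t err = RV_OK;
    rv_t rv = fw_object_create(&fw, NULL);          /* rejected at creation */
    size_t n = fw_object_get_attribute_size(&fw, 1, &err);
    printf("create(NULL)=%d size=%zu err=%d\n", (int)rv, n, (int)err);
    rv = fw_object_create(&fw, &sample_md);
    n = fw_object_get_attribute_size(&fw, 1, &err);
    printf("create(ok)=%d size=%zu err=%d\n", (int)rv, n, (int)err);
    return 0;
}
```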