Closed
Bug 1600667
Opened 5 years ago
Closed 2 years ago
Crash in [@ nssCKFWObject_GetAttributeSize | NSSCKFWC_GetAttributeValue | builtinsC_GetAttributeValue]
Categories
(NSS :: Libraries, defect, P2)
Tracking
(Not tracked)
RESOLVED DUPLICATE of bug 1766978
People
(Reporter: jcj, Unassigned)
References
(Blocks 1 open bug)
Details
Crash Data
Crashing thread:
Top 10 frames of crashing thread:
0 nssckbi.dll nssCKFWObject_GetAttributeSize security/nss/lib/ckfw/object.c:507
1 nssckbi.dll NSSCKFWC_GetAttributeValue security/nss/lib/ckfw/wrap.c:2244
2 nssckbi.dll static unsigned long builtinsC_GetAttributeValue security/nss/lib/ckfw/nssck.api:630
3 nss3.dll PK11_ReadAttribute security/nss/lib/pk11wrap/pk11obj.c:105
4 nss3.dll PK11_FindRawCertsWithSubject security/nss/lib/pk11wrap/pk11obj.c:1970
5 xul.dll mozilla::pkix::Result mozilla::psm::NSSCertDBTrustDomain::FindIssuer security/certverifier/NSSCertDBTrustDomain.cpp:256
6 xul.dll static mozilla::pkix::Result mozilla::pkix::BuildForward security/nss/lib/mozpkix/lib/pkixbuild.cpp:364
7 xul.dll mozilla::pkix::Result mozilla::pkix::PathBuildingStep::Check security/nss/lib/mozpkix/lib/pkixbuild.cpp:211
8 xul.dll static mozilla::pkix::Result mozilla::psm::CheckCandidates security/certverifier/NSSCertDBTrustDomain.cpp:189
9 xul.dll mozilla::pkix::Result mozilla::psm::NSSCertDBTrustDomain::FindIssuer security/certverifier/NSSCertDBTrustDomain.cpp:344
However, this code has no defenses against NSSCKMDObject being invalid, nor against NSSCKFWObject being invalid.
I've audited all places where NSSCKMDObject could be provided to nssCKFWObject_Create as a null pointer, and while there's a pair of suspicious places, I don't have a precise target.
Both of these nssCKFWObject_Create calls are effectively unguarded. It's up to the implementation of the Cryptoki framework whether the object is returned valid or not: https://searchfox.org/nss/rev/c8d77c45a7e4f168d934b8d2a8b5bca384b97e16/lib/ckfw/mechanism.c#886
In Bug 1597799 I added defenses to the code, but whatever caused the unexpected nullptr is still out there.
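The failure mode in the description above, a create call that accepts a null module object and an accessor that later dereferences it, shown as an added example; this is not NSS code and not the reporter's patch. The types `md_object` and `fw_object`, the function names, and the sample callback are hypothetical stand-ins, and the choice of return codes is an assumption.

```c
#include <stddef.h>
#include <stdlib.h>

/* Standard PKCS #11 return codes, defined locally so the file compiles alone. */
#define CKR_OK                    0x00UL
#define CKR_HOST_MEMORY           0x02UL
#define CKR_GENERAL_ERROR         0x05UL
#define CKR_OBJECT_HANDLE_INVALID 0x82UL

/* Hypothetical stand-ins for the module-defined (MD) and framework (FW) objects. */
typedef struct md_object {
    unsigned long (*get_attribute_size)(struct md_object *, unsigned long type,
                                        unsigned long *rv);
} md_object;
typedef struct fw_object { md_object *md; } fw_object;

/* Constructed sample module callback: reports every attribute as 4 bytes. */
unsigned long sample_size(md_object *md, unsigned long type, unsigned long *rv)
{
    (void)md; (void)type;
    *rv = CKR_OK;
    return 4;
}

/* Guarded create: never wrap a null module object, so the bad pointer is
 * reported where it originates instead of crashing a later caller. */
fw_object *fw_object_create(md_object *md, unsigned long *rv)
{
    fw_object *fw;
    if (md == NULL) { *rv = CKR_GENERAL_ERROR; return NULL; }
    fw = calloc(1, sizeof *fw);
    if (fw == NULL) { *rv = CKR_HOST_MEMORY; return NULL; }
    fw->md = md;
    *rv = CKR_OK;
    return fw;
}

/* Guarded accessor: check both layers and the callback before dereferencing. */
unsigned long fw_object_get_attribute_size(fw_object *fw, unsigned long type,
                                           unsigned long *rv)
{
    if (fw == NULL || fw->md == NULL) {
        *rv = CKR_OBJECT_HANDLE_INVALID;
        return 0;
    }
    if (fw->md->get_attribute_size == NULL) {
        *rv = CKR_GENERAL_ERROR;
        return 0;
    }
    return fw->md->get_attribute_size(fw->md, type, rv);
}
```

Checking in the accessor turns the crash into an error return, but only the check in the create path points at the caller that produced the null pointer.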
Comment 1•5 years ago
Adding the signature so it gets picked up in crash stats.
Crash Signature: [@ nssCKFWObject_GetAttributeSize | NSSCKFWC_GetAttributeValue | builtinsC_GetAttributeValue]
Updated•2 years ago
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE