mp_toradix buffer overflow (write)
Categories
(NSS :: Libraries, defect, P3)
Tracking
(Not tracked)
People
(Reporter: guidovranken, Assigned: kjacobs)
Details
(Keywords: csectype-bounds, sec-other)
Attachments (2 files)
patch (1.03 KB)
text/x-phabricator-request (47 bytes)
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
Steps to reproduce:
Compile and run attached proof of concept.
Optionally compile NSS + PoC with AddressSanitizer.
Found with Cryptofuzz.
Use of mp_toradix appears very limited within NSS. Marking as security in case third-party dependencies upon NSS are affected.
Actual results:
Buffer overflow (write, 1 byte) in mp_toradix() with an output buffer the size suggested by mp_radix_size()
Expected results:
No buffer overflow
Comment 1•5 years ago
The priority flag is not set for this bug.
:jcj, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 3•5 years ago
Confirmed. This might take a bit of time to get to, but thank you for the report!
Comment 4•5 years ago (Reporter)
You're welcome :).
Comment 5•5 years ago (Assignee)

Comment 6•5 years ago (Assignee)
Thanks for the report.
There isn't any exposure for Firefox where mp_radix_size is unused, but this is a tricky corner case and a good catch (since in most cases the size will be overestimated, leaving sufficient room).
Comment 7•4 years ago (Assignee)