Closed Bug 1640260 Opened 5 years ago Closed 5 years ago

Uninitialized/allocated pointer in NSC_GenerateKey could be freed, leading to buffer overflow

Categories

(NSS :: Libraries, defect, P1)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kjacobs, Assigned: kjacobs)

Details

(Keywords: csectype-uninitialized, sec-low)

Attachments

(2 files)

While adding some tests, I got an odd ASAN dump:

=================================================================
==86056==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffeefbfd3f0 at pc 0x0001034ed79d bp 0x7ffeefbfd290 sp 0x7ffeefbfd288
READ of size 8 at 0x7ffeefbfd3f0 thread T0
    #0 0x1034ed79c in FreeArenaList plarena.c:204
    #1 0x1034ed8b8 in PL_FreeArenaPool plarena.c:227
    #2 0x1034316b7 in PORT_FreeArena_Util secport.c:380
    #3 0x1075d21f4 in nsspkcs5_DestroyPBEParameter lowpbe.c:1178
    #4 0x107627569 in NSC_GenerateKey pkcs11c.c:4635
    #5 0x1011dc04e in PK11_KeyGenWithTemplate pk11skey.c:1187
    #6 0x1011db1c8 in pk11_TokenKeyGenWithFlagsAndKeyType pk11skey.c:1029
    #7 0x1011dc335 in PK11_TokenKeyGen pk11skey.c:1089
    #8 0x1011dc43b in PK11_KeyGen pk11skey.c:1102
    #9 0x100d422cf in nss_test::Tls13PskTest_ExtPskLargePsk_Test::TestBody() tls_psk_unittest.cc:90

There's an uninitialized pointer pbe_params in NSC_GenerateKey [1]. Some mechanisms call a setup function that returns a CKR value, and we also check the requested key size. If these result in anything other than CKR_OK, we end up calling nsspkcs5_DestroyPBEParameter on random memory. The cause here was requesting a key larger than 256B, but there are other ways to induce it.

I haven't found a Firefox exploit path (e.g. webcrypto) yet, but I'm still auditing.

[1] https://searchfox.org/mozilla-central/source/security/nss/lib/softoken/pkcs11c.c#4475,4634
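The control flow the report describes, as an added example that is not NSS code: a cleanup label that trusts a local pointer only one branch ever writes, beside the hardened form that initializes it to NULL and routes every exit through one cleanup. PBEParams, pbe_setup, pbe_destroy, keygen_unfixed, keygen_fixed and the MECH_* values are hypothetical stand-ins; the CKR_* values are the PKCS#11 constants. The stale stack value is constructed, and pbe_destroy counts rather than frees a pointer it never handed out, so the demonstration is deterministic instead of crashing the way the ASAN trace above does.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not NSS code. PBEParams, pbe_setup, pbe_destroy, keygen_unfixed,
 * keygen_fixed and the MECH_* values are hypothetical stand-ins that reproduce the
 * control flow described in the report; the CKR_* values are PKCS#11 constants. */
typedef unsigned long CK_RV;
#define CKR_OK                0x00UL
#define CKR_HOST_MEMORY       0x02UL
#define CKR_KEY_SIZE_RANGE    0x62UL
#define CKR_MECHANISM_INVALID 0x70UL

enum { MECH_PBE = 1, MECH_PLAIN_SECRET = 2, MECH_UNKNOWN = 99 };
#define MAX_KEY_BYTES 256u

typedef struct PBEParams { unsigned char salt[16]; unsigned iterations; } PBEParams;

/* Bookkeeping so a test can observe what each error path did. */
static PBEParams *g_registry[16]; /* every pointer pbe_setup handed out */
static int g_registry_len;
static int g_live_params;         /* allocated and not yet destroyed */
static int g_bogus_destroys;      /* destroy() on a pointer never handed out */

/* Constructed stand-in for whatever the never-written stack slot holds. On the real
 * stack it was a stale pointer into an earlier frame, which is why ASAN reported a
 * stack-buffer-overflow when FreeArenaList dereferenced it. */
#define STALE_STACK_SLOT ((PBEParams *)(uintptr_t)0xC0DE0000u)

static CK_RV pbe_setup(int mech, PBEParams **out)
{
    if (mech != MECH_PBE)
        return CKR_MECHANISM_INVALID;        /* *out is deliberately left untouched */
    PBEParams *p = calloc(1, sizeof *p);
    if (p == NULL)
        return CKR_HOST_MEMORY;
    memset(p->salt, 0xA5, sizeof p->salt);   /* constructed, not a real salt */
    p->iterations = 10000;
    if (g_registry_len < 16) g_registry[g_registry_len++] = p;
    g_live_params++;
    *out = p;
    return CKR_OK;
}

static void pbe_destroy(PBEParams *p)
{
    if (p == NULL) return;
    for (int i = 0; i < g_registry_len; i++) {
        if (g_registry[i] == p) {
            g_registry[i] = NULL;   /* a second destroy of p then counts as bogus */
            g_live_params--;
            free(p);
            return;
        }
    }
    g_bogus_destroys++;   /* the real code would read and free garbage here */
}

/* The pattern as reported: `loser` trusts a local that only the PBE branch writes. */
static CK_RV keygen_unfixed(int mech, unsigned key_bytes)
{
    CK_RV crv = CKR_OK;
    PBEParams *pbe_params = STALE_STACK_SLOT;   /* models: declared, never initialized */

    if (key_bytes > MAX_KEY_BYTES) { crv = CKR_KEY_SIZE_RANGE; goto loser; }
    if (mech == MECH_PBE) {
        crv = pbe_setup(mech, &pbe_params);
        if (crv != CKR_OK) goto loser;
        /* ... derive the key from pbe_params ... */
        pbe_destroy(pbe_params);
        return CKR_OK;
    }
    if (mech != MECH_PLAIN_SECRET) { crv = CKR_MECHANISM_INVALID; goto loser; }
    /* ... generate a plain random secret ... */
    return CKR_OK;
loser:
    if (pbe_params)             /* reads the stale slot on every early exit */
        pbe_destroy(pbe_params);
    return crv;
}

/* Hardened form: initialize to NULL and route every exit through one cleanup. */
static CK_RV keygen_fixed(int mech, unsigned key_bytes)
{
    CK_RV crv = CKR_OK;
    PBEParams *pbe_params = NULL;

    if (key_bytes > MAX_KEY_BYTES) { crv = CKR_KEY_SIZE_RANGE; goto done; }
    if (mech == MECH_PBE) {
        crv = pbe_setup(mech, &pbe_params);
        if (crv != CKR_OK) goto done;
        /* ... derive the key from pbe_params ... */
    } else if (mech != MECH_PLAIN_SECRET) {
        crv = CKR_MECHANISM_INVALID;
    } /* else: plain random secret, no PBE params involved */
done:
    pbe_destroy(pbe_params);    /* NULL-safe; frees only what pbe_setup returned */
    return crv;
}

/* Number of bogus destroys one call caused, or -1 if it did not return `expect`. */
static int bogus_destroys_during(CK_RV (*fn)(int, unsigned), int mech,
                                 unsigned key_bytes, CK_RV expect)
{
    int before = g_bogus_destroys;
    CK_RV crv = fn(mech, key_bytes);
    return crv == expect ? g_bogus_destroys - before : -1;
}

static int live_params(void) { return g_live_params; }

int main(void)
{
    printf("unfixed, 512-byte PBE key: bogus destroys=%d\n",
           bogus_destroys_during(keygen_unfixed, MECH_PBE, 512, CKR_KEY_SIZE_RANGE));
    printf("fixed,   512-byte PBE key: bogus destroys=%d\n",
           bogus_destroys_during(keygen_fixed, MECH_PBE, 512, CKR_KEY_SIZE_RANGE));
    return 0;
}
```

Both early exits the report mentions (an over-size key and a mechanism whose setup fails before it assigns the pointer) hit the stale slot in keygen_unfixed, while the successful PBE path never does, which is why a normal test suite would not notice; keygen_fixed only ever frees what pbe_setup returned.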

Attached file webcrypto.html
Assignee: nobody → kjacobs.bugzilla
Severity: -- → S3
Attachment #9151158 - Attachment description: Bug 1640260 - Fix an intiailization issue with PBE params → Bug 1640260 - Fix an initialization issue with PBE params
Attachment #9151158 - Attachment description: Bug 1640260 - Fix an initialization issue with PBE params → Bug 1640260 - Initialize PBE params
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.53
Group: crypto-core-security → core-security-release
Group: core-security-release
