Closed Bug 1760998 (CVE-2022-38476) Opened 3 years ago Closed 3 years ago

Intermittent SUMMARY: ThreadSanitizer: data race /builds/worker/checkouts/gecko/security/nss/lib/softoken/sftkpwd.c:657:29 in sftkdb_switchKeys

Categories

(NSS :: Libraries, defect, P5)

Tracking

(firefox-esr91 wontfix, firefox-esr102 104+ fixed, firefox101 wontfix, firefox102 wontfix, firefox103 fixed)

RESOLVED FIXED
Tracking Status
firefox-esr91 --- wontfix
firefox-esr102 104+ fixed
firefox101 --- wontfix
firefox102 --- wontfix
firefox103 --- fixed

People

(Reporter: intermittent-bug-filer, Assigned: jschanck)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-race, intermittent-failure, sec-low, Whiteboard: [post-critsmash-triage][adv-main103+][adv-esr102.2+])

Attachments

(3 files)

Filed by: mlaza [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer?job_id=372055923&repo=autoland
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/G560dVCyTB6eDQYbysjRcw/runs/0/artifacts/public/logs/live_backing.log


[task 2022-03-23T12:46:44.566Z] 12:46:44     INFO - TEST-START | browser/components/enterprisepolicies/tests/browser/browser_policy_masterpassword.js
[task 2022-03-23T12:46:44.844Z] 12:46:44     INFO - GECKO(2993) | MP change from  to omgsecret!
[task 2022-03-23T12:46:44.953Z] 12:46:44     INFO - GECKO(2993) | ==================
[task 2022-03-23T12:46:44.954Z] 12:46:44     INFO - GECKO(2993) | WARNING: ThreadSanitizer: data race (pid=2993)
[task 2022-03-23T12:46:44.955Z] 12:46:44     INFO - GECKO(2993) |   Write of size 8 at 0x7b200021a320 by main thread (mutexes: write M226722785161565008, write M229819009905384160):
[task 2022-03-23T12:46:44.957Z] 12:46:44     INFO - GECKO(2993) |     #0 sftkdb_switchKeys /builds/worker/checkouts/gecko/security/nss/lib/softoken/sftkpwd.c:657:29 (libsoftokn3.so+0x50e3e)
[task 2022-03-23T12:46:44.959Z] 12:46:44     INFO - GECKO(2993) |     #1 sftkdb_finishPasswordCheck /builds/worker/checkouts/gecko/security/nss/lib/softoken/sftkpwd.c:1083:9 (libsoftokn3.so+0x50e3e)
[task 2022-03-23T12:46:44.959Z] 12:46:44     INFO - GECKO(2993) |     #2 sftkdb_CheckPassword /builds/worker/checkouts/gecko/security/nss/lib/softoken/sftkpwd.c:946:10 (libsoftokn3.so+0x51141)
[task 2022-03-23T12:46:44.963Z] 12:46:44     INFO - GECKO(2993) |     #3 sftkdb_ChangePassword /builds/worker/checkouts/gecko/security/nss/lib/softoken/sftkpwd.c:1377:14 (libsoftokn3.so+0x51aa6)
[task 2022-03-23T12:46:44.963Z] 12:46:44     INFO - GECKO(2993) |     #4 NSC_SetPIN /builds/worker/checkouts/gecko/security/nss/lib/softoken/pkcs11.c:4102:10 (libsoftokn3.so+0x1fee5)
[task 2022-03-23T12:46:44.963Z] 12:46:44     INFO - GECKO(2993) |     #5 PK11_ChangePW /builds/worker/checkouts/gecko/security/nss/lib/pk11wrap/pk11auth.c:514:11 (libnss3.so+0x6608e)
...
[task 2022-03-23T12:46:45.107Z] 12:46:45     INFO - GECKO(2993) |     #22 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3 (libxul.so+0x198dfbc)
[task 2022-03-23T12:46:45.108Z] 12:46:45     INFO - GECKO(2993) |     #23 nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:389:10 (libxul.so+0xfbacdc)
[task 2022-03-23T12:46:45.108Z] 12:46:45     INFO - GECKO(2993) |     #24 _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5 (libnspr4.so+0x44fad)
[task 2022-03-23T12:46:45.109Z] 12:46:45     INFO - GECKO(2993) | SUMMARY: ThreadSanitizer: data race /builds/worker/checkouts/gecko/security/nss/lib/softoken/sftkpwd.c:657:29 in sftkdb_switchKeys
[task 2022-03-23T12:46:45.110Z] 12:46:45     INFO - GECKO(2993) | ==================
[task 2022-03-23T12:46:45.142Z] 12:46:45     INFO - GECKO(2993) | Exiting due to channel error.
[task 2022-03-23T12:46:45.142Z] 12:46:45     INFO - GECKO(2993) | Exiting due to channel error.
[task 2022-03-23T12:46:45.143Z] 12:46:45     INFO - GECKO(2993) | Exiting due to channel error.
[task 2022-03-23T12:46:45.143Z] 12:46:45     INFO - GECKO(2993) | Exiting due to channel error.
[task 2022-03-23T12:46:45.144Z] 12:46:45     INFO - GECKO(2993) | Exiting due to channel error.
[task 2022-03-23T12:46:45.144Z] 12:46:45     INFO - GECKO(2993) | Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: Receive IPC close with reason=AbnormalShutdown (t=15.5342) Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: Receive IPC close with reason=AbnormalShutdown (t=13.6667) Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: Receive IPC close with reason=AbnormalShutdown (t=139.979) Exiting due to channel error.
[task 2022-03-23T12:46:45.145Z] 12:46:45     INFO - GECKO(2993) | Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: Receive IPC close with reason=AbnormalShutdown (t=17.7682) Exiting due to channel error.
[task 2022-03-23T12:46:45.149Z] 12:46:45     INFO - GECKO(2993) | Exiting due to channel error.
[task 2022-03-23T12:46:46.191Z] 12:46:46     INFO - GECKO(2993) | Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: Receive IPC close with reason=AbnormalShutdown (t=304.854)
[task 2022-03-23T12:46:46.192Z] 12:46:46     INFO - TEST-INFO | Main app process: killed by SIGIOT
[task 2022-03-23T12:46:46.193Z] 12:46:46     INFO - Buffered messages logged at 12:46:44
[task 2022-03-23T12:46:46.194Z] 12:46:46     INFO - Entering test bound policies_headjs_startWithCleanSlate
[task 2022-03-23T12:46:46.194Z] 12:46:46     INFO - TEST-PASS | browser/components/enterprisepolicies/tests/browser/browser_policy_masterpassword.js | Engine is inactive at the start of the test -
Attached file tsan_log.txt

Since changing the primary password is a manual and rare action, this doesn't seem like a very exploitable issue in practice.

This read of keyHandle->passwordKey.data should be protected by keyHandle->passwordLock. Likewise in sftkdb_PWCached.

I agree that the data race doesn't seem very dangerous. But while reviewing the surrounding code I found that neither sftkdb_CloseDB nor sftkdb_ResetKeyDB take keyHandle->passwordLock before freeing keyHandle->passwordKey. So there's potential for a UAF there (although it's possible the database transactions in sftkdb_CloseDB and sftkdb_ResetKeyDB get in the way).
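Added example, not NSS's own code: a minimal C model of the locking discipline the two comments above describe, where passwordKey is read and freed only under passwordLock, so the TSan-reported unlocked read and the unlocked free in the close/reset path cannot occur (the struct and function names are hypothetical stand-ins for the softoken ones).

```c
/* Illustrative model of the locking discipline the comments ask for. Not NSS code:
 * names are hypothetical stand-ins for keyHandle->passwordKey/passwordLock. */
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

typedef struct { unsigned char *data; size_t len; } SecItem; /* SECItem stand-in */

typedef struct {
    pthread_mutex_t passwordLock;
    SecItem passwordKey; /* cached password key; touched only under passwordLock */
} KeyHandle;

#define KEYHANDLE_INIT { PTHREAD_MUTEX_INITIALIZER, { NULL, 0 } }

/* Cache a key: copy first, then publish the pointer under the lock. */
int keyhandle_set_key(KeyHandle *kh, const unsigned char *key, size_t len) {
    unsigned char *copy = malloc(len);
    if (!copy) return -1;
    memcpy(copy, key, len);
    pthread_mutex_lock(&kh->passwordLock);
    free(kh->passwordKey.data); /* any previous key is replaced under the lock */
    kh->passwordKey.data = copy;
    kh->passwordKey.len = len;
    pthread_mutex_unlock(&kh->passwordLock);
    return 0;
}

/* Like sftkdb_PWCached: the read of passwordKey.data happens under the lock.
 * Reading it unlocked is the TSan-reported race (and a UAF if a free races it). */
int keyhandle_pw_cached(KeyHandle *kh) {
    pthread_mutex_lock(&kh->passwordLock);
    int cached = kh->passwordKey.data != NULL;
    pthread_mutex_unlock(&kh->passwordLock);
    return cached;
}

/* What close/reset should do: free AND null the key under the same lock, so a
 * reader that takes the lock afterwards sees "no key" rather than freed memory. */
void keyhandle_close(KeyHandle *kh) {
    pthread_mutex_lock(&kh->passwordLock);
    if (kh->passwordKey.data) {
        memset(kh->passwordKey.data, 0, kh->passwordKey.len); /* scrub key bytes */
        free(kh->passwordKey.data);
    }
    kh->passwordKey.data = NULL;
    kh->passwordKey.len = 0;
    pthread_mutex_unlock(&kh->passwordLock);
}
```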

Assignee: nobody → jschanck
Blocks: 1763237
Target Milestone: --- → 3.80
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Group: crypto-core-security → core-security-release
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main103+r]
No longer blocks: 1780022
Whiteboard: [post-critsmash-triage][adv-main103+r] → [post-critsmash-triage][adv-main103+][adv-esr102.2+]
Attached file advisory.txt
Alias: CVE-2022-38476
Group: core-security-release
