Closed Bug 1804662 Opened 2 years ago Closed 2 years ago

Assertion failure: (padsize == 0) || (pcount % padsize) == 0, at ../../lib/pkcs7/p7local.c:461

Categories

(NSS :: Libraries, defect)

Product:
NSS
Component:
Libraries
Platform:
x86_64
Linux
Type:
defect

Tracking

(firefox-esr102 wontfix, firefox109 wontfix, firefox110 wontfix, firefox111 wontfix, firefox112 fixed)

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox-esr102 --- wontfix
firefox109 --- wontfix
firefox110 --- wontfix
firefox111 --- wontfix
firefox112 --- fixed

People

(Reporter: decoder, Assigned: jschanck)

References

Details

(Keywords: crash, sec-other, testcase, Whiteboard: [nss-triage][post-critsmash-triage][adv-main112-])

Attachments

(3 files)

Detailed Crash Information
3.44 KB, text/plain
Details
Testcase
92 bytes, application/octet-stream
Details
Bug 1804662 - remove data length assertion in sec_PKCS7Decrypt. r=#nss-reviewers
48 bytes, text/x-phabricator-request
Details | Review

The attached testcase crashes on nss revision a3669ed2c606+ (debug build with ASan/fuzzing).

For detailed crash information, see attachment.

To reproduce the issue, perform the following steps:

  1. Build NSS with fuzzing enabled and patch from bug 1804646 applied: ./build.sh --asan --clang --fuzz (assuming mozbuild clang/clang++ is on PATH and matching NSPR with ASan is installed/used).
  2. Run nssfuzz- test.bin

I don't think this is a security problem but keeping this hidden until all PKCS12 issues are resolved and the fuzzer itself is public.

Attached file Testcase
Group: core-security → crypto-core-security
Keywords: sec-other

The severity field is not set for this bug.
:beurdouche, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(bbeurdouche)
Flags: needinfo?(bbeurdouche)
Whiteboard: [nss-triage]

Yeah that assertion shouldn't be there---it fires if the (untrusted) input is of the wrong length. It's safe to remove the assertion since the if block after it correctly returns an error. I think sec-other is fine since this only affects debug builds.

https://hg.mozilla.org/projects/nss/rev/056fbe59c60555d6ca93d7d40c675955f1a9aa2c

Group: crypto-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox109: affectedwontfix
status-firefox110: --- → wontfix
status-firefox111: --- → wontfix
status-firefox112: --- → fixed
status-firefox-esr102: --- → wontfix
Resolution: --- → FIXED
Target Milestone: --- → 3.89
Assignee: nobody → jschanck
Flags: qe-verify-
Whiteboard: [nss-triage] → [nss-triage][post-critsmash-triage]
Whiteboard: [nss-triage][post-critsmash-triage] → [nss-triage][post-critsmash-triage][adv-main112-]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: