Closed Bug 1804662 Opened 2 years ago Closed 1 year ago

Assertion failure: (padsize == 0) || (pcount % padsize) == 0, at ../../lib/pkcs7/p7local.c:461

Categories

(NSS :: Libraries, defect)

x86_64
Linux
defect

Tracking

(firefox-esr102 wontfix, firefox109 wontfix, firefox110 wontfix, firefox111 wontfix, firefox112 fixed)

RESOLVED FIXED

People

(Reporter: decoder, Assigned: jschanck)

Details

(Keywords: crash, sec-other, testcase, Whiteboard: [nss-triage][post-critsmash-triage][adv-main112-])

Attachments

(3 files)

The attached testcase crashes on nss revision a3669ed2c606+ (debug build with ASan/fuzzing).

For detailed crash information, see attachment.

To reproduce the issue, perform the following steps:

  1. Build NSS with fuzzing enabled and patch from bug 1804646 applied: ./build.sh --asan --clang --fuzz (assuming mozbuild clang/clang++ is on PATH and matching NSPR with ASan is installed/used).
  2. Run nssfuzz- test.bin

I don't think this is a security problem but keeping this hidden until all PKCS12 issues are resolved and the fuzzer itself is public.

Attached file Testcase
Group: core-security → crypto-core-security
Keywords: sec-other

The severity field is not set for this bug.
:beurdouche, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(bbeurdouche)
Flags: needinfo?(bbeurdouche)
Whiteboard: [nss-triage]

Yeah that assertion shouldn't be there---it fires if the (untrusted) input is of the wrong length. It's safe to remove the assertion since the if block after it correctly returns an error. I think sec-other is fine since this only affects debug builds.
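The pattern described in the comment above, as an added illustration that is not NSS code and not the patch for this bug: a streaming decoder that asserts on the length of untrusted input before checking it. The names (dec_ctx, dec_update, dec_finish_before/after, DEBUG_ASSERT, STATUS_BAD_LENGTH) are hypothetical; padsize and pcount mirror the variables in the failing assertion, with padsize the cipher block size (0 meaning no alignment rule) and pcount the number of input bytes fed so far. The stand-in DEBUG_ASSERT only records that a real PORT_Assert/assert would have aborted, so the example can keep running and show that the if-block alone already handles the bad input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes for this example (NSS uses SECStatus; this does not). */
typedef enum { STATUS_OK = 0, STATUS_BAD_LENGTH = 1 } dec_status;

/* Stand-in for a debug-only assertion. A real assert()/PORT_Assert aborts the
 * process; this one just counts that it would have fired. Like the real macro
 * it compiles to nothing when NDEBUG is defined (release builds). */
static int debug_assert_fired = 0;
#ifdef NDEBUG
#define DEBUG_ASSERT(cond) ((void)0)
#else
#define DEBUG_ASSERT(cond) do { if (!(cond)) debug_assert_fired++; } while (0)
#endif

static int debug_asserts_enabled(void)
{
#ifdef NDEBUG
    return 0;
#else
    return 1;
#endif
}

typedef struct {
    size_t padsize;  /* block size; 0 = stream cipher, no alignment requirement */
    size_t pcount;   /* untrusted input bytes consumed so far */
} dec_ctx;

static void dec_init(dec_ctx *c, size_t padsize)
{
    c->padsize = padsize;
    c->pcount = 0;
}

/* Any chunk length is legal mid-stream, so update() never checks alignment. */
static void dec_update(dec_ctx *c, const uint8_t *data, size_t len)
{
    (void)data;      /* a real decoder would buffer/decrypt here */
    c->pcount += len;
}

/* Before: alignment is asserted and then checked. On attacker-controlled input
 * the assertion fires first, so a debug/ASan/fuzzing build aborts even though
 * the if-block right after it would have returned an error cleanly. */
static dec_status dec_finish_before(const dec_ctx *c)
{
    DEBUG_ASSERT((c->padsize == 0) || (c->pcount % c->padsize) == 0);
    if (c->padsize != 0 && (c->pcount % c->padsize) != 0)
        return STATUS_BAD_LENGTH;
    return STATUS_OK;
}

/* After: the assertion is removed; the error return is the only handling and
 * behaves the same in debug and release builds. */
static dec_status dec_finish_after(const dec_ctx *c)
{
    if (c->padsize != 0 && (c->pcount % c->padsize) != 0)
        return STATUS_BAD_LENGTH;
    return STATUS_OK;
}

/* Feed `total` bytes of constructed dummy input in uneven 7-byte chunks, then
 * finish with the chosen variant. If `fired` is non-NULL it receives the number
 * of times the debug assertion would have aborted. */
static dec_status run_case(size_t padsize, size_t total, int use_fixed, int *fired)
{
    uint8_t buf[64];                     /* constructed dummy ciphertext */
    dec_ctx c;
    size_t off = 0;
    dec_status s;

    if (total > sizeof(buf))
        total = sizeof(buf);
    memset(buf, 0xA5, sizeof(buf));
    dec_init(&c, padsize);
    debug_assert_fired = 0;
    while (off < total) {
        size_t n = (total - off < 7) ? total - off : 7;
        dec_update(&c, buf + off, n);
        off += n;
    }
    s = use_fixed ? dec_finish_after(&c) : dec_finish_before(&c);
    if (fired)
        *fired = debug_assert_fired;
    return s;
}

static int case_assert_fired(size_t padsize, size_t total, int use_fixed)
{
    int fired = 0;
    (void)run_case(padsize, total, use_fixed, &fired);
    return fired;
}

int main(void)
{
    int fired = 0;
    dec_status s = run_case(16, 31, 0, &fired);  /* 31 bytes, 16-byte blocks */
    printf("before fix: status=%d, debug assertion would abort: %s\n",
           (int)s, fired ? "yes" : "no");
    s = run_case(16, 31, 1, &fired);
    printf("after fix:  status=%d, debug assertion would abort: %s\n",
           (int)s, fired ? "yes" : "no");
    return 0;
}
```

With a 31-byte input and a 16-byte block size, both variants return STATUS_BAD_LENGTH, but only the "before" variant would have taken a debug or fuzzing build down first; a release build never sees the difference, which is why the comment rates the issue sec-other.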

Group: crypto-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 3.89
Assignee: nobody → jschanck
Flags: qe-verify-
Whiteboard: [nss-triage] → [nss-triage][post-critsmash-triage]
Whiteboard: [nss-triage][post-critsmash-triage] → [nss-triage][post-critsmash-triage][adv-main112-]
Group: core-security-release
