Uninitialized memory while handling slot structures
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
People
(Reporter: jjelen, Unassigned)
Details
Attachments
(2 files)
Attachment 1: patch, 1.16 KB
Attachment 2: text/x-phabricator-request, 48 bytes
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0
Steps to reproduce:
Running libcacard tests under valgrind:
https://gitlab.freedesktop.org/spice/libcacard/-/issues/15
This points to the use of the flagSeries and flagState members, which are not initialized during the structure initialization and are first tested in secmod_HandleWaitForSlotEvent (and a value is assigned to them only after the first test). I believe the correct fix is to make sure they are initialized when the structure is allocated; otherwise it might cause unexpected behavior.
This is present in master.
Actual results:
valgrind reports memory issues pointing to NSS:
==44832== Thread 3:
==44832== Conditional jump or move depends on uninitialised value(s)
==44832== at 0x4AC98A7: secmod_HandleWaitForSlotEvent (pk11util.c:1181)
==44832== by 0x4AC9BCD: SECMOD_WaitForAnyTokenEvent (pk11util.c:1252)
==44832== by 0x4860DFE: vcard_emul_event_thread (vcard_emul_nss.c:830)
==44832== by 0x4C04758: _pt_root (ptthread.c:201)
==44832== by 0x4CB5906: start_thread (pthread_create.c:444)
==44832== by 0x4D3B773: clone (clone.S:100)
==44832==
Expected results:
NSS should not use uninitialized memory.
These flags are not set to an initial value when the structure is allocated
and are first tested in pk11util.c before they are assigned, causing a
conditional jump depending on uninitialized values when invoked under
valgrind, like this:
==44832== Conditional jump or move depends on uninitialised value(s)
==44832== at 0x4AC98A7: secmod_HandleWaitForSlotEvent (pk11util.c:1181)
[...]
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
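The compare-before-assign pattern the report describes, as an added example in hypothetical C (not NSS's pk11util.c or PK11SlotInfo): the flag members are given a defined value at allocation so that the first comparison in the event check never branches on indeterminate memory. The Slot structure, slot_alloc and slot_check_event are constructed for illustration.

```c
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical slot structure modelled on the report: flagSeries/flagState
 * record what the event loop last saw; series/present are current state. */
typedef struct {
    int series;      /* number of token insertions so far */
    int present;     /* 1 if a token is currently in the slot */
    int flagSeries;  /* series value the event loop last reported */
    int flagState;   /* presence state the event loop last reported */
} Slot;

/* The fix in spirit: every member gets a defined value at allocation.
 * A bare malloc() would leave flagSeries/flagState indeterminate, and the
 * first slot_check_event() call would branch on garbage, which is what
 * valgrind reports as "conditional jump depends on uninitialised value(s)". */
Slot *slot_alloc(void) {
    Slot *slot = calloc(1, sizeof(*slot));
    if (slot == NULL)
        return NULL;
    slot->flagSeries = 0;   /* explicit, even though calloc already zeroed */
    slot->flagState = 0;
    return slot;
}

/* Compare first, assign afterwards: the order that makes an uninitialised
 * flag dangerous. Returns 1 if the slot changed since the last check. */
int slot_check_event(Slot *slot) {
    int changed = slot->flagState != slot->present ||
                  slot->flagSeries != slot->series;
    slot->flagState = slot->present;
    slot->flagSeries = slot->series;
    return changed;
}

void slot_token_insert(Slot *slot) { slot->present = 1; slot->series++; }
void slot_token_remove(Slot *slot) { slot->present = 0; }

int main(void) {
    Slot *slot = slot_alloc();
    if (slot == NULL)
        return 1;
    printf("fresh slot: event=%d\n", slot_check_event(slot));    /* 0 */
    slot_token_insert(slot);
    printf("after insert: event=%d\n", slot_check_event(slot));  /* 1 */
    printf("checked again: event=%d\n", slot_check_event(slot)); /* 0 */
    free(slot);
    return 0;
}
```

Running the same program with a malloc() in place of calloc() and no explicit flag assignment reproduces the valgrind complaint on the first slot_check_event() call.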
Comment 2•2 years ago
The patch was merged last week already: https://phabricator.services.mozilla.com/D180434. Closing the bug.
Comment 3•2 years ago
https://hg.mozilla.org/projects/nss/rev/be670383f98cf577865f0d09bd2dfbdba84f3703
This landed in 3.91, but we don't have the flags in bugzilla for that yet.