Closed Bug 1839258 (CVE-2024-6609) Opened 2 years ago Closed 1 year ago

AddressSanitizer: global-buffer-overflow on NSS PORT_FreeArena_Util -> PL_ClearArenaPool after calloc and malloc failure

Categories

(NSS :: Libraries, defect, P2)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(firefox-esr115 wontfix, firefox126 wontfix, firefox127 wontfix, firefox128 fixed)

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox126 --- wontfix
firefox127 --- wontfix
firefox128 --- fixed

People

(Reporter: sourc7, Assigned: karthik.bhargavan)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main128+])

Attachments

(2 files)

asan-global-buffer-overflow-read-8.txt
4.82 KB, text/plain
Details
advisory.txt
147 bytes, text/plain
Details

When running new RTCPeerConnection() and fillMemory using JS code to exhaust the process virtual memory, on Firefox compiled with AddressSanitizer, I able to hit AddressSanitizer: global-buffer-overflow, sometimes it hit SEGV on unknown address, and sometimes "fault was caused by a dereference of a high value address" is included, it hit on NSS PORT_FreeArena_Util -> PL_ClearArenaPool, this one is quite rare to trigger on ASan, compared to Bug 1838197 is very common.

I've investigated for a days, it caused after calloc failure on ec_NewKey at mp_init(&k), the ec_NewKey is returning ecPriv value from calloc failure, then malloc failure on SEC_ASN1EncodeItem is triggered goto ecgn_done; which freed up the ecPriv on PORT_FreeArena(ecPriv->ecParams.arena, PR_TRUE);

Flags: sec-bounty?
Assignee: nobody → nobody
Group: firefox-core-security → crypto-core-security
Component: Security → Libraries
Product: Firefox → NSS
Version: unspecified → other

The severity field is not set for this bug.
:beurdouche, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(bbeurdouche)
Flags: needinfo?(bbeurdouche)
Flags: needinfo?(bbeurdouche)

John, can you please check priority and severity on this when you have a min ? Thanks !

Severity: -- → S2
Flags: needinfo?(jschanck)
Priority: -- → P2

This will be fixed when we finish upgrading the P-384 and P-521 code. I assume RTCPeerConnection() uses P-256, and that case is already fixed.

Depends on: 1854438, 1854439
Flags: needinfo?(jschanck)
Flags: needinfo?(bbeurdouche)

Fixed by Bug 1854438 and Bug 1854439 in NSS 101.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Assignee: nobody → karthik.bhargavan
Group: crypto-core-security → core-security-release
status-firefox126: --- → wontfix
status-firefox127: --- → wontfix
status-firefox128: --- → fixed
status-firefox-esr115: --- → wontfix
Flags: sec-bounty? → sec-bounty+

Our bounty guidelines for "Memory Corruption triggered by an OOM condition" is $1500
https://www.mozilla.org/en-US/security/client-bug-bounty/

Flags: qe-verify-
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main128+]
Alias: CVE-2024-6609

Are you sure this was addressed by bug 1854438 and bug 1854439? I was looking at the issue as reported in comment 0 for potential backports to older versions of NSS, and the code issue that PORT_FreeArena(ecPriv->ecParams.arena, PR_TRUE); is called on an potentially already free'd arena is still there. It might not be triggerable through OOM allocation failures, but can we be absolutely sure that no other code path present or future might lead to that? As a matter of defense in depth, it would seem like we should at least add a if (key) key->ecParams.arena = NULL to ec_NewKey's cleanup.

Flags: needinfo?(jschanck)

The core issue was that ec_NewKey was using CHECK_MPI_OK after CHECK_SEC_OK without resetting rv. So if mp_init failed here, the function would return the value rv = SECSuccess that was set here without assigning a value to *privKey.

You are right that the two bugs I linked above did not actually fix the issue. Those were prerequisites for a larger cleanup effort that I did in Bug 1898627, which landed simultaneously.

Flags: needinfo?(jschanck)

(In reply to John Schanck [:jschanck] from comment #8)

The core issue was that ec_NewKey was using CHECK_MPI_OK after CHECK_SEC_OK without resetting rv. So if mp_init failed here, the function would return the value rv = SECSuccess that was set here without assigning a value to *privKey.

You are right that the two bugs I linked above did not actually fix the issue. Those were prerequisites for a larger cleanup effort that I did in Bug 1898627, which landed simultaneously.

But this code path is on the failure case? https://searchfox.org/mozilla-central/rev/0c55d51c0d2a9b672e42ad40ea54f90267f92a8e/security/nss/lib/softoken/pkcs11c.c#5874 and the arena is always freed on cleanup ?

Oh, I see. So a fix for older versions would be to apply the following to the cleanup code path in ec_NewKey, right? https://searchfox.org/nss/rev/ba9330537e6e94971de8b9bc49460891b23afd4f/lib/freebl/ec.c#379-382

Yes, that would work.

Is it ok to attach the information in comment 11 to public information about the CVE? (I think that would end up on https://security-tracker.debian.org/tracker/CVE-2024-6609)

Flags: needinfo?(jschanck)

Fine by me.

Flags: needinfo?(jschanck)
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: