Closed Bug 1921768 (CVE-2024-11705) Opened 11 months ago Closed 11 months ago

SEGV in NSC_DeriveKey

Categories

(NSS :: Libraries, defect, P3)

Tracking

(firefox-esr115 unaffected, firefox-esr128 unaffected, firefox131 wontfix, firefox132 wontfix, firefox133 fixed)

RESOLVED FIXED

People

(Reporter: coffeys, Assigned: jschanck)

References

(Regression)

Details

(Keywords: regression, reporter-external, sec-low, Whiteboard: [nss-nofx][post-critsmash-triage][adv-main133+])

Attachments

(2 files)


Steps to reproduce:

Called C_DeriveKey and passed NULL for phKey value:

NSC_DeriveKey(CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey,
CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
CK_OBJECT_HANDLE_PTR phKey)

Actual results:

SEGV due to libsoftokn3.so with NSS >= 3.103

libsoftokn3.so+0x305cd

issue in lib/softoken/pkcs11c.c

With a recent code change in the NSC_DeriveKey function, there's an assumption that the phKey variable is non-NULL

https://github.com/nss-dev/nss/commit/9adf6e998915668f86d38436ed494ec7a468a9de#diff-02ad66dc66d5472ca33807f52cddf27086f41089d968a6a81e991577ed000abfR7392

Presuming it's non-NULL seems to be an issue. The PKCS#11 v3.0 current mechanism specification hints that phKey should be NULL for certain mechanisms:

"the parameter phKey passed to C_DeriveKey is unnecessary, and should be a NULL_PTR." under "2.39.6 Key and MAC derivation"
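As an added example (this is not NSS code and not the fix that landed for this bug), the following self-contained C program models the contract the report points at: a C_DeriveKey-style entry point must not write through phKey unconditionally, because for key and MAC derivation the derived handles come back through the mechanism parameter and the caller is told to pass NULL_PTR. The CK_ typedefs, return codes, mechanism identifiers and the KeyMatOut structure are local stand-ins (assumed shapes, not the real PKCS#11 header values), and derive_key_unchecked only models the defect shape described in the report, an early write through phKey; the actual softoken code path is not reproduced here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Local stand-ins for the PKCS#11 types and return codes used below
 * (assumption: shaped like pkcs11t.h, but defined here so the example
 * builds without NSS or any PKCS#11 header). */
typedef unsigned long CK_RV;
typedef unsigned long CK_MECHANISM_TYPE;
typedef unsigned long CK_OBJECT_HANDLE;
typedef CK_OBJECT_HANDLE *CK_OBJECT_HANDLE_PTR;
#define NULL_PTR NULL
#define CK_INVALID_HANDLE 0UL
#define CKR_OK 0x00UL
#define CKR_ARGUMENTS_BAD 0x07UL

/* Stand-in mechanism identifiers; these are NOT the real CKM_* values. */
enum { MECH_PLAIN_DERIVE = 1, MECH_KEY_AND_MAC_DERIVE = 2 };

/* Stand-in for the "returned key material" block that key and MAC
 * derivation fills in instead of phKey (modelled on CK_SSL3_KEY_MAT_OUT). */
typedef struct {
    CK_OBJECT_HANDLE hClientMacSecret, hServerMacSecret, hClientKey, hServerKey;
} KeyMatOut;

typedef struct {
    CK_MECHANISM_TYPE mechanism;
    KeyMatOut *pReturnedKeyMaterial; /* only meaningful for MECH_KEY_AND_MAC_DERIVE */
} Mechanism;

static CK_OBJECT_HANDLE next_handle = 100; /* toy handle allocator */

static bool returns_keys_in_params(CK_MECHANISM_TYPE m)
{
    return m == MECH_KEY_AND_MAC_DERIVE;
}

/* Shared derivation body: touches phKey only on the path where it is the output. */
static CK_RV derive_core(const Mechanism *pMechanism, CK_OBJECT_HANDLE_PTR phKey)
{
    if (returns_keys_in_params(pMechanism->mechanism)) {
        KeyMatOut *out = pMechanism->pReturnedKeyMaterial;
        if (out == NULL_PTR) return CKR_ARGUMENTS_BAD;
        out->hClientMacSecret = next_handle++;
        out->hServerMacSecret = next_handle++;
        out->hClientKey = next_handle++;
        out->hServerKey = next_handle++;
        return CKR_OK; /* phKey is unnecessary here; per 2.39.6 it "should be a NULL_PTR" */
    }
    if (phKey == NULL_PTR) return CKR_ARGUMENTS_BAD; /* the only output is missing */
    *phKey = next_handle++;
    return CKR_OK;
}

/* Assumed defect shape: the output handle is cleared through phKey at entry,
 * so a NULL phKey faults before the mechanism is even examined. */
CK_RV derive_key_unchecked(const Mechanism *pMechanism, CK_OBJECT_HANDLE_PTR phKey)
{
    *phKey = CK_INVALID_HANDLE; /* SEGV when phKey == NULL_PTR */
    if (pMechanism == NULL_PTR) return CKR_ARGUMENTS_BAD;
    return derive_core(pMechanism, phKey);
}

/* Hardened form: clear the handle only if the caller supplied somewhere to put it. */
CK_RV derive_key_hardened(const Mechanism *pMechanism, CK_OBJECT_HANDLE_PTR phKey)
{
    if (phKey != NULL_PTR) *phKey = CK_INVALID_HANDLE;
    if (pMechanism == NULL_PTR) return CKR_ARGUMENTS_BAD;
    return derive_core(pMechanism, phKey);
}

/* 1. Key-and-MAC derivation with phKey == NULL_PTR, as the spec text allows:
 *    must succeed and fill all four handles. Returns true on that outcome. */
bool demo_keymat_null_phkey(void)
{
    KeyMatOut km = {0, 0, 0, 0};
    Mechanism m = { MECH_KEY_AND_MAC_DERIVE, &km };
    CK_RV rv = derive_key_hardened(&m, NULL_PTR);
    return rv == CKR_OK && km.hClientMacSecret && km.hServerMacSecret &&
           km.hClientKey && km.hServerKey;
}

/* 2. Ordinary derivation with phKey == NULL_PTR: the sole output is missing,
 *    so the hardened path rejects the call instead of faulting. */
CK_RV demo_plain_null_phkey(void)
{
    Mechanism m = { MECH_PLAIN_DERIVE, NULL_PTR };
    return derive_key_hardened(&m, NULL_PTR);
}

/* 3. Ordinary derivation with a real phKey: both versions behave identically. */
bool demo_plain_with_phkey(void)
{
    Mechanism m = { MECH_PLAIN_DERIVE, NULL_PTR };
    CK_OBJECT_HANDLE h1 = CK_INVALID_HANDLE, h2 = CK_INVALID_HANDLE;
    return derive_key_hardened(&m, &h1) == CKR_OK && h1 != CK_INVALID_HANDLE &&
           derive_key_unchecked(&m, &h2) == CKR_OK && h2 != CK_INVALID_HANDLE;
}

int main(void)
{
    printf("keymat, phKey NULL : %s\n", demo_keymat_null_phkey() ? "ok" : "FAIL");
    printf("plain,  phKey NULL : rv=0x%02lx (CKR_ARGUMENTS_BAD expected)\n", demo_plain_null_phkey());
    printf("plain,  phKey set  : %s\n", demo_plain_with_phkey() ? "ok" : "FAIL");
    return 0;
}
```

The point of the split is that NULL phKey is legitimate for one class of mechanisms and a caller error for the rest; a token that wants to clear the output handle defensively has to do so behind a NULL check, and an external caller (the reporter's case) should get CKR_ARGUMENTS_BAD rather than a fault when it omits the only output of an ordinary derivation.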

Assignee: nobody → jschanck
Severity: -- → S4
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Keywords: sec-low
Priority: -- → P3
Whiteboard: [nss-nofx]
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Group: crypto-core-security → core-security-release
Flags: qe-verify-
Whiteboard: [nss-nofx] → [nss-nofx][post-critsmash-triage]
Whiteboard: [nss-nofx][post-critsmash-triage] → [nss-nofx][post-critsmash-triage][adv-main133+]
Alias: CVE-2024-11705
Group: core-security-release
