Segmentation fault in SECITEM_Hash during pkcs12 processing
Categories: NSS :: Libraries, defect, P3
Tracking: firefox-esr115 unaffected, firefox-esr128 unaffected, firefox133 unaffected, firefox134 wontfix, firefox135 fixed
People: Reporter: marc, Assigned: rrelyea
References: Regression
Details: 4 keywords, Whiteboard: [post-critsmash-triage][adv-main135-]
Attachments: 2 files
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Steps to reproduce:
I ran pk12util -l secitem_hash_pw_start.pk12 -Wstart .
This occurs with the current packages on Ubuntu 24.04.1
--> libnss3/noble,now 2:3.98-1build1 amd64 [installed]
Depending on where this function is called from, it might be a security bug due to session disruption and, in general, availability effects.
Actual results:
It crashed in SECITEM_Hash.
(gdb) bt
#0 0x00007ffff7f822cc in SECITEM_Hash () from /lib/x86_64-linux-gnu/libnssutil3.so
#1 0x00007ffff7f6ac16 in PL_HashTableLookupConst () from /lib/x86_64-linux-gnu/libplds4.so
#2 0x00007ffff7f8bcd4 in SECOID_FindOID_Util () from /lib/x86_64-linux-gnu/libnssutil3.so
#3 0x00007ffff7f8bd9d in SECOID_FindOIDTag_Util () from /lib/x86_64-linux-gnu/libnssutil3.so
#4 0x00007ffff7f19b28 in SEC_PKCS12DecoderIterateNext () from /lib/x86_64-linux-gnu/libsmime3.so
#5 0x00005555555598cb in ?? ()
#6 0x00007ffff7be81ca in __libc_start_call_main (main=main@entry=0x555555559300, argc=argc@entry=4, argv=argv@entry=0x7fffffffdd88) at ../sysdeps/nptl/libc_start_call_main.h:58
#7 0x00007ffff7be828b in __libc_start_main_impl (main=0x555555559300, argc=4, argv=0x7fffffffdd88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdd78) at ../csu/libc-start.c:360
#8 0x000055555555c4c5 in ?? ()
The crash location seems to map to:
https://github.com/servo/nss/blob/949eb9848f4fa5f83756f3ab7fdf9b0d3f20d37f/lib/util/secitem.c#L326
It looks like the *key parameter is not properly validated.
Expected results:
No crash, nice error message.
Comment 1 • 1 year ago
I'm pretty sure the only way to get to this functionality in Firefox is to manually import a PKCS#12 user cert. I can't see any reason a server would be messing with these, but maybe there are cases?
Comment 2 • 1 year ago
hg bisect tells me this was fixed by bug 1923767. In any case, I don't think Firefox could ever even run this code.
Comment 3 • 1 year ago
Never mind - this was reintroduced with bug 1930797 and the "ignore integrity" (-I) option.
Comment 4 • 1 year ago (Assignee)
I'll take a look. The code for -I shouldn't be triggered, however, if you don't actually specify -I.
Comment 5 • 1 year ago (Assignee)
It's not failing for me on the latest builds. Is there more that needs to happen on the command line... like a password?
Comment 6 • 1 year ago (Assignee)
pk12util -I -l secitem_hash_pw_start.pk12
Enter password for PKCS12 file:
pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
pk12util: PKCS12 decode iterate bags failed: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
Comment 7 • 1 year ago (Assignee)
pk12util -l secitem_hash_pw_start.pk12
Enter password for PKCS12 file:
pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.
Comment 8 • 1 year ago
Try -Wstart?
Comment 9 • 1 year ago (Reporter)
Yes, "start" is the password for the pkcs12 file.
Comment 10 • 1 year ago (Assignee)
Ah, the period made the command line look like part of the filename to me.
So pk12util -l does not fail on the current build, but pk12util -I -l with the password does.
The previous fix only masked the problem (pk12util is just a utility; the underlying problem is in the pkcs12 processing code. pk12util isn't the only way to get there: applications can call the underlying pkcs12 code and wind up crashing).
I'll include a patch to make sure p12 code isn't calling through invalid pointers.
I'll also patch the secoid code to verify if we are calling with NULL pointers.
Comment 11 • 1 year ago (Assignee)
The crash now only happens in pk12util if integrity is ignored. The underlying crash, however, is the result of errors in the pk12util handling. It is dereferencing pointers that can be null without checking them. This patch fixes the dereference issues as well as making SECOID_GetOID more robust.
There is a question of why errors in the cert bag look like integrity errors. That may have been an issue with the previous patch.
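Added example (not NSS code, and not the patch from this bug): a simplified model of the lookup path in the backtrace, where an OID SECItem is hashed for a table lookup, with the unchecked lookup beside a hardened variant that rejects a NULL or empty item before hashing, as comments 10 and 11 describe the fix. The Item struct, the hash function, the error codes and the one-entry OID table are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for NSS's SECItem (assumption, not the NSS definition). */
typedef struct { unsigned char *data; unsigned int len; } Item;

enum { OID_UNKNOWN = 0, OID_PKCS12_CERT_BAG = 1 };
enum { ERR_NONE = 0, ERR_INVALID_ARGS = 1 };
static int last_error = ERR_NONE;
int get_last_error(void) { return last_error; }

/* Stand-in for SECITEM_Hash: walks key->data, so a NULL key or NULL data faults here,
   matching frame #0 of the backtrace. The hash formula itself is an assumption. */
static uint32_t item_hash(const Item *key) {
    uint32_t h = 5381;
    for (unsigned int i = 0; i < key->len; i++)
        h = h * 33 + key->data[i];
    return h;
}

/* Constructed one-entry OID table: DER body of the PKCS#12 certBag OID 1.2.840.113549.1.12.10.1.3. */
static unsigned char cert_bag_oid[] = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x03};
static const Item cert_bag_item = { cert_bag_oid, sizeof cert_bag_oid };

/* Unchecked lookup, as in the crashing path: the key is hashed before anyone validates it. */
int find_oid_tag_unchecked(const Item *oid) {
    if (item_hash(oid) == item_hash(&cert_bag_item) && oid->len == cert_bag_item.len &&
        memcmp(oid->data, cert_bag_item.data, oid->len) == 0)
        return OID_PKCS12_CERT_BAG;
    return OID_UNKNOWN;
}

/* Hardened lookup: a bag whose OID failed to decode arrives as NULL or empty; report
   invalid arguments (the SEC_ERROR_INVALID_ARGS seen in comment 6) instead of dereferencing it. */
int find_oid_tag_checked(const Item *oid) {
    if (oid == NULL || oid->data == NULL || oid->len == 0) {
        last_error = ERR_INVALID_ARGS;
        return OID_UNKNOWN;
    }
    last_error = ERR_NONE;
    return find_oid_tag_unchecked(oid);
}

/* Convenience wrapper: build an Item from raw bytes and run the checked lookup. */
int lookup_bytes(unsigned char *data, unsigned int len) {
    Item it = { data, len };
    return find_oid_tag_checked(&it);
}
```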
Comment 12 • 11 months ago
The severity field is not set for this bug.
:beurdouche, could you have a look please?
For more information, please visit BugBot documentation.
Comment 13 • 11 months ago (Assignee)

Comment 14 • 11 months ago
Bob, can you please set priority and severity when you have time? : ) Thanks!
Comment 15 • 8 months ago (Reporter)
Is the bug missing here? https://www.mozilla.org/en-US/security/advisories/mfsa2025-07/
Comment 16 • 8 months ago
Comment 2 seemed to indicate that this bug never affected Firefox, but only NSS.
That's why this was tagged as not to be included in the Firefox release advisories.
Did you find a way to trigger this bug from Firefox prior to version 135?
If so, we'll be happy to include it after all.