Closed Bug 1949145 Opened 1 year ago Closed 11 months ago

Memory leak in nss_cms_before_data

Categories

(NSS :: Libraries, defect, P1)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mdauer, Assigned: djackson)

References

(Blocks 1 open bug)

Details

(Whiteboard: [fuzzblocker])

Attachments

(6 files)

OSS-Fuzz: https://oss-fuzz.com/testcase-detail/5675185185554432

Details

The NSSCMSDecoderContext allocated in nss_cms_before_data is never freed:

    childp7dcx = PORT_ZNew(NSSCMSDecoderContext);

To reproduce, perform the following steps:

  1. Build NSS with ./build.sh -c --fuzz --disable-tests
  2. Run /path/to/dist/Debug/bin/nssfuzz-smime /path/to/testcase

The severity field is not set for this bug.
:beurdouche, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(bbeurdouche)
Whiteboard: [fuzzblocker]
Assignee: nobody → djackson
Severity: -- → S4
Priority: -- → P1
Flags: needinfo?(bbeurdouche)

Just sharing what I found since I spent quite some time looking into this, but couldn't find a fix:
So, the allocated childp7dcx should in theory get freed again in nss_cms_after_data here. nss_cms_after_data is called by nss_cms_decoder_notify here and is the notify callback for the ASN.1 decoder. My guess would be that we reach a state in the ASN.1 decoder where sec_asn1d_notify_after should be called, but isn't. I think the last state->place was duringSequence. Setting DEBUG_ASN1D_STATE was quite useful, though you may need to remove the state->place >= 0 checks to get it to compile.
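
The ownership hazard described in the comment above, as an added example that is not NSS code and not from this bug: a child context allocated in a "before data" callback whose only release point is the matching "after data" callback leaks whenever the decoder aborts between the two. All names here (ParentCtx, ChildCtx, before_data, after_data, run_decode, the brace-token input format) are hypothetical stand-ins for the real NSS structures; the hardened variant simply lets the parent's destroy path free a leftover child, which is one common way to make such a leak impossible regardless of which decoder states fire their notify callbacks.

```c
/* Added example, not NSS code. Models the lifetime hazard of allocating in a
 * before_data callback and freeing only in the after_data callback. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int live_allocs = 0;          /* outstanding tracked allocations */

typedef struct ChildCtx { int unused; } ChildCtx;

typedef struct ParentCtx {
    ChildCtx *child;                 /* owned; NULL when no element is open */
    int fix_enabled;                 /* 1: parent_destroy frees a leftover child */
} ParentCtx;

static void *track_alloc(size_t n) { live_allocs++; return calloc(1, n); }
static void  track_free(void *p)   { if (p) { live_allocs--; free(p); } }

/* Fires when the toy decoder enters a nested element (cf. nss_cms_before_data). */
static void before_data(ParentCtx *p) {
    p->child = track_alloc(sizeof(ChildCtx));
}

/* Fires when the toy decoder leaves the element (cf. nss_cms_after_data).
 * In the leaky variant this is the ONLY place the child is released. */
static void after_data(ParentCtx *p) {
    track_free(p->child);
    p->child = NULL;
}

/* Toy decoder over a constructed token stream: '{' opens an element, '}' closes
 * it, anything else is malformed and aborts the decode at once, so after_data
 * never runs for an element that is still open. */
static int decode(ParentCtx *p, const unsigned char *in, size_t len) {
    for (size_t i = 0; i < len; i++) {
        switch (in[i]) {
        case '{':
            if (p->child) return -1; /* nesting not modelled: treat as malformed */
            before_data(p);
            break;
        case '}':
            if (!p->child) return -1;
            after_data(p);
            break;
        default:
            return -1;               /* abort path that skips after_data */
        }
    }
    return 0;
}

/* Hardened path: the owner releases anything the callbacks left behind. */
static void parent_destroy(ParentCtx *p) {
    if (p->fix_enabled && p->child) track_free(p->child);
    track_free(p);
}

/* Runs one decode and returns the number of allocations still live afterwards;
 * 0 means nothing leaked. */
int run_decode(const unsigned char *in, size_t len, int fix_enabled) {
    live_allocs = 0;
    ParentCtx *p = track_alloc(sizeof(ParentCtx));
    p->fix_enabled = fix_enabled;
    (void)decode(p, in, len);
    parent_destroy(p);
    return live_allocs;
}

int main(void) {
    const unsigned char ok[]  = "{}";  /* constructed: well-formed input */
    const unsigned char bad[] = "{x";  /* constructed: aborts inside an element */
    printf("well-formed, leaky variant:    %d live\n", run_decode(ok, 2, 0));
    printf("malformed,   leaky variant:    %d live\n", run_decode(bad, 2, 0));
    printf("malformed,   hardened variant: %d live\n", run_decode(bad, 2, 1));
    return 0;
}
```

The leaky variant reports one live allocation for the malformed input, which is exactly the shape LeakSanitizer reports for this bug: the allocation site is the before callback, and no free ever pairs with it because the decoder left the element via an error path rather than through the after callback.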

Attaching the minimized testcase from OSS-Fuzz

