Heap-use-after-free READ in SEC_PKCS7DecoderUpdate
Categories
(NSS :: Libraries, defect, P1)
Tracking
(firefox-esr115 wontfix, firefox-esr128 wontfix, firefox-esr140 144+ fixed, firefox140 wontfix, firefox141 wontfix, firefox142 fixed)
People
(Reporter: mdauer, Assigned: djackson)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-uaf, sec-moderate, Whiteboard: [adv-main142+r][adv-esr140.4-])
Attachments
(2 files)
OSS-Fuzz: https://oss-fuzz.com/testcase-detail/4806668708020224
To reproduce, perform the following steps:
- Build NSS with ./build.sh -c --fuzz --disable-tests
- Run /path/to/dist/Debug/bin/nssfuzz-pkcs12 /path/to/testcase
Comment 1•1 year ago (Reporter)
==28759==ERROR: AddressSanitizer: heap-use-after-free on address 0x50c000000e88 at pc 0x5bba204f000a bp 0x7ffd73d271c0 sp 0x7ffd73d271b8
READ of size 8 at 0x50c000000e88 thread T0
#0 0x5bba204f0009 in SEC_PKCS7DecoderUpdate /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs7/p7decode.c:1043:16
#1 0x5bba1fa32507 in sec_pkcs12_decoder_wrap_p7_update /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs12/p12d.c:771:5
#2 0x5bba204bd64e in SEC_ASN1DecoderUpdate_Util /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/util/secasn1d.c:2952:13
#3 0x5bba1fa31362 in sec_pkcs12_decoder_asafes_callback /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs12/p12d.c:862:10
#4 0x5bba204f665a in sec_pkcs7_decoder_work_data /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs7/p7decode.c:172:13
#5 0x5bba204f5cb7 in sec_pkcs7_decoder_filter /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs7/p7decode.c:216:5
#6 0x5bba204bd64e in SEC_ASN1DecoderUpdate_Util /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/util/secasn1d.c:2952:13
#7 0x5bba204efd59 in SEC_PKCS7DecoderUpdate /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs7/p7decode.c:1046:17
#8 0x5bba1fa30c8c in sec_pkcs12_decode_asafes_cinfo_update /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs12/p12d.c:964:10
#9 0x5bba204bd64e in SEC_ASN1DecoderUpdate_Util /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/util/secasn1d.c:2952:13
#10 0x5bba1fa27ee7 in SEC_PKCS12DecoderUpdate /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs12/p12d.c:1297:10
#11 0x5bba1fa1cd43 in LLVMFuzzerTestOneInput /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/targets/pkcs12.cc:37:18
#12 0x5bba1f928104 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-pkcs12+0x685104) (BuildId: d991b605438118e20a8bd91470661a56d23a9771)
#13 0x5bba1f911236 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-pkcs12+0x66e236) (BuildId: d991b605438118e20a8bd91470661a56d23a9771)
#14 0x5bba1f916cea in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-pkcs12+0x673cea) (BuildId: d991b605438118e20a8bd91470661a56d23a9771)
#15 0x5bba1f9414a6 in main (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-pkcs12+0x69e4a6) (BuildId: d991b605438118e20a8bd91470661a56d23a9771)
#16 0x7d79d9c2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#17 0x7d79d9c2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#18 0x5bba1f90be04 in _start (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-pkcs12+0x668e04) (BuildId: d991b605438118e20a8bd91470661a56d23a9771)
0x50c000000e88 is located 8 bytes inside of 128-byte region [0x50c000000e80,0x50c000000f00)
freed by thread T0 here:
#0 0x5bba1f9dbf9a in free (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-pkcs12+0x738f9a) (BuildId: d991b605438118e20a8bd91470661a56d23a9771)
#1 0x5bba202292f2 in PR_Free /home/mdauer/mercurial/nss-nspr/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c:449:5
#2 0x5bba204d5ff2 in PORT_Free_Util /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/util/secport.c:173:9
#3 0x5bba204f01c1 in SEC_PKCS7DecoderFinish /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs7/p7decode.c:1088:5
#4 0x5bba1fa310ed in sec_pkcs12_decoder_asafes_notify /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs12/p12d.c:828:21
#5 0x5bba204c5b9c in sec_asn1d_notify_after /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/util/secasn1d.c:441:5
#6 0x5bba204b62d2 in sec_asn1d_next_in_group /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/util/secasn1d.c:2013:5
#7 0x5bba204b62d2 in SEC_ASN1DecoderUpdate_Util /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/util/secasn1d.c:2823:17
#8 0x5bba1fa31362 in sec_pkcs12_decoder_asafes_callback /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs12/p12d.c:862:10
#9 0x5bba204f665a in sec_pkcs7_decoder_work_data /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs7/p7decode.c:172:13
#10 0x5bba204f5cb7 in sec_pkcs7_decoder_filter /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs7/p7decode.c:216:5
#11 0x5bba204bd64e in SEC_ASN1DecoderUpdate_Util /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/util/secasn1d.c:2952:13
#12 0x5bba204efd59 in SEC_PKCS7DecoderUpdate /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs7/p7decode.c:1046:17
#13 0x5bba1fa30c8c in sec_pkcs12_decode_asafes_cinfo_update /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs12/p12d.c:964:10
#14 0x5bba204bd64e in SEC_ASN1DecoderUpdate_Util /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/util/secasn1d.c:2952:13
#15 0x5bba1fa27ee7 in SEC_PKCS12DecoderUpdate /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs12/p12d.c:1297:10
#16 0x5bba1fa1cd43 in LLVMFuzzerTestOneInput /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/targets/pkcs12.cc:37:18
#17 0x5bba1f928104 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-pkcs12+0x685104) (BuildId: d991b605438118e20a8bd91470661a56d23a9771)
#18 0x5bba1f911236 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-pkcs12+0x66e236) (BuildId: d991b605438118e20a8bd91470661a56d23a9771)
#19 0x5bba1f916cea in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-pkcs12+0x673cea) (BuildId: d991b605438118e20a8bd91470661a56d23a9771)
#20 0x5bba1f9414a6 in main (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-pkcs12+0x69e4a6) (BuildId: d991b605438118e20a8bd91470661a56d23a9771)
#21 0x7d79d9c2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#22 0x7d79d9c2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#23 0x5bba1f90be04 in _start (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-pkcs12+0x668e04) (BuildId: d991b605438118e20a8bd91470661a56d23a9771)
previously allocated by thread T0 here:
#0 0x5bba1f9dc41d in calloc (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-pkcs12+0x73941d) (BuildId: d991b605438118e20a8bd91470661a56d23a9771)
#1 0x5bba2022774b in PR_Calloc /home/mdauer/mercurial/nss-nspr/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c:434:31
#2 0x5bba204d5ad3 in PORT_ZAlloc_Util /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/util/secport.c:116:14
#3 0x5bba204eec88 in SEC_PKCS7DecoderStart /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs7/p7decode.c:990:36
#4 0x5bba1fa30eb3 in sec_pkcs12_decoder_asafes_notify /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs12/p12d.c:802:37
#5 0x5bba204c50ff in sec_asn1d_notify_before /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/util/secasn1d.c:430:5
#6 0x5bba204ba9ff in sec_asn1d_prepare_for_contents /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/util/secasn1d.c
#7 0x5bba204ba9ff in SEC_ASN1DecoderUpdate_Util /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/util/secasn1d.c:2811:17
#8 0x5bba1fa31362 in sec_pkcs12_decoder_asafes_callback /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs12/p12d.c:862:10
#9 0x5bba204f665a in sec_pkcs7_decoder_work_data /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs7/p7decode.c:172:13
#10 0x5bba204f5cb7 in sec_pkcs7_decoder_filter /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs7/p7decode.c:216:5
#11 0x5bba204bd64e in SEC_ASN1DecoderUpdate_Util /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/util/secasn1d.c:2952:13
#12 0x5bba204efd59 in SEC_PKCS7DecoderUpdate /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs7/p7decode.c:1046:17
#13 0x5bba1fa30c8c in sec_pkcs12_decode_asafes_cinfo_update /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs12/p12d.c:964:10
#14 0x5bba204bd64e in SEC_ASN1DecoderUpdate_Util /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/util/secasn1d.c:2952:13
#15 0x5bba1fa27ee7 in SEC_PKCS12DecoderUpdate /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs12/p12d.c:1297:10
#16 0x5bba1fa1cd43 in LLVMFuzzerTestOneInput /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/targets/pkcs12.cc:37:18
#17 0x5bba1f928104 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-pkcs12+0x685104) (BuildId: d991b605438118e20a8bd91470661a56d23a9771)
#18 0x5bba1f911236 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-pkcs12+0x66e236) (BuildId: d991b605438118e20a8bd91470661a56d23a9771)
#19 0x5bba1f916cea in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-pkcs12+0x673cea) (BuildId: d991b605438118e20a8bd91470661a56d23a9771)
#20 0x5bba1f9414a6 in main (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-pkcs12+0x69e4a6) (BuildId: d991b605438118e20a8bd91470661a56d23a9771)
#21 0x7d79d9c2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#22 0x7d79d9c2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#23 0x5bba1f90be04 in _start (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-pkcs12+0x668e04) (BuildId: d991b605438118e20a8bd91470661a56d23a9771)
SUMMARY: AddressSanitizer: heap-use-after-free /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs7/p7decode.c:1043:16 in SEC_PKCS7DecoderUpdate
Comment 2•1 year ago (Assignee)
Looks reachable in Firefox, but only by getting the user to import a certificate via some fairly obscure UI
Comment 3•1 year ago (Assignee)
Our p7 decoder is hitting an error and cleaning itself up. However, it's still registered as a filter callback on the asn1 decoder which the p12 decoder is driving.
static void
sec_pkcs12_decoder_asafes_notify(void *arg, PRBool before, void *dest, int real_depth)
{
    [...]
    if (!before) {
        if (p12dcx->currentASafeP7Dcx != NULL) {
            [...]
            cinfo = SEC_PKCS7DecoderFinish(p12dcx->currentASafeP7Dcx);
            SEC_ASN1DecoderClearFilterProc(p12dcx->aSafeA1Dcx); // Adding this line fixes the use after free
However, this leaks a bunch of asn1 decoders from sec_pkcs12_decoder_safe_contents_notify at lib/pkcs12/p12d.c:499:13. I need to spend some time to track down why they're leaking and where they should be getting cleaned up.
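As an added illustration (constructed model, not NSS code and not part of the comment above): the ownership shape comment 3 describes, in miniature. The inner PKCS#7 context is registered as the ASN.1 decoder's filter argument (what SEC_ASN1DecoderSetFilterProc does in NSS); when the after-notify finishes that context but leaves the filter registered, the next chunk the outer decoder processes reaches a freed argument. A comparison against the last freed block stands in for ASan's freed-region check, and `run_decode(1)` adds the clear-filter call from the proposed patch. All names here are hypothetical.

```c
#include <stdlib.h>

/* Model of the two layers: an ASN.1 decoder carrying a filter callback,
 * and a PKCS#7 context that is the callback's argument. */
typedef struct { int bytes_seen; } p7_ctx;
typedef void (*filter_fn)(void *arg, int nbytes);
typedef struct {
    filter_fn filter;      /* set by the "before" notify, like SEC_ASN1DecoderSetFilterProc */
    void *filter_arg;      /* the p7_ctx registered at that time */
    int dangling_calls;    /* filter fired with an already-freed argument */
} asn1_dcx;

static void *g_last_freed; /* stands in for ASan's freed-region tracking */

static void p7_filter(void *arg, int nbytes) { ((p7_ctx *)arg)->bytes_seen += nbytes; }

/* SEC_PKCS7DecoderFinish analogue: tears the inner context down. */
static void p7_finish(p7_ctx *p7) { g_last_freed = p7; free(p7); }

/* The outer decoder keeps routing content through the filter after the
 * notify ran; with a stale registration this is the read ASan flagged. */
static void asn1_feed(asn1_dcx *a, int nbytes) {
    if (!a->filter) return;
    if (a->filter_arg == g_last_freed) { a->dangling_calls++; return; }
    a->filter(a->filter_arg, nbytes);
}

/* Mirrors the !before branch of sec_pkcs12_decoder_asafes_notify; `fixed`
 * adds the SEC_ASN1DecoderClearFilterProc call from the proposed fix. */
static void asafes_notify_after(asn1_dcx *a, p7_ctx **cur, int fixed) {
    if (!*cur) return;
    p7_finish(*cur);
    *cur = NULL;
    if (fixed) { a->filter = NULL; a->filter_arg = NULL; }
}

/* Returns how many times the filter was invoked on a freed context; >0 is the bug. */
int run_decode(int fixed) {
    asn1_dcx a = {0};
    g_last_freed = NULL;
    p7_ctx *cur = calloc(1, sizeof *cur);
    a.filter = p7_filter; a.filter_arg = cur;  /* registration at "before" */
    asn1_feed(&a, 16);                         /* normal streaming into the p7 decoder */
    asafes_notify_after(&a, &cur, fixed);      /* inner decoder finished (or errored out) */
    asn1_feed(&a, 16);                         /* outer decoder still has data to route */
    return a.dangling_calls;
}
```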
Comment 4•1 year ago (Assignee)
Comment 5•1 year ago (Assignee)
It turns out the leak is a separate issue which I've filed bug 1972054 for.
Comment 6•1 year ago
There is an r+ patch which didn't land and no activity in this bug for 2 weeks.
:djackson, could you have a look please?
If you still have some work to do, you can add an action "Plan Changes" in Phabricator.
For more information, please visit BugBot documentation.
Comment 7•11 months ago
I think Dennis has been on pto, but I'm sure he'll take care of this when he's available.
Comment 8•11 months ago (Assignee)
Comment 9•11 months ago
(In reply to Dennis Jackson from comment #2)
> Looks reachable in Firefox, but only by getting the user to import a certificate via some fairly obscure UI
That's less obscure for folks in some enterprise environments, or corporate Thunderbird users. Seems like a good thing to get fixed on ESR-140 and this is a very simple/safe patch.
Comment 10•10 months ago
Not going to drive an NSS dot release this cycle for ESR140, but leaving this on the radar for the next opportunity.
Comment 11•8 months ago