Open Bug 2011937 Opened 3 months ago Updated 3 months ago

Stack Buffer Overflow in nssilock.c pz_NewLock() via __FILE__ macro (NEED_NSS_ILOCK builds)

Categories

(NSS :: Libraries, defect, P5)

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: aswinkumargokulakannan, Unassigned)


Details

(Keywords: ai-involved, reporter-external, Whiteboard: [client-bounty-form])

Attachments

(1 file)

Attached file: poc.c (1.87 KB, text/x-csrc)

Summary

A stack buffer overflow exists in nss/lib/util/nssilock.c when NSS is compiled with NEED_NSS_ILOCK debugging flag enabled.

Vulnerable Code

In the pz_NewLock() function, the __FILE__ macro is copied into a fixed 24-byte stack buffer without bounds checking:

// nssilock.c
char filename[24];  // Fixed 24-byte buffer
strcpy(filename, __FILE__);  // Unbounded copy - OVERFLOW

Root Cause

The __FILE__ macro expands to the full source file path at compile time. In typical build environments, this path exceeds 24 characters:

Example: /home/user/builds/nss-3.98/nss/lib/util/nssilock.c (50+ chars)

Steps to Reproduce

  1. Clone the NSS repository:
mkdir -p /tmp/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/build
cd /tmp/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/build
git clone https://github.com/nss-dev/nss
cd nss
  2. Build with NEED_NSS_ILOCK and AddressSanitizer:
export CFLAGS="-DNEED_NSS_ILOCK -fsanitize=address -g"
./build.sh
  3. Run any NSS tool that calls PZ_NewLock(); ASAN will report a stack buffer overflow.

Expected Result

ASAN crash showing stack-buffer-overflow on strcpy() in pz_NewLock()

Suggested Fix

Replace strcpy with bounds-checked alternative:

strncpy(filename, __FILE__, sizeof(filename) - 1);
filename[sizeof(filename) - 1] = '\0';
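As an added illustration (not code from this report or from NSS), a bounded copy that behaves like the suggested fix but also reports truncation, plus a variant that keeps the basename, the part of __FILE__ that is actually useful for lock tracing. The basename variant and the sample path are constructed assumptions, not anything the report proposes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same fixed size as the nssilock.c buffer described in the report. */
#define FILENAME_BUF 24

/* Bounded copy of src into dst.  Returns true when src fit without
   truncation, false when it had to be cut.  Unlike strncpy(), it always
   NUL-terminates, does not zero-pad, and tells the caller about truncation. */
bool copy_filename(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return false;
    if (n < dstsz) {
        memcpy(dst, src, n + 1);   /* includes the terminator */
        return true;
    }
    memcpy(dst, src, dstsz - 1);   /* keep as much as fits */
    dst[dstsz - 1] = '\0';
    return false;
}

/* Assumption (not from the report): for lock debugging, "nssilock.c" is more
   informative than a 23-character prefix of the build directory, so copy the
   basename instead of the front of the full path. */
bool copy_basename(char *dst, size_t dstsz, const char *path)
{
    const char *base = strrchr(path, '/');
    return copy_filename(dst, dstsz, base ? base + 1 : path);
}

int main(void)
{
    /* Constructed path shaped like the one in the report; longer than 24. */
    const char *path = "/home/user/builds/nss-3.98/nss/lib/util/nssilock.c";
    char buf[FILENAME_BUF];

    bool fit = copy_filename(buf, sizeof buf, path);
    printf("prefix copy:   \"%s\" (fit=%d)\n", buf, fit);

    fit = copy_basename(buf, sizeof buf, path);
    printf("basename copy: \"%s\" (fit=%d)\n", buf, fit);
    return 0;
}
```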

Affected Versions

Confirmed in NSS 3.98. Likely present in all versions containing nssilock.c.

Impact

  • Stack buffer overflow enabling potential code execution in debug/tracing builds
  • Developers using NEED_NSS_ILOCK for lock debugging are vulnerable
Flags: sec-bounty?
Assignee: nobody → nobody
Group: firefox-core-security → crypto-core-security
Component: Security → Libraries
Product: Firefox → NSS

Arguably not a sec bug since the lock instrumentation code is disabled by default and is only intended to be used in development builds.

I've never personally used NEED_NSS_ILOCK in my time working on NSS, and based on this bug I'm inclined to believe that no one else has either. So it might make sense to remove it.

Group: crypto-core-security
Severity: -- → S4
Priority: -- → P5
See Also: → 2012002
Flags: sec-bounty? → sec-bounty-