Closed Bug 495634 Opened 15 years ago Closed 15 years ago

write overflow in nss_ckmdSessionObject_SetAttribute

Categories

(NSS :: Libraries, defect, P1)

defect

Tracking

(status1.9.1 unaffected)

RESOLVED FIXED
3.12.4

People

(Reporter: bhackett1024, Assigned: nelson)

Details

(Whiteboard: [sg:nse] not part of Mozilla clients or official NSS binary releases)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Build Identifier: 

nss_ckmdSessionObject_SetAttribute in security/nss/lib/ckfw/sessobj.c has an allocation which it does not scale by the size of the element type, leading to a write overflow.  The relevant code is pasted below.

I don't know whether this is exploitable (I don't have much familiarity with the Firefox or NSS code and this was found with a code scanning tool).

BEGIN_CODE

  nssCKMDSessionObject *obj;
...
  CK_ATTRIBUTE_TYPE_PTR rt;
...

  rt = (CK_ATTRIBUTE_TYPE_PTR)nss_ZRealloc(obj->types, (obj->n + 1));
  if( (CK_ATTRIBUTE_TYPE_PTR)NULL == rt ) {
...
  }

  obj->attributes = ra;
  obj->types = rt;
  obj->attributes[obj->n] = n;
  obj->types[obj->n] = attribute;
  obj->n++;

END_CODE

The call to nss_ZRealloc allocates obj->n+1 bytes instead of (obj->n+1)*sizeof(CK_ATTRIBUTE_TYPE) bytes (CK_ATTRIBUTE_TYPE is an unsigned long), so the write to obj->types[obj->n] will overflow as well as future reads and writes of obj->types.


Reproducible: Always
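An added example, not code from this report or from NSS: the same append-one-attribute operation with the realloc sized in elements rather than bytes, plus the wrap-around check on (n+1)*sizeof that a reviewer would also want. The session_obj struct, its sizes field (a simplified stand-in for obj->attributes) and the function names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>

/* Assumed stand-ins for the NSS types in the report: CK_ATTRIBUTE_TYPE is an
 * unsigned long (per the reporter); the object struct is a simplification. */
typedef unsigned long CK_ATTRIBUTE_TYPE;

typedef struct {
    CK_ATTRIBUTE_TYPE *types;  /* one attribute type code per attribute */
    size_t *sizes;             /* simplified stand-in for obj->attributes */
    size_t n;                  /* attributes stored so far */
} session_obj;

/* Grow both parallel arrays by one element and append (attribute, size).
 * Returns 0 on success, -1 on failure; obj->n is never advanced on failure. */
int sessobj_append(session_obj *obj, CK_ATTRIBUTE_TYPE attribute, size_t size)
{
    /* Refuse a count whose byte size would wrap: (n+1)*sizeof must fit in size_t. */
    if (obj->n >= SIZE_MAX / sizeof(CK_ATTRIBUTE_TYPE) || obj->n >= SIZE_MAX / sizeof(size_t))
        return -1;
    size_t count = obj->n + 1;
    /* The reported bug passed (obj->n + 1) as the byte size, so element n was
     * written past the end of the block.  Scale by the element size instead. */
    CK_ATTRIBUTE_TYPE *rt = realloc(obj->types, count * sizeof(CK_ATTRIBUTE_TYPE));
    if (rt == NULL) return -1; /* obj->types is still valid; nothing leaked */
    obj->types = rt;           /* commit before the second realloc can fail */
    size_t *ra = realloc(obj->sizes, count * sizeof(size_t));
    if (ra == NULL) return -1; /* types has a spare slot, but n is unchanged */
    obj->sizes = ra;
    obj->types[obj->n] = attribute;
    obj->sizes[obj->n] = size;
    obj->n = count;
    return 0;
}

/* Append k attributes, then check every stored value is intact (a correctly
 * scaled allocation never lets one slot clobber its neighbour). */
int sessobj_fill_and_verify(size_t k)
{
    session_obj obj = { NULL, NULL, 0 };
    int ok = 1;
    for (size_t i = 0; i < k && ok; i++)
        ok = (sessobj_append(&obj, 0x1000 + i, i * 8) == 0);
    for (size_t i = 0; ok && i < obj.n; i++)
        ok = (obj.types[i] == 0x1000 + i && obj.sizes[i] == i * 8);
    ok = ok && obj.n == k;
    free(obj.types);
    free(obj.sizes);
    return ok;
}
```

Building this with -fsanitize=address and substituting the report's unscaled size for the realloc argument makes the out-of-bounds write show up on the first append.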
This is not a vulnerability in Firefox or other Mozilla products that use NSS.
AFAIK, it is not a vulnerability in the official binary releases of NSS.

It may be a vulnerability in certain PKCS#11 modules that are built using 
NSS's "Crypto Key Frame Work" (CKFW).  Potentially vulnerable modules include
some whose source code is part of NSS, and some third party PKCS#11 modules.

NSS has the following PKCS#11 modules based on CKFW:
   - nssckbi    (see note 1)
   - nssckdbm   (See note 2)
   - nssmkey    (See note 2)
   - nsscapi    (See note 2)

Note 1: All the objects in NSSCKBI are read-only objects.  Their attributes 
may not be set at run time.  Consequently, the vulnerable code cited in this 
bug is dead code in nssckbi.

Note 2: These PKCS#11 modules are not built as part of the normal "default"
builds of NSS.  However, some companies and projects may build these and 
include them in their product distributions.  I have set this bug to P1 in 
case some product does ship one or more of these modules, but if none of 
these modules are known to be shipped, it can be lowered to P2.

The affected code is outside of the FIPS boundary.

I will shortly attach a patch.
Assignee: nobody → nelson
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows Vista → All
Priority: -- → P1
Hardware: x86 → All
Target Milestone: --- → 3.12.4
Version: unspecified → 3.0
In this patch I 
- correct the computation for the realloc,
- eliminate the unnecessary cast of NULL (as previously done for most other 
occurrences in this file in rev 1.14), and
- remove an unnecessary and failure-prone realloc call in an error path.

Bob, please review.
Attachment #380641 - Flags: review?(rrelyea)
Flags: wanted1.9.1.x-
Flags: wanted1.9.0.x-
Flags: wanted1.8.1.x-
Whiteboard: [sg:nse] not part of Mozilla clients or official NSS binary releases
Comment on attachment 380641 [details] [diff] [review]
Patch v1 for NSS Trunk

r+. I've convinced myself that the code setting ra is correct (I suspect realloc won't reduce the size in any case).

The bug fix is also correct.

bob
Attachment #380641 - Flags: review?(rrelyea) → review+
Checking in ckfw/sessobj.c; new revision: 1.15; previous revision: 1.14
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Flags: wanted1.9.1.x-
Group: core-security