Bug 495634 - write overflow in nss_ckmdSessionObject_SetAttribute

Status: RESOLVED FIXED (Closed)
Opened 15 years ago; closed 15 years ago
Categories: NSS :: Libraries, defect, P1
Target Milestone: 3.12.4
Tracking: status1.9.1 unaffected
People: Reporter: bhackett1024; Assigned: nelson
Whiteboard: [sg:nse] not part of Mozilla clients or official NSS binary releases
Attachments (1 file): patch, 1.02 KB, rrelyea: review+
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Build Identifier:

nss_ckmdSessionObject_SetAttribute in security/nss/lib/ckfw/sessobj.c has an allocation which it does not scale by the size of the element type, leading to a write overflow. The relevant code is pasted below. I don't know whether this is exploitable (I don't have much familiarity with the Firefox or NSS code and this was found with a code scanning tool).

```c
nssCKMDSessionObject *obj;
...
CK_ATTRIBUTE_TYPE_PTR rt;
...
/* size argument is obj->n + 1, not scaled by sizeof(CK_ATTRIBUTE_TYPE) */
rt = (CK_ATTRIBUTE_TYPE_PTR)nss_ZRealloc(obj->types, (obj->n + 1));
if( (CK_ATTRIBUTE_TYPE_PTR)NULL == rt ) {
    ...
}
obj->attributes = ra;
obj->types = rt;
obj->attributes[obj->n] = n;
obj->types[obj->n] = attribute;   /* writes past the undersized block */
obj->n++;
```

The call to nss_ZRealloc allocates obj->n+1 bytes instead of (obj->n+1)*sizeof(CK_ATTRIBUTE_TYPE) bytes (CK_ATTRIBUTE_TYPE is an unsigned long), so the write to obj->types[obj->n] will overflow, as will future reads and writes of obj->types.

Reproducible: Always
Comment 1 • 15 years ago (Assignee)
This is not a vulnerability in Firefox or other Mozilla products that use NSS. AFAIK, it is not a vulnerability in the official binary releases of NSS. It may be a vulnerability in certain PKCS#11 modules that are built using NSS's "Crypto Key Frame Work" (CKFW). Potentially vulnerable modules include some whose source code is part of NSS, and some third party PKCS#11 modules. NSS has the following PKCS#11 modules based on CKFW:

- nssckbi (see note 1)
- nssckdbm (see note 2)
- nssmkey (see note 2)
- nsscapi (see note 2)

Note 1: All the objects in NSSCKBI are read-only objects. Their attributes may not be set at run time. Consequently, the vulnerable code cited in this bug is dead code in nssckbi.

Note 2: These PKCS#11 modules are not built as part of the normal "default" builds of NSS. However, some companies and projects may build these and include them in their product distributions.

I have set this bug to P1 in case some product does ship one or more of these modules, but if none of these modules are known to be shipped, it can be lowered to P2. The affected code is outside of the FIPS boundary. I will shortly attach a patch.
Assignee: nobody → nelson
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows Vista → All
Priority: -- → P1
Hardware: x86 → All
Target Milestone: --- → 3.12.4
Version: unspecified → 3.0
Comment 2 • 15 years ago (Assignee)
In this patch I:

- correct the computation for the realloc,
- eliminate the unnecessary cast of NULL (as previously done for most other occurrences in this file in rev 1.14), and
- remove an unnecessary and failure-prone realloc call in an error path.

Bob, please review.
Attachment #380641 - Flags: review?(rrelyea)
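The defect in the bug description (a realloc size not scaled by the element size) and the fix outlined in comment 2 (scaled size computation, no realloc call on the error path), shown side by side in an added C example that is not part of NSS or of this bug's patch. The type names mirror those in the report but are constructed stand-ins; `session_obj`, `set_attribute`, `buggy_types_request`, `correct_types_request` and `fill_and_verify` are hypothetical names, and plain `realloc` stands in for `nss_ZRealloc`.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for the NSS types named in the report. Constructed for this
 * example, not NSS's definitions; the only property that matters is that
 * CK_ATTRIBUTE_TYPE is an unsigned long, as the report states. */
typedef unsigned long CK_ATTRIBUTE_TYPE;
typedef CK_ATTRIBUTE_TYPE *CK_ATTRIBUTE_TYPE_PTR;

typedef struct {
    int value;          /* placeholder for the attribute item the real code stores */
} attr_item;

typedef struct {
    size_t n;                    /* number of attributes currently stored */
    CK_ATTRIBUTE_TYPE_PTR types; /* parallel arrays: types[i] describes attributes[i] */
    attr_item *attributes;
} session_obj;

/* Byte count the reported code passes to nss_ZRealloc: obj->n + 1, unscaled. */
size_t buggy_types_request(size_t n)
{
    return n + 1;
}

/* Byte count that n + 1 entries of the element type actually need. */
size_t correct_types_request(size_t n)
{
    return (n + 1) * sizeof(CK_ATTRIBUTE_TYPE);
}

/* Hardened append (hypothetical). Each realloc is scaled by sizeof and
 * guarded against size_t wrap-around; on failure the object stays consistent
 * (both pointers still valid, n unchanged) and nothing is reallocated on the
 * error path. */
int set_attribute(session_obj *obj, CK_ATTRIBUTE_TYPE type, attr_item item)
{
    size_t count = obj->n + 1;
    if (count == 0 ||
        count > SIZE_MAX / sizeof(attr_item) ||
        count > SIZE_MAX / sizeof(CK_ATTRIBUTE_TYPE))
        return -1;                     /* multiplication would wrap */

    attr_item *ra = realloc(obj->attributes, count * sizeof(attr_item));
    if (ra == NULL)
        return -1;                     /* obj->attributes is still the old, valid block */
    obj->attributes = ra;              /* commit before the second growth */

    CK_ATTRIBUTE_TYPE_PTR rt = realloc(obj->types, count * sizeof(CK_ATTRIBUTE_TYPE));
    if (rt == NULL)
        return -1;                     /* attributes has one spare slot; n still counts valid entries */
    obj->types = rt;

    obj->attributes[obj->n] = item;
    obj->types[obj->n] = type;
    obj->n++;
    return 0;
}

/* Append k attributes to a fresh object and verify every slot reads back
 * intact. Returns 1 on success, 0 on any failure. */
int fill_and_verify(size_t k)
{
    session_obj obj = { 0, NULL, NULL };
    int ok = 1;
    for (size_t i = 0; i < k && ok; i++) {
        attr_item item = { (int)(i * 10) };
        if (set_attribute(&obj, (CK_ATTRIBUTE_TYPE)(0x1000 + i), item) != 0)
            ok = 0;
    }
    for (size_t i = 0; ok && i < k; i++) {
        if (obj.types[i] != (CK_ATTRIBUTE_TYPE)(0x1000 + i) ||
            obj.attributes[i].value != (int)(i * 10))
            ok = 0;
    }
    ok = ok && obj.n == k;
    free(obj.types);
    free(obj.attributes);
    return ok;
}

int main(void)
{
    printf("bytes requested for 3 existing entries: buggy=%zu correct=%zu\n",
           buggy_types_request(3), correct_types_request(3));
    int ok = fill_and_verify(16);
    printf("fill_and_verify(16): %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

On an LP64 build the unscaled request for three existing entries asks for 4 bytes where 32 are needed, so the fourth element write lands 28 bytes past the end of the block; the gap grows by `sizeof(CK_ATTRIBUTE_TYPE) - 1` bytes per appended attribute. Committing the first realloc before attempting the second is what lets the error path return without touching either buffer again.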
Updated • 15 years ago
Flags: wanted1.9.1.x-
Flags: wanted1.9.0.x-
Flags: wanted1.8.1.x-
Updated • 15 years ago
Whiteboard: [sg:nse] not part of Mozilla clients or official NSS binary releases
Comment 3 • 15 years ago
Comment on attachment 380641 [details] [diff] [review] Patch v1 for NSS Trunk

r+. I've convinced myself that the code setting ra is correct (I suspect realloc won't reduce the size in any case). The bug fix is also correct.

bob
Attachment #380641 - Flags: review?(rrelyea) → review+
Comment 4 • 15 years ago (Assignee)
Checking in ckfw/sessobj.c; new revision: 1.15; previous revision: 1.14
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated • 15 years ago
status1.9.1: --- → unaffected
Flags: wanted1.9.1.x-
Updated • 14 years ago
Group: core-security