Bug 572809: PK11_GenerateKeyPair doesn't null check parameters, dereferences and crashes
Opened 14 years ago. Closed 14 years ago.
Categories: NSS :: Libraries, defect, P1
Tracking: Not tracked
Status: RESOLVED FIXED
Target Milestone: 3.12.7
People: Reporter: KaiE, Assigned: KaiE
Whiteboard: [sg:dos null-deref]
Attachments (1 file): patch, 782 bytes, nelson: review+
Call PK11_GenerateKeyPair with type CKM_DSA_KEY_PAIR_GEN, use NULL for parameters, and it will crash. Should crashes be security sensitive? Please open if you think it's not necessary. I'll also mark the related bug 104103 as sensitive, because I will add a way to trigger this crash from web content.
Comment 1 (Assignee) • 14 years ago
Please see bug 104103 comment 13 for further details about the crash.
Comment 2 (Assignee) • 14 years ago
My reading of the code is, PK11_GenerateKeyPairWithOpFlags will always typecast and dereference "params". I propose that a null check (and error return) is added to function PK11_GenerateKeyPairWithOpFlags.
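The null check proposed in comment 2, sketched as an added example that is not the attached patch or NSS code. The mechanism enum, parameter structs, error codes and function names are hypothetical stand-ins for a function that casts an opaque parameter pointer according to the requested mechanism.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for illustration; not NSS types or constants. */
typedef enum { MECH_RSA_KEY_PAIR_GEN, MECH_DSA_KEY_PAIR_GEN } mech_t;
typedef struct { int key_bits; unsigned long public_exponent; } rsa_gen_params;
typedef struct { size_t prime_len, subprime_len, base_len; } dsa_pqg_params;

enum { GEN_ERR_INVALID_ARGS = -1, GEN_ERR_BAD_MECH = -2 };

/* Before: every mechanism branch casts the opaque pointer and reads a
 * field, so a NULL param is dereferenced regardless of the type.
 * Returns the key size in bits, or a negative error code. */
int generate_key_pair_unchecked(mech_t type, void *param)
{
    switch (type) {
    case MECH_RSA_KEY_PAIR_GEN:
        return ((rsa_gen_params *)param)->key_bits;
    case MECH_DSA_KEY_PAIR_GEN:
        return (int)(((dsa_pqg_params *)param)->prime_len * 8);
    }
    return GEN_ERR_BAD_MECH;
}

/* After: one check ahead of the switch covers all branches and turns the
 * crash into an error return the caller can handle. */
int generate_key_pair_checked(mech_t type, void *param)
{
    if (param == NULL)
        return GEN_ERR_INVALID_ARGS;
    return generate_key_pair_unchecked(type, param);
}

int main(void)
{
    dsa_pqg_params pqg = { 128, 20, 128 };   /* constructed sample values */
    printf("DSA, valid params: %d\n",
           generate_key_pair_checked(MECH_DSA_KEY_PAIR_GEN, &pqg));
    printf("DSA, NULL params:  %d\n",
           generate_key_pair_checked(MECH_DSA_KEY_PAIR_GEN, NULL));
    return 0;
}
```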
Comment 4 • 14 years ago
Comment on attachment 452033: Patch v1
r=nelson
I agree with your analysis, Kai.
Attachment #452033 - Flags: review?(rrelyea) → review+
Updated (Assignee) • 14 years ago
Priority: -- → P1
Target Milestone: --- → 3.12.7
Comment 5 (Assignee) • 14 years ago
Checking in lib/pk11wrap/pk11akey.c;
/cvsroot/mozilla/security/nss/lib/pk11wrap/pk11akey.c,v  <--  pk11akey.c
new revision: 1.30; previous revision: 1.29
done
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 6 • 14 years ago
A null-deref is generally a "safe" crash and doesn't normally need to be security-sensitive in client code (execution jumping to null is another story, but just trying to read it isn't bad). Writing to null needs investigation to make sure null is the only possible bad value (e.g. you forgot to check the return value from malloc before writing to it) and that there isn't some alternate path that could cause you to write to arbitrary values.
Whiteboard: [sg:dos null-deref]
Comment 7 • 14 years ago
This is a duplicate of 4-year-old public Bug 343868. It is already public. It need not be security sensitive any more.
Assignee: nobody → kaie
Updated • 9 years ago
Group: core-security