Closed Bug 617565 Opened 14 years ago Closed 13 years ago

Prevent buffer overflow in PK11_DeriveWithTemplate template handling

Categories

(NSS :: Libraries, defect, P2)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
3.12.11

People

(Reporter: briansmith, Assigned: briansmith)

Details

Attachments

(1 file, 4 obsolete files)

Prevent buffer overflow in PK11_DeriveWithTemplate and pk11_AnyUnwrapKey (v5)
3.04 KB, patch
Details | Diff | Splinter Review 
Now that PK11_DeriveWithTemplate is public it needs to check its inputs more carefully to avoid stack corruption due to buffer overflow in the local keyTemplate array.
Attached patch Patch to prevent buffer overflow (obsolete) — Splinter Review 
Assignee: nobody → bsmith

        Attachment #496117 -
        Flags: review?(rrelyea)

    
    

    
  


  
tab -> space

        Attachment #496117 -
        Attachment is obsolete: true

        Attachment #496118 -
        Flags: review?(rrelyea)

        Attachment #496117 -
        Flags: review?(rrelyea)
Target Milestone: --- → 3.12.9

    
    

    
  
I think it's a good idea to include it in the 3.12.9 release. Bob, what do you think?

    
    

    
  
Comment on attachment 496118 [details] [diff] [review]
Patch to prevent buffer overflow in PK11_DeriveWithTemplate (v2)

r- Mostly for style.

In general, I think it's a optimizing a little to much to save 4 words on the stack.

Other style issues are the backwards jump to a label as an exit. In general NSS leaps forward to the end to clean up, though repeating PORT_SetError(); return NULL; seems more reasonable.

What I would prefer is doing something simpler, however. Define MAX_ADD_ADDRS to 4, then either:

check numAttrs > (MAX_TEMPLATE_ATTRS - MAX_ADD_ADDRS) or
make keyTemplate sizeof MAX_TEMPLATE_ATTRS+MAX_ADD_ADDRS.

This also has the advantage that we can document exactly how big the template the application can give us without worrying about whether or not they have specified CKA_CLASS, CKA_KEY_TYPE, CKA_VALUE_LEN (and keysize != 0) or operation (and operation != CKA_FLAGS_ONLY),

        Attachment #496118 -
        Flags: review?(rrelyea) → review-

    
    

    
  


  
Addresses review comments.

Note that this assertion:

   PR_ASSERT(templateCount <= MAX_TEMPL_ATTRS + MAX_ADD_ATTRS);

is mostly only useful for documentation purposes because it asserting that the buffer overflow did not occur after it (would have) occurred, and the buffer overflow itself would likely cause a wrong value of templateCount to be calculated.

I had forgotten about this bug during the call earlier today but I think the fix should also land in 3.12.9.

        Attachment #496118 -
        Attachment is obsolete: true

        Attachment #501823 -
        Flags: review?(rrelyea)

    
  
Target Milestone: 3.12.9 → 3.12.10

    
    

    
  
Comment on attachment 501823 [details] [diff] [review]
Prevent buffer overflow in PK11_DeriveWithTemplate (v3)

r+ rrelyea

        Attachment #501823 -
        Flags: review?(rrelyea) → review+

    
    

    
  
Comment on attachment 501823 [details] [diff] [review]
Prevent buffer overflow in PK11_DeriveWithTemplate (v3)

>+#   define MAX_ADD_ATTRS 4

We don't indent C preprocessor # directives like this.
Please rewrite it as

#define MAX_ADD_ATTRS 4

>+    PR_ASSERT(templateCount <= MAX_TEMPL_ATTRS + MAX_ADD_ATTRS);

Please use
    sizeof(keyTemplate) / sizeof(keyTemplate[0])
instead of
    MAX_TEMPL_ATTRS + MAX_ADD_ATTRS

    
    

    
  


  
Patch addressing Wan-Teh's comments above.

        Attachment #501823 -
        Attachment is obsolete: true

        Attachment #514864 -
        Flags: review?(wtc)

    
    

    
  
Comment on attachment 514864 [details] [diff] [review]
Prevent buffer overflow in PK11_DeriveWithTemplate (v4)

r=wtc.

IMPORTANT: pk11_AnyUnwrapKey has the same bug:
http://mxr.mozilla.org/security/search?string=first+copy+caller+attributes+in.

Please fix pk11_AnyUnwrapKey, too.  I suggest
you create a new function for the common code
shared by the two functions.  Note that pk11_AnyUnwrapKey
requires CKA_VALUE_LEN be last in the template:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/pk11wrap/pk11skey.c&rev=1.122&mark=2058#2052

If you don't have time, just fix pk11_AnyUnwrapKey.

>+#define MAX_ADD_ATTRS 4
>+    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS + MAX_ADD_ATTRS];
>+#undef MAX_ADD_ATTRS

If you want to limit MAX_ADD_ATTRS within this function,
you can also define it as a constant:
      const int MAX_ADD_ATTRS = 4;
or
      const int maxAddAttrs = 4;

It'd be nice to explain why it's 4.
(Because we may add CKA_CLASS, CKA_KEY_TYPE, CKA_VALUE_LEN,
and operation to the attribute template.)

        Attachment #514864 -
        Flags: review?(wtc) → review+
Target Milestone: 3.12.10 → 3.12.11

    
    

    
  


  
Replacing the macro with a const int doesn't work.

Patched checked in on the NSS trunk (NSS 3.13) and the
NSS_3_12_BRANCH (NSS 3.12.11).

Checking in pk11skey.c;
/cvsroot/mozilla/security/nss/lib/pk11wrap/pk11skey.c,v  <--  pk11skey.c
new revision: 1.123; previous revision: 1.122
done

Checking in pk11skey.c;
/cvsroot/mozilla/security/nss/lib/pk11wrap/pk11skey.c,v  <--  pk11skey.c
new revision: 1.119.2.3; previous revision: 1.119.2.2
done

        Attachment #514864 -
        Attachment is obsolete: true

    
  
Status: NEW → RESOLVED
Closed: 13 years ago
Priority: -- → P2
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: