Closed Bug 1899402 (CVE-2024-11704) Opened 1 year ago Closed 7 months ago

Double free in sec_pkcs7_decoder_start_decrypt()

Categories

(NSS :: Libraries, defect, P3)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(firefox-esr115 wontfix, firefox-esr128135+ fixed, firefox131 wontfix, firefox132 wontfix, firefox133 fixed)

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 135+ fixed
firefox131 --- wontfix
firefox132 --- wontfix
firefox133 --- fixed

People

(Reporter: mozillabugs, Assigned: KaiE)

References

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-main133+][adv-ESR128.7+])

Attachments

(2 files)

Bug 1899402 - Correctly destroy bulkkey in error scenario. r=jschanck
48 bytes, text/x-phabricator-request
Details | Review
advisory.txt
314 bytes, text/plain
Details

sec_pkcs7_decoder_start_decrypt() (security/nss/lib/pkcs7/p7decode.c) calls PK11_FreeSymKey() twice for the same key on an error path. The issue occurs if line 538-9 fails, returning NULL. Line 544 then unconditionally frees bulkkey, the condition on line 546 is true, and line 549 transfers control to line 562. Line 563 then frees bulkkey again.

sec_pkcs7_decoder_start_decrypt() is linked into the FF executable, but I haven't found where FF uses it. It is definitely used by TBird for S/MIME.

Code from FIREFOX_126_0_RELEASE:

    468: static SECStatus
    469: sec_pkcs7_decoder_start_decrypt(
    ...
    473: {
    474:     PK11SymKey *bulkkey = NULL;
    ...
    538:     decryptobj = sec_PKCS7CreateDecryptObject(bulkkey,
    539:                                               &(enccinfo->contentEncAlg));
    540: 
    541:     /*
    542:      * We are done with (this) bulkkey now.
    543:      */
    544:     PK11_FreeSymKey(bulkkey);
    545: 
    546:     if (decryptobj == NULL) {
    547:         p7dcx->error = PORT_GetError();
    548:         PORT_SetError(0);
    549:         goto no_decryption;
    550:     }
    ...
    562: no_decryption:
    563:     PK11_FreeSymKey(bulkkey);
    ...
    579: }

I'm working on a POC.

Flags: sec-bounty?

I haven't found where FF uses

I don't see any code coverage of this in Firefox, either. We do use PKCS7 for signing addons, but not encrypting as far as I know.

Double-free in pretty straight line code is probably fine most of the time, but there's a chance something reallocates that space in the tiny bit of time between line 544 and the jump to line 562

Keywords: csectype-race, csectype-uaf, sec-low
Severity: -- → S3
Priority: -- → P3
Attachment #9427580 - Attachment description: Bug 1899402 - Correctly destroy bulkkey in error scenario. r=#nss-reviewers → Bug 1899402 - Correctly destroy bulkkey in error scenario. r=jschanck

Is there a tracking flag for NSS patches that could potentially get backported to the branch used by ESR?
Might be nice to backport for Thunderbird 128 branch / NSS 3.101.x as a ride along, if another 3.101.x release is made.

Do you have any preference for timing the commit to NSS, given a release was just cut?
Commit now, or wait until we're closer to the next NSS release?

https://hg.mozilla.org/projects/nss/rev/14b1f7c417707ebff0200fd87df58c758e530e75

Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Assignee: nobody → kaie
Group: crypto-core-security → core-security-release
status-firefox131: --- → wontfix
status-firefox132: --- → wontfix
status-firefox133: --- → fixed
status-firefox-esr115: --- → wontfix
status-firefox-esr128: --- → affected
Flags: sec-bounty? → sec-bounty+
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main133+]
Attached file advisory.txt
Alias: CVE-2024-11704
Blocks: 1936150
Whiteboard: [post-critsmash-triage][adv-main133+] → [post-critsmash-triage][adv-main133+][adv-ESR128.7+]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: