firefox/CVE-2020-15668.patch

# HG changeset patch
# User Kevin Jacobs <kjacobs@mozilla.com>
# Date 1594335948 0
#      Thu Jul 09 23:05:48 2020 +0000
# Node ID 06be9b59deb034f3ec6ab93c55e3ba4039f690cd
# Parent  93092fe1e43c69a0b7e7b2960b4b55524ba30db0
Bug 1651520 - slotLock race in NSC_GetTokenInfo r=kjacobs
2020-07-09  J.C. Jones  <jjones@mozilla.com>

        * lib/softoken/pkcs11.c:
        Bug 1651520 - slotLock race in NSC_GetTokenInfo r=kjacobs

        Basically, NSC_GetTokenInfo doesn't lock slot->slotLock before
        accessing slot after obtaining it, even though slotLock is defined
        as its lock. [0]

        [0] https://searchfox.org/nss/rev/a412e70e55218aaf670f1f10322fa734d8
        a9fbde/lib/softoken/pkcs11i.h#320-321
        [58c2abd7404e] [tip]

diff -r 93092fe1e43c -r 06be9b59deb0 security/nss/lib/softoken/pkcs11.c
--- a/security/nss/lib/softoken/pkcs11.c	Thu Jul 09 23:16:09 2020 +0000
+++ b/security/nss/lib/softoken/pkcs11.c	Thu Jul 09 23:05:48 2020 +0000
@@ -3661,10 +3661,12 @@
     PORT_Memcpy(pInfo->model, "NSS 3           ", 16);
     PORT_Memcpy(pInfo->serialNumber, "0000000000000000", 16);
     PORT_Memcpy(pInfo->utcTime, "0000000000000000", 16);
-    pInfo->ulMaxSessionCount = 0; /* arbitrarily large */
+    pInfo->ulMaxSessionCount = 0;   /* arbitrarily large */
+    pInfo->ulMaxRwSessionCount = 0; /* arbitarily large */
+    PZ_Lock(slot->slotLock);        /* Protect sessionCount / rwSessioncount */
     pInfo->ulSessionCount = slot->sessionCount;
-    pInfo->ulMaxRwSessionCount = 0; /* arbitarily large */
     pInfo->ulRwSessionCount = slot->rwSessionCount;
+    PZ_Unlock(slot->slotLock); /* Unlock before sftk_getKeyDB */
     pInfo->firmwareVersion.major = 0;
     pInfo->firmwareVersion.minor = 0;
     PORT_Memcpy(pInfo->label, slot->tokDescription, sizeof(pInfo->label));
fix CVE-2020-15664 CVE-2020-15665 CVE-2020-15666 CVE-2020-15667 CVE-2020-15668 CVE-2020-15676 CVE-2020-15677 CVE-2020-15678 2020-12-18 11:52:37 +08:00			`# HG changeset patch`
			`# User Kevin Jacobs <kjacobs@mozilla.com>`
			`# Date 1594335948 0`
			`# Thu Jul 09 23:05:48 2020 +0000`
			`# Node ID 06be9b59deb034f3ec6ab93c55e3ba4039f690cd`
			`# Parent 93092fe1e43c69a0b7e7b2960b4b55524ba30db0`
			`Bug 1651520 - slotLock race in NSC_GetTokenInfo r=kjacobs`
			`2020-07-09 J.C. Jones <jjones@mozilla.com>`

			`* lib/softoken/pkcs11.c:`
			`Bug 1651520 - slotLock race in NSC_GetTokenInfo r=kjacobs`

			`Basically, NSC_GetTokenInfo doesn't lock slot->slotLock before`
			`accessing slot after obtaining it, even though slotLock is defined`
			`as its lock. [0]`

			`[0] https://searchfox.org/nss/rev/a412e70e55218aaf670f1f10322fa734d8`
			`a9fbde/lib/softoken/pkcs11i.h#320-321`
			`[58c2abd7404e] [tip]`

			`diff -r 93092fe1e43c -r 06be9b59deb0 security/nss/lib/softoken/pkcs11.c`
			`--- a/security/nss/lib/softoken/pkcs11.c Thu Jul 09 23:16:09 2020 +0000`
			`+++ b/security/nss/lib/softoken/pkcs11.c Thu Jul 09 23:05:48 2020 +0000`
			`@@ -3661,10 +3661,12 @@`
			`PORT_Memcpy(pInfo->model, "NSS 3 ", 16);`
			`PORT_Memcpy(pInfo->serialNumber, "0000000000000000", 16);`
			`PORT_Memcpy(pInfo->utcTime, "0000000000000000", 16);`
			`- pInfo->ulMaxSessionCount = 0; /* arbitrarily large */`
			`+ pInfo->ulMaxSessionCount = 0; /* arbitrarily large */`
			`+ pInfo->ulMaxRwSessionCount = 0; /* arbitarily large */`
			`+ PZ_Lock(slot->slotLock); /* Protect sessionCount / rwSessioncount */`
			`pInfo->ulSessionCount = slot->sessionCount;`
			`- pInfo->ulMaxRwSessionCount = 0; /* arbitarily large */`
			`pInfo->ulRwSessionCount = slot->rwSessionCount;`
			`+ PZ_Unlock(slot->slotLock); /* Unlock before sftk_getKeyDB */`
			`pInfo->firmwareVersion.major = 0;`
			`pInfo->firmwareVersion.minor = 0;`
			`PORT_Memcpy(pInfo->label, slot->tokDescription, sizeof(pInfo->label));`