# HG changeset patch # User Kevin Jacobs # Date 1594335948 0 # Thu Jul 09 23:05:48 2020 +0000 # Node ID 06be9b59deb034f3ec6ab93c55e3ba4039f690cd # Parent 93092fe1e43c69a0b7e7b2960b4b55524ba30db0 Bug 1651520 - slotLock race in NSC_GetTokenInfo r=kjacobs 2020-07-09 J.C. Jones * lib/softoken/pkcs11.c: Bug 1651520 - slotLock race in NSC_GetTokenInfo r=kjacobs Basically, NSC_GetTokenInfo doesn't lock slot->slotLock before accessing slot after obtaining it, even though slotLock is defined as its lock. [0] [0] https://searchfox.org/nss/rev/a412e70e55218aaf670f1f10322fa734d8 a9fbde/lib/softoken/pkcs11i.h#320-321 [58c2abd7404e] [tip]
diff -r 93092fe1e43c -r 06be9b59deb0 security/nss/lib/softoken/pkcs11.c
--- a/security/nss/lib/softoken/pkcs11.c Thu Jul 09 23:16:09 2020 +0000
+++ b/security/nss/lib/softoken/pkcs11.c Thu Jul 09 23:05:48 2020 +0000
@@ -3661,10 +3661,12 @@
 PORT_Memcpy(pInfo->model, "NSS 3 ", 16);
 PORT_Memcpy(pInfo->serialNumber, "0000000000000000", 16);
 PORT_Memcpy(pInfo->utcTime, "0000000000000000", 16);
- pInfo->ulMaxSessionCount = 0; /* arbitrarily large */
+ pInfo->ulMaxSessionCount = 0; /* arbitrarily large */
+ pInfo->ulMaxRwSessionCount = 0; /* arbitarily large */
+ PZ_Lock(slot->slotLock); /* Protect sessionCount / rwSessioncount */
 pInfo->ulSessionCount = slot->sessionCount;
- pInfo->ulMaxRwSessionCount = 0; /* arbitarily large */
 pInfo->ulRwSessionCount = slot->rwSessionCount;
+ PZ_Unlock(slot->slotLock); /* Unlock before sftk_getKeyDB */
 pInfo->firmwareVersion.major = 0;
 pInfo->firmwareVersion.minor = 0;
 PORT_Memcpy(pInfo->label, slot->tokDescription, sizeof(pInfo->label));
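Review bot: The copy of `slot->tokDescription` on the last line of the hunk still runs after `PZ_Unlock(slot->slotLock)`, so only the two session counters are read under the lock; since the commit message describes slotLock as the slot's lock, it is worth confirming that tokDescription cannot change once the slot is set up, or moving that `PORT_Memcpy` inside the critical section. The unlock comment states an ordering constraint without giving the reason, and the sftk_getKeyDB call it refers to is outside the hunk; something like `/* Release slotLock before sftk_getKeyDB(), which must not be called with it held */` would record the intent, assuming that is the reason. The moved comment keeps the typo `arbitarily` and the new one writes `rwSessioncount`; `arbitrarily` and `rwSessionCount` would match the field name. The enclosing function begins and ends outside the hunk.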