packages/firefox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
firefox/CVE-2020-15668.patch

39 lines
1.8 KiB
Diff
Raw Blame History

# HG changeset patch
# User Kevin Jacobs <kjacobs@mozilla.com>
# Date 1594335948 0
# Thu Jul 09 23:05:48 2020 +0000
# Node ID 06be9b59deb034f3ec6ab93c55e3ba4039f690cd
# Parent 93092fe1e43c69a0b7e7b2960b4b55524ba30db0
Bug 1651520 - slotLock race in NSC_GetTokenInfo r=kjacobs
2020-07-09 J.C. Jones <jjones@mozilla.com>
* lib/softoken/pkcs11.c:
Bug 1651520 - slotLock race in NSC_GetTokenInfo r=kjacobs
Basically, NSC_GetTokenInfo doesn't lock slot->slotLock before
accessing slot after obtaining it, even though slotLock is defined
as its lock. [0]
[0] https://searchfox.org/nss/rev/a412e70e55218aaf670f1f10322fa734d8
a9fbde/lib/softoken/pkcs11i.h#320-321
[58c2abd7404e] [tip]
diff -r 93092fe1e43c -r 06be9b59deb0 security/nss/lib/softoken/pkcs11.c
--- a/security/nss/lib/softoken/pkcs11.c Thu Jul 09 23:16:09 2020 +0000
+++ b/security/nss/lib/softoken/pkcs11.c Thu Jul 09 23:05:48 2020 +0000
@@ -3661,10 +3661,12 @@
PORT_Memcpy(pInfo->model, "NSS 3 ", 16);
PORT_Memcpy(pInfo->serialNumber, "0000000000000000", 16);
PORT_Memcpy(pInfo->utcTime, "0000000000000000", 16);
- pInfo->ulMaxSessionCount = 0; /* arbitrarily large */
+ pInfo->ulMaxSessionCount = 0; /* arbitrarily large */
+ pInfo->ulMaxRwSessionCount = 0; /* arbitarily large */
+ PZ_Lock(slot->slotLock); /* Protect sessionCount / rwSessioncount */
pInfo->ulSessionCount = slot->sessionCount;
- pInfo->ulMaxRwSessionCount = 0; /* arbitarily large */
pInfo->ulRwSessionCount = slot->rwSessionCount;
+ PZ_Unlock(slot->slotLock); /* Unlock before sftk_getKeyDB */
pInfo->firmwareVersion.major = 0;
pInfo->firmwareVersion.minor = 0;
PORT_Memcpy(pInfo->label, slot->tokDescription, sizeof(pInfo->label));
Reference in New Issue View Git Blame Copy Permalink