Bug 1174527
Summary: | Segfault in pk12util when using -l option with certain .p12 files | ||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Elio Maldonado Batiz <emaldona> | ||||||||||||
Component: | nss | Assignee: | Elio Maldonado Batiz <emaldona> | ||||||||||||
Status: | CLOSED ERRATA | QA Contact: | Hubert Kario <hkario> | ||||||||||||
Severity: | high | Docs Contact: | |||||||||||||
Priority: | unspecified | ||||||||||||||
Version: | 7.2 | CC: | hkario, ksrot, ovasik, pkis, rrelyea | ||||||||||||
Target Milestone: | rc | ||||||||||||||
Target Release: | --- | ||||||||||||||
Hardware: | x86_64 | ||||||||||||||
OS: | Linux | ||||||||||||||
Whiteboard: | |||||||||||||||
Fixed In Version: | nss-3.16.2.3-5.el7 | Doc Type: | Bug Fix | ||||||||||||
Doc Text: |
Cause: The pkcs #12 decoder didn't properly check the destination buffer length when decoding.
Consequence: A segmentation fault resulted in the pk12util tool when using -l option to list the contents of certain pkcs 12 encoded files
Fix: The decoder has been fixed to perform the needed check.
Result: The pk12util can now list the encoded files.
|
Story Points: | --- | ||||||||||||
Clone Of: | Environment: | ||||||||||||||
Last Closed: | 2015-03-05 08:29:23 UTC | Type: | Bug | ||||||||||||
Regression: | --- | Mount Type: | --- | ||||||||||||
Documentation: | --- | CRM: | |||||||||||||
Verified Versions: | Category: | --- | |||||||||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||||||||
Embargoed: | |||||||||||||||
Bug Depends On: | |||||||||||||||
Bug Blocks: | 1180596, 1182933 | ||||||||||||||
Attachments: |
|
Description
Elio Maldonado Batiz
2014-12-16 01:37:50 UTC
Created attachment 969386 [details]
simplified version of Hubert's test
It can be used in system without Beaker and works wiithout using valgrind.
The results of my additiobal testing are as follows. I tested using Hubert's test with Beaker and my simplified version that doesn't require Beaker. 1) On rhel-6.6 and I can reproduce the segfault on x86_64, i686 is fine. 2) On fedora f21 I can reproduce the segfault on x86_64, i686 is fine. 3) Using my simpler test with the upstream source tree it segfaults on x86_64 and fine on i686 The stack trace is the one in Comment 0 I traced execution on the gdb for x86_64 (where it fails) and on i686 (where it doesn't) and on both the code path followed is the same. gdb shows me that dest-len = 2, but dest-data is "" (on both). That explains the segfault. How come it doesn't segfault on i686? With the following changes to nss/lib/pkcs12/p12local.c - if((dest->data[dest->len-1] || dest->data[dest->len-2]) && zeroTerm) { + if ((PORT_Strlen(dest->data) >= 2) && + (dest->data[dest->len-1] || dest->data[dest->len-2]) && + zeroTerm) { the segfault doesn't happen. Created attachment 969387 [details]
Gets rid of the segfault on x86_64
Created attachment 969405 [details]
Gets rid of the segfault on x86_64
identical to the one submitted upstream
If the crash is because data->len-2 is negative, the better test is if ((data->len < 2) && ..... ) Rather than if ((strlen(data->data) <=2) && ... ) bob NOTE: if you want this in 7.1, you'd need to ask and justify it as a blocker. (In reply to Bob Relyea from comment #6) > If the crash is because data->len-2 is negative, the better test is > > if ((data->len < 2) && ..... ) I think you meant to type > if ((dest->len < 2) && ..... ) and see my comment at: https://bugzilla.redhat.com/show_bug.cgi?id=1181614#c7 Created attachment 981212 [details] Fix the segfault - corrected version without breaking the python-nss sanity check as previous one did as explained in https://bugzilla.redhat.com/show_bug.cgi?id=1181614#c7 Created attachment 981584 [details]
all changes including nss.spec changes
Comment on attachment 981212 [details]
Fix the segfault - corrected version
r+ rrelyea
*** Bug 1181614 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-0364.html |