Bug 805232 - pem module may attempt to free an uninitialized pointer
Summary: pem module may attempt to free an uninitialized pointer
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nss
Version: 6.3
Hardware: x86_64
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: 6.3
Assignee: Elio Maldonado Batiz
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On: 717338
Blocks: 847462
 
Reported: 2012-03-20 17:14 UTC by Elio Maldonado Batiz
Modified: 2015-05-06 11:42 UTC (History)

Fixed In Version: nss-3.13.3-6.el6
Doc Type: Bug Fix
Doc Text:
No Documentation needed
Clone Of: 717338
Clones: 847462
Environment:
Last Closed: 2012-06-20 07:24:18 UTC
Target Upstream Version:


Attachments
Initialize the pointer to NULL (517 bytes, patch)
2012-03-20 19:26 UTC, Elio Maldonado Batiz
no flags
init pointer to NULL and also bail out if mem alloc fails (1.59 KB, patch)
2012-03-20 23:51 UTC, Elio Maldonado Batiz
rrelyea: review+


Links
Red Hat Product Errata RHSA-2012:0973 (priority: normal, status: SHIPPED_LIVE): Moderate: nss, nss-util, and nspr security, bug fix, and enhancement update. Last updated 2012-06-19 19:28:14 UTC.

Description Elio Maldonado Batiz 2012-03-20 17:14:26 UTC
+++ This bug was initially created as a clone of Bug #717338 +++

Description of problem:
When my application attempts to load a private key file, it crashes in pem_CreateObject().

Version-Release number of selected component (if applicable):
nss-3.12.10-4.fc16.x86_64

How reproducible:
Always

Steps to Reproduce:
1. SECMOD_LoadUserModule(libnsspem.so)
2. PK11_CreateGenericObject(CKA_CLASS=CKO_PRIVATE_KEY,CKA_TOKEN=CK_TRUE)
  
Actual results:
pem_CreateObject() passes an uninitialized certDER.data to nss_ZFreeIf()

Additional info:
When I cut it down to the bare minimum to try to create a simpler reproducer, I don't get a crash any more, but valgrind at least still flags the errors.

--- Additional comment from nalin on 2011-06-28 11:24:30 EDT ---

Created attachment 510308 [details]
minimal attempt at a reproducer

--- Additional comment from nalin on 2011-06-28 11:59:56 EDT ---

Created attachment 510313 [details]
patch for NSS which fixes my application

--- Additional comment from emaldona on 2011-09-12 12:09:05 EDT ---

Nalin, I'm picking up your patch. It will be applied with other I have in the queue. Thanks.
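The defect pattern described above, as an added example that is not part of NSS or of this bug's patch: a stand-in for SECItem and nss_ZFreeIf(), with the buggy create path (an uninitialised certDER.data reaching cleanup on an early exit) beside the fixed shape the attachment titles describe (NULL-initialise the pointer, bail out when allocation fails). The Item type, the one-slot tracker, zalloc() and the junk buffer are assumptions of this example, used so the bad free is counted rather than crashing the process.

```c
#include <stdlib.h>
#include <stddef.h>

/* Stand-in for SECItem: the PEM module keeps the decoded DER here. */
typedef struct { unsigned char *data; unsigned int len; } Item;

/* One-slot allocation tracker so an invalid free is counted instead of crashing. */
static void *live = NULL;
static int bad_frees = 0;
static unsigned char junk[4];   /* plays the role of stale stack contents (assumption) */

static void *zalloc(size_t n) { live = calloc(1, n); return live; }

/* Stand-in for nss_ZFreeIf(): NULL is a no-op; any pointer that is not live is invalid. */
static void free_if(void *p) {
    if (p == NULL) return;
    if (p != live) { bad_frees++; return; }   /* a real free() here corrupts or aborts */
    free(p); live = NULL;
}

/* Buggy shape: certDER.data is never initialised, yet cleanup frees it unconditionally. */
static int create_object_buggy(int decode_fails) {
    Item certDER;                 /* uninitialised in the original; modelled as junk below */
    int rv = -1;
    certDER.data = junk;          /* whatever an uninitialised field happens to hold */
    if (decode_fails) goto loser; /* early exit before data is ever assigned */
    if ((certDER.data = zalloc(16)) == NULL) goto loser;
    certDER.len = 16;
    rv = 0;
loser:
    free_if(certDER.data);        /* on the early-exit path this is the stale value */
    return rv;
}

/* Fixed shape: NULL-initialise, and bail out explicitly when the allocation fails. */
static int create_object_fixed(int decode_fails) {
    Item certDER = { NULL, 0 };   /* free_if(NULL) is now a safe no-op on every path */
    int rv = -1;
    if (decode_fails) goto loser;
    certDER.data = zalloc(16);
    if (certDER.data == NULL) goto loser;   /* allocation failure: nothing to free yet */
    certDER.len = 16;
    rv = 0;
loser:
    free_if(certDER.data);
    return rv;
}

/* Observers for the tracker: number of invalid frees since last call, and whether a buffer leaked. */
int bad_free_count(void) { int n = bad_frees; bad_frees = 0; return n; }
int leaked(void) { return live != NULL; }
```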

Comment 1 Elio Maldonado Batiz 2012-03-20 17:20:38 UTC
I was comparing the sources after all approved patches had been applied to RHEL 6.3 and Fedora and I noticed that we are missing this one. I recommend picking this up for RHEL 6.3.

Comment 3 Elio Maldonado Batiz 2012-03-20 19:26:55 UTC
Created attachment 571508 [details]
Initialize the pointer to NULL

This is Nalin's patch updated so it applies after all the other patches.

Comment 4 Bob Relyea 2012-03-20 22:24:07 UTC
Elio, can you attach a pointer to the full pobject.c? The given context is not enough to review the patch.

Thanks.

Comment 5 Elio Maldonado Batiz 2012-03-20 23:19:01 UTC
Aha, looking at the bigger context I realized the patch needs a bit more work.

Comment 6 Elio Maldonado Batiz 2012-03-20 23:51:36 UTC
Created attachment 571565 [details]
init pointer to NULL and also bail out if mem alloc fails

Comment 9 Elio Maldonado Batiz 2012-04-30 22:33:11 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
No Documentation needed

Comment 10 Bob Relyea 2012-05-04 17:15:18 UTC
Comment on attachment 571565 [details]
init pointer to NULL and also bail out if mem alloc fails

r+ relyea

Comment 12 errata-xmlrpc 2012-06-20 07:24:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0973.html

