Bug 805232 - pem module may attempt to free an uninitialized pointer
pem module may attempt to free an uninitialized pointer
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nss (Show other bugs)
x86_64 Unspecified
high Severity high
: rc
: 6.3
Assigned To: Elio Maldonado Batiz
BaseOS QE Security Team
Depends On: 717338
Blocks: 847462
  Show dependency treegraph
Reported: 2012-03-20 13:14 EDT by Elio Maldonado Batiz
Modified: 2015-05-06 07:42 EDT (History)
8 users (show)

See Also:
Fixed In Version: nss-3.13.3-6.el6
Doc Type: Bug Fix
Doc Text:
No Documentation needed
Story Points: ---
Clone Of: 717338
: 847462 (view as bug list)
Last Closed: 2012-06-20 03:24:18 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Intialize the pointer to NULL (517 bytes, patch)
2012-03-20 15:26 EDT, Elio Maldonado Batiz
no flags Details | Diff
init pointer to NULL and also bail out if mem alloc fails (1.59 KB, patch)
2012-03-20 19:51 EDT, Elio Maldonado Batiz
rrelyea: review+
Details | Diff

  None (edit)
Description Elio Maldonado Batiz 2012-03-20 13:14:26 EDT
+++ This bug was initially created as a clone of Bug #717338 +++

Description of problem:
When my application attempts to load a private key file, it crashes in pem_CreateObject().

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. SECMOD_LoadUserModule(libnsspem.so)
Actual results:
pem_CreateObject() passes an uninitialized certDER.data to nss_ZFreeIf()

Additional info:
When I cut it down to the bare minimum to try to create a simpler reproducer, I don't get a crash any more, but valgrind at least still flags the errors.

--- Additional comment from nalin@redhat.com on 2011-06-28 11:24:30 EDT ---

Created attachment 510308 [details]
minimal attempt at a reproducer

--- Additional comment from nalin@redhat.com on 2011-06-28 11:59:56 EDT ---

Created attachment 510313 [details]
patch for NSS which fixes my application

--- Additional comment from emaldona@redhat.com on 2011-09-12 12:09:05 EDT ---

Nalin, I'm picking up your patch. It will be applied with other I have in the queue. Thanks.
Comment 1 Elio Maldonado Batiz 2012-03-20 13:20:38 EDT
I was comparing the sources after all approved patches had been applied to RHEL 6.3 and Fedora and I noticed that we are missing this one. I recommend picking this up for RHEL 6.3.
Comment 3 Elio Maldonado Batiz 2012-03-20 15:26:55 EDT
Created attachment 571508 [details]
Intialize the pointer to NULL

This is Nalin' patch updated so it applies after all the other patches.
Comment 4 Bob Relyea 2012-03-20 18:24:07 EDT
Elio, can you attack a pointer to the full pobject.c The given context is not enough to review the patch.

Comment 5 Elio Maldonado Batiz 2012-03-20 19:19:01 EDT
Aha, looking at the bigger context I realized the patch needs a bit more work.
Comment 6 Elio Maldonado Batiz 2012-03-20 19:51:36 EDT
Created attachment 571565 [details]
init pointer to NULL and also bail out if mem alloc fails
Comment 9 Elio Maldonado Batiz 2012-04-30 18:33:11 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    New Contents:
No Documentation needed
Comment 10 Bob Relyea 2012-05-04 13:15:18 EDT
Comment on attachment 571565 [details]
init pointer to NULL and also bail out if mem alloc fails

r+ relyea
Comment 12 errata-xmlrpc 2012-06-20 03:24:18 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.