[tbb-commits] [tor-browser] 280/311: Bug 1761497 - land NSS NSS_3_76_1_RTM UPGRADE_NSS_RELEASE, r=djackson a=dmeehan

gitolite role git at cupani.torproject.org
Tue Apr 26 15:31:20 UTC 2022


This is an automated email from the git hooks/post-receive script.

pierov pushed a commit to branch geckoview-99.0.1-11.0-1
in repository tor-browser.

commit b6f3a4ba95c52b0d969db13ce7742eb917093a01
Author: John Schanck <jschanck at mozilla.com>
AuthorDate: Mon Mar 28 16:55:14 2022 +0000

    Bug 1761497 - land NSS NSS_3_76_1_RTM UPGRADE_NSS_RELEASE, r=djackson a=dmeehan
    
    
    2022-03-25  John M. Schanck  <jschanck at mozilla.com>
    
            * doc/rst/releases/nss_3_76_1.rst:
            Release notes for NSS 3.76.1
            [0e6c67470eed] [NSS_3_76_1_RTM] <NSS_3_76_1_BRANCH>
    
    2022-03-23  John M. Schanck  <jschanck at mozilla.com>
    
            * lib/dev/dev.h, lib/dev/devslot.c, lib/dev/devt.h,
            lib/dev/devtoken.c, lib/pk11wrap/dev3hack.c:
            Bug 1756271 - Remove token member from NSSSlot struct. r=rrelyea
    
            [41966ff1253b] <NSS_3_76_1_BRANCH>
    
    2022-03-25  John M. Schanck  <jschanck at mozilla.com>
    
            * lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
            Set version numbers to 3.76.1 final
            [48ff4cd9bada] <NSS_3_76_1_BRANCH>
    
    2022-03-03  Dennis Jackson  <djackson at mozilla.com>
    
            * .hgtags:
            Added tag NSS_3_76_RTM for changeset b5b9832a3898
            [c0f05af06d3c] <NSS_3_76_BRANCH>
    
    Differential Revision: https://phabricator.services.mozilla.com/D142226
---
 security/nss/TAG-INFO                        |  2 +-
 security/nss/coreconf/coreconf.dep           |  1 +
 security/nss/doc/rst/releases/nss_3_76_1.rst | 68 ++++++++++++++++++++++++++
 security/nss/lib/dev/dev.h                   |  5 --
 security/nss/lib/dev/devslot.c               | 73 +++++++++++++++-------------
 security/nss/lib/dev/devt.h                  |  1 -
 security/nss/lib/dev/devtoken.c              |  7 ---
 security/nss/lib/nss/nss.h                   |  4 +-
 security/nss/lib/pk11wrap/dev3hack.c         | 19 --------
 security/nss/lib/softoken/softkver.h         |  4 +-
 security/nss/lib/util/nssutil.h              |  4 +-
 11 files changed, 116 insertions(+), 72 deletions(-)

diff --git a/security/nss/TAG-INFO b/security/nss/TAG-INFO
index 90ac9f28043f1..2e161b0a8c6cb 100644
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1 +1 @@
-NSS_3_76_RTM
\ No newline at end of file
+NSS_3_76_1_RTM
\ No newline at end of file
diff --git a/security/nss/coreconf/coreconf.dep b/security/nss/coreconf/coreconf.dep
index 5182f75552c81..590d1bfaeee3f 100644
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -10,3 +10,4 @@
  */
 
 #error "Do not include this header file."
+
diff --git a/security/nss/doc/rst/releases/nss_3_76_1.rst b/security/nss/doc/rst/releases/nss_3_76_1.rst
new file mode 100644
index 0000000000000..2aee3ef12e9d8
--- /dev/null
+++ b/security/nss/doc/rst/releases/nss_3_76_1.rst
@@ -0,0 +1,68 @@
+.. _mozilla_projects_nss_nss_3_76_1_release_notes:
+
+NSS 3.76.1 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+   Network Security Services (NSS) 3.76.1 was released on **28 March 2022**.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+   The HG tag is NSS_3_76_1_RTM. NSS 3.76.1 requires NSPR 4.32 or newer.
+
+   NSS 3.76.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+   -  Source tarballs:
+      https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_76_1_RTM/src/
+
+   Other releases are available :ref:`mozilla_projects_nss_releases`.
+
+.. _changes_in_nss_3.76.1:
+
+`Changes in NSS 3.76.1 <#changes_in_nss_3.76.1>`__
+----------------------------------------------------
+
+.. container::
+
+   - Bug 1756271 - Remove token member from NSSSlot struct.
+
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+   NSS 3.76.1 shared libraries are backwards-compatible with all older NSS 3.x shared
+   libraries. A program linked with older NSS 3.x shared libraries will work with
+   this new version of the shared libraries without recompiling or
+   relinking. Furthermore, applications that restrict their use of NSS APIs to the
+   functions listed in NSS Public Functions will remain compatible with future
+   versions of the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+   Bugs discovered should be reported by filing a bug report on
+   `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).
+
+`Notes <#notes>`__
+------------------
+
+.. container::
+
+   This release improves the stability of NSS when used in a multi-threaded
+   environment. In particular, it fixes memory safety violations that can occur
+   when PKCS#11 tokens are removed while in use (CVE-2022-1097). We presume
+   that with enough effort these memory safety violations are exploitable.
+
diff --git a/security/nss/lib/dev/dev.h b/security/nss/lib/dev/dev.h
index 26ac8957e9102..6430511442796 100644
--- a/security/nss/lib/dev/dev.h
+++ b/security/nss/lib/dev/dev.h
@@ -146,7 +146,6 @@ nssModule_GetCertOrder(
  * nssSlot_Destroy
  * nssSlot_AddRef
  * nssSlot_GetName
- * nssSlot_GetTokenName
  * nssSlot_IsTokenPresent
  * nssSlot_IsPermanent
  * nssSlot_IsFriendly
@@ -176,10 +175,6 @@ NSS_EXTERN NSSUTF8 *
 nssSlot_GetName(
     NSSSlot *slot);
 
-NSS_EXTERN NSSUTF8 *
-nssSlot_GetTokenName(
-    NSSSlot *slot);
-
 NSS_EXTERN NSSModule *
 nssSlot_GetModule(
     NSSSlot *slot);
diff --git a/security/nss/lib/dev/devslot.c b/security/nss/lib/dev/devslot.c
index 5021408bf06f2..ccd90ac9729d6 100644
--- a/security/nss/lib/dev/devslot.c
+++ b/security/nss/lib/dev/devslot.c
@@ -12,7 +12,9 @@
 #include "ckhelper.h"
 #endif /* CKHELPER_H */
 
-#include "pk11pub.h"
+#include "pkim.h"
+#include "dev3hack.h"
+#include "pk11func.h"
 
 /* measured in seconds */
 #define NSSSLOT_TOKEN_DELAY_TIME 1
@@ -79,13 +81,6 @@ nssSlot_GetName(
     return slot->base.name;
 }
 
-NSS_IMPLEMENT NSSUTF8 *
-nssSlot_GetTokenName(
-    NSSSlot *slot)
-{
-    return nssToken_GetName(slot->token);
-}
-
 NSS_IMPLEMENT void
 nssSlot_ResetDelay(
     NSSSlot *slot)
@@ -123,11 +118,13 @@ nssSlot_IsTokenPresent(
 {
     CK_RV ckrv;
     PRStatus nssrv;
+    NSSToken *nssToken = NULL;
     /* XXX */
     nssSession *session;
     CK_SLOT_INFO slotInfo;
     void *epv;
     PRBool isPresent = PR_FALSE;
+    PRBool doUpdateCachedCerts = PR_FALSE;
 
     /* permanent slots are always present unless they're disabled */
     if (nssSlot_IsPermanent(slot)) {
@@ -169,23 +166,24 @@ nssSlot_IsTokenPresent(
 
     PZ_Unlock(slot->isPresentLock);
 
+    nssToken = PK11Slot_GetNSSToken(slot->pk11slot);
+    if (!nssToken) {
+        isPresent = PR_FALSE;
+        goto done;
+    }
+
     nssSlot_EnterMonitor(slot);
     ckrv = CKAPI(epv)->C_GetSlotInfo(slot->slotID, &slotInfo);
     nssSlot_ExitMonitor(slot);
     if (ckrv != CKR_OK) {
-        slot->token->base.name[0] = 0; /* XXX */
+        nssToken->base.name[0] = 0; /* XXX */
         isPresent = PR_FALSE;
         goto done;
     }
     slot->ckFlags = slotInfo.flags;
     /* check for the presence of the token */
     if ((slot->ckFlags & CKF_TOKEN_PRESENT) == 0) {
-        if (!slot->token) {
-            /* token was never present */
-            isPresent = PR_FALSE;
-            goto done;
-        }
-        session = nssToken_GetDefaultSession(slot->token);
+        session = nssToken_GetDefaultSession(nssToken);
         if (session) {
             nssSession_EnterMonitor(session);
             /* token is not present */
@@ -197,21 +195,21 @@ nssSlot_IsTokenPresent(
             }
             nssSession_ExitMonitor(session);
         }
-        if (slot->token->base.name[0] != 0) {
+        if (nssToken->base.name[0] != 0) {
             /* notify the high-level cache that the token is removed */
-            slot->token->base.name[0] = 0; /* XXX */
-            nssToken_NotifyCertsNotVisible(slot->token);
+            nssToken->base.name[0] = 0; /* XXX */
+            nssToken_NotifyCertsNotVisible(nssToken);
         }
-        slot->token->base.name[0] = 0; /* XXX */
+        nssToken->base.name[0] = 0; /* XXX */
         /* clear the token cache */
-        nssToken_Remove(slot->token);
+        nssToken_Remove(nssToken);
         isPresent = PR_FALSE;
         goto done;
     }
     /* token is present, use the session info to determine if the card
      * has been removed and reinserted.
      */
-    session = nssToken_GetDefaultSession(slot->token);
+    session = nssToken_GetDefaultSession(nssToken);
     if (session) {
         PRBool tokenRemoved;
         nssSession_EnterMonitor(session);
@@ -237,17 +235,31 @@ nssSlot_IsTokenPresent(
      * a token it doesn't recognize. invalidate all the old
      * information we had on this token, if we can't refresh, clear
      * the present flag */
-    nssToken_NotifyCertsNotVisible(slot->token);
-    nssToken_Remove(slot->token);
-    /* token has been removed, need to refresh with new session */
-    nssrv = nssSlot_Refresh(slot);
-    isPresent = PR_TRUE;
+    nssToken_NotifyCertsNotVisible(nssToken);
+    nssToken_Remove(nssToken);
+    if (nssToken->base.name[0] == 0) {
+        doUpdateCachedCerts = PR_TRUE;
+    }
+    if (PK11_InitToken(slot->pk11slot, PR_FALSE) != SECSuccess) {
+        isPresent = PR_FALSE;
+        goto done;
+    }
+    if (doUpdateCachedCerts) {
+        nssTrustDomain_UpdateCachedTokenCerts(nssToken->trustDomain,
+                                              nssToken);
+    }
+    nssrv = nssToken_Refresh(nssToken);
     if (nssrv != PR_SUCCESS) {
-        slot->token->base.name[0] = 0; /* XXX */
+        nssToken->base.name[0] = 0; /* XXX */
         slot->ckFlags &= ~CKF_TOKEN_PRESENT;
         isPresent = PR_FALSE;
+        goto done;
     }
+    isPresent = PR_TRUE;
 done:
+    if (nssToken) {
+        (void)nssToken_Destroy(nssToken);
+    }
     /* Once we've set up the condition variable,
      * Before returning, it's necessary to:
      *  1) Set the lastTokenPingTime so that any other threads waiting on this
@@ -283,12 +295,7 @@ nssSlot_GetToken(
     NSSToken *rvToken = NULL;
 
     if (nssSlot_IsTokenPresent(slot)) {
-        /* Even if a token should be present, check `slot->token` too as it
-         * might be gone already. This would happen mostly on shutdown. */
-        nssSlot_EnterMonitor(slot);
-        if (slot->token)
-            rvToken = nssToken_AddRef(slot->token);
-        nssSlot_ExitMonitor(slot);
+        rvToken = PK11Slot_GetNSSToken(slot->pk11slot);
     }
 
     return rvToken;
diff --git a/security/nss/lib/dev/devt.h b/security/nss/lib/dev/devt.h
index 06a57ad05b19b..19af26f08177e 100644
--- a/security/nss/lib/dev/devt.h
+++ b/security/nss/lib/dev/devt.h
@@ -81,7 +81,6 @@ typedef enum {
 struct NSSSlotStr {
     struct nssDeviceBaseStr base;
     NSSModule *module; /* Parent */
-    NSSToken *token;   /* Peer */
     CK_SLOT_ID slotID;
     CK_FLAGS ckFlags; /* from CK_SLOT_INFO.flags */
     struct nssSlotAuthInfoStr authInfo;
diff --git a/security/nss/lib/dev/devtoken.c b/security/nss/lib/dev/devtoken.c
index a7dbffc1a41f2..5e65dfdb1b555 100644
--- a/security/nss/lib/dev/devtoken.c
+++ b/security/nss/lib/dev/devtoken.c
@@ -32,13 +32,6 @@ nssToken_Destroy(
             PK11_FreeSlot(tok->pk11slot);
             PZ_DestroyLock(tok->base.lock);
             nssTokenObjectCache_Destroy(tok->cache);
-
-            /* We're going away, let the nssSlot know in case it's held
-             * alive by someone else. Usually we should hold the last ref. */
-            nssSlot_EnterMonitor(tok->slot);
-            tok->slot->token = NULL;
-            nssSlot_ExitMonitor(tok->slot);
-
             (void)nssSlot_Destroy(tok->slot);
             return nssArena_Destroy(tok->base.arena);
         }
diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h
index e15929fb951d9..374e8578faae2 100644
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -22,10 +22,10 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION "3.76" _NSS_CUSTOMIZED
+#define NSS_VERSION "3.76.1" _NSS_CUSTOMIZED
 #define NSS_VMAJOR 3
 #define NSS_VMINOR 76
-#define NSS_VPATCH 0
+#define NSS_VPATCH 1
 #define NSS_VBUILD 0
 #define NSS_BETA PR_FALSE
 
diff --git a/security/nss/lib/pk11wrap/dev3hack.c b/security/nss/lib/pk11wrap/dev3hack.c
index 4877f945053a0..2d41a34d85282 100644
--- a/security/nss/lib/pk11wrap/dev3hack.c
+++ b/security/nss/lib/pk11wrap/dev3hack.c
@@ -179,7 +179,6 @@ nssToken_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot)
     if (!rvToken->slot) {
         goto loser;
     }
-    rvToken->slot->token = rvToken;
     if (rvToken->defaultSession)
         rvToken->defaultSession->slot = rvToken->slot;
     return rvToken;
@@ -227,24 +226,6 @@ nssToken_Refresh(NSSToken *token)
     return token->defaultSession ? PR_SUCCESS : PR_FAILURE;
 }
 
-NSS_IMPLEMENT PRStatus
-nssSlot_Refresh(NSSSlot *slot)
-{
-    PK11SlotInfo *nss3slot = slot->pk11slot;
-    PRBool doit = PR_FALSE;
-    if (slot->token && slot->token->base.name[0] == 0) {
-        doit = PR_TRUE;
-    }
-    if (PK11_InitToken(nss3slot, PR_FALSE) != SECSuccess) {
-        return PR_FAILURE;
-    }
-    if (doit) {
-        nssTrustDomain_UpdateCachedTokenCerts(slot->token->trustDomain,
-                                              slot->token);
-    }
-    return nssToken_Refresh(slot->token);
-}
-
 NSS_IMPLEMENT PRStatus
 nssToken_GetTrustOrder(NSSToken *tok)
 {
diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h
index d0c907bd0a29e..bcc3948584c91 100644
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -17,10 +17,10 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION "3.76" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION "3.76.1" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR 3
 #define SOFTOKEN_VMINOR 76
-#define SOFTOKEN_VPATCH 0
+#define SOFTOKEN_VPATCH 1
 #define SOFTOKEN_VBUILD 0
 #define SOFTOKEN_BETA PR_FALSE
 
diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h
index 7cdb319881970..d73435270257b 100644
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -19,10 +19,10 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION "3.76"
+#define NSSUTIL_VERSION "3.76.1"
 #define NSSUTIL_VMAJOR 3
 #define NSSUTIL_VMINOR 76
-#define NSSUTIL_VPATCH 0
+#define NSSUTIL_VPATCH 1
 #define NSSUTIL_VBUILD 0
 #define NSSUTIL_BETA PR_FALSE
 

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.


More information about the tbb-commits mailing list