[tbb-commits] [tor-browser] 280/311: Bug 1761497 - land NSS NSS_3_76_1_RTM UPGRADE_NSS_RELEASE, r=djackson a=dmeehan
gitolite role
git at cupani.torproject.org
Tue Apr 26 15:31:20 UTC 2022
This is an automated email from the git hooks/post-receive script.
pierov pushed a commit to branch geckoview-99.0.1-11.0-1
in repository tor-browser.
commit b6f3a4ba95c52b0d969db13ce7742eb917093a01
Author: John Schanck <jschanck at mozilla.com>
AuthorDate: Mon Mar 28 16:55:14 2022 +0000
Bug 1761497 - land NSS NSS_3_76_1_RTM UPGRADE_NSS_RELEASE, r=djackson a=dmeehan
2022-03-25 John M. Schanck <jschanck at mozilla.com>
* doc/rst/releases/nss_3_76_1.rst:
Release notes for NSS 3.76.1
[0e6c67470eed] [NSS_3_76_1_RTM] <NSS_3_76_1_BRANCH>
2022-03-23 John M. Schanck <jschanck at mozilla.com>
* lib/dev/dev.h, lib/dev/devslot.c, lib/dev/devt.h,
lib/dev/devtoken.c, lib/pk11wrap/dev3hack.c:
Bug 1756271 - Remove token member from NSSSlot struct. r=rrelyea
[41966ff1253b] <NSS_3_76_1_BRANCH>
2022-03-25 John M. Schanck <jschanck at mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.76.1 final
[48ff4cd9bada] <NSS_3_76_1_BRANCH>
2022-03-03 Dennis Jackson <djackson at mozilla.com>
* .hgtags:
Added tag NSS_3_76_RTM for changeset b5b9832a3898
[c0f05af06d3c] <NSS_3_76_BRANCH>
Differential Revision: https://phabricator.services.mozilla.com/D142226
---
security/nss/TAG-INFO | 2 +-
security/nss/coreconf/coreconf.dep | 1 +
security/nss/doc/rst/releases/nss_3_76_1.rst | 68 ++++++++++++++++++++++++++
security/nss/lib/dev/dev.h | 5 --
security/nss/lib/dev/devslot.c | 73 +++++++++++++++-------------
security/nss/lib/dev/devt.h | 1 -
security/nss/lib/dev/devtoken.c | 7 ---
security/nss/lib/nss/nss.h | 4 +-
security/nss/lib/pk11wrap/dev3hack.c | 19 --------
security/nss/lib/softoken/softkver.h | 4 +-
security/nss/lib/util/nssutil.h | 4 +-
11 files changed, 116 insertions(+), 72 deletions(-)
diff --git a/security/nss/TAG-INFO b/security/nss/TAG-INFO
index 90ac9f28043f1..2e161b0a8c6cb 100644
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1 +1 @@
-NSS_3_76_RTM
\ No newline at end of file
+NSS_3_76_1_RTM
\ No newline at end of file
diff --git a/security/nss/coreconf/coreconf.dep b/security/nss/coreconf/coreconf.dep
index 5182f75552c81..590d1bfaeee3f 100644
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -10,3 +10,4 @@
*/
#error "Do not include this header file."
+
diff --git a/security/nss/doc/rst/releases/nss_3_76_1.rst b/security/nss/doc/rst/releases/nss_3_76_1.rst
new file mode 100644
index 0000000000000..2aee3ef12e9d8
--- /dev/null
+++ b/security/nss/doc/rst/releases/nss_3_76_1.rst
@@ -0,0 +1,68 @@
+.. _mozilla_projects_nss_nss_3_76_1_release_notes:
+
+NSS 3.76.1 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.76.1 was released on **28 March 2022**.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_76_1_RTM. NSS 3.76.1 requires NSPR 4.32 or newer.
+
+ NSS 3.76.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_76_1_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_releases`.
+
+.. _changes_in_nss_3.76.1:
+
+`Changes in NSS 3.76.1 <#changes_in_nss_3.76.1>`__
+----------------------------------------------------
+
+.. container::
+
+ - Bug 1756271 - Remove token member from NSSSlot struct.
+
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.76.1 shared libraries are backwards-compatible with all older NSS 3.x shared
+ libraries. A program linked with older NSS 3.x shared libraries will work with
+ this new version of the shared libraries without recompiling or
+ relinking. Furthermore, applications that restrict their use of NSS APIs to the
+ functions listed in NSS Public Functions will remain compatible with future
+ versions of the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report on
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).
+
+`Notes <#notes>`__
+------------------
+
+.. container::
+
+ This release improves the stability of NSS when used in a multi-threaded
+ environment. In particular, it fixes memory safety violations that can occur
+ when PKCS#11 tokens are removed while in use (CVE-2022-1097). We presume
+ that with enough effort these memory safety violations are exploitable.
+
diff --git a/security/nss/lib/dev/dev.h b/security/nss/lib/dev/dev.h
index 26ac8957e9102..6430511442796 100644
--- a/security/nss/lib/dev/dev.h
+++ b/security/nss/lib/dev/dev.h
@@ -146,7 +146,6 @@ nssModule_GetCertOrder(
* nssSlot_Destroy
* nssSlot_AddRef
* nssSlot_GetName
- * nssSlot_GetTokenName
* nssSlot_IsTokenPresent
* nssSlot_IsPermanent
* nssSlot_IsFriendly
@@ -176,10 +175,6 @@ NSS_EXTERN NSSUTF8 *
nssSlot_GetName(
NSSSlot *slot);
-NSS_EXTERN NSSUTF8 *
-nssSlot_GetTokenName(
- NSSSlot *slot);
-
NSS_EXTERN NSSModule *
nssSlot_GetModule(
NSSSlot *slot);
diff --git a/security/nss/lib/dev/devslot.c b/security/nss/lib/dev/devslot.c
index 5021408bf06f2..ccd90ac9729d6 100644
--- a/security/nss/lib/dev/devslot.c
+++ b/security/nss/lib/dev/devslot.c
@@ -12,7 +12,9 @@
#include "ckhelper.h"
#endif /* CKHELPER_H */
-#include "pk11pub.h"
+#include "pkim.h"
+#include "dev3hack.h"
+#include "pk11func.h"
/* measured in seconds */
#define NSSSLOT_TOKEN_DELAY_TIME 1
@@ -79,13 +81,6 @@ nssSlot_GetName(
return slot->base.name;
}
-NSS_IMPLEMENT NSSUTF8 *
-nssSlot_GetTokenName(
- NSSSlot *slot)
-{
- return nssToken_GetName(slot->token);
-}
-
NSS_IMPLEMENT void
nssSlot_ResetDelay(
NSSSlot *slot)
@@ -123,11 +118,13 @@ nssSlot_IsTokenPresent(
{
CK_RV ckrv;
PRStatus nssrv;
+ NSSToken *nssToken = NULL;
/* XXX */
nssSession *session;
CK_SLOT_INFO slotInfo;
void *epv;
PRBool isPresent = PR_FALSE;
+ PRBool doUpdateCachedCerts = PR_FALSE;
/* permanent slots are always present unless they're disabled */
if (nssSlot_IsPermanent(slot)) {
@@ -169,23 +166,24 @@ nssSlot_IsTokenPresent(
PZ_Unlock(slot->isPresentLock);
+ nssToken = PK11Slot_GetNSSToken(slot->pk11slot);
+ if (!nssToken) {
+ isPresent = PR_FALSE;
+ goto done;
+ }
+
nssSlot_EnterMonitor(slot);
ckrv = CKAPI(epv)->C_GetSlotInfo(slot->slotID, &slotInfo);
nssSlot_ExitMonitor(slot);
if (ckrv != CKR_OK) {
- slot->token->base.name[0] = 0; /* XXX */
+ nssToken->base.name[0] = 0; /* XXX */
isPresent = PR_FALSE;
goto done;
}
slot->ckFlags = slotInfo.flags;
/* check for the presence of the token */
if ((slot->ckFlags & CKF_TOKEN_PRESENT) == 0) {
- if (!slot->token) {
- /* token was never present */
- isPresent = PR_FALSE;
- goto done;
- }
- session = nssToken_GetDefaultSession(slot->token);
+ session = nssToken_GetDefaultSession(nssToken);
if (session) {
nssSession_EnterMonitor(session);
/* token is not present */
@@ -197,21 +195,21 @@ nssSlot_IsTokenPresent(
}
nssSession_ExitMonitor(session);
}
- if (slot->token->base.name[0] != 0) {
+ if (nssToken->base.name[0] != 0) {
/* notify the high-level cache that the token is removed */
- slot->token->base.name[0] = 0; /* XXX */
- nssToken_NotifyCertsNotVisible(slot->token);
+ nssToken->base.name[0] = 0; /* XXX */
+ nssToken_NotifyCertsNotVisible(nssToken);
}
- slot->token->base.name[0] = 0; /* XXX */
+ nssToken->base.name[0] = 0; /* XXX */
/* clear the token cache */
- nssToken_Remove(slot->token);
+ nssToken_Remove(nssToken);
isPresent = PR_FALSE;
goto done;
}
/* token is present, use the session info to determine if the card
* has been removed and reinserted.
*/
- session = nssToken_GetDefaultSession(slot->token);
+ session = nssToken_GetDefaultSession(nssToken);
if (session) {
PRBool tokenRemoved;
nssSession_EnterMonitor(session);
@@ -237,17 +235,31 @@ nssSlot_IsTokenPresent(
* a token it doesn't recognize. invalidate all the old
* information we had on this token, if we can't refresh, clear
* the present flag */
- nssToken_NotifyCertsNotVisible(slot->token);
- nssToken_Remove(slot->token);
- /* token has been removed, need to refresh with new session */
- nssrv = nssSlot_Refresh(slot);
- isPresent = PR_TRUE;
+ nssToken_NotifyCertsNotVisible(nssToken);
+ nssToken_Remove(nssToken);
+ if (nssToken->base.name[0] == 0) {
+ doUpdateCachedCerts = PR_TRUE;
+ }
+ if (PK11_InitToken(slot->pk11slot, PR_FALSE) != SECSuccess) {
+ isPresent = PR_FALSE;
+ goto done;
+ }
+ if (doUpdateCachedCerts) {
+ nssTrustDomain_UpdateCachedTokenCerts(nssToken->trustDomain,
+ nssToken);
+ }
+ nssrv = nssToken_Refresh(nssToken);
if (nssrv != PR_SUCCESS) {
- slot->token->base.name[0] = 0; /* XXX */
+ nssToken->base.name[0] = 0; /* XXX */
slot->ckFlags &= ~CKF_TOKEN_PRESENT;
isPresent = PR_FALSE;
+ goto done;
}
+ isPresent = PR_TRUE;
done:
+ if (nssToken) {
+ (void)nssToken_Destroy(nssToken);
+ }
/* Once we've set up the condition variable,
* Before returning, it's necessary to:
* 1) Set the lastTokenPingTime so that any other threads waiting on this
@@ -283,12 +295,7 @@ nssSlot_GetToken(
NSSToken *rvToken = NULL;
if (nssSlot_IsTokenPresent(slot)) {
- /* Even if a token should be present, check `slot->token` too as it
- * might be gone already. This would happen mostly on shutdown. */
- nssSlot_EnterMonitor(slot);
- if (slot->token)
- rvToken = nssToken_AddRef(slot->token);
- nssSlot_ExitMonitor(slot);
+ rvToken = PK11Slot_GetNSSToken(slot->pk11slot);
}
return rvToken;
diff --git a/security/nss/lib/dev/devt.h b/security/nss/lib/dev/devt.h
index 06a57ad05b19b..19af26f08177e 100644
--- a/security/nss/lib/dev/devt.h
+++ b/security/nss/lib/dev/devt.h
@@ -81,7 +81,6 @@ typedef enum {
struct NSSSlotStr {
struct nssDeviceBaseStr base;
NSSModule *module; /* Parent */
- NSSToken *token; /* Peer */
CK_SLOT_ID slotID;
CK_FLAGS ckFlags; /* from CK_SLOT_INFO.flags */
struct nssSlotAuthInfoStr authInfo;
diff --git a/security/nss/lib/dev/devtoken.c b/security/nss/lib/dev/devtoken.c
index a7dbffc1a41f2..5e65dfdb1b555 100644
--- a/security/nss/lib/dev/devtoken.c
+++ b/security/nss/lib/dev/devtoken.c
@@ -32,13 +32,6 @@ nssToken_Destroy(
PK11_FreeSlot(tok->pk11slot);
PZ_DestroyLock(tok->base.lock);
nssTokenObjectCache_Destroy(tok->cache);
-
- /* We're going away, let the nssSlot know in case it's held
- * alive by someone else. Usually we should hold the last ref. */
- nssSlot_EnterMonitor(tok->slot);
- tok->slot->token = NULL;
- nssSlot_ExitMonitor(tok->slot);
-
(void)nssSlot_Destroy(tok->slot);
return nssArena_Destroy(tok->base.arena);
}
diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h
index e15929fb951d9..374e8578faae2 100644
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -22,10 +22,10 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
-#define NSS_VERSION "3.76" _NSS_CUSTOMIZED
+#define NSS_VERSION "3.76.1" _NSS_CUSTOMIZED
#define NSS_VMAJOR 3
#define NSS_VMINOR 76
-#define NSS_VPATCH 0
+#define NSS_VPATCH 1
#define NSS_VBUILD 0
#define NSS_BETA PR_FALSE
diff --git a/security/nss/lib/pk11wrap/dev3hack.c b/security/nss/lib/pk11wrap/dev3hack.c
index 4877f945053a0..2d41a34d85282 100644
--- a/security/nss/lib/pk11wrap/dev3hack.c
+++ b/security/nss/lib/pk11wrap/dev3hack.c
@@ -179,7 +179,6 @@ nssToken_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot)
if (!rvToken->slot) {
goto loser;
}
- rvToken->slot->token = rvToken;
if (rvToken->defaultSession)
rvToken->defaultSession->slot = rvToken->slot;
return rvToken;
@@ -227,24 +226,6 @@ nssToken_Refresh(NSSToken *token)
return token->defaultSession ? PR_SUCCESS : PR_FAILURE;
}
-NSS_IMPLEMENT PRStatus
-nssSlot_Refresh(NSSSlot *slot)
-{
- PK11SlotInfo *nss3slot = slot->pk11slot;
- PRBool doit = PR_FALSE;
- if (slot->token && slot->token->base.name[0] == 0) {
- doit = PR_TRUE;
- }
- if (PK11_InitToken(nss3slot, PR_FALSE) != SECSuccess) {
- return PR_FAILURE;
- }
- if (doit) {
- nssTrustDomain_UpdateCachedTokenCerts(slot->token->trustDomain,
- slot->token);
- }
- return nssToken_Refresh(slot->token);
-}
-
NSS_IMPLEMENT PRStatus
nssToken_GetTrustOrder(NSSToken *tok)
{
diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h
index d0c907bd0a29e..bcc3948584c91 100644
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -17,10 +17,10 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
-#define SOFTOKEN_VERSION "3.76" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION "3.76.1" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 76
-#define SOFTOKEN_VPATCH 0
+#define SOFTOKEN_VPATCH 1
#define SOFTOKEN_VBUILD 0
#define SOFTOKEN_BETA PR_FALSE
diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h
index 7cdb319881970..d73435270257b 100644
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -19,10 +19,10 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
-#define NSSUTIL_VERSION "3.76"
+#define NSSUTIL_VERSION "3.76.1"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 76
-#define NSSUTIL_VPATCH 0
+#define NSSUTIL_VPATCH 1
#define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_FALSE
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
More information about the tbb-commits
mailing list