author | J.C. Jones <jjones@mozilla.com> | 2020-07-09 18:03:00 +0000 |
---|---|---|
committer | J.C. Jones <jjones@mozilla.com> | 2020-07-09 18:03:00 +0000 |
commit | 75ac3e8bed07fa0b9eb9c4a651a776577f00b6b6 (patch) | |
tree | ff2dda30fb7b2af47632ffeea13c90e83281102b | |
parent | 181d8146204ee0f972d792e11a88762d777094b3 (diff) | |

Bug 1651520 - slotLock race in NSC_GetTokenInfo r=kjacobs

Basically, NSC_GetTokenInfo doesn't lock slot->slotLock before accessing slot after obtaining it,
even though slotLock is defined as its lock. [0]

[0] https://searchfox.org/nss/rev/a412e70e55218aaf670f1f10322fa734d8a9fbde/lib/softoken/pkcs11i.h#320-321

Differential Revision: https://phabricator.services.mozilla.com/D82955

-rw-r--r-- | lib/softoken/pkcs11.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c index 950e764d9..958ae27fd 100644 --- a/lib/softoken/pkcs11.c +++ b/lib/softoken/pkcs11.c @@ -3661,10 +3661,12 @@ NSC_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) PORT_Memcpy(pInfo->model, "NSS 3 ", 16); PORT_Memcpy(pInfo->serialNumber, "0000000000000000", 16); PORT_Memcpy(pInfo->utcTime, "0000000000000000", 16); - pInfo->ulMaxSessionCount = 0; /* arbitrarily large */ - pInfo->ulSessionCount = slot->sessionCount; + pInfo->ulMaxSessionCount = 0; /* arbitrarily large */ pInfo->ulMaxRwSessionCount = 0; /* arbitarily large */ + PZ_Lock(slot->slotLock); /* Protect sessionCount / rwSessioncount */ + pInfo->ulSessionCount = slot->sessionCount; pInfo->ulRwSessionCount = slot->rwSessionCount; + PZ_Unlock(slot->slotLock); /* Unlock before sftk_getKeyDB */ pInfo->firmwareVersion.major = 0; pInfo->firmwareVersion.minor = 0; PORT_Memcpy(pInfo->label, slot->tokDescription, sizeof(pInfo->label)); |
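
Review bot: The PORT_Memcpy of slot->tokDescription into pInfo->label, immediately after the new PZ_Unlock(slot->slotLock), still reads a slot field outside the critical section. If tokDescription can change after the slot is initialized, that copy should move inside the locked region; if it is immutable, a short comment saying so would explain why only sessionCount and rwSessionCount are covered. The unlock comment "Unlock before sftk_getKeyDB" names a call that is not visible in this hunk and does not say why the lock has to be dropped first (for example, whether that function takes slotLock itself); spelling out the reason would keep a later edit from widening the locked region. Minor: the lock comment writes "rwSessioncount" while the field is rwSessionCount.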