Bug 1651520 - slotLock race in NSC_GetTokenInfo r=kjacobs

Basically, NSC_GetTokenInfo doesn't lock slot->slotLock before accessing slot after obtaining it,
even though slotLock is defined as its lock. [0]

[0] https://searchfox.org/nss/rev/a412e70e55218aaf670f1f10322fa734d8a9fbde/lib/softoken/pkcs11i.h#320-321

Differential Revision: https://phabricator.services.mozilla.com/D82955

1 files changed, 4 insertions, 2 deletions

diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c
index 950e764d9..958ae27fd 100644
--- a/lib/softoken/pkcs11.c
+++ b/lib/softoken/pkcs11.c
@@ -3661,10 +3661,12 @@ NSC_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
     PORT_Memcpy(pInfo->model, "NSS 3           ", 16);
     PORT_Memcpy(pInfo->serialNumber, "0000000000000000", 16);
     PORT_Memcpy(pInfo->utcTime, "0000000000000000", 16);
-    pInfo->ulMaxSessionCount = 0; /* arbitrarily large */
-    pInfo->ulSessionCount = slot->sessionCount;
+    pInfo->ulMaxSessionCount = 0;   /* arbitrarily large */
     pInfo->ulMaxRwSessionCount = 0; /* arbitarily large */
+    PZ_Lock(slot->slotLock);        /* Protect sessionCount / rwSessioncount */
+    pInfo->ulSessionCount = slot->sessionCount;
     pInfo->ulRwSessionCount = slot->rwSessionCount;
+    PZ_Unlock(slot->slotLock); /* Unlock before sftk_getKeyDB */
     pInfo->firmwareVersion.major = 0;
     pInfo->firmwareVersion.minor = 0;
     PORT_Memcpy(pInfo->label, slot->tokDescription, sizeof(pInfo->label));