From 57bef0265cc074d339f0e97ec20d75f5132eb9e7 Mon Sep 17 00:00:00 2001
From: John Schanck
Date: Sun, 24 May 2026 15:07:24 +0200
Subject: [PATCH] Bug 2029771 - Heap use-after-free in [@ token_destructor] reading tok->pk11slot after nssToken_Destroy frees the token arena.

---
 security/nss/lib/pki/trustdomain.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/security/nss/lib/pki/trustdomain.c b/security/nss/lib/pki/trustdomain.c
index 151b888750..51bcc48f3b 100644
--- a/security/nss/lib/pki/trustdomain.c
+++ b/security/nss/lib/pki/trustdomain.c
@@ -61,11 +61,15 @@ static void
 token_destructor(void *t)
 {
     NSSToken *tok = (NSSToken *)t;
-    /* The token holds the first/last reference to the slot.
-     * When the token is actually destroyed (ref count == 0),
-     * the slot will also be destroyed.
-     */
-    nssToken_Destroy(tok);
+
+    /* Signal that the slot should not give out any more references to the
+     * token. Do this first, while |tok| (and its reference to the slot) is
+     * still alive: the list may hold the last reference, in which case
+     * nssToken_Destroy() below frees the arena that contains |tok|. */
+    PK11Slot_SetNSSToken(tok->pk11slot, NULL);
+
+    /* Remove the token list's reference to the token */
+    (void)nssToken_Destroy(tok);
 }
 
 NSS_IMPLEMENT PRStatus
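Review bot: The safe ordering is now documented only on the first call; the constraint that matters for the use-after-free, that nothing may touch `tok` or `tok->pk11slot` once `(void)nssToken_Destroy(tok);` has run, is not stated where a later edit would most likely violate it, and the removed comment's ownership note (the token holds the last reference to the slot, so the slot goes away with the token) was dropped rather than moved. I would extend the second comment to `/* Remove the token list's reference to the token. This may free the arena that holds |tok|, and the token's reference to the slot goes with it: do not touch |tok| or |tok->pk11slot| after this call. */`. Whether `tok->pk11slot` can be NULL here, and whether `PK11Slot_SetNSSToken()` tolerates a NULL slot, is not visible in the hunk; if a token can exist without a slot pointer, the new call needs a guard. The function's return-type line (`static void`) sits just before the hunk.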