Closed
Bug 210660
Opened 21 years ago
Closed 21 years ago
New PK11Context's adoption of the PK11SymKey's session is not thread-safe
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
3.9
People
(Reporter: wtc, Assigned: wtc)
Details
(Whiteboard: [3.8.2][3.7.8])
Attachments
(1 file)
3.27 KB,
patch
|
jamie-bugzilla
:
review+
nelson
:
superreview+
|
Details | Diff | Splinter Review |
This bug was introduced in NSS 3.6 by the fix for bug 145322. In pk11skey.c, when we create a new PK11Context in pk11_CreateNewContextInSlot, we have: context->key = symKey ? PK11_ReferenceSymKey(symKey) : NULL; context->slot = PK11_ReferenceSlot(slot); if (symKey && symKey->sessionOwner) { /* The symkey owns a session. Adopt that session. */ context->session = symKey->session; context->ownSession = symKey->sessionOwner; symKey->sessionOwner = PR_FALSE; } else { context->session = pk11_GetNewSession(slot, &context->ownSession); } The testing and setting of symKey->sessionOwner is not thread-safe. If two threads execute this code at the same time, both of them may adopt that session, which is incorrect. Similarly, in PK11_DestroyContext, we have: if (context->ownSession && context->key && /* context owns session & key */ context->key->session == context->session && /* sharing session */ !context->key->sessionOwner) /* sanity check */ { /* session still valid, let the key free it as necessary */ rv = PK11_Finalize(context); /* end any ongoing activity */ if (rv == SECSuccess) { context->key->sessionOwner = PR_TRUE; } /* else couldn't finalize the session, close it */ } The testing and setting of context->key->sessionOwner is not thread-safe.
Assignee | ||
Comment 1•21 years ago
|
||
The easiest way to make PK11SymKey thread-safe is to back out Ian's change (in bug 145322) that caused a new context to adopt a sym key's session. With this patch applied, a sym key's sessionOwner field will never change throughout its lifetime, except when PK11_SetWrapKey is called. I added comments to warn that PK11_SetWrapKey is not thread-safe and verified that we are only calling PK11_SetWrapKey when only one thread has a reference to the sym key. Unfortunately this patch will undo some of Ian's saving of sessions, but the code must be correct. I haven't been able to come up with a better patch that preserves Ian's saving of sessions. One idea I have requires adding a new function: a function that creates a sym key for single-threaded use. Then a new context can adopt the session of a single-threaded session safely.
Assignee | ||
Comment 2•21 years ago
|
||
Comment on attachment 126489 [details] [diff] [review] Proposed patch: back out Ian's change Code reviewers please verify the following points: 1. Use LXR to verify that all the direct access to the sessionOwner field of PK11SymKey is in pk11skey.c. Then you only need to look at pk11skey.c. 2. With the patch applied, we are only setting sessionOwner in two functions: - pk11_getKeyFromList - PK11_SetWrapKey In the other functions we are only reading sessionOwner. 3. Both of those functions are only called when only one thread has a reference to the sym key. (Use LXR to verify this.) With the above, we can conclude that sessionOwner doesn't change throughout the lifetime of a sym key (with the exception of PK11_SetWrapKey).
Attachment #126489 -
Flags: superreview?(nelsonb)
Attachment #126489 -
Flags: review?(nicolson)
Comment 3•21 years ago
|
||
Comment on attachment 126489 [details] [diff] [review] Proposed patch: back out Ian's change Looks good to me.
Attachment #126489 -
Flags: review?(nicolson) → review+
Comment 4•21 years ago
|
||
Comment on attachment 126489 [details] [diff] [review] Proposed patch: back out Ian's change The assertions in comment 2 above seem correct.
Attachment #126489 -
Flags: superreview?(nelsonb) → superreview+
Comment 5•21 years ago
|
||
I think the reason this worked with SSL is that the SSL code itself provides a synchronization of context destruction and closure of the symkey's session. I probably made this mistake by only considering the implications on SSL. This will take a hit on performance, as it was the most interesting part of the session reuse changes. I'll try to think of something else, and open an RFE if I do.
Assignee | ||
Comment 6•21 years ago
|
||
Patch checked into the NSS tip (3.9), NSS_3_8_BRANCH (3.8.2), and NSS_3_7_BRANCH (3.7.8).
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Whiteboard: [3.8.2][3.7.8]
Target Milestone: --- → 3.9
You need to log in
before you can comment on or make changes to this bug.
Description
•