Closed Bug 231698 Opened 21 years ago Closed 21 years ago

crash after typing master password

Categories

(NSS :: Libraries, defect, P1)

Product:
NSS
Component:
Libraries
Platform:
x86
Linux
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: ajschult784, Assigned: rrelyea)

Details

(4 keywords)

Attachments

(3 files, 4 obsolete files)

stacktrace with more symbols
4.77 KB, text/plain
Details
Patch that actually compiles...
6.40 KB, patch
Details | Diff | Splinter Review
second patch for review
6.40 KB, patch
nelson
: review+
wtc
: superreview+
Details | Diff | Splinter Review
this crash occurs with Mozilla linux trunk build 2004012008 and also 1.6 release after upgrading from 1.5 to 1.6, I attempted to check my mail. Mozilla asked me for my master password, but after I typed that in, Mozilla crashed. If I go back to 1.5, Mozilla still works ok. I'll attach a stacktrace and some debugging info. I can collect more as needed.
Attached file stacktrace (obsolete) —
this is Mozilla1.6 source. the line numbers on pkcs11c.c are a bit off: 0xb5c20562 in pk11_InitGeneric (session=0x8bfe848, contextPtr=0x0, ctype=PK11_DECRYPT, keyPtr=0xbfffadb8, hKey=3087007744, keyTypePtr=0xbfffadbc, pubKeyType=0, operation=261) at pkcs11c.c:369 369 if (att->attrib.ulValueLen < size) { (gdb) p att $1 = (PK11Attribute *) 0x0 (gdb) p key $2 = (PK11Object *) 0x8b434b8 (gdb) p *key $3 = {next = 0x0, prev = 0x0, objclass = 4, handle = 3087007744, refCount = 1, refLock = 0x8b45d30, slot = 0x8b2a700, objectInfo = 0x8bd27b0, infoFree = 0xb5c0f5a7 <nsslowkey_DestroyPrivateKey>} from my brief look into the code and printing a few things out, it looks like key->handle=3087007744 is "bad".
this regressed on the Mozilla trunk between nightly builds 2003111707 and 2003111807. http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=11%2F17%2F2003+06%3A00%3A00&maxdate=11%2F18%2F2003+07%3A00%3A00&cvsroot=%2Fcvsroot I don't see anything there that seems related to this bug. Is it possible the NSS client branch tag changed in that window?
Assigned the bug to Bob. I landed NSS 3.9 Beta on the Mozilla trunk on 2003-11-17. The upgrade was from NSS 3.8.3. There were a lot of changes between NSS 3.8.3 and NSS 3.9 Beta. (Bonsai does not track the changes to NSS_CLIENT_TAG.) Could you confirm this by running the following command on libnss3.so in nightly builds 2003111707 and 2003111807? % ident libnss3.so | grep NSS The crash occurs here: /* get the key type */ att = pk11_FindAttribute(key,CKA_KEY_TYPE); PORT_Assert(att != NULL); size = sizeof(CK_KEY_TYPE); if (att->attrib.ulValueLen < size) { So the first thing we need to do is to replace the assertion by proper error handling.
Assignee: wchang0222 → rrelyea0264
Priority: -- → P1
Version: unspecified → 3.9
Comment on attachment 139554 [details] stacktrace Do you know why only stack frames #0, #1, and #2 (all in libsoftokn3.so) have debug info? #3-#6 are functions in another NSS shared library (libnss3.so), but they don't have debug info.
> There were a lot of changes between NSS 3.8.3 and NSS 3.9 Beta. Is there any way to query what was different between those branches at that time? > % ident libnss3.so | grep NSS I don't have an ident command, but "nm -D libnss3.so | grep NSS_3" gives me 3.2 to 3.8 with 2003111707 and 3.2 to 3.9 with 2003111807 > Do you know why only stack frames #0, #1, and #2 (all in libsoftokn3.so) have > debug info? I was starting from a build without symbol info and rebuilding the top of the stack with symbols. I'll attach another stack with more symbols.
Attached file stacktrace with more symbols (obsolete) —
Attachment #139554 - Attachment is obsolete: true
oops. *this* is the the stack wth more symbols.
Attachment #139713 - Attachment is obsolete: true
You can try cvs diff -kk -u -r NSS_3_8_BRANCH -r NSS_3_9_BETA1 mozilla/security/nss/lib
I cvs-pulled NSS HEAD by date within my Mozilla 1.6 release build (NSS HEAD in early november became the NSS_CLIENT branch for 1.6 after Nov 15, right?), and narrowed the regression down to this checkin: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=mozilla%2Fsecurity%2Fnss%2Flib&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=11%2F13%2F2003+9%3A00&maxdate=11%2F14%2F2003+12%3A00&cvsroot=%2Fcvsroot
> became the NSS_CLIENT branch for 1.6 after Nov 15 Nov 17, not 15
OK, I see a couple of issues here: 1) we went from 'could never return NULL' for the get of KEY_TYPE, to 'it's possible to return null on bad database data. That will fix the crash. You still won't be able to read mail, however, since your SDR key would still have some problems. I have no idea why linux would have different storage for the SDR key than Windows (since they have the same 'endianness'. Could you set a breakpoint at line 742 of pkcs11u.c (that would be insice the function pk11_FindSecretKeyAttribute(), the line is: if ((keyTypeLen != sizeof(keyType)) && (keyTypeLen != 1)) { and print out the following: keyTypeLen keyString[0] keyString[1] keyString[2] keyString[3] Thanks, bob
Is the problem endianness? Or is it perhaps alignment?
Target Milestone: --- → 3.9.1
> You still won't be able to read mail, however, since your SDR key would still > have some problems. Note that without the checkin mentioned in comment 9, Mozilla not only did not crash, but successfully decrypted my passwords -- I was able to check my mail. Breakpoint 1, pk11_FindSecretKeyAttribute (object=0x8, type=256) at pkcs11u.c:741 741 if ((keyTypeLen != sizeof(keyType)) && (keyTypeLen != 1)) { (gdb) p keyTypeLen $1 = 8 (gdb) p keyString[0] $2 = 21 '\025' (gdb) p keyString[1] $3 = 0 '\0' (gdb) p keyString[2] $4 = 0 '\0' (gdb) p keyString[3] $5 = 0 '\0'
OK, it looks like your SDR key was originally created on a 64 bit platform. Yes, there *was* an endian problem in the original pkcs11 module. This looks like a 64-bit issue. I should be able to come up with a fix from this information (thanks Andrew). bob
> OK, it looks like your SDR key was originally created on a 64 bit platform. Yes. I created the key on an Alpha. I guess that's why I'm the only one running into this problem...
Keywords: 64bit
This patch does the following: 1) fix our storage put the same bytes in the database independed of platform size (32 bit or 64 bit). 2) remove redundant endian specific code which only handled Generic_init case anyway. 3) fix generic_init code to handle the case if we can't get the keyType. 4) fix FindSecretKeyAttribute to correctly return the keyType 1) on 64 bit platforms, and 2) with data written by 64 bit plaforms.
Andrew, can you check this against your database? Nelson could you review? Thanks, bob
Attachment #139772 - Flags: review?(MisterSSL)
Comment on attachment 139772 [details] [diff] [review] Fix both Crash symptoms and underlying problem the patch works great except that these lines >+ // on 64 bit platforms, we still want to store 32 bits of keyType (This is >+ // safe since the PKCS #11 defines for all types are 32 bits or less). won't compile. :) need to use /* */ thanks!!!
Comment on attachment 139772 [details] [diff] [review] Fix both Crash symptoms and underlying problem >+ /* >+ * this key was written on a 64 bit platform with a using NSS 3.9 >+ * or earlier. Reduce the 64 bit possibilities above. We were are >+ * through, we will only have: >+ * >+ * Big Endian, pre-3.9, 32 & 64 bits: 1 (kt) >+ * Little Endian, pre-3.9 all lengths: 4 (kt) 0 0 0 >+ * All platforms 3.9 all lengths: 4 0 0 0 (kt) >+ * All platforms > 3.9.1 all lengths: 4 (a) k1 k2 k3 */ <========= need to also close this comment block
Review comments: This code depends on key->u.rsa.coefficient.data and att->attrib.pValue being properly aligned to be cast to (CK_KEY_TYPE *). I guess it happens to be true now, but it's not clear that it will necessarily always be true. The patch relies on this property, as does the unpatched code, so the patch is no worse in this respect. I'd like to see an assertion that att->attrib.ulValueLen == sizeof(CK_KEY_TYPE) just after the pk11_FindAttribute call in pkcs11c.c, just to catch us if we ever blow it. Having said that, I believe this code is correct, or will be once the problems with comments are fixed. In addition to the comment issues Andrew noted above, there are some others. I think it's quite important that the comments accurately describe the facts. So, here are some items. 1) There is a large block comment in the source, at line 737 in pkcs11u.c, just above the beginning of the patch, that says: * 0x1f and bytes[1]-bytes[3] equal to '0' (little endian). All other * values are assumed to be from the new database, which is always 4 * bytes in host order */ The new database is always in NETWORK byte order, not host. The code is right, but the comment is exactly backwards. 2) The new comments in the patch consistently use the expression "> 3.9.1" where you seem to mean "beginning in 3.9.1". The expression seems to say that releases AFTER 3.9.1 are this way, but 3.9.1 is not. Perhaps they should read " > 3.9.0 " or " >= 3.9.1 " or something else unambiguous. 3) You lined up the right side of the comments as a nice table. Why not make a table out of the left side too? IMO ! * length data ! * Big Endian, pre-3.9 all lengths: 1 (kt) ! * Little Endian, pre-3.9 32 bits: 4 (kt) 0 0 0 ! * Little Endian, pre-3.9 64 bits: 8 (kt) 0 0 0 0 0 0 0 ! * All platforms 3.9 32 bits: 4 0 0 0 (kt) ! * Big Endian 3.9 64 bits: 8 0 0 0 (kt) 0 0 0 0 ! * Little Endian 3.9 64 bits: 8 0 0 0 0 0 0 0 (kt) ! * All platforms >= 3.9.1 all lengths: 4 (a) k1 k2 k3 is easier to read and follow than ! * length data ! * Big Endian, pre-3.9, all lengths: 1 (kt) ! * Little Endian, pre-3.9 32 bits: 4 (kt) 0 0 0 ! * Little Endian, pre-3.9 64 bits: 8 (kt) 0 0 0 0 0 0 0 ! * All platforms 3.9 32 bits: 4 0 0 0 (kt) ! * Big Endian 3.9 64 bits: 8 0 0 0 (kt) 0 0 0 0 ! * Little Endian 3.9 64 bits: 8 0 0 0 0 0 0 0 (kt) ! * All platforms > 3.9.1 all lengths: 4 (a) k1 k2 k3 Please make another patch to address all these issues.
Comment on attachment 139772 [details] [diff] [review] Fix both Crash symptoms and underlying problem r-, see comments above.
Attachment #139772 - Flags: review?(MisterSSL) → review-
Thanks Nelson & Andrew. RE: alignment problem. This should be trivial to fix in the next patch. I'll just use a PORT_Memcpy into the target variable, rather than the dereferenced casted pointer. RE: assert. PKCS #11 defines an error code for this case, I believe (CKR_ATTRIBUTE_LENGTH_INVALID), which I will return after the assert. I'll also adjust the comment (an wrong comment is worse than no comment), and fix the c++ ism. I'll get a new patch out monday when I get back to work. bob
Flags: blocking1.7a?
Flags: blocking1.4.2?
Attached patch Incorporate review comments. (obsolete) — Splinter Review
Attachment #139772 - Attachment is obsolete: true
Attachment #139921 - Attachment is obsolete: true
Attachment #139922 - Flags: review?(MisterSSL)
Comment on attachment 139922 [details] [diff] [review] Patch that actually compiles... This patch is flawed... I'll get a new one...
Attachment #139922 - Flags: review?(MisterSSL)
Attachment #139923 - Flags: review?(MisterSSL)
Comment on attachment 139923 [details] [diff] [review] second patch for review Looks right to me.
Attachment #139923 - Attachment description: keyTypePtr is already a pointer... → second patch for review
Attachment #139923 - Flags: superreview?(wchang0222)
Attachment #139923 - Flags: review?(MisterSSL)
Attachment #139923 - Flags: review+
Tip checkin log. /cvsroot/mozilla/security/nss/lib/softoken/pkcs11.c,v <-- pkcs11.c new revision: 1.89; previous revision: 1.88 done Checking in pkcs11c.c; /cvsroot/mozilla/security/nss/lib/softoken/pkcs11c.c,v <-- pkcs11c.c new revision: 1.57; previous revision: 1.56 done Checking in pkcs11u.c; /cvsroot/mozilla/security/nss/lib/softoken/pkcs11u.c,v <-- pkcs11u.c new revision: 1.55; previous revision: 1.54 done
Comment on attachment 139923 [details] [diff] [review] second patch for review sr=wtc. There are some minor problems that I'm not sure if it is worth the time to fix them. 1. PORT_Memcpy vs. dereferenced casted pointer: dereferenced casted pointers are used in many other places (just search for "*(CK_KEY_TYPE" in an editor). So either they are safe or we need to change them all to PORT_Memcpy. This comment applies to the >+ PORT_Memcpy(keyTypePtr, att->attrib.pValue, sizeof(CK_KEY_TYPE)); in pkcs11c.c. In pkcs11u.c, we are using both dereferenced casted pointer and PORT_Memcpy on keyString within the same function: + keyTypeStorage = *(PRUint32 *) keyString + PORT_Memcpy(&keyTypeStorage, keyString, sizeof(keyTypeStorage)); 2. Spelling errors in pkcs11u.c: "lengths The Database" => "lengths the database" "We were are" => "When we are"? 3. In pkcs11c.c, >+ /* >+ * Now Handle: >+ * >+ * All platforms, 3.9, all lengths: 4 0 0 0 (kt) >+ * All platforms, => 3.9.1, all lengths: 4 (a) k1 k2 k3 >+ * >+ * NOTE: if kt == 0 or ak1k2k3 == 0, the test fails and >+ * we handle it as: >+ * >+ * Little Endian, pre-3.9, all lengths: 4 (kt) 0 0 0 >+ */ >+ if (keyTypeLen == sizeof(keyTypeStorage) && >+ (((keyString[0] & 0x80) == 0x80) || >+ !((keyString[1] == 0) && (keyString[2] == 0) >+ && (keyString[3] == 0))) ) { I think it is easier to understand if the last test is ((keyString[0] == 0) && (keyString[1] == 0) && (keyString[2] == 0)) which matches the comment.
Attachment #139923 - Flags: superreview?(wchang0222) → superreview+
Comment on attachment 139923 [details] [diff] [review] second patch for review Another comment: in pkcs11u.c, in the final else block: > } else { >+ /* >+ * Now Handle: >+ * >+ * Big Endian, pre-3.9, all lengths: 1 (kt) >+ * Little Endian, pre-3.9, all lengths: 4 (kt) 0 0 0 >+ * -- KeyType == 0 all other cases ---: 4 0 0 0 0 >+ */ >+ keyType = (CK_KEY_TYPE) keyString[0] ; >+ } Would be nice to move the original key length test here: - /* only length of 1 or 4 are valid */ - if ((keyTypeLen != 4) && (keyTypeLen != 1)) { - PORT_SetError(SEC_ERROR_eyTypeBAD_DATABASE); - return NULL;
"/tmp/cvsAAA6faywr" 13 lines, 441 characters Checking in lib/softoken/pkcs11.c; /cvsroot/mozilla/security/nss/lib/softoken/pkcs11.c,v <-- pkcs11.c new revision: 1.88.4.1; previous revision: 1.88 done Checking in lib/softoken/pkcs11c.c; /cvsroot/mozilla/security/nss/lib/softoken/pkcs11c.c,v <-- pkcs11c.c new revision: 1.56.14.1; previous revision: 1.56 done Checking in lib/softoken/pkcs11u.c; /cvsroot/mozilla/security/nss/lib/softoken/pkcs11u.c,v <-- pkcs11u.c new revision: 1.54.2.1; previous revision: 1.54 done Branch checkin log... This checking includes fixed spellings identified by wan-teh.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
I checked Bob's fix into the NSS_CLIENT_TAG (Mozilla 1.7a). Andrew, please verify this bug with tomorrow's (2004-01-28) Mozilla nightly build.
verified fixed in linux trunk 2004012808. Mozilla did not crash and successfully retrieved my encrypted passwords. thanks all!
Status: RESOLVED → VERIFIED
Flags: blocking1.7a?
Flags: blocking1.4.2?
Keywords: fixed1.4.2
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: