Closed Bug 1328217 Opened 7 years ago Closed 7 years ago

Allow calling SSL3_SendAlert() when already holding HS -> Xmit locks

Categories: NSS :: Libraries, defect


Tracking: Not tracked

Status: RESOLVED FIXED

People: Reporter: ttaubert, Assigned: ttaubert

References: Blocks 1 open bug

Details

We currently assert:

Assertion failure: !ssl_HaveXmitBufLock(ss), at ../../lib/ssl/ssl3con.c:3121
==8711== ERROR: libFuzzer: deadly signal
    #0 0x4d7de0 in __sanitizer_print_stack_trace /home/development/llvm/3.9.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_stack.cc:38:3
    #1 0x644314 in fuzzer::Fuzzer::CrashCallback() /home/worker/nss/out/Debug/../../fuzz/libFuzzer/FuzzerLoop.cpp:251:5
    #2 0x6442d3 in fuzzer::Fuzzer::StaticCrashSignalCallback() /home/worker/nss/out/Debug/../../fuzz/libFuzzer/FuzzerLoop.cpp:240:6
    #3 0x65b4b8 in fuzzer::CrashHandler(int, siginfo_t*, void*) /home/worker/nss/out/Debug/../../fuzz/libFuzzer/FuzzerUtil.cpp:81:3
    #4 0x7ff44b1e23df  (/lib/x86_64-linux-gnu/libpthread.so.0+0x113df)
    #5 0x7ff44ac39427 in gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x35427)
    #6 0x7ff44ac3b029 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x37029)
    #7 0x7ff44a0f3239 in PR_Assert /home/worker/nspr/Debug/pr/src/io/../../../../pr/src/io/prlog.c:553:5
    #8 0x5930c5 in SSL3_SendAlert /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:3121:5
    #9 0x5f890f in ssl3_SendECDHClientKeyExchange /home/worker/nss/out/Debug/../../lib/ssl/ssl3ecc.c:242:15
    #10 0x5f14ff in ssl3_SendClientKeyExchange /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:6308:18
    #11 0x5f0526 in ssl3_SendClientSecondRound /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:7734:10
    #12 0x5eafcb in ssl3_HandleServerHelloDone /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:7658:10
    #13 0x5cbf50 in ssl3_HandlePostHelloHandshakeMessage /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:11882:18
    #14 0x5c6620 in ssl3_HandleHandshakeMessage /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:11790:22
    #15 0x5d1983 in ssl3_HandleHandshake /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:11978:18
    #16 0x5cd51e in ssl3_HandleRecord /home/worker/nss/out/Debug/../../lib/ssl/ssl3con.c:12747:22
    #17 0x616caa in ssl3_GatherCompleteHandshake /home/worker/nss/out/Debug/../../lib/ssl/ssl3gthr.c:407:18
    #18 0x620f18 in ssl_GatherRecord1stHandshake /home/worker/nss/out/Debug/../../lib/ssl/sslcon.c:78:10
    #19 0x52a0b7 in ssl_Do1stHandshake /home/worker/nss/out/Debug/../../lib/ssl/sslsecur.c:65:14
    #20 0x52e682 in SSL_ForceHandshake /home/worker/nss/out/Debug/../../lib/ssl/sslsecur.c:414:14
    #21 0x4fd85b in client_fuzzing_target /home/worker/nss/out/Debug/../../fuzz/client_target.cc:347:7
    #22 0x6452ab in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/worker/nss/out/Debug/../../fuzz/libFuzzer/FuzzerLoop.cpp:515:13
    #23 0x645457 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/worker/nss/out/Debug/../../fuzz/libFuzzer/FuzzerLoop.cpp:469:3
    #24 0x644f00 in fuzzer::Fuzzer::RunOne(std::vector<unsigned char, std::allocator<unsigned char> > const&) /home/worker/nss/out/Debug/../../fuzz/libFuzzer/FuzzerInternal.h:113:41
    #25 0x645b78 in fuzzer::Fuzzer::FindExtraUnits(std::vector<std::vector<unsigned char, std::allocator<unsigned char> >, std::allocator<std::vector<unsigned char, std::allocator<unsigned char> > > > const&, std::vector<std::vector<unsigned char, std::allocator<unsigned char> >, std::allocator<std::vector<unsigned char, std::allocator<unsigned char> > > > const&) /home/worker/nss/out/Debug/../../fuzz/libFuzzer/FuzzerLoop.cpp:591:11
    #26 0x646031 in fuzzer::Fuzzer::Merge(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /home/worker/nss/out/Debug/../../fuzz/libFuzzer/FuzzerLoop.cpp:630:14
    #27 0x63a17b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/worker/nss/out/Debug/../../fuzz/libFuzzer/FuzzerDriver.cpp:498:8
    #28 0x51be68 in main /home/worker/nss/out/Debug/../../fuzz/nssfuzz.cc:147:10
    #29 0x7ff44ac2482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #30 0x42f398 in _start (/home/worker/dist/Debug/bin/nssfuzz+0x42f398)
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.29
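Added illustration for this bug page (not NSS code, and not the actual patch): a single-threaded C model of the HS -> Xmit lock discipline behind the trace above. `send_alert_strict` mirrors the pre-fix shape of SSL3_SendAlert, whose `!ssl_HaveXmitBufLock(ss)` assertion fires when the alert path is entered from a caller that already holds both locks, as ssl3_SendECDHClientKeyExchange does in frame #9; `send_alert_reentrant` shows the shape the title asks for, taking only the locks the caller does not already hold while keeping the HS-before-Xmit order. All type and function names, and the alert code, are hypothetical.

```c
#include <stdbool.h>

/* Hypothetical single-threaded model of an NSS-style lock (not NSS code): an
 * ownership flag is all ssl_HaveXmitBufLock()/ssl_HaveSSL3HandshakeLock() need.
 * A real non-recursive lock taken twice by one thread blocks forever, which is
 * why SSL3_SendAlert checks the caller's lock state up front. */
typedef struct { bool held; } Lock;
typedef struct { Lock hs; Lock xmit; int alertsSent; } Sock; /* stand-in for sslSocket */

static bool lock_get(Lock *l) { if (l->held) return false; l->held = true; return true; }
static void lock_release(Lock *l) { l->held = false; }
static bool lock_have(const Lock *l) { return l->held; }

/* Pre-fix shape of SSL3_SendAlert: takes HS if the caller lacks it, but insists the
 * caller does not hold Xmit. Returns -1 where the real code asserts. */
int send_alert_strict(Sock *ss, int desc) {
    bool needHs = !lock_have(&ss->hs);
    if (lock_have(&ss->xmit)) return -1;          /* PORT_Assert(!ssl_HaveXmitBufLock(ss)) */
    if (needHs && !lock_get(&ss->hs)) return -1;
    if (!lock_get(&ss->xmit)) return -1;
    ss->alertsSent++; (void)desc;                 /* alert record would be written here */
    lock_release(&ss->xmit);
    if (needHs) lock_release(&ss->hs);
    return 0;
}

/* Post-fix shape: take only the locks the caller does not already hold. Lock order
 * is HS -> Xmit, so needing HS while already holding Xmit is still refused. */
int send_alert_reentrant(Sock *ss, int desc) {
    bool needHs = !lock_have(&ss->hs), needXmit = !lock_have(&ss->xmit);
    if (needHs && !needXmit) return -1;           /* would invert the lock order */
    if (needHs && !lock_get(&ss->hs)) return -1;
    if (needXmit && !lock_get(&ss->xmit)) return -1;
    ss->alertsSent++; (void)desc;
    if (needXmit) lock_release(&ss->xmit);
    if (needHs) lock_release(&ss->hs);
    return 0;
}

/* Drives one alert. holdLocks=true models the call site in the trace: the client
 * key exchange already holds HS and Xmit when it has to send an alert.
 * Returns the number of alerts sent, or -1 if the alert path refused (asserted). */
int run_alert(int (*send_alert)(Sock *, int), bool holdLocks) {
    Sock ss = { { false }, { false }, 0 };
    if (holdLocks) { lock_get(&ss.hs); lock_get(&ss.xmit); }
    int rv = send_alert(&ss, 40);                 /* 40 = handshake_failure (constructed) */
    if (holdLocks) { lock_release(&ss.xmit); lock_release(&ss.hs); }
    return rv < 0 ? -1 : ss.alertsSent;
}
```

With the locks already held, the strict variant refuses (the assertion in the trace) while the reentrant variant sends the alert; from an idle caller both behave the same.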