1496660 - Crash in s_mpv_mul_add_vec64

Status: RESOLVED WORKSFORME

(NSS :: Libraries, defect, P3)

Description

[Calixte Denizet (:calixte)]

This bug was filed from the Socorro interface and is
report bp-13bad940-8b90-450c-9a2c-e90eb0181004.
=============================================================

Top 10 frames of crashing thread:

0 freebl3.dll s_mpv_mul_add_vec64 security/nss/lib/freebl/mpi/mpi_amd64_masm.asm:231
1 freebl3.dll s_mp_redc security/nss/lib/freebl/mpi/mpmontg.c:43
2 freebl3.dll mp_exptmod security/nss/lib/freebl/mpi/mpmontg.c:1130
3 freebl3.dll RSA_PublicKeyOp security/nss/lib/freebl/rsa.c:958
4 freebl3.dll RSA_CheckSignRecover security/nss/lib/freebl/rsapkcs.c:1413
5 softokn3.dll NSC_VerifyRecover security/nss/lib/softoken/pkcs11c.c:3596
6 nss3.dll PK11_VerifyRecover security/nss/lib/pk11wrap/pk11obj.c:674
7 nss3.dll static _SECStatus recoverPKCS1DigestInfo security/nss/lib/cryptohi/secvfy.c:66
8 nss3.dll struct VFYContextStr* vfy_CreateContext security/nss/lib/cryptohi/secvfy.c:463
9 nss3.dll _SECStatus vfy_VerifyDigest security/nss/lib/cryptohi/secvfy.c:749

=============================================================

There is 1 crash in nightly 64 with buildid 20181004100222. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1488622.

[1] https://hg.mozilla.org/mozilla-central/rev?node=7f966968076c

Comment 1

[J.C. Jones [:jcj] (he/they)]

Dipen, can you take a look at this today and see if you find a smoking gun?

Comment 2

[Dipen Patel [:dipen]]

Yes I will investigate.

Comment 3

[Dipen Patel [:dipen]]

:calixte, It may be a long shot but are we able to retrieve the URL that was being accessed?  Any maybe the associated certificate?

Comment 4

[Dipen Patel [:dipen]]

There appear to be two types of crashes associated with s_mpv_mul_add_vec64.

5 occurrences of EXCEPTION_BREAKPOINT since April 2018 which is not reported by this bug. This is a shutdown crash going as far back as version Firefox 60.0b13.  This seems to be associated with ECDSA digest verification.
(https://crash-stats.mozilla.com/signature/?signature=shutdownhang%20%7C%20s_mpv_mul_add_vec64&date=%3E%3D2018-03-31T20%3A00%3A00.000Z&date=%3C2018-10-08T20%3A00%3A00.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_sort=-date&page=1#reports)

24 occurrences of crashes similar to the one reported by this bug.  They seem to vary as to the HW exception but all appear to be related to signature verification.  The crashes seem to start around April 15, 2018 and go as far back as Firefox release 50.

(https://crash-stats.mozilla.com/signature/?signature=s_mpv_mul_add_vec64&date=%3E%3D2017-12-31T16%3A00%3A00.000Z&date=%3C2018-10-08T16%3A00%3A00.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_sort=-date&page=1)

It is definitely localized to Windows platforms (varying versions and processors).

Comment 5

[J.C. Jones [:jcj] (he/they)]

Thanks, Dipen. I don't know that there's much else to do here.

Dana, Franziskus: Any thoughts what next steps should be? It seems rare enough to just mark this low-ish priority and move on.

Comment 6

[Franziskus Kiefer [:franziskus]]

I don't see anything obviously wrong in the code here and it's next to impossible to reproduce this (this function is being fuzzed 24/7 for a while now and we didn't run into this) and the number of crashes is super low. I'd move on unless this spikes.

Comment 7

[J.C. Jones [:jcj] (he/they)]

Still unknown; won't be fixing for 70 yet.

Comment 8

[BugBot [:suhaib / :marco/ :calixte]]

Closing because no crashes reported for 12 weeks.