Open Bug 1535826 Opened 5 years ago Updated 5 months ago

Crash in [@ scalar_base_mult]

Categories

(NSS :: Libraries, defect, P3)

3.40
x86
Windows 7

Tracking

(firefox-esr60 unaffected, firefox65 wontfix, firefox66 wontfix, firefox67 wontfix, firefox68 wontfix, firefox69 wontfix, firefox70 wontfix)

People

(Reporter: calixte, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, regression)

Crash Data

This bug is for crash report bp-edbd0bbf-40c6-47f8-935e-75ecd0190316.

Top 10 frames of crashing thread:

0 freebl3.dll static void scalar_base_mult security/nss/lib/freebl/ecl/ecp_256_32.c:1162
1 freebl3.dll int ec_GFp_nistp256_points_mul_vartime security/nss/lib/freebl/ecl/ecp_256_32.c:1480
2 freebl3.dll ECPoints_mul security/nss/lib/freebl/ecl/ecl_mult.c:296
3 freebl3.dll static _SECStatus ec_points_mul security/nss/lib/freebl/ec.c
4 freebl3.dll static _SECStatus ec_NewKey security/nss/lib/freebl/ec.c:290
5 freebl3.dll EC_NewKey security/nss/lib/freebl/ec.c:404
6 softokn3.dll NSC_GenerateKeyPair security/nss/lib/softoken/pkcs11c.c:5113
7 nss3.dll PK11_GenerateKeyPairWithOpFlags security/nss/lib/pk11wrap/pk11akey.c:1530
8 nss3.dll SECKEY_CreateECPrivateKey security/nss/lib/cryptohi/seckey.c:219
9 nss3.dll ssl_CreateECDHEphemeralKeyPair security/nss/lib/ssl/ssl3ecc.c:448

There are 3 crashes (from 1 installation) in nightly 67 with buildid 20190315215543. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1523175.

[1] https://hg.mozilla.org/mozilla-central/rev?node=71aaa0c1b7d8

Flags: needinfo?(jjones)

Thanks, Calixte. Digging through the changelog and code changes, I don't think it was the patches in NSS_3_43_BETA2 that regressed, more likely something earlier in the 3.43 cycle that's just rare.

MT: Can you confirm my thoughts here?

Assignee: nobody → nobody
Component: Security: PSM → Libraries
Flags: needinfo?(jjones) → needinfo?(martin.thomson)
Priority: -- → P1
Product: Core → NSS
QA Contact: jjones
Version: Trunk → 3.43

If the same signature appears in Release 64, then it will be in an even earlier release than 3.43. This particular code hasn't been touched in a long time. I see a few x25519 changes in late 2017, but the last changes are coverity-related changes.

This is keygen, so crashes will be random, absent things like memory corruption. It is possible that there is a value that we don't properly handle, and the one installation has a busted PRNG. What seems even more likely is that this is like the myriad other low-frequency crashes: bad memory. This is a fairly simple memory access pattern.

Flags: needinfo?(martin.thomson)

Thanks for taking a few to look through it, Martin.

Unblocking 3.43, marking against 3.40, lowering priority/criticality.

No longer blocks: 1523175
Severity: critical → major
Priority: P1 → P3
Version: 3.43 → 3.40

Since the crash volume is low (less than 5 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.

For more information, please visit auto_nag documentation.

Severity: major → S3