Closed Bug 157730 Opened 23 years ago Closed 23 years ago

NSS crashes whenever it access certs on smartcard

Categories

(NSS :: Libraries, defect, P1)

PowerPC
macOS
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: Bill.Burns, Assigned: rrelyea)

Details

Attachments

(2 files)

This works in Mozilla 1.0 RTM but reproducibly fails in Mozilla 1.1a or 1.1b. I can add the security module to the security device manager but going to a site that uses cert-auth causes NSS to crash. I'm attaching the kernel dump.
Date/Time: 2002-07-16 08:43:33 -0700 OS Version: 10.1.5 (Build 5S66) Host: <snip> Command: Mozilla PID: 16844 Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000184 Thread 0 Crashed: #0 0x03c5d580 in nssDecodedPKIXCertificate_Destroy #1 0x03c5aeb0 in nssDecodedCert_Destroy #2 0x03c5b08c in nssCertificate_Destroy #3 0x03c5fe88 in cert_createObject #4 0x03c5fc30 in nssPKIObjectCollection_AddInstanceAsObject #5 0x03c6421c in collector #6 0x03c5900c in nssToken_TraverseCertificates #7 0x03c6434c in NSSTrustDomain_TraverseCertificates #8 0x03c6e270 in PK11_TraverseSlotCerts #9 0x03c64fe0 in CERT_GetCertNicknames #10 0x03c64a18 in CERT_FindUserCertsByUsage #11 0x03bf94c8 in 0x3bf94c8 #12 0x03cd1d30 in ssl3_HandleCertificateRequest #13 0x03cd591c in ssl3_HandleHandshakeMessage #14 0x03cd5bb4 in ssl3_HandleHandshake #15 0x03cd60ec in ssl3_HandleRecord #16 0x03cd6fa8 in ssl3_GatherCompleteHandshake #17 0x03cd8fe8 in ssl_GatherRecord1stHandshake #18 0x03cdd958 in ssl_Do1stHandshake #19 0x03cdee10 in ssl_SecureRecv #20 0x03cdeea4 in ssl_SecureRead #21 0x03ce1750 in ssl_Read #22 0x03bf7f90 in nsSSLIOLayerRead(PRFileDesc *, void *, int) #23 0x00503b18 in PR_Read #24 0x01e59dc4 in nsSocketIS::Read(char *, unsigned int, unsigned int *) #25 0x005d2a78 in nsReadFromInputStream(nsIOutputStream *, void *, char *, unsigned int, unsigned int, unsigned int *) #26 0x005d24dc in WriteSegments__Q26nsPipe18nsPipeOutputStreamFPFP15nsIOutputStr #27 0x005d2b10 in nsPipe::nsPipeOutputStream::WriteFrom( (nsIInputStream *, unsigned int, unsigned *)) #28 0x01eaac00 in OnDataAvailable__21nsStreamListenerProxyFP10nsIRequestP11nsISu #29 0x01e5b644 in nsSocketReadRequest::OnRead(void) #30 0x01e55314 in nsSocketTransport::doReadWrite(short) #31 0x01e54194 in nsSocketTransport::Process(short) #32 0x01e5cc54 in nsSocketTransportService::Run(void) #33 0x005b58e8 in nsThread::Main(void *) #34 0x00507998 in PR_UserRunThread Thread 1: #0 0x7000497c in syscall #1 0x70557600 
in BSD_waitevent #2 0x70554b80 in CarbonSelectThreadFunc #3 0x7002054c in _pthread_body Thread 2: #0 0x7003f4c8 in semaphore_wait_signal_trap #1 0x7003f2c8 in _pthread_cond_wait #2 0x705593ec in CarbonOperationThreadFunc #3 0x7002054c in _pthread_body Thread 3: #0 0x70044cf8 in semaphore_timedwait_signal_trap #1 0x70044cd8 in semaphore_timedwait_signal #2 0x70283e9c in TSWaitOnConditionTimedRelative #3 0x7027d740 in TSWaitOnSemaphoreCommon #4 0x702c2078 in TimerThread #5 0x7002054c in _pthread_body Thread 4: #0 0x7003f4c8 in semaphore_wait_signal_trap #1 0x7003f2c8 in _pthread_cond_wait #2 0x70250aa8 in TSWaitOnCondition #3 0x7027d728 in TSWaitOnSemaphoreCommon #4 0x70243d0c in AsyncFileThread #5 0x7002054c in _pthread_body Thread 5: #0 0x7003f4c8 in semaphore_wait_signal_trap #1 0x7003f2c8 in _pthread_cond_wait #2 0x7055b884 in CarbonInetOperThreadFunc #3 0x7002054c in _pthread_body Thread 6: #0 0x70000978 in mach_msg_overwrite_trap #1 0x70005a04 in mach_msg #2 0x70026a2c in _pthread_become_available #3 0x70026724 in pthread_exit #4 0x70020550 in _pthread_body PPC Thread State: srr0: 0x03c5d580 srr1: 0x0000f030 vrsave: 0x00000000 xer: 0x20000020 lr: 0x03c5aeb0 ctr: 0x0054cf30 mq: 0x00000000 r0: 0x03c5aeb0 r1: 0x0219bd60 r2: 0x02f89000 r3: 0x00000000 r4: 0x00000000 r5: 0x00000188 r6: 0x00000042 r7: 0x0409f2ec r8: 0x00000003 r9: 0x80240e10 r10: 0x00000024 r11: 0x80003710 r12: 0x000ea8b0 r13: 0x03c33cc8 r14: 0x049b0660 r15: 0x0219c628 r16: 0x04964b20 r17: 0x0000f000 r18: 0x01f8f890 r19: 0x00000000 r20: 0x03bd5288 r21: 0x049715c8 r22: 0x049715c8 r23: 0x04a113e8 r24: 0x04b003b8 r25: 0x00000002 r26: 0x00000002 r27: 0x039e0178 r28: 0x040b8d68 r29: 0x04979378 r30: 0x04979378 r31: 0x040b8d68 **********
To translate the Mozilla versions to NSS versions: Mozilla 1.0 RTM is using a snapshot between NSS 3.4 and NSS 3.4.1. Mozilla 1.1a or 1.1b is using NSS 3.5 + possibly the fix for bug 154212. Bob, could you take a look at this crash?
Assignee: wtc → relyea
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P1
Target Milestone: --- → 3.6
Version: unspecified → 3.5
How are 1.1a and 1.1b different from Netscape 7? I'm running build 2002062408 right now and having no problem using SSL client auth from my CAC card. bob
I loaded that build on my Mac OS X box and as soon as I tried to view the certs on the card, I get a crash which looks very similar to the previous reported dump. Date/Time: 2002-07-16 09:32:32 -0700 OS Version: 10.1.5 (Build 5S66) Host: h-10-169-42-186.nscp.aoltw.net Command: Netscape PID: 16919 Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000184 Thread 0 Crashed: #0 0x04112520 in nssDecodedPKIXCertificate_Destroy #1 0x0410fe50 in nssDecodedCert_Destroy #2 0x0411002c in nssCertificate_Destroy #3 0x04114e28 in cert_createObject #4 0x04114bd0 in nssPKIObjectCollection_AddInstanceAsObject #5 0x041191bc in collector #6 0x0410dfac in nssToken_TraverseCertificates #7 0x041192ec in NSSTrustDomain_TraverseCertificates #8 0x041266a8 in PK11_ListCerts #9 0x0402f36c in GetCertsByType__18nsNSSCertificateDBFUiPFP11nsIX509CertP11nsIX #10 0x04039bbc in nsCertTree::LoadCerts(unsigned int) #11 0x005bc06c in XPTC_InvokeByIndex #12 0x005bbf60 in XPTC_InvokeByIndex #13 0x0200c4e4 in 0x200c4e4 #14 0x0201297c in XPC_WN_CallMethod(JSContext *, JSObject *, unsigned int, long *, long *) #15 0x01f1fd8c in js_Invoke #16 0x01f27e34 in 0x1f27e34 #17 0x01f1fde4 in js_Invoke #18 0x01f20030 in js_InternalInvoke #19 0x01f00eac in JS_CallFunctionValue #20 0x0246d34c in nsJSContext::CallEventHandler(void *, void *, unsigned int, void *, int *, int) #21 0x0248d074 in nsJSEventListener::HandleEvent(nsIDOMEvent *) #22 0x0258f6a4 in HandleEventSubType__22nsEventListenerManagerFP16nsListenerStru #23 0x0259120c in 0x259120c #24 0x024724ac in GlobalWindowImpl::HandleDOMEvent(nsIPresContext *, nsEvent *, *) #25 0x026d27a0 in DocumentViewerImpl::LoadComplete(unsigned int) #26 0x0241b0ec in nsDocShell::EndPageLoad(nsIWebProgress *, nsIChannel *, unsigned int) #27 0x02432148 in 0x2432148 #28 0x0241a840 in nsDocShell::OnStateChange(nsIWebProgress *, nsIRequest *, unsigned int, unsigned int) #29 0x0244f8fc in FireOnStateChange__15nsDocLoaderImplFP14nsIWebProgressP10nsIRe #30 
0x0244e720 in nsDocLoaderImpl::doStopDocumentLoad(nsIRequest *, unsigned int) #31 0x0244e4b4 in nsDocLoaderImpl::DocLoaderIsEmpty(void) #32 0x0244e1c4 in nsDocLoaderImpl::OnStopRequest(nsIRequest *, nsISupports *, unsigned int) #33 0x020a8b14 in nsLoadGroup::RemoveRequest(nsIRequest *, nsISupports *, unsigned int) #34 0x02a455b0 in imgRequestProxy::OnStopRequest(nsIRequest *, nsISupports *, unsigned int) #35 0x02a43738 in imgRequest::OnStopRequest(nsIRequest *, nsISupports *, unsigned int) #36 0x02a40014 in ProxyListener::OnStopRequest(nsIRequest *, nsISupports *, unsigned int) #37 0x020e5244 in nsJARChannel::OnStopRequest(nsIRequest *, nsISupports *, unsigned int) #38 0x020ff17c in nsOnStopRequestEvent::HandleEvent(void) #39 0x020fe590 in nsARequestObserverEvent::HandlePLEvent(PLEvent *) #40 0x005f1440 in PL_HandleEvent #41 0x005f12ac in PL_ProcessPendingEvents #42 0x0059811c in nsEventQueueImpl::ProcessPendingEvents(void) #43 0x022c1bac in nsMacNSPREventQueueHandler::ProcessPLEventQueue(void) #44 0x022c1a50 in nsMacNSPREventQueueHandler::RepeatAction(EventRecord const &) #45 0x0088db14 in Repeater::DoRepeaters(EventRecord const &) #46 0x022d80f8 in nsMacMessagePump::DispatchEvent(int, EventRecord *) #47 0x022d7e20 in nsMacMessagePump::DoMessagePump(void) #48 0x022d779c in nsAppShell::Run(void) #49 0x01fa2b3c in nsAppShellService::Run(void) #50 0x004c9f1c in main1(int, char **, nsISupports *) #51 0x004ca95c in main Thread 1: #0 0x7000497c in syscall #1 0x70557600 in BSD_waitevent #2 0x70554b80 in CarbonSelectThreadFunc #3 0x7002054c in _pthread_body Thread 2: #0 0x7003f4c8 in semaphore_wait_signal_trap #1 0x7003f2c8 in _pthread_cond_wait #2 0x705593ec in CarbonOperationThreadFunc #3 0x7002054c in _pthread_body Thread 3: #0 0x70044cf8 in semaphore_timedwait_signal_trap #1 0x70044cd8 in semaphore_timedwait_signal #2 0x70283e9c in TSWaitOnConditionTimedRelative #3 0x7027d740 in TSWaitOnSemaphoreCommon #4 0x702c2078 in TimerThread #5 0x7002054c in _pthread_body Thread 
4: #0 0x7003f4c8 in semaphore_wait_signal_trap #1 0x7003f2c8 in _pthread_cond_wait #2 0x70250aa8 in TSWaitOnCondition #3 0x7027d728 in TSWaitOnSemaphoreCommon #4 0x70243d0c in AsyncFileThread #5 0x7002054c in _pthread_body Thread 5: #0 0x7003f4c8 in semaphore_wait_signal_trap #1 0x7003f2c8 in _pthread_cond_wait #2 0x7055b884 in CarbonInetOperThreadFunc #3 0x7002054c in _pthread_body Thread 6: #0 0x70000978 in mach_msg_overwrite_trap #1 0x70005a04 in mach_msg #2 0x70026a2c in _pthread_become_available #3 0x70026724 in pthread_exit #4 0x70020550 in _pthread_body PPC Thread State: srr0: 0x04112520 srr1: 0x0000f030 vrsave: 0x00000000 xer: 0x20000010 lr: 0x0410fe50 ctr: 0x0054cf30 mq: 0x00000000 r0: 0x0410fe50 r1: 0xbfffd2b0 r2: 0x03f7c000 r3: 0x00000000 r4: 0x00000000 r5: 0x00000188 r6: 0x00000020 r7: 0x05084fac r8: 0x00000003 r9: 0x80240e10 r10: 0x00000024 r11: 0x80003710 r12: 0x000ea8b0 r13: 0x050bd590 r14: 0x050bd410 r15: 0x00000022 r16: 0x02049970 r17: 0x00000000 r18: 0x00000001 r19: 0x00000001 r20: 0xbfffd9f8 r21: 0x0508e378 r22: 0x0508e378 r23: 0x050b2a08 r24: 0x0549c0b8 r25: 0x00000002 r26: 0x00000002 r27: 0x03d02298 r28: 0x04076828 r29: 0x04f0b608 r30: 0x04f0b608 r31: 0x04076828 **********
Netscape 7 PR1 is using the same NSS as Mozilla 1.0 RTM. Netscape 7 RTM will be using NSS 3.5. So the only difference between the NSS in Netscape 7 and the NSS in Mozilla 1.1a and 1.1b is either none or the fix for bug 154212.
2002062408 is definitely not PR1. It should be running with 3.5. The difference between shadow's setup and mine is I'm running on Windows and he's running on MacOS X. I may have to debug this on OS X. bob
verified the same crash behavior using Netscape 7 build 20020712. steps to reproduce: 1) start Netscape or mozilla 2) log into the card manually using the PSM device manager 3) try to view certs or log into a website that does cert-auth 4) crash
For what it's worth, I'm seeing the same behaviour as far back as Mozilla-2002-06-03-08-trunk. Tried with new profile, same result. (But Mozilla 1.0 RTM still works correctly.) If I have time I'll download older clients to see when it started failing.
I've confirmed that I'm getting the exact same crash dump in the 2002-07-19 build (Mozilla 1.1a) on the Mac. Tried creating a new profile, restarting the smartcard daemon (pcscd), reinserting the card...no joy.
shadow: I will ask Javi to build a debug Mozilla client off the MOZILLA_1_0_BRANCH for you. With the debug build, you should be able to give us more debug information such as line numbers and the values of variables.
According to the debugger it's breaking in pki3hack.c at the PRBool line with an address fault exception.

NSS_IMPLEMENT PRStatus
nssDecodedPKIXCertificate_Destroy
(
  nssDecodedCert *dc
)
{
    CERTCertificate *cert = (CERTCertificate *)dc->data;
--> PRBool freeSlot = cert->ownSlot;
    PK11SlotInfo *slot = cert->slot;
    PRArenaPool *arena = cert->arena;
    /* zero cert before freeing. Any stale references to this cert
     * after this point will probably cause an exception. */
    PORT_Memset(cert, 0, sizeof *cert);
    /* free the arena that contains the cert. */
    PORT_FreeArena(arena, PR_FALSE);
    nss_ZFreeIf(dc);
    if (slot && freeSlot) {
OK, I went over and talked with Bill. This appears to be a problem with Bill's CAC card specifically, not necessarily an OSX problem. Bill's card has a bogus certificate entry on it that confuses NSS. I have a patch which will prevent the crash (since NSS should crash in this case anyway).
Comment on attachment 92246
Fix crash if we have a certdecoder, but no decoded cert.

r=wtc. It would seem like a good idea to move

    if (slot && freeSlot) {
        PK11_FreeSlot(slot);
    }

to the inside of the new if (cert) {...} statement as well.
Attachment #92246 - Flags: review+
Attached the log file from the PKCS11 driver showing how it is relaying invalid certificate types from the card presumably.
I've confirmed that this bug also impacts the Linux builds as well (so presumably it will affect all NSS builds, not just Mac OS as I originally reported). The root cause is that a certificate is being reported by the smartcard driver (muscle) but when NSS asks for the particulars of that cert it reports a NULL. Please let me know when a build of NSS has this fix installed.
The patch is checked into the NSS tip, I'm not sure the process we need to move this forward to the mozilla tree, and what release it winds up in. bob
Fix checked in
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment on attachment 92246
Fix crash if we have a certdecoder, but no decoded cert.

Why not move freeSlot, slot, and arena into that then-block, too? No need to default-initialize freeSlot to false, or to test after the if-then as wtc says. /be
a=asa (on behalf of drivers) for checkin to 1.1 with a response to brendan's suggestion.
I made the change that Brendan suggested in comment #19. The fix has been checked into NSS_3_5_BRANCH and NSS_CLIENT_TAG. It will be in mozilla 1.1 and NSS 3.5.1 (the next patch release off NSS_3_5_BRANCH).
Target Milestone: 3.6 → 3.5.1
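The guard discussed in the comments above, as an added sketch that is not the NSS patch or any code from this bug: a decoder wrapper whose data pointer is NULL (the bogus card entry) is destroyed without touching the cert, and the slot release sits inside the same check, as wtc and Brendan suggest. Slot, Arena, Cert, DecodedCert, TokenObject and the toy decoder are hypothetical stand-ins for the NSS types, the wrapper is caller-owned here rather than heap-allocated, and the sample token objects are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the NSS types named in the thread. */
typedef struct Slot { int refs; } Slot;
typedef struct Arena Arena;
typedef struct Cert { Arena *arena; Slot *slot; int ownSlot; } Cert;
struct Arena { Cert cert; };              /* the cert lives inside its arena */
typedef struct DecodedCert { void *data; } DecodedCert;
typedef struct TokenObject { const unsigned char *value; size_t len; } TokenObject;

/* Toy decoder: accepts a non-empty value that starts with a DER SEQUENCE
 * tag (0x30); returns NULL otherwise, as for the bogus card entry. */
static Cert *decode_cert(const TokenObject *obj, Slot *slot)
{
    Arena *arena;
    if (obj->value == NULL || obj->len == 0 || obj->value[0] != 0x30)
        return NULL;
    arena = calloc(1, sizeof *arena);
    if (arena == NULL)
        return NULL;
    arena->cert = (Cert){ arena, slot, 1 };
    slot->refs++;                         /* the cert holds a slot reference */
    return &arena->cert;
}

/* Guarded destroy: every use of the cert, the slot release included,
 * sits inside the NULL check. The wrapper itself is caller-owned. */
static void decoded_cert_destroy(DecodedCert *dc)
{
    Cert *cert = (Cert *)dc->data;
    if (cert != NULL) {
        int freeSlot = cert->ownSlot;
        Slot *slot = cert->slot;
        Arena *arena = cert->arena;
        memset(cert, 0, sizeof *cert);    /* zero before freeing */
        free(arena);
        if (slot != NULL && freeSlot)
            slot->refs--;
    }
}

/* Wrap each token object in a decoder, count the ones that decoded, and
 * destroy every wrapper, including those with no decoded cert. */
int traverse_token(const TokenObject *objs, size_t n, Slot *slot)
{
    int usable = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        DecodedCert dc = { decode_cert(&objs[i], slot) };
        usable += (dc.data != NULL);
        decoded_cert_destroy(&dc);
    }
    return usable;
}

/* Constructed sample: a DER-looking value, an object with no value, junk. */
static const unsigned char kGood[] = { 0x30, 0x03, 0x02, 0x01, 0x01 };
static const unsigned char kJunk[] = { 0xff, 0x00 };
static const TokenObject kSampleObjects[3] = { { kGood, sizeof kGood }, { NULL, 0 }, { kJunk, sizeof kJunk } };

int main(void)
{
    Slot slot = { 1 };                    /* one reference held by the module */
    int usable = traverse_token(kSampleObjects, 3, &slot);
    printf("usable=%d slot_refs=%d\n", usable, slot.refs);
    return 0;
}
```
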