Closed Bug 1597799 Opened 2 months ago Closed 2 months ago

Crash in [@ nssCKFWObject_GetAttributeSize | NSSCKFWC_GetAttributeValue | builtinsC_GetAttributeValue]

Categories

(NSS :: Libraries, defect)

Unspecified
Windows 10
defect
Not set

Tracking

(firefox-esr68 unaffected, firefox71 unaffected, firefox72 fixed)

RESOLVED FIXED
Tracking Status
firefox-esr68 --- unaffected
firefox71 --- unaffected
firefox72 --- fixed

People

(Reporter: marcia, Assigned: jcj)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

This bug is for crash report bp-eb9022ae-df2c-4e05-9af1-0fbbf0191115.

Seen while looking at nightly crash stats: https://bit.ly/2XyeHOm. 13 crashes/16 installs so far. Crashes started in 20191115095319.

Possible regression range based on build ID: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a4ef4d6cdff03e76ed4471faea08e1071b1bf05c&tochange=bbbe694dbff25ce304833a9c2f6520ba9f61fb32

There are several NSS related changes in there - not sure if one of them is involved here.

Top 10 frames of crashing thread:

0 nssckbi.dll nssCKFWObject_GetAttributeSize security/nss/lib/ckfw/object.c:507
1 nssckbi.dll NSSCKFWC_GetAttributeValue security/nss/lib/ckfw/wrap.c:2244
2 nssckbi.dll static unsigned long builtinsC_GetAttributeValue security/nss/lib/ckfw/nssck.api:630
3 nss3.dll PK11_ReadAttribute security/nss/lib/pk11wrap/pk11obj.c:105
4 nss3.dll PK11_FindRawCertsWithSubject security/nss/lib/pk11wrap/pk11obj.c:1970
5 xul.dll mozilla::pkix::Result mozilla::psm::NSSCertDBTrustDomain::FindIssuer security/certverifier/NSSCertDBTrustDomain.cpp:256
6 xul.dll static mozilla::pkix::Result mozilla::pkix::BuildForward security/nss/lib/mozpkix/lib/pkixbuild.cpp:364
7 xul.dll mozilla::pkix::Result mozilla::pkix::PathBuildingStep::Check security/nss/lib/mozpkix/lib/pkixbuild.cpp:211
8 xul.dll static mozilla::pkix::Result mozilla::psm::CheckCandidates security/certverifier/NSSCertDBTrustDomain.cpp:189
9 xul.dll mozilla::pkix::Result mozilla::psm::NSSCertDBTrustDomain::FindIssuer security/certverifier/NSSCertDBTrustDomain.cpp:344

Assignee: nobody → nobody
Component: Security: PSM → Libraries
Product: Core → NSS
QA Contact: jjones
Version: Trunk → other
Flags: needinfo?(jjones)

There are no smoking guns from the uplift that would cause this. Rather, I think a PSM change is the cause.

However, this code has no defenses against NSSCKMDObject being invalid, nor against NSSCKFWObject being invalid.

I've audited all places where NSSCKMDObject could be provided to nssCKFWObject_Create as a null pointer, and while there's a pair of suspicious places, I don't have a precise target.

Both of these nssCKFWObject_Create calls are effectively unguarded. It's up to the implementation of the Cryptoki framework whether the object is returned valid or not: https://searchfox.org/nss/rev/c8d77c45a7e4f168d934b8d2a8b5bca384b97e16/lib/ckfw/mechanism.c#886

I'm going to attach a small patch to cause a clean error return here and check it against try while we look further.
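To make the defensive pattern the comment above describes concrete, here is an added, self-contained C example (not NSS code, and not the patch attached to this bug). It models the two-layer shape of the Cryptoki framework with hypothetical `MDObject`/`FWObject` types, where a framework wrapper holds a pointer to a module-side object that an unguarded Create() may have left NULL or half-built. The `CKR_*`/`CKA_SUBJECT` values match the PKCS#11 constants; every struct, function and the sample subject bytes are constructed for this illustration. It shows the unguarded call that dereferences blindly next to a guarded version that validates each layer and returns a clean Cryptoki error to the caller:

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the PKCS#11 types and constants this example needs
 * (numeric values match the PKCS#11 specification). */
typedef unsigned long CK_RV;
typedef unsigned long CK_ULONG;
typedef unsigned long CK_ATTRIBUTE_TYPE;
#define CKR_OK                     0x00UL
#define CKR_GENERAL_ERROR          0x05UL
#define CKR_ATTRIBUTE_TYPE_INVALID 0x12UL
#define CKR_OBJECT_HANDLE_INVALID  0x82UL
#define CKA_SUBJECT                0x101UL

/* Hypothetical module-side ("MD") object: a vtable entry plus its data. */
typedef struct MDObject {
    CK_ULONG (*GetAttributeSize)(struct MDObject *self, CK_ATTRIBUTE_TYPE type, CK_RV *pError);
    const unsigned char *subject;
    CK_ULONG subjectLen;
} MDObject;

/* Hypothetical framework-side ("FW") wrapper around the MD object. If the
 * module's Create() handed back NULL, this pointer is the one that gets
 * dereferenced in the crashing frame. */
typedef struct {
    MDObject *mdObject;
} FWObject;

/* Module implementation of the size query for the one attribute it knows. */
static CK_ULONG md_get_attribute_size(MDObject *self, CK_ATTRIBUTE_TYPE type, CK_RV *pError)
{
    if (type != CKA_SUBJECT) {
        *pError = CKR_ATTRIBUTE_TYPE_INVALID;
        return 0;
    }
    *pError = CKR_OK;
    return self->subjectLen;
}

/* Unguarded wrapper: the shape that faults when mdObject (or its vtable) is NULL. */
CK_ULONG fw_get_attribute_size_unguarded(FWObject *fw, CK_ATTRIBUTE_TYPE type, CK_RV *pError)
{
    return fw->mdObject->GetAttributeSize(fw->mdObject, type, pError);
}

/* Guarded wrapper: check each layer before touching it and report a Cryptoki
 * error, so the PK11-style caller fails one attribute read instead of the process. */
CK_ULONG fw_get_attribute_size_guarded(FWObject *fw, CK_ATTRIBUTE_TYPE type, CK_RV *pError)
{
    if (!pError) {
        return 0;
    }
    if (!fw || !fw->mdObject) {
        *pError = CKR_OBJECT_HANDLE_INVALID;
        return 0;
    }
    if (!fw->mdObject->GetAttributeSize) {
        *pError = CKR_GENERAL_ERROR;
        return 0;
    }
    return fw->mdObject->GetAttributeSize(fw->mdObject, type, pError);
}

/* Constructed sample data: a 4-byte placeholder "subject" for the valid path. */
static const unsigned char kSampleSubject[] = { 0x30, 0x02, 0x05, 0x00 };
static MDObject kValidMd = { md_get_attribute_size, kSampleSubject, sizeof kSampleSubject };

/* Scenario helpers: each returns the error the guarded wrapper reported and
 * the size it returned, so every outcome can be checked without crashing. */
CK_RV probe_valid_object(CK_ULONG *sizeOut)
{
    FWObject fw = { &kValidMd };
    CK_RV err = CKR_GENERAL_ERROR;
    *sizeOut = fw_get_attribute_size_guarded(&fw, CKA_SUBJECT, &err);
    return err;
}

CK_RV probe_null_md_object(CK_ULONG *sizeOut)
{
    FWObject broken = { NULL };            /* what an unguarded Create() can hand back */
    CK_RV err = CKR_OK;
    *sizeOut = fw_get_attribute_size_guarded(&broken, CKA_SUBJECT, &err);
    return err;
}

CK_RV probe_missing_vtable_entry(CK_ULONG *sizeOut)
{
    MDObject partial = { NULL, NULL, 0 };  /* MD object built without GetAttributeSize */
    FWObject fw = { &partial };
    CK_RV err = CKR_OK;
    *sizeOut = fw_get_attribute_size_guarded(&fw, CKA_SUBJECT, &err);
    return err;
}

int main(void)
{
    CK_ULONG n;
    CK_RV err;
    err = probe_valid_object(&n);
    printf("valid object:   err=0x%02lx size=%lu\n", err, n);
    err = probe_null_md_object(&n);
    printf("NULL mdObject:  err=0x%02lx size=%lu\n", err, n);
    err = probe_missing_vtable_entry(&n);
    printf("missing vtable: err=0x%02lx size=%lu\n", err, n);
    /* Calling fw_get_attribute_size_unguarded() with a NULL mdObject would fault here. */
    return 0;
}
```

The guarded variant deliberately distinguishes a missing object (CKR_OBJECT_HANDLE_INVALID) from a module object whose vtable lacks the method (CKR_GENERAL_ERROR); a caller doing a find-then-read sequence like PK11_ReadAttribute can treat either as "skip this candidate" rather than abort path building.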

Assignee: nobody → jjones
Status: NEW → ASSIGNED
Flags: needinfo?(jjones)
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 3.48
Blocks: 1600667
Duplicate of this bug: 1600692
Crash Signature: [@ nssCKFWObject_GetAttributeSize | NSSCKFWC_GetAttributeValue | builtinsC_GetAttributeValue] → [@ nssCKFWObject_GetAttributeSize | NSSCKFWC_GetAttributeValue | builtinsC_GetAttributeValue] [@ NSSCKFWC_GetAttributeValue | PK11_ReadAttribute]