Closed Bug 1642584 Opened 5 years ago Closed 5 years ago

socket process is killed because it's trying to load libsoftokn3.so

Categories

(Core :: Networking, task, P3)

RESOLVED INVALID

People

(Reporter: kershaw, Unassigned)

Details

(Whiteboard: [necko-triaged])

Stack trace:

Thread 1 "Socket Process" received signal SIGSYS, Bad system call.
__GI___open64_nocancel (file=file@entry=0x7f161f550f00 "/home/kershaw/mozilla-central/objdir/dist/bin/libsoftokn3.so", oflag=oflag@entry=524288)
    at ../sysdeps/unix/sysv/linux/open64_nocancel.c:45
45	../sysdeps/unix/sysv/linux/open64_nocancel.c: No such file or directory.
(gdb) bt
#0  __GI___open64_nocancel (file=file@entry=0x7f161f550f00 "/home/kershaw/mozilla-central/objdir/dist/bin/libsoftokn3.so", oflag=oflag@entry=524288)
    at ../sysdeps/unix/sysv/linux/open64_nocancel.c:45
#1  0x00007f1631be20b6 in open_verify
    (name=0x7f161f550f00 "/home/kershaw/mozilla-central/objdir/dist/bin/libsoftokn3.so", fbp=fbp@entry=0x7ffe47172980, loader=<optimized out>, whatcode=whatcode@entry=0, mode=mode@entry=-1879048190, found_other_class=found_other_class@entry=0x7ffe4717296f, free_name=true, fd=-1) at dl-load.c:1520
#2  0x00007f1631be3acb in _dl_map_object
    (loader=loader@entry=0x7f1631825510, name=name@entry=0x7f161f550ec0 "/home/kershaw/mozilla-central/objdir/dist/bin/libsoftokn3.so", type=type@entry=2, trace_mode=trace_mode@entry=0, mode=mode@entry=-1879048190, nsid=<optimized out>) at dl-load.c:2177
#3  0x00007f1631bedf3b in dl_open_worker (a=a@entry=0x7ffe47172ed0) at dl-open.c:228
#4  0x00007f1631798eb1 in __GI__dl_catch_exception (exception=exception@entry=0x7ffe47172eb0, operate=operate@entry=0x7f1631bedeb0 <dl_open_worker>, args=args@entry=0x7ffe47172ed0)
    at dl-error-skeleton.c:196
#5  0x00007f1631bedb2a in _dl_open
    (file=0x7f161f550ec0 "/home/kershaw/mozilla-central/objdir/dist/bin/libsoftokn3.so", mode=-2147483646, caller_dlopen=0x7f16316434a2 <PR_LoadLibraryWithFlags+161>, nsid=-2, argc=13, argv=<optimized out>, env=0x7f163142bc00) at dl-open.c:603
#6  0x00007f1631b54258 in dlopen_doit (a=a@entry=0x7ffe471730f0) at dlopen.c:66
#7  0x00007f1631798eb1 in __GI__dl_catch_exception (exception=exception@entry=0x7ffe47173090, operate=operate@entry=0x7f1631b54200 <dlopen_doit>, args=args@entry=0x7ffe471730f0)
    at dl-error-skeleton.c:196
#8  0x00007f1631798f4f in __GI__dl_catch_error
    (objname=objname@entry=0x7f1631434310, errstring=errstring@entry=0x7f1631434318, mallocedp=mallocedp@entry=0x7f1631434308, operate=operate@entry=0x7f1631b54200 <dlopen_doit>, args=args@entry=0x7ffe471730f0) at dl-error-skeleton.c:215
#9  0x00007f1631b54995 in _dlerror_run (operate=operate@entry=0x7f1631b54200 <dlopen_doit>, args=args@entry=0x7ffe471730f0) at dlerror.c:170
#10 0x00007f1631b542e6 in __dlopen (file=<optimized out>, mode=<optimized out>) at dlopen.c:87
#11 0x00007f16316434a2 in pr_LoadLibraryByPathname (name=0x7f161f550ec0 "/home/kershaw/mozilla-central/objdir/dist/bin/libsoftokn3.so", flags=<optimized out>)
    at /home/kershaw/mozilla-central/nsprpub/pr/src/linking/prlink.c:801
#12 PR_LoadLibraryWithFlags (libSpec=..., flags=<optimized out>) at /home/kershaw/mozilla-central/nsprpub/pr/src/linking/prlink.c:404
#13 0x00007f1630b6ff14 in loader_LoadLibInReferenceDir (referencePath=0x7f161f550900 "/home/kershaw/mozilla-central/objdir/dist/bin/libnss3.so", name=0x7f1630ac86c4 "libsoftokn3.so")
    at /home/kershaw/mozilla-central/security/nss/lib/util/secload.c:85
#14 0x00007f1630b6fcbe in PORT_LoadLibraryFromOrigin (existingShLibName=<optimized out>, staticShLibFunc=<optimized out>, newShLibName=0x7f1630ac86c4 "libsoftokn3.so")
    at /home/kershaw/mozilla-central/security/nss/lib/util/secload.c:151
#15 0x00007f1630b2ae4c in softoken_LoadDSO () at /home/kershaw/mozilla-central/security/nss/lib/pk11wrap/pk11load.c:373
#16 0x00007f1631647123 in PR_CallOnce (once=0x7f1630b4b680 <loadSoftokenOnce>, func=0x7f1630b2ae2e <softoken_LoadDSO>) at /home/kershaw/mozilla-central/nsprpub/pr/src/misc/prinit.c:776
#17 0x00007f1630b2a9df in secmod_LoadPKCS11Module (mod=0x7f16314a4c20, oldModule=0x7ffe47173380) at /home/kershaw/mozilla-central/security/nss/lib/pk11wrap/pk11load.c:422
#18 0x00007f1630b35f9d in SECMOD_LoadModule
    (modulespec=0x7f163141c5e0 "name=\"NSS Internal Module\" parameters=\"configdir='' certPrefix='' keyPrefix='' secmod='' flags=readOnly,noCertDB,noModDB,forceOpen,optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' upd"..., parent=0x0, recurse=1) at /home/kershaw/mozilla-central/security/nss/lib/pk11wrap/pk11pars.c:1840
#19 0x00007f1630b0669a in nss_InitModules
    (configdir=0x7f1630acab6d "", certPrefix=<optimized out>, keyPrefix=0x7f161f5523f8 "\345\345\345\345\345\345\345\345", secmodName=0x7f1630acab6d "", updateDir=0x7f161f552440 '\345' <repeats 16 times>, "\063", updCertPrefix=0x7f161f552448 "\345\345\345\345\345\345\345\345\063", updKeyPrefix=<optimized out>, updateID=<optimized out>, updateName=<optimized out>, configName=<optimized out>, configStrings=<optimized out>, pwRequired=<optimized out>, readOnly=<optimized out>, noCertDB=<optimized out>, noModDB=<optimized out>, forceOpen=<optimized out>, optimizeSpace=<optimized out>, isContextInit=<optimized out>) at /home/kershaw/mozilla-central/security/nss/lib/nss/nssinit.c:464
#20 nss_Init
    (configdir=0x7f1630acab6d "", certPrefix=<optimized out>, keyPrefix=0x7f161f5523f8 "\345\345\345\345\345\345\345\345", secmodName=<optimized out>, updateDir=0x7f161f552440 '\345' <repeats 16 times>, "\063", updCertPrefix=<optimized out>, updKeyPrefix=0x7f1630acab6d "", updateID=0x7f1630acab6d "", updateName=0x7f1630acab6d "", initContextPtr=0x0, initParams=0x0, readOnly=1, noCertDB=1, noModDB=1, forceOpen=1, noRootInit=1, optimizeSpace=1, noSingleThreadedModules=0, allowAlreadyInitializedModules=0, dontFinalizeModules=0)
    at /home/kershaw/mozilla-central/security/nss/lib/nss/nssinit.c:689
#21 0x00007f1630b06b25 in NSS_NoDB_Init (configdir=<optimized out>) at /home/kershaw/mozilla-central/security/nss/lib/nss/nssinit.c:950

Apparently, the socket process is not allowed to load a .so file due to sandboxing, but it seems that NSS needs some .so files to work normally.
I am not sure if we can adjust the sandboxing rules or make NSS work without loading some libraries.

Dana,
What do you think? Is libsoftokn3.so (could be more .so files) really necessary for NSS in the socket process? Is it possible to make NSS work without those .so files?
Thanks.

Flags: needinfo?(dkeeler)

libsoftokn3.so is the software implementation of a PKCS#11 token that NSS uses to do cryptography, so NSS does need to load it to work.

Flags: needinfo?(dkeeler)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #2)

libsoftokn3.so is the software implementation of a PKCS#11 token that NSS uses to do cryptography, so NSS does need to load it to work.

Thanks for the reply, Dana. I guess we can only add this file to the sandboxing white list.

:gcp, is this something that the sandboxing team can help with?
Thanks.

Flags: needinfo?(gpascutto)

You'll have to whitelist the dir where the files live. But it's weird that you get this error, as we already include the Firefox binaries dir: https://searchfox.org/mozilla-central/source/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp#709

Running with MOZ_SANDBOX_LOGGING=1 may reveal if there's a mismatch.

Flags: needinfo?(gpascutto)
Component: Security: PSM → Networking
Severity: -- → N/A
Priority: -- → P3
Whiteboard: [necko-triaged]

(In reply to Gian-Carlo Pascutto [:gcp] from comment #4)

You'll have to whitelist the dir where the files live. But it's weird that you get this error, as we already include the Firefox binaries dir: https://searchfox.org/mozilla-central/source/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp#709

Running with MOZ_SANDBOX_LOGGING=1 may reveal if there's a mismatch.

Actually, I was trying to debug the issue in bug 1640612 and I attached gdb to the socket process and saw the crash in comment #0.
Without gdb, this crash disappears, so maybe this is caused by gdb or something else.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
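
Added example (not part of the bug thread and not Firefox code): a seccomp-bpf filter that answers openat with SECCOMP_RET_TRAP makes the kernel deliver SIGSYS, and a process that handles that signal keeps running, which is consistent with the SIGSYS stop being seen only with a debugger attached. The handler, the function name and the /etc/hostname path are assumptions made for this sketch, and the return-value fix-up is x86-64 only.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <ucontext.h>
#include <unistd.h>

static volatile sig_atomic_t trapped_nr = -1;

/* Stand-in for a sandbox SIGSYS handler: record the syscall and fail it with
 * EACCES. A brokered sandbox would forward the request to its broker here. */
static void on_sigsys(int sig, siginfo_t *si, void *ctx) {
    (void)sig;
    trapped_nr = si->si_syscall;
#ifdef __x86_64__
    ((ucontext_t *)ctx)->uc_mcontext.gregs[REG_RAX] = -EACCES;
#endif
}

/* 1: openat was trapped and the process carried on; 0: it was not trapped or
 * the child died; -1: seccomp filters cannot be installed here. */
int open_is_trapped_not_fatal(void) {
    struct sock_filter prog[] = { /* no arch check: demo only */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_openat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = 4, .filter = prog };
    struct sigaction sa = { .sa_sigaction = on_sigsys, .sa_flags = SA_SIGINFO };
    int st;
    pid_t pid = fork(); /* child only, so the caller stays unfiltered */
    if (pid < 0) return -1;
    if (pid == 0) {
        sigaction(SIGSYS, &sa, NULL);
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog)) _exit(2);
        long r = syscall(SYS_openat, AT_FDCWD, "/etc/hostname", O_RDONLY);
        _exit(trapped_nr == SYS_openat && r == -1 ? 0 : 1);
    }
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return 0;
    return WEXITSTATUS(st) == 0 ? 1 : WEXITSTATUS(st) == 2 ? -1 : 0;
}
int main(void) { return open_is_trapped_not_fatal() == 1 ? 0 : 1; }
```

gdb stops on SIGSYS by default before the handler runs; `handle SIGSYS nostop noprint pass` tells it to hand the signal straight to the process.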