ThreadSanitizer: data race [@ NSC_GetTokenInfo] vs. [@ NSC_CloseSession]
Categories
(NSS :: Libraries, defect, P1)
Tracking
(firefox-esr68 wontfix, firefox-esr78 wontfix, firefox78 wontfix, firefox79 wontfix, firefox80 fixed)
People
(Reporter: tsmith, Assigned: jcj)
References
(Blocks 1 open bug)
Details
(Keywords: sec-low, Whiteboard: [adv-main80+r])
Attachments
(2 files)
The attached crash information was detected by ThreadSanitizer during normal web browsing on mozilla-central 20200708-34fb169ef962. Marking as s-s to be safe.
General information about TSan reports
Why fix races?
Data races are undefined behavior and can cause crashes as well as correctness issues. Compiler optimizations can cause racy code to have unpredictable and hard-to-reproduce behavior.
Rating
If you think this race can cause crashes or correctness issues, it would be great to rate the bug appropriately as P1/P2 and/or indicating this in the bug. This makes it a lot easier for us to assess the actual impact that these reports make and if they are helpful to you.
False Positives / Benign Races
Typically, races reported by TSan are not false positives [1], but it is possible that the race is benign. Even in this case it would be nice to come up with a fix if it is easily doable and does not regress performance. Every race that we cannot fix will have to remain on the suppression list and slows down the overall TSan performance. Also note that seemingly benign races can possibly be harmful (also depending on the compiler, optimizations and the architecture) [2][3].
[1] One major exception is the involvement of uninstrumented code from third-party libraries.
[2] http://software.intel.com/en-us/blogs/2013/01/06/benign-data-races-what-could-possibly-go-wrong
[3] How to miscompile programs with "benign" data races: https://www.usenix.org/legacy/events/hotpar11/tech/final_files/Boehm.pdf
Suppressing unfixable races
If the bug cannot be fixed, then a runtime suppression needs to be added in mozglue/build/TsanOptions.cpp. The suppressions match on the full stack, so it should be picked such that it is unique to this particular race. The bug number of this bug should also be included so we have some documentation on why this suppression was added.
|
||
Comment 1•4 years ago
|
||
I see "ImportCert" in one of the conflicting threads, but Tyson says this was during normal browsing in a single tab. Why would we be calling that?
Is this really NSS rather than PSM? I thought the threading here was set up in the browser.
|
Assignee | |
Comment 2•4 years ago
|
||
It's NSS.
The NSS needs the certificates imported into the DB for trust calculations.
Basically, NSC_GetTokenInfo doesn't lock slot->slotLock before accessing slot after obtaining it, even though slotLock is defined as its lock.
|
|
Assignee | |
Comment 3•4 years ago
|
||
This is hot-path for connecting TLS, so it's going to be interesting seeing what happens to performance, adding this lock. Anyway, patch coming!
|
|
Assignee | |
Comment 4•4 years ago
|
||
I'm not sure this is actually exploitable. Marking sec-low as a stopgap, but probably we can just open this up.
|
|
Assignee | |
Comment 5•4 years ago
|
||
Basically, NSC_GetTokenInfo doesn't lock slot->slotLock before accessing slot after obtaining it,
even though slotLock is defined as its lock. [0]
|
||
Comment 6•4 years ago
|
||
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
|
||
Updated•2 years ago
|
Description
•