Closed Bug 1668593 Opened 4 years ago Closed 4 years ago

Crash in [@ DERDecodeSeqContentInit]

Categories

(Core :: Security: PSM, defect)

Unspecified
macOS
defect

Tracking

RESOLVED WONTFIX

People

(Reporter: sefeng, Unassigned)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/6b9ccdfc-8d61-477b-8e75-845710200930

Reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS

Top 10 frames of crashing thread:

0 Security DERDecodeSeqContentInit 
1 Security parseX501NameContent 
2 Security SecCertificateCopySubjectSummary 
3 keychain-pkcs11.dylib keychain-pkcs11.dylib@0x5e92 
4 libnss3.dylib PK11_InitToken security/nss/lib/pk11wrap/pk11slot.c:1267
5 libnss3.dylib nssSlot_Refresh security/nss/lib/pk11wrap/dev3hack.c:238
6 libnss3.dylib nssSlot_IsTokenPresent security/nss/lib/dev/devslot.c:243
7 libnss3.dylib pk11_IsPresentCertLoad.llvm.17085532109926444036 security/nss/lib/pk11wrap/pk11slot.c:1603
8 XUL mozilla::psm::IsCertBuiltInRoot security/certverifier/CertVerifier.cpp:207
9 XUL nsNSSCertificate::GetIsBuiltInRoot security/manager/ssl/nsNSSCertificate.cpp:167

The crash is happening in a third-party library; however, I am seeing various crashes with a similar call stack, such as this and this.

Hi! I'm the author of Keychain-PKCS11, and Dana was kind enough to let me know about this bug.

I have a few questions I am hoping Mozilla people can help me with.

I just wanted to make sure that the crashes are coming from my latest release (there have been two releases so far; 0.9.1 and 0.9.5). I see the "debug identifier" for the version of keychain-pkcs11 being used is 38FF608A11793C96A636230D444BC7070, but ... how is that generated? Can I map that to a particular release?

Is it possible to get the complete stack frame? I am particularly interested in the arguments to SecCertificateCopySubjectSummary().

I don't suppose it's possible to communicate with the people who had this crash, is it? I suspect the crash report is anonymized, but I figured I would at least ask.

Hi Ken, the debug identifier can be extracted from an object file using our dump_syms tool. Calling the tool on an executable or shared library will print out the debug identifier in the first line of output. If you tell me what platform you're on I can provide you with a link to an executable, or alternatively you can build it yourself from source; its only requirement is a recent Rust compiler & cargo.

One of the users left his e-mail address in the crash report. I'll contact him and ask if he's willing to help out and put him in touch with you if he is.

As for the argument to SecCertificateCopySubjectSummary() it is possible to extract it from the crash report but it's extremely difficult, I'll have a look on Monday.

So Gabriele was kind enough to put me in contact with a user who gave their email in a bug report and I corresponded with him. He indicated he had 0.9.1 of keychain-pkcs11 and was going to upgrade to 0.9.5.

I compiled dump_syms (it took 245 packages to compile it, yikes?) and I verified that the debug identifier for the 0.9.1 release of keychain-pkcs11 is 38FF608A11793C96A636230D444BC7070. All of the crashes referenced here use the same debug identifier, so I think this is a problem that is fixed in the latest release of keychain-pkcs11 (0.9.5).

And, as a note to myself ... the debug identifier on MacOS X is the UUID in the LC_UUID load command and you can read it using "dwarfdump -u"
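An added example (not part of the bug thread, and not Mozilla's dump_syms code): reading the LC_UUID load command from a thin Mach-O image and formatting it as the debug identifier shown in the crash report. It assumes the identifier is the UUID's 32 hex digits followed by a trailing "0", which matches the 33-character value quoted above; the function names are hypothetical and the sample image bytes are constructed.

```python
import struct
import uuid

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF  # thin 32-bit / 64-bit Mach-O
LC_UUID = 0x1B                                  # load command carrying the UUID

def macho_uuid(data: bytes) -> uuid.UUID:
    """Return the UUID from the LC_UUID load command of a thin Mach-O image."""
    if len(data) < 28:
        raise ValueError("too short for a Mach-O header")
    for endian in ("<", ">"):
        (magic,) = struct.unpack_from(endian + "I", data, 0)
        if magic in (MH_MAGIC, MH_MAGIC_64):
            break
    else:
        raise ValueError("not a thin Mach-O image (fat binaries not handled)")
    header_size = 32 if magic == MH_MAGIC_64 else 28
    ncmds, sizeofcmds = struct.unpack_from(endian + "II", data, 16)
    offset, end = header_size, header_size + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("load command header out of bounds")
        cmd, cmdsize = struct.unpack_from(endian + "II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("malformed load command size")
        if cmd == LC_UUID:
            if cmdsize < 24:
                raise ValueError("LC_UUID command too small")
            return uuid.UUID(bytes=data[offset + 8:offset + 24])
        offset += cmdsize
    raise ValueError("no LC_UUID load command present")

def breakpad_debug_id(u: uuid.UUID) -> str:
    # Assumption: identifier = uppercase UUID hex without dashes + "0".
    return u.hex.upper() + "0"

def build_sample(u: uuid.UUID) -> bytes:
    """Constructed minimal 64-bit image: one filler command, then LC_UUID."""
    cmds = struct.pack("<IIII", 0x24, 16, 0, 0)          # filler command
    cmds += struct.pack("<II", LC_UUID, 24) + u.bytes
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 6, 2, len(cmds), 0, 0)
    return header + cmds

if __name__ == "__main__":
    sample = build_sample(uuid.UUID(hex="38FF608A11793C96A636230D444BC707"))
    print(breakpad_debug_id(macho_uuid(sample)))
```

Run against each released build of a module, this gives a per-release identifier that can be compared with the one in a crash report.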

Thanks for investigating. I'm going to wontfix this for now since affected users should update to the latest version of keychain-pkcs11 (or use osclientcerts). If it becomes a problem we can consider blocking the shared library (assuming we have that capability on macOS?).

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX