Closed
Bug 1747959
Opened 2 years ago
Closed 2 years ago
Crash in [@ je_free | nssCKFWObject_Destroy | NSSCKFWC_FindObjects | builtinsC_FindObjects]
Categories: Core :: Security: PSM, defect
People: Reporter: jesup, Assigned: jschanck
References: Blocks 1 open bug
Details: Keywords: crash, Whiteboard: [psm-assigned]
Attachments: 1 file
Ongoing double-free crash in NSS, goes back to at least 78ESR
Crash report: https://crash-stats.mozilla.org/report/index/f0b92097-748c-44c0-ad10-36ef70211228
MOZ_CRASH Reason: MOZ_RELEASE_ASSERT((run->mRegionsMask[elm] & (1U << bit)) == 0) (Double-free?)
Top 10 frames of crashing thread:
0 mozglue.dll je_free memory/build/malloc_decls.h:54
1 nssckbi.dll nssCKFWObject_Destroy security/nss/lib/ckfw/object.c:276
2 nssckbi.dll NSSCKFWC_FindObjects security/nss/lib/ckfw/wrap.c:2576
3 nssckbi.dll builtinsC_FindObjects security/nss/lib/ckfw/nssck.api:706
4 nss3.dll pk11_FindObjectsByTemplate security/nss/lib/pk11wrap/pk11obj.c:1896
5 nss3.dll PK11_FindRawCertsWithSubject security/nss/lib/pk11wrap/pk11obj.c:1947
6 xul.dll mozilla::psm::NSSCertDBTrustDomain::FindIssuer security/certverifier/NSSCertDBTrustDomain.cpp:246
7 xul.dll mozilla::pkix::BuildForward security/nss/lib/mozpkix/lib/pkixbuild.cpp:365
8 xul.dll mozilla::pkix::PathBuildingStep::Check security/nss/lib/mozpkix/lib/pkixbuild.cpp:211
9 xul.dll mozilla::psm::CheckCandidates security/certverifier/NSSCertDBTrustDomain.cpp:185
Updated • 2 years ago (Reporter)
Flags: needinfo?(dkeeler)
Assignee: nobody → nobody
Component: Security → Libraries
Flags: needinfo?(dkeeler)
Product: Core → NSS
Version: unspecified → other
Comment 1 • 2 years ago (Assignee)
Looks like this could be PSM actually. We're not taking the module list lock in FindRootsWithSubject
https://searchfox.org/mozilla-central/source/security/certverifier/NSSCertDBTrustDomain.cpp#114.
Assignee: nobody → jschanck
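Comment 1 attributes the crash to code that works with the module list without holding its lock. The C sketch below is an added example, not code from NSS, Firefox or the landed patch: `ModuleList`, `try_unload` and `walk` are hypothetical names, and the competing unload is replayed on one thread so the check-then-use window is deterministic.

```c
/* Added illustration: a simplified model, not NSS or Firefox code. */
#include <stdatomic.h>
#include <stdbool.h>

#define NMOD 3

/* Minimal list lock: state > 0 means N readers, -1 means one writer. */
typedef struct { atomic_int state; bool loaded[NMOD]; } ModuleList;

static bool read_lock(ModuleList *m) {
    int s = atomic_load(&m->state);
    while (s >= 0)                       /* retry while no writer holds it */
        if (atomic_compare_exchange_weak(&m->state, &s, s + 1)) return true;
    return false;
}
static void read_unlock(ModuleList *m) { atomic_fetch_sub(&m->state, 1); }

/* Unload path: needs exclusive ownership before touching an entry. */
static bool try_unload(ModuleList *m, int i) {
    int idle = 0;
    if (!atomic_compare_exchange_strong(&m->state, &idle, -1)) return false;
    m->loaded[i] = false;
    atomic_store(&m->state, 0);
    return true;
}

/* Walk the list and count entries that vanish between check and use.
 * The try_unload() call replays a competing thread arriving mid-walk. */
static int walk(ModuleList *m, bool take_lock) {
    int vanished = 0;
    if (take_lock && !read_lock(m)) return -1;
    for (int i = 0; i < NMOD; i++) {
        bool seen = m->loaded[i];                /* check */
        try_unload(m, i);                        /* other thread's turn */
        if (seen && !m->loaded[i]) vanished++;   /* use of a stale entry */
    }
    if (take_lock) read_unlock(m);
    return vanished;
}

/* Constructed sample lists: three loaded entries each. */
int walk_without_lock(void) {
    ModuleList m = { 0, { true, true, true } };
    return walk(&m, false);
}
int walk_with_read_lock(void) {
    ModuleList m = { 0, { true, true, true } };
    return walk(&m, true);
}
```

Without the read lock every entry is torn down between the check and the use; with it, the unload attempt is refused until the walk finishes.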
Comment 2 • 2 years ago (Assignee)
Pushed by jschanck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5de493c03573 Take module list lock in FindRootsWithSubject. r=keeler
Comment 4 • 2 years ago (bugherder)
Component: Libraries → Security: PSM
Product: NSS → Core
Whiteboard: [psm-assigned]
Version: other → unspecified
See Also: → 1754294
Updated • 2 years ago
status-firefox97: --- → wontfix
status-firefox98: --- → affected
status-firefox-esr91: --- → affected
Updated • 2 years ago
Crash Signature: [@ je_free | nssCKFWObject_Destroy | NSSCKFWC_FindObjects | builtinsC_FindObjects] → [@ je_free | nssCKFWObject_Destroy | NSSCKFWC_FindObjects | builtinsC_FindObjects]
[@ nssCKFWMutex_Unlock | nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | PK11_ReadAttribute]
Updated • 2 years ago
Crash Signature: [@ je_free | nssCKFWObject_Destroy | NSSCKFWC_FindObjects | builtinsC_FindObjects]
[@ nssCKFWMutex_Unlock | nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | PK11_ReadAttribute] → [@ je_free | nssCKFWObject_Destroy | NSSCKFWC_FindObjects | builtinsC_FindObjects]
[@ nssCKFWMutex_Unlock | nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | PK11_ReadAttribute]
[@ nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | PK11_Rea…
Updated • 2 years ago (Assignee)
Crash Signature: [@ je_free | nssCKFWObject_Destroy | NSSCKFWC_FindObjects | builtinsC_FindObjects]
[@ nssCKFWMutex_Unlock | nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | PK11_ReadAttribute]
[@ nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | PK11_Rea… → [@ je_free | nssCKFWObject_Destroy | NSSCKFWC_FindObjects | builtinsC_FindObjects]
[@ nssCKFWMutex_Unlock | nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | PK11_ReadAttribute]
[@ nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | PK11_R…
Comment 7 • 2 years ago
The patch landed in nightly and beta is affected.
:jschanck, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
Flags: needinfo?(jschanck)
Updated • 2 years ago (Assignee)
Flags: needinfo?(jschanck)
Updated • 2 years ago
Crash Signature: PK11_ReadAttribute]
[@ nssCKFWMutex_Unlock | nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | builtinsC_GetAttributeValue ] → PK11_ReadAttribute]
[@ nssCKFWMutex_Unlock | nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | builtinsC_GetAttributeValue ]
[@ nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | builtinsC_GetAttributeValue]
Updated • 2 years ago
Crash Signature: [@ je_free | nssCKFWObject_Destroy | NSSCKFWC_FindObjects | builtinsC_FindObjects]
[@ nssCKFWMutex_Unlock | nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | PK11_ReadAttribute]
[@ nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | PK11_R… → [@ je_free | nssCKFWObject_Destroy | NSSCKFWC_FindObjects | builtinsC_FindObjects]
[@ nssCKFWMutex_Unlock | nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | builtinsC_GetAttributeValue ]
[@ nssCKFWMutex_Unlock | nssCKFWObject_GetAttribute | NSS…