Closed Bug 1747959 Opened 2 years ago Closed 2 years ago

Crash in [@ je_free | nssCKFWObject_Destroy | NSSCKFWC_FindObjects | builtinsC_FindObjects]

Categories

(Core :: Security: PSM, defect)

Unspecified
Windows 10
defect

Tracking

()

RESOLVED FIXED
Tracking Status
firefox-esr91 --- wontfix
firefox97 --- wontfix
firefox98 --- wontfix
firefox99 --- fixed

People

(Reporter: jesup, Assigned: jschanck)

References

(Blocks 1 open bug)

Details

(Keywords: crash, Whiteboard: [psm-assigned])

Crash Data

Attachments

(1 file)

Ongoing double-free crash in NSS, goes back to at least 78ESR

Crash report: https://crash-stats.mozilla.org/report/index/f0b92097-748c-44c0-ad10-36ef70211228

MOZ_CRASH Reason: MOZ_RELEASE_ASSERT((run->mRegionsMask[elm] & (1U << bit)) == 0) (Double-free?)

Top 10 frames of crashing thread:

0 mozglue.dll je_free memory/build/malloc_decls.h:54
1 nssckbi.dll nssCKFWObject_Destroy security/nss/lib/ckfw/object.c:276
2 nssckbi.dll NSSCKFWC_FindObjects security/nss/lib/ckfw/wrap.c:2576
3 nssckbi.dll builtinsC_FindObjects security/nss/lib/ckfw/nssck.api:706
4 nss3.dll pk11_FindObjectsByTemplate security/nss/lib/pk11wrap/pk11obj.c:1896
5 nss3.dll PK11_FindRawCertsWithSubject security/nss/lib/pk11wrap/pk11obj.c:1947
6 xul.dll mozilla::psm::NSSCertDBTrustDomain::FindIssuer security/certverifier/NSSCertDBTrustDomain.cpp:246
7 xul.dll mozilla::pkix::BuildForward security/nss/lib/mozpkix/lib/pkixbuild.cpp:365
8 xul.dll mozilla::pkix::PathBuildingStep::Check security/nss/lib/mozpkix/lib/pkixbuild.cpp:211
9 xul.dll mozilla::psm::CheckCandidates security/certverifier/NSSCertDBTrustDomain.cpp:185
Flags: needinfo?(dkeeler)
Assignee: nobody → nobody
Component: Security → Libraries
Flags: needinfo?(dkeeler)
Product: Core → NSS
Version: unspecified → other

Looks like this could be PSM actually. We're not taking the module list lock in FindRootsWithSubject https://searchfox.org/mozilla-central/source/security/certverifier/NSSCertDBTrustDomain.cpp#114.

Assignee: nobody → jschanck
Pushed by jschanck@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5de493c03573
Take module list lock in FindRootsWithSubject. r=keeler
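
A deterministic, single-threaded model of the locking gap named in the comment above and closed by this commit. It is an added example, not code from NSS, PSM or the patch. All names are hypothetical, and the choice of a module teardown as the concurrent writer is an assumption made for illustration; the bug does not say which writer was involved.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model with hypothetical names; not NSS or PSM code. */
typedef struct { int readers; } rwlock_t;            /* counts active readers */
typedef struct { bool loaded; } module_t;            /* stand-in for a PKCS#11 module */
typedef struct { rwlock_t lock; module_t *mod; } module_list_t;

static void read_lock(rwlock_t *l)   { l->readers++; }
static void read_unlock(rwlock_t *l) { l->readers--; }

/* Writer: may tear the module down only while no reader holds the list lock.
 * Returns true if the teardown happened, false if the writer has to wait. */
static bool writer_try_unload(module_list_t *ml) {
    if (ml->lock.readers > 0) return false;
    ml->mod->loaded = false;
    return true;
}

/* Reader: picks a module from the list, then uses it. The writer is run between
 * the two steps to reproduce, deterministically, the schedule a race needs.
 * Returns true if the module was still live when the reader used it. */
static bool reader_find(module_list_t *ml, bool take_lock) {
    if (take_lock) read_lock(&ml->lock);
    module_t *m = ml->mod;              /* step 1: take a reference from the list */
    (void)writer_try_unload(ml);        /* other thread scheduled here */
    bool live = m->loaded;              /* step 2: use it (real code would call into it) */
    if (take_lock) read_unlock(&ml->lock);
    return live;
}

/* Builds a fresh list and runs one reader/writer interleaving. */
static bool scenario(bool take_lock) {
    module_t mod = { .loaded = true };
    module_list_t ml = { .lock = { 0 }, .mod = &mod };
    return reader_find(&ml, take_lock);
}

int main(void) {
    printf("without list lock: module live at use = %d\n", scenario(false));
    printf("with list lock:    module live at use = %d\n", scenario(true));
    return 0;
}
```

In the unlocked run the reader ends up using state the writer has already torn down; in the locked run the writer is held off until the reader releases the list lock.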
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Component: Libraries → Security: PSM
Product: NSS → Core
Whiteboard: [psm-assigned]
Version: other → unspecified
Crash Signature: [@ je_free | nssCKFWObject_Destroy | NSSCKFWC_FindObjects | builtinsC_FindObjects] → [@ je_free | nssCKFWObject_Destroy | NSSCKFWC_FindObjects | builtinsC_FindObjects] [@ nssCKFWMutex_Unlock | nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | PK11_ReadAttribute]
Crash Signature: [@ je_free | nssCKFWObject_Destroy | NSSCKFWC_FindObjects | builtinsC_FindObjects] [@ nssCKFWMutex_Unlock | nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | PK11_ReadAttribute] → [@ je_free | nssCKFWObject_Destroy | NSSCKFWC_FindObjects | builtinsC_FindObjects] [@ nssCKFWMutex_Unlock | nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | PK11_ReadAttribute] [@ nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | PK11_Rea…
Crash Signature: [@ je_free | nssCKFWObject_Destroy | NSSCKFWC_FindObjects | builtinsC_FindObjects] [@ nssCKFWMutex_Unlock | nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | PK11_ReadAttribute] [@ nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | PK11_Rea… → [@ je_free | nssCKFWObject_Destroy | NSSCKFWC_FindObjects | builtinsC_FindObjects] [@ nssCKFWMutex_Unlock | nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | PK11_ReadAttribute] [@ nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | PK11_R…

The patch landed in nightly and beta is affected.
:jschanck, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(jschanck)
Crash Signature: PK11_ReadAttribute] [@ nssCKFWMutex_Unlock | nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | builtinsC_GetAttributeValue ] → PK11_ReadAttribute] [@ nssCKFWMutex_Unlock | nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | builtinsC_GetAttributeValue ] [@ nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | builtinsC_GetAttributeValue]
Crash Signature: [@ je_free | nssCKFWObject_Destroy | NSSCKFWC_FindObjects | builtinsC_FindObjects] [@ nssCKFWMutex_Unlock | nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | PK11_ReadAttribute] [@ nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | PK11_R… → [@ je_free | nssCKFWObject_Destroy | NSSCKFWC_FindObjects | builtinsC_FindObjects] [@ nssCKFWMutex_Unlock | nssCKFWObject_GetAttribute | NSSCKFWC_GetAttributeValue | builtinsC_GetAttributeValue ] [@ nssCKFWMutex_Unlock | nssCKFWObject_GetAttribute | NSS…
Blocks: 1763237