ThreadSanitizer: data race /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/softoken/sdb.c:1667:29 in sdb_GetMetaData
Categories: NSS :: Libraries, defect
Tracking: Not tracked
People: Reporter: mdauer, Assigned: mdauer
References: Blocks 1 open bug
Attachments: 2 files
This was found as part of Bug 1913677. To reproduce, perform the following steps:
- Apply the patch from D226460
- Build with
  ./build.sh -c --fuzz=tsan --disable-tests
- Run
  mkdir nsstsandb && certutil -N -d sql:nsstsandb --empty-password
- Run
  TSAN_OPTIONS="suppressions=/path/to/nss/fuzz/config/tsan.suppressions" /path/to/dist/Debug/bin/nsstsan-database replay /path/to/crash-1741008612/*
Note that this only seems to reliably reproduce without optimizations (-O0), so you may also need to apply the following before building in order to reproduce:
diff --git a/coreconf/config.gypi b/coreconf/config.gypi
--- a/coreconf/config.gypi
+++ b/coreconf/config.gypi
@@ -201,7 +201,7 @@
}],
[ 'fuzz==1', {
'variables': {
- 'debug_optimization_level%': '3',
+ 'debug_optimization_level%': '0',
},
}],
[ 'target_arch=="ia32" or target_arch=="x64"', {
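Review bot: in the `fuzz==1` block, setting `'debug_optimization_level%'` to '0' changes the default for every build configured with fuzzing, not only the TSan database target this report is about. Treat it as a local reproduction aid and do not land it as is; if an unoptimized TSan build is wanted permanently, gate the value on a separate variable so the other fuzz configurations keep level '3'.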
diff --git a/fuzz/targets/targets.gyp b/fuzz/targets/targets.gyp
--- a/fuzz/targets/targets.gyp
+++ b/fuzz/targets/targets.gyp
@@ -7,7 +7,7 @@
],
'target_defaults': {
'variables': {
- 'debug_optimization_level': '3',
+ 'debug_optimization_level': '0',
},
'target_conditions': [
[ '_type=="executable"', {
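Review bot: the `target_defaults` value `'debug_optimization_level': '0'` applies to every target defined in fuzz/targets/targets.gyp, so all fuzz targets lose optimization along with the one needed here. If this is ever applied outside a local tree, add a comment beside the value recording that level '0' is only there because the race does not reproduce reliably with optimizations, so the setting is not carried forward or reverted without context.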
Marking this security sensitive as a precaution.
Comment 1 (Assignee) • 11 months ago
WARNING: ThreadSanitizer: data race (pid=291518)
Read of size 8 at 0x721800001e68 by thread T4 (mutexes: write M0, write M1):
#0 sdb_GetMetaData /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/softoken/sdb.c:1667:29 (nsstsan-database+0x292f5e) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#1 sftkdb_getRawAttributeSignature /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/softoken/sftkdb.c:294:11 (nsstsan-database+0x2636d3) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#2 sftkdb_GetAttributeSignature /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/softoken/sftkdb.c:304:12 (nsstsan-database+0x2635ea) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#3 sftkdb_fixupTemplateOut /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/softoken/sftkdb.c:463:25 (nsstsan-database+0x266f42) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#4 sftkdb_GetAttributeValue /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/softoken/sftkdb.c:1459:12 (nsstsan-database+0x266455) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#5 nsc_GetTokenAttributeValue /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/softoken/pkcs11.c:5004:11 (nsstsan-database+0x229316) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#6 NSC_GetAttributeValue /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/softoken/pkcs11.c:5057:15 (nsstsan-database+0x228e94) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#7 nssCKObject_GetAttributes /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/dev/ckhelper.c:112:12 (nsstsan-database+0x157fa6) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#8 nssCryptokiTrust_GetAttributes /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/dev/ckhelper.c:439:18 (nsstsan-database+0x159849) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#9 nssTrust_Create /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pki/certificate.c:948:18 (nsstsan-database+0x169242) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#10 nssTrustDomain_FindTrustForCertificate /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pki/trustdomain.c:1087:15 (nsstsan-database+0x17e26a) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#11 nssTrust_GetCERTCertTrustForCert /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pki/pki3hack.c:618:9 (nsstsan-database+0x16e1c9) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#12 STAN_ChangeCertTrust /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pki/pki3hack.c:1165:16 (nsstsan-database+0x16f8a9) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#13 CERT_ChangeCertTrust /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/certdb/stanpcertdb.c:236:11 (nsstsan-database+0x134c68) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#14 NSSCertificateDB_DeleteCertificate(unsigned char) /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/targets/tsan_database.cc:236:9 (nsstsan-database+0x102595) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#15 TSanThread::SingleRun() /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/targets/tsan_database.cc:309:3 (nsstsan-database+0x1019f4) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#16 TSanThread::Replay(std::experimental::filesystem::v1::__cxx11::path) /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/targets/lib/tsan/thread.cc:85:9 (nsstsan-database+0x113996) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#17 void std::__invoke_impl<void, void (TSanThread::*)(std::experimental::filesystem::v1::__cxx11::path), TSanThread*, std::experimental::filesystem::v1::__cxx11::path>(std::__invoke_memfun_deref, void (TSanThread::*&&)(std::experimental::filesystem::v1::__cxx11::path), TSanThread*&&, std::experimental::filesystem::v1::__cxx11::path&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:74:14 (nsstsan-database+0x116511) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#18 std::__invoke_result<void (TSanThread::*)(std::experimental::filesystem::v1::__cxx11::path), TSanThread*, std::experimental::filesystem::v1::__cxx11::path>::type std::__invoke<void (TSanThread::*)(std::experimental::filesystem::v1::__cxx11::path), TSanThread*, std::experimental::filesystem::v1::__cxx11::path>(void (TSanThread::*&&)(std::experimental::filesystem::v1::__cxx11::path), TSanThread*&&, std::experimental::filesystem::v1::__cxx11::path&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:96:14 (nsstsan-database+0x116315) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#19 void std::thread::_Invoker<std::tuple<void (TSanThread::*)(std::experimental::filesystem::v1::__cxx11::path), TSanThread*, std::experimental::filesystem::v1::__cxx11::path>>::_M_invoke<0ul, 1ul, 2ul>(std::_Index_tuple<0ul, 1ul, 2ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_thread.h:292:13 (nsstsan-database+0x1162a3) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#20 std::thread::_Invoker<std::tuple<void (TSanThread::*)(std::experimental::filesystem::v1::__cxx11::path), TSanThread*, std::experimental::filesystem::v1::__cxx11::path>>::operator()() /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_thread.h:299:11 (nsstsan-database+0x116225) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#21 std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (TSanThread::*)(std::experimental::filesystem::v1::__cxx11::path), TSanThread*, std::experimental::filesystem::v1::__cxx11::path>>>::_M_run() /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_thread.h:244:13 (nsstsan-database+0x115c79) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#22 execute_native_thread_routine /build/gcc-14-ig5ci0/gcc-14-14.2.0/build/x86_64-linux-gnu/libstdc++-v3/src/c++11/../../../../../src/libstdc++-v3/src/c++11/thread.cc:104:18 (libstdc++.so.6+0xecdb3) (BuildId: ca77dae775ec87540acd7218fa990c40d1c94ab1)
Previous write of size 8 at 0x721800001e68 by thread T6:
#0 sdb_Begin /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/softoken/sdb.c:1553:26 (nsstsan-database+0x2927eb) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#1 sftk_signTemplate /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/softoken/sftkdb.c:578:15 (nsstsan-database+0x26acea) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#2 sftkdb_setAttributeValue /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/softoken/sftkdb.c:1212:11 (nsstsan-database+0x26577a) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#3 sftkdb_write /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/softoken/sftkdb.c:1310:15 (nsstsan-database+0x2647dc) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#4 sftk_handleTrustObject /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/softoken/pkcs11.c:937:15 (nsstsan-database+0x21e69a) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#5 sftk_handleObject /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/softoken/pkcs11.c:1829:19 (nsstsan-database+0x21e08f) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#6 NSC_CreateObject /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/softoken/pkcs11.c:4880:11 (nsstsan-database+0x22844c) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#7 import_object /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/dev/devtoken.c:188:12 (nsstsan-database+0x15e0f4) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#8 nssToken_ImportTrust /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/dev/devtoken.c:1021:14 (nsstsan-database+0x160cc7) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#9 STAN_ChangeCertTrust /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pki/pki3hack.c:1266:23 (nsstsan-database+0x17006d) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#10 CERT_ChangeCertTrust /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/certdb/stanpcertdb.c:236:11 (nsstsan-database+0x134c68) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#11 NSSCertificateDB_DeleteCertificate(unsigned char) /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/targets/tsan_database.cc:236:9 (nsstsan-database+0x102595) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#12 TSanThread::SingleRun() /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/targets/tsan_database.cc:309:3 (nsstsan-database+0x1019f4) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#13 TSanThread::Replay(std::experimental::filesystem::v1::__cxx11::path) /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/targets/lib/tsan/thread.cc:85:9 (nsstsan-database+0x113996) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#14 void std::__invoke_impl<void, void (TSanThread::*)(std::experimental::filesystem::v1::__cxx11::path), TSanThread*, std::experimental::filesystem::v1::__cxx11::path>(std::__invoke_memfun_deref, void (TSanThread::*&&)(std::experimental::filesystem::v1::__cxx11::path), TSanThread*&&, std::experimental::filesystem::v1::__cxx11::path&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:74:14 (nsstsan-database+0x116511) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#15 std::__invoke_result<void (TSanThread::*)(std::experimental::filesystem::v1::__cxx11::path), TSanThread*, std::experimental::filesystem::v1::__cxx11::path>::type std::__invoke<void (TSanThread::*)(std::experimental::filesystem::v1::__cxx11::path), TSanThread*, std::experimental::filesystem::v1::__cxx11::path>(void (TSanThread::*&&)(std::experimental::filesystem::v1::__cxx11::path), TSanThread*&&, std::experimental::filesystem::v1::__cxx11::path&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:96:14 (nsstsan-database+0x116315) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#16 void std::thread::_Invoker<std::tuple<void (TSanThread::*)(std::experimental::filesystem::v1::__cxx11::path), TSanThread*, std::experimental::filesystem::v1::__cxx11::path>>::_M_invoke<0ul, 1ul, 2ul>(std::_Index_tuple<0ul, 1ul, 2ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_thread.h:292:13 (nsstsan-database+0x1162a3) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#17 std::thread::_Invoker<std::tuple<void (TSanThread::*)(std::experimental::filesystem::v1::__cxx11::path), TSanThread*, std::experimental::filesystem::v1::__cxx11::path>>::operator()() /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_thread.h:299:11 (nsstsan-database+0x116225) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#18 std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (TSanThread::*)(std::experimental::filesystem::v1::__cxx11::path), TSanThread*, std::experimental::filesystem::v1::__cxx11::path>>>::_M_run() /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_thread.h:244:13 (nsstsan-database+0x115c79) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#19 execute_native_thread_routine /build/gcc-14-ig5ci0/gcc-14-14.2.0/build/x86_64-linux-gnu/libstdc++-v3/src/c++11/../../../../../src/libstdc++-v3/src/c++11/thread.cc:104:18 (libstdc++.so.6+0xecdb3) (BuildId: ca77dae775ec87540acd7218fa990c40d1c94ab1)
Location is heap block of size 88 at 0x721800001e60 allocated by main thread:
#0 malloc <null> (nsstsan-database+0x7ee10) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#1 sdb_init /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/softoken/sdb.c:2215:27 (nsstsan-database+0x294807) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#2 s_open /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/softoken/sdb.c:2430:17 (nsstsan-database+0x295c4e) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#3 sftk_DBInit /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/softoken/sftkdb.c:2906:19 (nsstsan-database+0x269fe9) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#4 SFTK_SlotReInit /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/softoken/pkcs11.c:2886:15 (nsstsan-database+0x221d1b) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#5 SFTK_SlotInit /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/softoken/pkcs11.c:3007:11 (nsstsan-database+0x222aed) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#6 nsc_CommonInitialize /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/softoken/pkcs11.c:3563:15 (nsstsan-database+0x224067) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#7 NSC_Initialize /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/softoken/pkcs11.c:3629:11 (nsstsan-database+0x22479d) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#8 secmod_ModuleInit /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pk11wrap/pk11load.c:245:11 (nsstsan-database+0x1d85fb) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#9 secmod_InitializeModuleAndGetSlotInfo /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pk11wrap/pk11load.c:569:10 (nsstsan-database+0x1d99dd) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#10 secmod_LoadPKCS11Module /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pk11wrap/pk11load.c:678:10 (nsstsan-database+0x1da336) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#11 SECMOD_LoadModule /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pk11wrap/pk11pars.c:2143:10 (nsstsan-database+0x1f4e7e) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#12 SECMOD_LoadModule /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pk11wrap/pk11pars.c:2179:29 (nsstsan-database+0x1f4ffb) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#13 nss_InitModules /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/nss/nssinit.c:464:18 (nsstsan-database+0x1a7981) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#14 nss_Init /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/nss/nssinit.c:689:18 (nsstsan-database+0x1a543e) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#15 NSS_Initialize /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/nss/nssinit.c:889:12 (nsstsan-database+0x1a5b0a) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#16 NSSDatabase::NSSDatabase(char const*) /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/targets/lib/base/database.h:16:5 (nsstsan-database+0x101e25) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#17 main /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/targets/tsan_database.cc:318:20 (nsstsan-database+0x101aef) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
Mutex M0 (0x722c00040060) created at:
#0 pthread_mutex_init <null> (nsstsan-database+0x81fe3) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#1 PR_NewLock /home/mdauer/mercurial/nss-nspr/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c:131:10 (nsstsan-database+0x6b5f1f) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#2 nssPKIObject_NewLock /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pki/pkibase.c:56:33 (nsstsan-database+0x171f15) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#3 nssPKIObject_Create /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pki/pkibase.c:108:23 (nsstsan-database+0x1721f2) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#4 nssTrustDomain_FindTrustForCertificate /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pki/trustdomain.c:1074:28 (nsstsan-database+0x17e1e9) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#5 nssTrust_GetCERTCertTrustForCert /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pki/pki3hack.c:618:9 (nsstsan-database+0x16e1c9) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#6 STAN_ChangeCertTrust /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pki/pki3hack.c:1165:16 (nsstsan-database+0x16f8a9) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#7 CERT_ChangeCertTrust /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/certdb/stanpcertdb.c:236:11 (nsstsan-database+0x134c68) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#8 NSSCertificateDB_DeleteCertificate(unsigned char) /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/targets/tsan_database.cc:236:9 (nsstsan-database+0x102595) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#9 TSanThread::SingleRun() /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/targets/tsan_database.cc:309:3 (nsstsan-database+0x1019f4) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#10 TSanThread::Replay(std::experimental::filesystem::v1::__cxx11::path) /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/targets/lib/tsan/thread.cc:85:9 (nsstsan-database+0x113996) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#11 void std::__invoke_impl<void, void (TSanThread::*)(std::experimental::filesystem::v1::__cxx11::path), TSanThread*, std::experimental::filesystem::v1::__cxx11::path>(std::__invoke_memfun_deref, void (TSanThread::*&&)(std::experimental::filesystem::v1::__cxx11::path), TSanThread*&&, std::experimental::filesystem::v1::__cxx11::path&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:74:14 (nsstsan-database+0x116511) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#12 std::__invoke_result<void (TSanThread::*)(std::experimental::filesystem::v1::__cxx11::path), TSanThread*, std::experimental::filesystem::v1::__cxx11::path>::type std::__invoke<void (TSanThread::*)(std::experimental::filesystem::v1::__cxx11::path), TSanThread*, std::experimental::filesystem::v1::__cxx11::path>(void (TSanThread::*&&)(std::experimental::filesystem::v1::__cxx11::path), TSanThread*&&, std::experimental::filesystem::v1::__cxx11::path&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:96:14 (nsstsan-database+0x116315) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#13 void std::thread::_Invoker<std::tuple<void (TSanThread::*)(std::experimental::filesystem::v1::__cxx11::path), TSanThread*, std::experimental::filesystem::v1::__cxx11::path>>::_M_invoke<0ul, 1ul, 2ul>(std::_Index_tuple<0ul, 1ul, 2ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_thread.h:292:13 (nsstsan-database+0x1162a3) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#14 std::thread::_Invoker<std::tuple<void (TSanThread::*)(std::experimental::filesystem::v1::__cxx11::path), TSanThread*, std::experimental::filesystem::v1::__cxx11::path>>::operator()() /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_thread.h:299:11 (nsstsan-database+0x116225) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#15 std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (TSanThread::*)(std::experimental::filesystem::v1::__cxx11::path), TSanThread*, std::experimental::filesystem::v1::__cxx11::path>>>::_M_run() /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_thread.h:244:13 (nsstsan-database+0x115c79) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#16 execute_native_thread_routine /build/gcc-14-ig5ci0/gcc-14-14.2.0/build/x86_64-linux-gnu/libstdc++-v3/src/c++11/../../../../../src/libstdc++-v3/src/c++11/thread.cc:104:18 (libstdc++.so.6+0xecdb3) (BuildId: ca77dae775ec87540acd7218fa990c40d1c94ab1)
Mutex M1 (0x722c0002fa70) created at:
#0 pthread_mutex_init <null> (nsstsan-database+0x81fe3) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#1 PR_NewLock /home/mdauer/mercurial/nss-nspr/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c:131:10 (nsstsan-database+0x6b5f1f) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#2 PK11_NewSlotInfo /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pk11wrap/pk11slot.c:379:45 (nsstsan-database+0x20f54b) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#3 secmod_InitializeModuleAndGetSlotInfo /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pk11wrap/pk11load.c:628:29 (nsstsan-database+0x1d9dd0) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#4 secmod_LoadPKCS11Module /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pk11wrap/pk11load.c:678:10 (nsstsan-database+0x1da336) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#5 SECMOD_LoadModule /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pk11wrap/pk11pars.c:2143:10 (nsstsan-database+0x1f4e7e) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#6 SECMOD_LoadModule /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pk11wrap/pk11pars.c:2179:29 (nsstsan-database+0x1f4ffb) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#7 nss_InitModules /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/nss/nssinit.c:464:18 (nsstsan-database+0x1a7981) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#8 nss_Init /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/nss/nssinit.c:689:18 (nsstsan-database+0x1a543e) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#9 NSS_Initialize /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/nss/nssinit.c:889:12 (nsstsan-database+0x1a5b0a) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#10 NSSDatabase::NSSDatabase(char const*) /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/targets/lib/base/database.h:16:5 (nsstsan-database+0x101e25) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#11 main /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/targets/tsan_database.cc:318:20 (nsstsan-database+0x101aef) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
Thread T4 (tid=291523, running) created by main thread at:
#0 pthread_create <null> (nsstsan-database+0x807bf) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#1 __gthread_create /build/gcc-14-ig5ci0/gcc-14-14.2.0/build/x86_64-linux-gnu/libstdc++-v3/include/x86_64-linux-gnu/bits/gthr-default.h:676:35 (libstdc++.so.6+0xeceb0) (BuildId: ca77dae775ec87540acd7218fa990c40d1c94ab1)
#2 std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State>>, void (*)()) /build/gcc-14-ig5ci0/gcc-14-14.2.0/build/x86_64-linux-gnu/libstdc++-v3/src/c++11/../../../../../src/libstdc++-v3/src/c++11/thread.cc:172:37 (libstdc++.so.6+0xeceb0)
#3 TSanThread::TSanThread(std::experimental::filesystem::v1::__cxx11::path) /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/targets/lib/tsan/thread.cc:42:13 (nsstsan-database+0x113865) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#4 TSanFramework::Replay(char**, unsigned long) /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/targets/lib/tsan/framework.cc:54:48 (nsstsan-database+0x1103c6) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#5 main /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/targets/tsan_database.cc:327:19 (nsstsan-database+0x101c29) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
Thread T6 (tid=291525, running) created by main thread at:
#0 pthread_create <null> (nsstsan-database+0x807bf) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#1 __gthread_create /build/gcc-14-ig5ci0/gcc-14-14.2.0/build/x86_64-linux-gnu/libstdc++-v3/include/x86_64-linux-gnu/bits/gthr-default.h:676:35 (libstdc++.so.6+0xeceb0) (BuildId: ca77dae775ec87540acd7218fa990c40d1c94ab1)
#2 std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State>>, void (*)()) /build/gcc-14-ig5ci0/gcc-14-14.2.0/build/x86_64-linux-gnu/libstdc++-v3/src/c++11/../../../../../src/libstdc++-v3/src/c++11/thread.cc:172:37 (libstdc++.so.6+0xeceb0)
#3 TSanThread::TSanThread(std::experimental::filesystem::v1::__cxx11::path) /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/targets/lib/tsan/thread.cc:42:13 (nsstsan-database+0x113865) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#4 TSanFramework::Replay(char**, unsigned long) /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/targets/lib/tsan/framework.cc:54:48 (nsstsan-database+0x1103c6) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
#5 main /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/targets/tsan_database.cc:327:19 (nsstsan-database+0x101c29) (BuildId: 837d12aefc54fb2403409d5e527ceb5b85477145)
SUMMARY: ThreadSanitizer: data race /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/softoken/sdb.c:1667:29 in sdb_GetMetaData
Comment 2 (Assignee) • 11 months ago
The race occurs in sdb_GetMetaData here:
    sqlite3 *sqlDB = sdb_p->sqlXactDB;
and in sdb_Begin here:
    sdb_p->sqlXactDB = sqlDB;
We can fix this by moving LOCK_SQLITE() to the beginning of the file. There seem to be a bunch of other places where we read from sdb_p without owning a lock (yet), so we would have to make sure to do this at all of them.
John, does this seem like the right approach to you? If so, I would work on getting a patch ready.
Comment 3 • 11 months ago
I don't think we compile with SQLITE_UNSAFE_THREADS, so LOCK_SQLITE() is a no-op.
The comment on the declaration of sdb_p->sqlXactDB says that it is protected by sdb_p->dbMon. IIRC, PR_Monitors are re-entrant, so we can enter the monitor before we take a reference to sdb_p->sqlXactDB and hold it through sdb_openDBLocal.
Comment 4 (Assignee) • 11 months ago
I see, I didn't know about monitors. After taking a closer look again though, why do we assign sqlDB the value of sdb_p->sqlXactDB if it is overwritten by sdb_openDBLocal right afterwards anyway? That's likely also the reason why it's only hit without optimizations.
I don't see a security impact here, so we can remove the restrictions.
Comment 5 (Assignee) • 11 months ago
Comment 6 • 11 months ago
Oh, even better. Clearing the flags and security marker since the raced-on value was never used.
Comment 7 • 11 months ago