M17beta topcrash in [@ secmod_DecodeData]

RESOLVED FIXED in 3.9.1

Status

NSS
Libraries
--
critical
RESOLVED FIXED
14 years ago
14 years ago

People

(Reporter: chris hofmann, Assigned: Robert Relyea)

Tracking

({crash, fixed1.7, topcrash})

unspecified
3.9.1
x86
Windows XP
crash, fixed1.7, topcrash
Bug Flags:
blocking1.7 +

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(3 attachments, 5 obsolete attachments)

(Reporter)

Description

14 years ago
Not a lot to go on but this data has shown up in talback reports over the last
few days.

     Count   Offset    Real Signature
[ 27   secmod_DecodeData 2d23143d - secmod_DecodeData ]
 
     Crash date range: 23-MAR-04 to 27-MAR-04
     Min/Max Seconds since last crash: 1 - 29925
     Min/Max Runtime: 38 - 45590
 
     Count   Platform List 
     24   [Windows NT 5.1 build 2600]   
     3   [Windows NT 5.0 build 2195]   
 
     Count   Build Id List 
     27   2004031615
 
     No of Unique Users         4
 
 Stack trace(Frame) 

	 secmod_DecodeData
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/security/nss/lib/softoken/pk11db.c
 line 619] 
	 secmod_ReadPermDB
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/security/nss/lib/softoken/pk11db.c
 line 779] 
	 NSC_ModuleDBFunc
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/security/nss/lib/softoken/pkcs11.c
 line 2672] 
	 SECMOD_GetModuleSpecList
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/security/nss/lib/pk11wrap/pk11pars.c
 line 228] 
	 SECMOD_LoadModule
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/security/nss/lib/pk11wrap/pk11pars.c
 line 326] 
	 nss_Init
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/security/nss/lib/nss/nssinit.c
 line 457] 
	 NSS_InitReadWrite
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/security/nss/lib/nss/nssinit.c
 line 501] 
	 nsNSSComponent::InitializeNSS
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/security/manager/ssl/src/nsNSSComponent.cpp
 line 1118]  
 
     (5692)	URL: www.yahoo.com
     (5666)	URL: www.yahoo.com
     (5633)	URL: www.yahoo.com
     (5217)	URL: www.yahoo.com
     (5073)	URL: www.yahoo.com
     (4818)	URL: www.yahoo.com
     (4818)	Comments: just surfing. mozilla 1.6 and 1.7b really are crashing
very frequently  for me. www.msnbc.com crashes   www.mtv.com/mtvradio crashes. I
dont have the video card that everyone else is having a problem with. Dont know
whats up with this thing
(Reporter)

Updated

14 years ago
No longer blocks: 238446

Comment 1

14 years ago
Bob, could you take a look at this?
Assignee: wchang0222 → rrelyea0264
(Assignee)

Comment 2

14 years ago
Just looking at the stack traceback, it looks like a corrupted database of some
kind. I'll take a look at secmod_DecodeData and see if it needs to be more
defensive.

bob
(Assignee)

Comment 3

14 years ago
It looks like the slotCount is thrashed in the secmod.db. The forthcoming patch
will be more agressive in protecting itself against invalid databases. Code
changes were made based on code inspection. Testing of the patch was limited to
running all.sh (doesn't seem to break anything new).

I suggest the patch get a couple of reviews, then some testing in the wild
before release into the wild.

The code in question is pretty stable, having been changed only once in the last
year.
(Assignee)

Comment 4

14 years ago
Created attachment 145061 [details] [diff] [review]
Be more paranoid about data we've fetched from the database.
(Assignee)

Comment 5

14 years ago
Besides protecting against bad database data, the patch also fixes a memory
leak, and handles some out of memory cases it wasn't handling before.

bob
(Reporter)

Comment 6

14 years ago
Comment on attachment 145061 [details] [diff] [review]
Be more paranoid about data we've fetched from the database.

bob, do you think this one is ready to get checked in?	let me know.  it seems
like  a good one to get in for the next mozilla 1.7 release candidate build
that we want to do in a week or so.
Attachment #145061 - Flags: approval1.7?
(Assignee)

Comment 7

14 years ago
Comment on attachment 145061 [details] [diff] [review]
Be more paranoid about data we've fetched from the database.

chris,

Let's get a couple of more eyeballs on it. I've added Nelson & wtc to the
review list.

Most of the changes were made based on my review, and though there are no
regressions in all.sh, it would be good to verify that there are no 'off by one
errors'.

Wan-Teh and Nelson, the changes should be easy to review, even if you are
unfamiliar with the database code. The change basically makes sure we are not
going to read beyond the end of datablock returned to us from the DB code. 


BTW this patch can be applied to NSS  3.8, 3.9 or the tip.
Attachment #145061 - Flags: superreview?(wchang0222)
Attachment #145061 - Flags: review?(MisterSSL)

Comment 8

14 years ago
Comment on attachment 145061 [details] [diff] [review]
Be more paranoid about data we've fetched from the database.

r=wtc.	I think this patch is correct.

Some comments.

>+    /* data needs to be at least as long as the old header format */
>+    if (data->size < (int)(((secmodData *)0)->trustOrder)) {

You may be able to use the offsetof macro here:
   offsetof(secmodData, trustOrder[0]).

I suggest that you use the (unsigned int) typecast on both
sides of the comparison to be consistent with how you handle
this compiler warning in the rest of this function.

>-    slotStrings = (char **)PORT_ArenaAlloc(arena, slotCount * sizeof(char *));
>+    slotStrings = (char **)PORT_ArenaZAlloc(arena, slotCount * sizeof(char *));

This change is not necessary.

Global comment: we should verify that there is no integer
overflow.  I am most worried about 'namesStart', which is
unsigned short and gets added with 'len' (also unsigned
short) several times.  Perhaps we should declare 'namesStart'
as unsigned long?  (Isn't that why 'slotCount' is declared
unsigned long even though it is stored as short in the db?)
Attachment #145061 - Flags: superreview?(wchang0222) → superreview+

Comment 9

14 years ago
Comment on attachment 145061 [details] [diff] [review]
Be more paranoid about data we've fetched from the database.

Bob, another suggestion:

>     /*  slotCount; */
>-    slotStrings = (char **)PORT_ArenaAlloc(arena, slotCount * sizeof(char *));
>+    slotStrings = (char **)PORT_ArenaZAlloc(arena, slotCount * sizeof(char *));

We should handle the allocation failure here.
Comment on attachment 145061 [details] [diff] [review]
Be more paranoid about data we've fetched from the database.

I will send review comments to Bob by private email.
Attachment #145061 - Flags: review?(MisterSSL) → review-
Created attachment 145245 [details] [diff] [review]
My alternative patch, unified diff
Created attachment 145246 [details] [diff] [review]
ny alternaive patch - context diff

This is the same patch as the previous attachment, but in context diff form.
Since this is practically a rewrite of the function, it's easier for a 
reviewer to review the correctness of the function using the second part
of this patch, than with a unified diff, IMO.  

I wish I could test this with a secmod.db file that is known to have one
or more of the problems that were the cause of this bug.
Comment on attachment 145246 [details] [diff] [review]
ny alternaive patch - context diff

Please review this patch (or the equivalent patch in the previous attachment).  
Also, Please TEST this patch.  (I did, but my tree isn't completely clean of
other changes.)
Attachment #145246 - Flags: superreview?(wchang0222)
Attachment #145246 - Flags: review?(rrelyea0264)
(Reporter)

Updated

14 years ago
Blocks: 238446
(Assignee)

Comment 14

14 years ago
Comment on attachment 145246 [details] [diff] [review]
ny alternaive patch - context diff

For the most part the patch is fine. There is only one stylistic thing I have a
problem with (doesn't warrant a r-), which is moving the intialization of the
internal paramters away from the point we initialize parmeters for other
tokens.

The part that does need to be fixed is the overlap check. For future
compatibility, the code should be agnostic about where the slot blocks and the
name blocks live in respect to each other).

I suggest either removing the check or reworking the check to handle the case
where the slot block comes before the name block.

I'll attach a patch which is a diff against nelson's patch (the majority of
which is fine) to accomplish this.

bob
Attachment #145246 - Flags: review?(rrelyea0264) → review-
(Assignee)

Comment 15

14 years ago
Created attachment 145278 [details] [diff] [review]
This is a context diff between my proposed code and nelson's patch
(Assignee)

Comment 16

14 years ago
Created attachment 145279 [details] [diff] [review]
Complete diff including nelson's patch & my changes to it
(Assignee)

Comment 17

14 years ago
Comment on attachment 145279 [details] [diff] [review]
Complete diff including nelson's patch & my changes to it

This patch is basically nelson's patch 145246 with a delta. If you've already
reviewed nelson's patch, you can use the mozilla feature to display the
differences between 2 patches.

patch #145278 was an attemmpt to post just the diffs, but mozilla's diff
feature does not display it corrrectly.
Attachment #145279 - Flags: superreview?(wchang0222)
Attachment #145279 - Flags: review?(MisterSSL)
After I submitted the two patches above, I had these additional ideas on 
how to improve the checks:

1. Check that both the names offset and the slots offset do not overlap the
header part of the data buffer.
2. Check that both the names block and the slots blocks do not overlap,
regardless of order.  Since the length of the names block cannot be known 
until after that block is parsed, this check cannot be made until after the 
names block has been parsed, and the length of the slots block has been 
obtained (which is the same place where I placed the existing check).

IMO, the code should incorporate those improvements.
I will shortly review Bob's diffs.  
Comment on attachment 145279 [details] [diff] [review]
Complete diff including nelson's patch & my changes to it

Bob,  I agree with all of your latest patch except this part:

>+    /* 
>+     * Consistancy check: Part2. We now have the slot block length, we can 
>+     * check the case where the slotblock procedes the name block.
>+     */
>+    if (slotOffset < namesOffset) { /* slot block starts before name block */
>+	if (namesOffset > 
>+	       slotOffset + slotCount + 2 + slotCount*sizeof(secmodSlotData)) {
>+	    goto db_loser;
>+	}
>+    }

I think the sense of that inner comparison is backwards, and there seems to be 
an extra slotCount in the sum.	I think the proper test would be:

>+    if (slotOffset < namesOffset &&  /* slot block starts before name block */
>+	  slotOffset + 2 + slotCount*sizeof(secmodSlotData) > namesOffset) {
>+	    goto db_loser;
>+    }

Updated

14 years ago
Keywords: crash, topcrash
(Assignee)

Comment 20

14 years ago
Chris,

I've checked in the my final patch with nelson's changes to the NSS trunk. 
Where do you need the change to make the 1.7 release?

bob
I think this fix wants to go into the 3.9 branch, too, no?
(Reporter)

Comment 22

14 years ago
it is where ever we pick up NSS from... 
I think it is the 3.9 branch. 
wtc will know for sure

1.7 release has not branched yet it is still on the trunk.
Chris, This bug is not marked as blocking 1.7 final.  Does it?

The patches that fix this bug have been checked in on the NSS trunk, 
but not on any NSS branch.  For the actual checked-in diffs, see
http://bonsai.mozilla.org/cvsview2.cgi?command=DIFF&subdir=mozilla%2Fsecurity%2Fnss%2Flib%2Fsoftoken&file=pk11db.c&rev1=1.26&rev2=1.28&whitespace_mode=show&diff_mode=context

Unless the diffs are also applied to the NSS 3.9 branch, these changes 
will not go into NSS 3.9.1, and hence not into moz 1.7 final
(which intends to use NSS 3.9.1 RTM, as I understand it).  
(Reporter)

Comment 24

14 years ago
yes, we would very, very, much like to get this in 1.7...   can someone do the
dead...  marked as blocking and approved...
Flags: blocking1.7+
(Reporter)

Comment 25

14 years ago
Comment on attachment 145279 [details] [diff] [review]
Complete diff including nelson's patch & my changes to it

a=chofmann for 1.7
Attachment #145279 - Flags: approval1.7+

Updated

14 years ago
Attachment #145061 - Flags: approval1.7?

Updated

14 years ago
Severity: normal → critical
Created attachment 145773 [details] [diff] [review]
patch for NSS 3.9 branch for moz 1.7

This patch is what Bob finally checked in on the NSS trunk to resolve this
bug for NSS 3.10.  But moz 1.7 will use NSS 3.9.1, which (IINM) is coming
from the NSS 3.9 branch.  

There is some question about whether this has had enough testing to go into 
moz 1.7 final.	It might be very helpful if some of the CC list readers of 
this bug would be willing to test moz 1.7 with a build of NSS shared libraries 

that include this fix.	Interested parties should email me directly.

Bob and Wan-Teh, are you ok with checking this into the NSS 3.9 branch for 
NSS 3.9.1 ?
Attachment #145061 - Attachment is obsolete: true
Attachment #145245 - Attachment is obsolete: true
Attachment #145246 - Attachment is obsolete: true
Attachment #145278 - Attachment is obsolete: true
Attachment #145279 - Attachment is obsolete: true
Comment on attachment 145246 [details] [diff] [review]
ny alternaive patch - context diff

cancelling review request for obsolete patch.
Attachment #145246 - Flags: superreview?(wchang0222)
Comment on attachment 145279 [details] [diff] [review]
Complete diff including nelson's patch & my changes to it

cancelling review request for obsolete patch.
Attachment #145279 - Flags: superreview?(wchang0222)
Attachment #145279 - Flags: review?(MisterSSL)
Comment on attachment 145773 [details] [diff] [review]
patch for NSS 3.9 branch for moz 1.7

requesting second review for NSS 3.9.1 for moz 1.7 final.
Attachment #145773 - Flags: superreview?(wchang0222)
Attachment #145773 - Flags: review+
Attachment #145773 - Flags: approval1.7?

Comment 30

14 years ago
Comment on attachment 145773 [details] [diff] [review]
patch for NSS 3.9 branch for moz 1.7

I've checked in this patch on the NSS_3_9_BRANCH
(NSS 3.9.1) and into NSS_CLIENT_TAG (Mozilla 1.7
final).

Checking in pk11db.c;
/cvsroot/mozilla/security/nss/lib/softoken/pk11db.c,v  <--  pk11db.c
new revision: 1.26.16.1; previous revision: 1.26
done

Updated

14 years ago
Target Milestone: --- → 3.9.1

Comment 31

14 years ago
Comment on attachment 145773 [details] [diff] [review]
patch for NSS 3.9 branch for moz 1.7

a=asa (on behalf of drivers) for checkin to 1.7
Attachment #145773 - Flags: approval1.7? → approval1.7+

Comment 32

14 years ago
Wan-Teh, Nelson:
I'm not familiar with the NSS branches, but this is now fixed on NSS_3_9_BRANCH,
NSS_CLIENT_TAG and trunk.
Are there any other relevant branches waiting or can this bug be resolved?

The fix seems also to be in what Mozilla 1.7 will use, so maybe the "fixed1.7"
keyword might be used to avoid drivers confusion with a open blocking1.7 bug.

Comment 33

14 years ago
Marked the bug fixed.

This bug was fixed on the Mozilla trunk before the
Mozilla 1.7 branch was created, so the fix is also
in the Mozilla 1.7 branch.
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED

Updated

14 years ago
Keywords: fixed1.7

Comment 34

14 years ago
Comment on attachment 145773 [details] [diff] [review]
patch for NSS 3.9 branch for moz 1.7

I don't claim to understand the whole of this patch. That said, I think the
following changes should be made :

1) in secmod_decodeData, check the value of the "data" argument for NULL first
thing after the variable declarations and return if NULL .

2) in the new code that reads
parameters = PORT_ArenaStrdup(arena, defParams);

Check for defParams to be non-NULL before .

3) In the new function secmod_FreeSlotStrings, check for slotStrings == NULL
upon entry, and add slotStrings[i] = NULL after PR_smprintf_free inside the
loop  to avoid possible double-frees

4) initialize all new and existig variables in their declarations. Even arena
which is initialized on the first line of code currenntly. Code can easily
change in the future without careful attention to the initialization value, and
bugs could be easily introduced if these variables remain uninitialized.
Attachment #145773 - Flags: review+ → review-
Created attachment 146648 [details] [diff] [review]
The actual checkin

This patch shows what actually got checked in on the trunk, and the 3.9 branch.
Attachment #145773 - Attachment is obsolete: true
Comment on attachment 145773 [details] [diff] [review]
patch for NSS 3.9 branch for moz 1.7

Sorry.	The last two attachments to this bug are identical.  I must be tired.
:(
Attachment #145773 - Attachment is obsolete: false
I disagree with some of the suggestions in comment 34.  
But I think that the right place to discuss this (more null pointer checking)
is in bug 240546 so I will add comments there.

Comment 38

14 years ago
Julien, thank you for the code review (comment 34).

None of the problems you pointed out are critical
or were introduced by Bob and Nelson's patch, so
we don't need to address them on the NSS 3.9 branch.

Your suggestions #1 and #2 and the first suggestion
in #3 are all about testing for NULL function arguments.
I can imagine people will disagree with some of these
suggestions.  So we should discuss them in bug 240546.

Your second suggestion in #3 and suggestion #4 are
good defensive programming practices and we can do
those on the trunk.

Comment 39

14 years ago
Comment on attachment 145773 [details] [diff] [review]
patch for NSS 3.9 branch for moz 1.7

Bob, Nelson,

After 2 hours of staring at this patch, I finally
understood it.	I think this patch is correct.
The only change I suggest is to declare the
variable namesRunningOffset as 'unsigned long'
instead of 'unsigned short' so that it doesn't
overflow after we add len+2 to it (len is 'unsigned
short').

One thing I found suspicious is the 'hasRootTrust'
local variable, which is initialized to PR_FALSE
and never modified.  I am wondering why we don't
just use the constant PR_FALSE.  If Bob can look
into this, I'd appreciate it.

One comment about style: I see an inconsistency.
'slots' is a running pointer, where as 'names' is
a fixed pointer used in conjunction with the running
offset namesRunningOffset.  Just a nit.
Attachment #145773 - Flags: superreview?(wchang0222) → superreview+

Updated

14 years ago
Summary: 1.7beta topcrash in [@ secmod_DecodeData] → M17beta topcrash in [@ secmod_DecodeData]
(Assignee)

Comment 40

14 years ago
Now that we've had 3 reveiwers and numerous authors, I've ran into a regression 
in this patch. Line 743 has:

if (nss == NULL) 
 	goto loser;

which I introduced in the original patch. Unfortunately nss=NULL is a valid 
value for tokens which don't have any NSS specific flags turned on (which 
usually applies to most *other* tokens besides the internal and rootcert tokens.

This line should change to:

   /* it's permissible (and normal) for nss to be NULL. it simply means
    * there are no NSS specific parameters in the database */

So much for agressive NULL checks. This change breaks smart cards.

Question: should we reopen this bug, or should we open a new one (since this is 
a regression, not an original problem...


bob


 
(Reporter)

Comment 41

14 years ago
either way... attach the new patch to this bug or open a new one, but lets get
it in soon.   Trying for another 1.7 Release candidate is next week.

Comment 42

14 years ago
Created attachment 147359 [details] [diff] [review]
Patch to fix regressions

This patch fixes the following bugs.

1. set slotStrings[i] to NULL after freeing it. (Julien's
   suggestion)
2. Fix spelling errors in comments.
3. Declare namesRunningOffset as unsigned long to
   avoid overflow.
4. Handle the allocation failure of slotStrings.
5. Remove the incorrect test of nss == NULL.  (Bob's fix)

Updated

14 years ago
Attachment #147359 - Flags: superreview?(MisterSSL)
Attachment #147359 - Flags: review?(rrelyea0264)
Attachment #147359 - Flags: superreview?(MisterSSL) → superreview+
(Assignee)

Updated

14 years ago
Attachment #147359 - Flags: review?(rrelyea0264) → review+

Comment 43

14 years ago
Comment on attachment 147359 [details] [diff] [review]
Patch to fix regressions

Requesting mozilla 1.7 approval.

Fixed two regressions. Added one defensive programming
change.  Fixed spelling errors in comments.

The risk of this patch is low.
Attachment #147359 - Flags: approval1.7?

Comment 44

14 years ago
Comment on attachment 147359 [details] [diff] [review]
Patch to fix regressions

Patch checked into the NSS tip (NSS 3.10),
NSS_3_9_BRANCH (NSS 3.9.1) and NSS_CLIENT_TAG
(Mozilla 1.8 alpha).
(Reporter)

Comment 45

14 years ago
Comment on attachment 147359 [details] [diff] [review]
Patch to fix regressions

a=chofmann for 1.7
Attachment #147359 - Flags: approval1.7? → approval1.7+

Comment 46

14 years ago
Comment on attachment 147359 [details] [diff] [review]
Patch to fix regressions

Patch checked in on the MOZILLA_1_7_BRANCH
for Mozilla 1.7 final.
Crash Signature: [@ secmod_DecodeData]
You need to log in before you can comment on or make changes to this bug.