Leaks in JAR_cert_attribute (security/nss/lib/jar/jarver.c)

RESOLVED FIXED

Status

P3
normal
RESOLVED FIXED
13 years ago
8 years ago

People

(Reporter: kherron+mozilla, Assigned: nelson)

Tracking

({coverity, memory-leak})

coverity, memory-leak

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(1 attachment, 4 obsolete attachments)

(Reporter)

Description

13 years ago
Please refer to the sample URL. The functions |CERT_GetCommonName|, |CERT_GetCertEmailAddress|, |CERT_GetOrgName|, and |CERT_GetCountryName| all return pointers to allocated memory. There is a group of calls to these functions at lines 1135-1141 which is leaked by the return at line 1166, and another group at 1184-1190 which is leaked at 1215.
(Reporter)

Updated

13 years ago
Whiteboard: [good first bug]
(Assignee)

Comment 1

13 years ago
This large duplicated block of code should be put into a function and
called from two places.

There is a crash in this block of code, if the PORT_ZAlloc call returns NULL.
That should be fixed too.
(Reporter)

Comment 2

13 years ago
This is arguably a separate bug, but it's another leak a few lines later in the same function. See <http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/jar/jarver.c&rev=1.11&mark=1230-1233,1253,1256#1230>. This is coverity CID 553.

At line 1232, |jar_choose_nickname| returns either NULL or a pointer to allocated memory containing a string. At line 1253 the string returned by |jar_choose_nickname| is copied and the copy is returned to the caller. The original string returned by |jar_choose_nickname| is never freed.
(Assignee)

Updated

13 years ago
Target Milestone: --- → 3.11.2
(Assignee)

Updated

13 years ago
Priority: -- → P2
(Reporter)

Comment 3

13 years ago
Coverity CID 551 is a variant of CID 553. See <http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/jar/jarver.c&rev=1.11&mark=1222,1232,1244,1253,1256#1220>
The calls to |CERT_Hexify| at lines 1222 and 1244 also return allocated memory, which is copied and leaked when the function returns.

Updated

13 years ago
Assignee: nobody → alexei.volkov.bugs
(Assignee)

Comment 4

13 years ago
This bug now represents all these different coverity CIDs:
549 551 553 558 907 908 909

We should be sure we've addressed all those CIDs before marking it fixed.
Taking.
Assignee: alexei.volkov.bugs → nelson
Version: unspecified → 3.0
(Assignee)

Comment 5

13 years ago
*** Bug 334913 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 6

13 years ago
By FAR, the one file of code in NSS with which coverity is MOST unhappy 
is in lib/jar, and specifically lib/jar/jarver.c.  
This is 8+ year old code that people have been afraid to touch for years
for fear it would stick to them.  Well, I'm gonna touch it.  

I'm gonna consolidate all the jar memory leak bugs into this one.
The patch is gonna be HUGE, and probably will take several passes before
coverity blesses it as being truly free of leaks.  
Whiteboard: [good first bug]
(Assignee)

Comment 7

13 years ago
Created attachment 223264 [details] [diff] [review]
cleanup memory mgmt in libjar, v1

This patch does these things:
a) changes macro ADDITEM to take another argument, which is the statement it 
should execute if it fails.  Previously that statement was hardcoded as 
return err;  Perhaps I should just get rid of this macro alltogether?

b) gets rid of lots of dead code, both #if 0 and #ifdef WIN16
eliminates some old macros that were only used with WIN16 (xp_HUGExxx)

c) tries to get cert ref counting right.  Previous code seemed to treat 
certs as uncounted objects.

d) factors out a large block of duplicated code from two cases in 
JAR_cert_attribute, and puts one copy of that code into a new function 
named jar_compose_name_string.  Plugs leaks in that one copy.

e) factors out a large body of code from inside a loop that walks down a 
list, processing (destroying) the members.  that inner code knows all about
the private details of the members, including what hidden inner components
need to be freed.  Now it's in a new function named jar_destroy_list_item_data, which can be called from various places that need to free one of those things.

f) plug LOTS of leaks.
Attachment #223264 - Flags: superreview?(rrelyea)
Attachment #223264 - Flags: review?(alexei.volkov.bugs)
(Assignee)

Comment 8

13 years ago
Next I need to figure out what, if any, libjar test tools we have ...

Comment 9

13 years ago
Comment on attachment 223264 [details] [diff] [review]
cleanup memory mgmt in libjar, v1

Here are the things I've found within the files you've touched in this patch. Functions marked with !are needed to be fixed:


function JAR_stash_cert:
  In case when JAR_open_database() fails, we return without freeing cert.
  In case "newcert && newcert->isperm" (10 lines lower) nickename should be freed as well if it is not null.

function jar_inflate_memory leaks outbuf.

function jar_physical_inflate leaks inbuf, outbuf upon  errors.

function  *jar_choose_nickname:
cert_o and cert_cn_o are leaked

! function JAR_cert_html:
   leaks cert

! function JAR_fetch_cert leaks cert.
Attachment #223264 - Flags: review?(alexei.volkov.bugs) → review-
(Assignee)

Comment 10

13 years ago
Alexei, your review findings are all correct.  
You found problems in two functions I had modified, and 
problems in 4 more functions I had not yet modified.

But, I am reducing the priority on this bug to P3, maybe it should be even 
lower.  Although lib/jar is part of nss/lib, it really belongs in nss/cmd.
It is not used in NSS anywhere except in modutil and signtool.  
It does not appear to be used by PSM at all (or so lxr suggests).
I suspect much of it is dead code.

So, I don't want to spend any more time on it until we've got the coverity 
bugs out of the shared library code we actually SHIP.
Priority: P2 → P3
(Assignee)

Updated

13 years ago
Whiteboard: [CIDs 549 551 553 558 753 907 908 909]

Comment 11

12 years ago
If mozilla doesn't call it. I'm all for moving it to command.

bob

Comment 12

12 years ago
psm does not call JAR_cert_attribute

Comment 13

12 years ago
does psm call and libjar functions kai?

Comment 14

12 years ago
(In reply to comment #13)
> does psm call and libjar functions kai?

I do not see any occurrences of JAR_ in Psm code, does that answer your question?

Comment 15

12 years ago
Retargetting all P2s to 3.11.3 .
Target Milestone: 3.11.2 → 3.11.3
(Assignee)

Updated

12 years ago
Component: Libraries → Tools
QA Contact: libraries → tools

Updated

12 years ago
Attachment #223264 - Flags: superreview?(rrelyea)
(Assignee)

Comment 16

12 years ago
Created attachment 240057 [details] [diff] [review]
patch v2

This patch addresses the previous review comments except:
> ! function JAR_fetch_cert leaks cert.
I found that it doesn't leak the cert, but returns it.

This patch is quite different from the previous one because of the 
many other checkins to cleanup libjar recently contributed and 
committed.  I had to manually re-apply parts of the old patch to the 
tree.  It builds and runs (or, it did for me), but our QA testing 
is not very thorough, so it needs to be reviewed carefully.
Attachment #223264 - Attachment is obsolete: true
Attachment #240057 - Flags: review?(alexei.volkov.bugs)
(Assignee)

Comment 17

12 years ago
remove target milestone, since the target was missed.
Target Milestone: 3.11.3 → ---
(Assignee)

Updated

11 years ago
Keywords: mlk
(Assignee)

Comment 18

11 years ago
Comment on attachment 240057 [details] [diff] [review]
patch v2

This review request is over a year old.  I'll ask someone else to review it.
Julien?
Attachment #240057 - Flags: review?(alexei.volkov.bugs) → review?(julien.pierre.boogz)

Comment 19

11 years ago
Comment on attachment 240057 [details] [diff] [review]
patch v2

This patch is bit-rotten and no longer applies to the trunk for jarver.c, which is the biggest chunk of it.
Attachment #240057 - Flags: review?(julien.pierre.boogz) → review-
Flags: blocking1.9?
(Assignee)

Comment 20

11 years ago
Definitely not blocking any mozilla client, since no mozilla client uses it.
Flags: blocking1.9?
(Assignee)

Comment 21

10 years ago
Coverity now reports 5 issues in lib/jar in Firefox run 278.

CID 1355 - leaks in JAR_cert_attribute

Allocated value stored in variable "ret" at
1199 	    case jarCertSerial:
1201 	      ret = CERT_Hexify (&cert->serialNumber, 1);
Is not freed.

Likewise, in 
1214 	    case jarCertFinger:
the value allocated in this call
1223 	        ret = CERT_Hexify (&hexme, 1);
is not freed.

====================================================================
CID 1356 - another leak

Likewise in 
1209 	    case jarCertNickname:
the value allocate in this call
1211 	      ret = jar_choose_nickname (cert);
is not freed. 

======================================================================
CID 1381 - NULL check after pointer dereference

In function JAR_stash_cert, pointer "nickname" is dereferenced without 
checking it for NULL first, and then is checked for NULL later.

1406 	  nickname = jar_choose_nickname (cert);
1408 	  newcert = CERT_FindCertByNickname (certdb, nickname);

1424 	  if (nickname != NULL)
(Assignee)

Comment 22

10 years ago
CID 1357 - memory leak

In function JAR_JAR_list_certs, Coverity claims that the block allocated
for "ugly_list"

120  	  ugly_list = (char*)PORT_ZAlloc (16);

is leaked in some cases.
Whiteboard: [CIDs 549 551 553 558 753 907 908 909]
In the year 2009, well after this Coverity test was run, NSS's libJAR was
seriously overhauled to fix MANY bugs.  Consequently, it is possible that
some of these Coverity CIDs are no longer valid, and that other new ones 
may now exist.  For example, function JAR_JAR_list_certs, mentioned in 
comment 22, no longer exists (according to MXR), and function JAR_stash_certs
is dead code (has no callers, according to MXR).

Timeless, could you get us a current list of Coverity's complaints for libJAR?

Comment 24

9 years ago
yeah. i'm running through coverity _now_.

Comment 25

9 years ago
This is the list of 'uninspected' items, anything else in my database _should_ have been filed by me.

 	CID 	Checker	Classification	Owner	Severity	Action	Function	File	Final Event	Final Event Description	Line
	28591	nsJAREnumerator::nsJAREnumerator(nsZipFind *)	20100302-1.9.3-xr26_0m6/modules/libjar/nsJAR.h
uninit_member	Non-static class member mNameLen not initialized in this constructor or any functions called by it	202
	10903	nsZipWriter::nsZipWriter()	20100302-1.9.3-xr26_0m6/modules/libjar/zipwriter/src/nsZipWriter.cpp
uninit_member	Non-static class member mCDSOffset not initialized in this constructor or any functions called by it	84
	10902	nsJARInputStream::nsJARInputStream()	20100302-1.9.3-xr26_0m6/modules/libjar/nsJARInputStream.h
uninit_member	Non-static class member mNameLen not initialized in this constructor or any functions called by it	60
	10768	nsZipArchive::nsZipArchive()	20100302-1.9.3-xr26_0m6/modules/libjar/nsZipArchive.cpp
uninit_member	Non-static class member field mArena.mask not initialized in this constructor or any functions called by it	796
	10572	nsDeflateConverter::nsDeflateConverter()	20100302-1.9.3-xr26_0m6/modules/libjar/zipwriter/src/nsDeflateConverter.h
uninit_member	Non-static class member mWriteBuffer not initialized in this constructor or any functions called by it	66
	10571	nsDeflateConverter::nsDeflateConverter(int)	20100302-1.9.3-xr26_0m6/modules/libjar/zipwriter/src/nsDeflateConverter.h
uninit_member	Non-static class member mWriteBuffer not initialized in this constructor or any functions called by it	71

Comment 26

9 years ago
Sorry, wrong "lib jar"
 	CID 	Checker		Function	File	Final Event	Final Event Description	Line
	9950	REVERSE_INULL	JAR_stash_cert	20100302-1.9.3-xr26_0m6/security/nss/lib/jar/jarver.c	deref_ptr_in_call
Dereferences pointer "nickname"	1242
	9740	RESOURCE_LEAK	JAR_cert_attribute	20100302-1.9.3-xr26_0m6/security/nss/lib/jar/jarver.c	noescape
Variable "ret" not freed or pointed-to in function "strlen"	1116
	9740	RESOURCE_LEAK	JAR_cert_attribute	20100302-1.9.3-xr26_0m6/security/nss/lib/jar/jarver.c	noescape
Variable "ret" not freed or pointed-to in function "strlen"	1116
	9740	RESOURCE_LEAK	JAR_cert_attribute	20100302-1.9.3-xr26_0m6/security/nss/lib/jar/jarver.c	noescape
Variable "ret" not freed or pointed-to in function "strlen"	1116
	9740	RESOURCE_LEAK	JAR_cert_attribute	20100302-1.9.3-xr26_0m6/security/nss/lib/jar/jarver.c	noescape
Variable "ret" not freed or pointed-to in function "strlen"	1116
	9739	RESOURCE_LEAK	JAR_cert_attribute	20100302-1.9.3-xr26_0m6/security/nss/lib/jar/jarver.c	noescape
Variable "cer_o" not freed or pointed-to in function "strlen"	1047
	9739	RESOURCE_LEAK	JAR_cert_attribute	20100302-1.9.3-xr26_0m6/security/nss/lib/jar/jarver.c	noescape
Variable "cer_o" not freed or pointed-to in function "strlen"	976
	9738	RESOURCE_LEAK	JAR_cert_attribute	20100302-1.9.3-xr26_0m6/security/nss/lib/jar/jarver.c	noescape
Variable "cer_l" not freed or pointed-to in function "strlen"	1049
	9738	RESOURCE_LEAK	JAR_cert_attribute	20100302-1.9.3-xr26_0m6/security/nss/lib/jar/jarver.c	noescape
Variable "cer_l" not freed or pointed-to in function "strlen"	978
	9737	RESOURCE_LEAK	JAR_cert_attribute	20100302-1.9.3-xr26_0m6/security/nss/lib/jar/jarver.c	noescape
Variable "cer_cn" not freed or pointed-to in function "strlen"	1037
	9737	RESOURCE_LEAK	JAR_cert_attribute	20100302-1.9.3-xr26_0m6/security/nss/lib/jar/jarver.c	noescape
Variable "cer_cn" not freed or pointed-to in function "strlen"	966
	9736	RESOURCE_LEAK	JAR_cert_attribute	20100302-1.9.3-xr26_0m6/security/nss/lib/jar/jarver.c	noescape
Variable "cer_e" not freed or pointed-to in function "strlen"	1039
	9736	RESOURCE_LEAK	JAR_cert_attribute	20100302-1.9.3-xr26_0m6/security/nss/lib/jar/jarver.c	noescape
Variable "cer_e" not freed or pointed-to in function "strlen"	968
	9200	NO_EFFECT	jar_listzip	20100302-1.9.3-xr26_0m6/security/nss/lib/jar/jarfile.c	unsigned_compare
Comparing unsigned greater than or equal zero is always true. "compression >= 0U"	750
	8910	FORWARD_NULL	JAR_find_next	20100302-1.9.3-xr26_0m6/security/nss/lib/jar/jar.c	var_deref_op
Variable "signer" tracked as NULL was dereferenced.	393
	8909	FORWARD_NULL	JAR_find_next	20100302-1.9.3-xr26_0m6/security/nss/lib/jar/jar.c	var_deref_op
Variable "ctx->next" tracked as NULL was dereferenced.	447

Note that the datestamp here may or may not be meaningful, i can't make any promises.

The CIDs are of course only meaningful to me (and barely at that).
Created attachment 441330 [details] [diff] [review]
Patch v3 - for review

I believe this patch addresses all the latest issues reported in libjar
by Coverity.  I also factored out a large block of duplicated code into 
a new function so I only had to fix it once, not twice.  

Timeless, please review.
Attachment #240057 - Attachment is obsolete: true
Attachment #441330 - Flags: review?(timeless)

Comment 28

9 years ago
Comment on attachment 441330 [details] [diff] [review]
Patch v3 - for review

I'm pretty sure you don't want to use SEPLEN the way you do (but you're just moving code). I'd suggest:

 #define SEP " <br> "
+#define CALC_SEPLEN() int seplen = PORT_Strlen(SEP);
+#define SEPLEN seplen

 /* This is pretty ugly looking but only used
  *   here for this one purpose. */
 static char *
 jar_cert_name_string(CERTName * name)
 {
+    CALC_SEPLEN();

+    if (retlen <= 1)
+        goto FAIL;
     ret = (char *) PORT_ZAlloc(1 + retlen);
...
+fail:
     PORT_Free(cer_cn);
Attachment #441330 - Flags: review?(timeless) → review+
Created attachment 441341 [details] [diff] [review]
patch v4 - for review

Thanks for the suggestion.  I implemented it. 
I also found a nasty bug in my previous patch.  This patch fixes it.
When I fixed it, I found another bug in the original code.  This patch 
fixes that too, I believe.  It's all just string process stuff, no heavy
duty crypto stuff.  I'm consistently amazed at how we get the hard stuff
right and the easy stuff wrong. :-/ 

Please review again, sorry.
Attachment #441330 - Attachment is obsolete: true
Attachment #441341 - Flags: review?(timeless)
Comment on attachment 441341 [details] [diff] [review]
patch v4 - for review

Wait a minute.
In comment 23, I observed that function JAR_stash_cert is dead code, 
having NO callers anywhere in NSS or all of Mozilla for that matter.  
According to MXR, that is still true.

So why is Coverity reporting deref_ptr_in_call ?  
Shouldn't it be reporting "Dead code" ?

Likewise, it appears that function JAR_cert_attribute, which I just 
spent HOURS cleaning up, is dead code.  What a waste of time!

I'm canceling this review request.

In a while, I will submit a completely different patch for review, 
one that expunges lots of dead code.
Attachment #441341 - Attachment is obsolete: true
Attachment #441341 - Flags: review?(timeless)

Comment 31

9 years ago
Given that this is Linux, that I doubt you're doing symbol hiding, and that I suspect Coverity isn't very aware of Linux symbol hiding anyway... I suspect Coverity doesn't have a way to know that your function can't be used by a third party. With FOO_naming, I'd assume they're exports anyway :).
Created attachment 441342 [details] [diff] [review]
Patch v5 - for review

This patch fixes a few real Coverity issues, and removes LOTS of dead code.
Attachment #441342 - Flags: review?(timeless)

Updated

9 years ago
Attachment #441342 - Flags: review?(timeless) → review+
Bug 337354: Fix various errors in lib/jar reported by Coverity.
Also remove much dead code.  r=Timeless.

Checking in jar.c;     new revision: 1.7; previous revision: 1.6
Checking in jarfile.c; new revision: 1.13; previous revision: 1.12
Checking in jarver.c;  new revision: 1.19; previous revision: 1.18

Thanks, Timeless
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED

Comment 34

9 years ago
thanks nelson, the more dead code we can get our of libjar the better...

bob

Updated

8 years ago
Blocks: 587393
You need to log in before you can comment on or make changes to this bug.