Closed Bug 423475 Opened 12 years ago Closed 12 years ago

Paypal crashes loading main site [@ cert_pkixSetParam]

Categories

(Core :: Security: PSM, defect, P1, critical)

Tracking

VERIFIED FIXED
mozilla1.9beta5

People

(Reporter: jmjjeffery, Assigned: KaiE)

Details

(Keywords: crash, regression)

Attachments

(1 file)

With today's build, www.paypal.com crashes as soon as the site is accessed. 

Suspect bug 406755 as the cause. 

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9b5pre) Gecko/2008031705 Minefield/3.0b5pre Firefox/3.0 Firefox/2.0.0.12 ID:2008031705
Vista HP

Was noted in the build forums today:
http://forums.mozillazine.org/viewtopic.php?p=3298643#3298643
Breakpad reports have been sent according to the forum, but I don't have the report numbers.
Keywords: regression
Flags: blocking-firefox3?
Keywords: crash
No crash: 20080316_0318_firefox-3.0b5pre.en-US.win32
Crash: 20080316_0720_firefox-3.0b5pre.en-US.win32

Checkins to module PhoenixTinderbox between 2008-03-16 03:18 and 2008-03-16 07:19 : 
http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&date=explicit&mindate=1205662680&maxdate=1205677199

bug 406755 or bug 420151.
JohnathanS on IRC has BP report: 
http://crash-stats.mozilla.com/report/index/6e19c123-f447-11dc-842d-001a4bd43ed6 
Points to NSS problem, so more likely 420151 

I think I found the bug.

Simple copy&paste bug. :-/
Code added with bug 406755:

    rev.leafTests.number_of_defined_methods = cert_revocation_method_ocsp +1;
    rev.leafTests.cert_rev_flags_per_method = methodFlags;
    rev.leafTests.number_of_preferred_methods = 1;
    rev.leafTests.preferred_methods = preferedRevMethods;
    rev.leafTests.cert_rev_method_independent_flags =
      revMethodIndependentFlags;

    rev.chainTests.number_of_defined_methods = cert_revocation_method_ocsp +1;
##  rev.leafTests.cert_rev_flags_per_method = methodFlags;
    rev.chainTests.number_of_preferred_methods = 1;
    rev.chainTests.preferred_methods = preferedRevMethods;
    rev.chainTests.cert_rev_method_independent_flags =
      revMethodIndependentFlags;

The line marked with ## sets leafTests, but it should set chainTests, leaving this pointer uninitialized.

We crash because we access random memory.

Note that I didn't crash in debug builds, that's why I didn't notice this bug.

So, after I had applied my fix, I no longer crashed, however, I no longer got EV UI on paypal's site either.

The reason is, the revocation checking flags I'm using are too strict. We must drop CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO, which is currently being used for each attempted method. But we already have the method independent flag CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE, which is sufficient.

Attaching patch now.
Attached patch: Patch v1
Attachment #310026 - Flags: review?(rrelyea)
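
The copy-and-paste defect described in the comment above, as an added example that is not the NSS/PSM code or the attached patch. The structs are stand-ins that reuse the field names from the snippet, and `fill_tests`, `tests_consistent`, `build_and_check` and `NUM_METHODS` are hypothetical names. Zeroing the structure and checking that each count has a backing array makes the skipped assignment fail deterministically instead of depending on what the uninitialized memory happened to hold.

```c
#include <stdint.h>
#include <string.h>

/* Stand-in types: field names follow the snippet above; not the NSS definitions. */
typedef struct {
    uint32_t  number_of_defined_methods;
    uint64_t *cert_rev_flags_per_method;
    uint32_t  number_of_preferred_methods;
    int      *preferred_methods;
} rev_tests;
typedef struct { rev_tests leafTests, chainTests; } rev_flags;
enum { NUM_METHODS = 2 };            /* assumed: CRL and OCSP */

/* One helper fills either member, so leaf and chain setup cannot drift
   apart the way two pasted blocks can. */
static void fill_tests(rev_tests *t, uint64_t *per_method, int *preferred)
{
    t->number_of_defined_methods = NUM_METHODS;
    t->cert_rev_flags_per_method = per_method;
    t->number_of_preferred_methods = 1;
    t->preferred_methods = preferred;
}

/* Returns 1 when every declared count is backed by a non-NULL array. */
static int tests_consistent(const rev_tests *t)
{
    return (!t->number_of_defined_methods || t->cert_rev_flags_per_method) &&
           (!t->number_of_preferred_methods || t->preferred_methods);
}

/* Builds the flags on a zeroed struct and validates them before use.
   pasted != 0 replays the mistaken sequence from the comment above. */
int build_and_check(int pasted)
{
    static uint64_t methodFlags[NUM_METHODS];   /* constructed sample data */
    static int preferred[1] = { 1 };
    rev_flags rev;
    memset(&rev, 0, sizeof rev);    /* a skipped field is NULL, not garbage */
    fill_tests(&rev.leafTests, methodFlags, preferred);
    if (pasted) {
        rev.chainTests.number_of_defined_methods = NUM_METHODS;
        rev.leafTests.cert_rev_flags_per_method = methodFlags;  /* the ## line */
        rev.chainTests.number_of_preferred_methods = 1;
        rev.chainTests.preferred_methods = preferred;
    } else {
        fill_tests(&rev.chainTests, methodFlags, preferred);
    }
    return tests_consistent(&rev.leafTests) && tests_consistent(&rev.chainTests);
}
```

`build_and_check(1)` returns 0 because `chainTests` declares two methods but has no flags array; `build_and_check(0)` returns 1.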
Comment on attachment 310026
Patch v1

r+  Those are the right bits.
Attachment #310026 - Flags: review?(rrelyea) → review+
Attachment #310026 - Flags: approval1.9?
Assignee: nobody → dveditz
Flags: blocking-firefox3?
Product: Firefox → Core
QA Contact: firefox → toolkit
Assignee: dveditz → kengert
Component: Security → Security: PSM
Flags: blocking1.9+
Priority: -- → P1
QA Contact: toolkit → psm
Comment on attachment 310026
Patch v1

Blocker now, you're cleared to land.
Attachment #310026 - Flags: approval1.9?
Status: NEW → ASSIGNED
OS: Windows Vista → All
Hardware: PC → All
Target Milestone: --- → mozilla1.9beta5
fix checked in, thanks.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
paypal is still crashing, but now it makes the main page fine but crashes when you hit log in.

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9b5pre) Gecko/2008031710 Minefield/3.0b5pre
(In reply to comment #9)
> paypal is still crashing, but now it makes the main page fine but crashes when
> you hit log in.
> 
> Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9b5pre) Gecko/2008031710
> Minefield/3.0b5pre

WFM on Mac trunk - perhaps this is a different issue?  Is it the same crash stack?
Karl, I checked in at 2008-03-17 11:42

Your build ID says 2008031710, which sounds like today 10 o'clock?

Are you sure your build picked up my fix?
yeah, he's using a build w/o the patch
Oh god, I am so sorry. I downloaded the hourly from tinderbox, but I somehow seem to have picked up the wrong build :S Just tested with a fresh download and all is well. Apologies.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5pre) Gecko/2008031712 Minefield/3.0b5pre ID:2008031712

no crash on paypal or its login page here
Duplicate of this bug: 423554
Please get a test in for this.  If our infrastructure doesn't support it, file bugs on whatever would need to happen so we could test this?
Flags: in-testsuite?
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b5pre) Gecko/2008031804 Minefield/3.0b5pre as well as the Windows XP nightly.

Status: RESOLVED → VERIFIED
Duplicate of this bug: 423684
Duplicate of this bug: 423693
Duplicate of this bug: 423645
Duplicate of this bug: 423483
(In reply to comment #16)
> Please get a test in for this.  If our infrastructure doesn't support it, file
> bugs on whatever would need to happen so we could test this?

Verifying that we can successfully load a secure EV page (like https://www.paypal.com/) would be a good test.
Summary: Paypal crashes loading main site → Paypal crashes loading main site [@ cert_pkixSetParam]
Crash Signature: [@ cert_pkixSetParam]