Last Comment Bug 564584 - @mozilla.org/security/certoverride;1 overrides crashes the application [@ nsNSSComponent::LogoutAuthenticatedPK11]
: @mozilla.org/security/certoverride;1 overrides crashes the application [@ nsN...
Status: RESOLVED FIXED
[psm-fatal] [qa-examined-191] [qa-exa...
: crash
Product: Core
Classification: Components
Component: Security: UI (show other bugs)
: unspecified
: x86_64 Mac OS X
: -- critical (vote)
: mozilla2.0b8
Assigned To: timeless
:
Mentors:
Depends on:
Blocks: 460829
  Show dependency treegraph
 
Reported: 2010-05-08 01:59 PDT by Petko D. (pdp) Petkov
Modified: 2011-06-23 07:51 PDT (History)
7 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
.14-fixed
.17-fixed


Attachments
replace static cast with magic number+message (2.56 KB, patch)
2010-05-08 22:41 PDT, timeless
no flags Details | Diff | Splinter Review
replace static cast with magic number+message (2.56 KB, patch)
2010-05-08 22:46 PDT, timeless
no flags Details | Diff | Splinter Review
replace static cast with magic number+message (2.56 KB, patch)
2010-05-08 22:48 PDT, timeless
kaie: review-
Details | Diff | Splinter Review
all: and proper chaining for port 0 (2.53 KB, patch)
2010-11-23 04:41 PST, timeless
timeless: review+
bugzilla: approval2.0+
dveditz: approval1.9.2.14+
dveditz: approval1.9.1.17+
Details | Diff | Splinter Review

Description Petko D. (pdp) Petkov 2010-05-08 01:59:48 PDT
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us) AppleWebKit/531.22.7 (KHTML, like Gecko) Version/4.0.5 Safari/531.22.7
Build Identifier: 1.9.2

If we override the default @mozilla.org/security/certoverride;1 service with out own in order to handle calls to hasMatchingOverride ourselves but pass the rest of the functions to the original service, a crash will occur when opening chrome://pippki/content/certManager.xul inside the LoadCerts function, lines:

serverTreeView = Components.classes[nsCertTree].createInstance(nsICertTree);
serverTreeView.loadCertsFromCache(certcache, nsIX509Cert.SERVER_CERT);

I have not investigated why it crashes, just patched the function at runtime to avoid the behaviour.

Reproducible: Always

Steps to Reproduce:
1. I think the best way to reproduce the bug is to check the source here: http://code.google.com/p/websecurify/source/browse/trunk/xul/distribution/bundles/basic%40websecurify.gnucitizen.org/components/WebsecurifyBasicCertOverrideService.js
2.
3.
Actual Results:  
The application crashes.

Expected Results:  
The application should not crash.

Although my code now patches the certManager.xul at runtime, if patch removed, you can reproduce the crash by running the following tool:http://code.google.com/p/websecurify/source/browse/#svn/trunk/xul
Comment 1 timeless 2010-05-08 15:56:29 PDT
2318 nsresult nsNSSComponent::LogoutAuthenticatedPK11()
2319 {
2320   nsCOMPtr<nsICertOverrideService> icos = 
2321     do_GetService("@mozilla.org/security/certoverride;1");
2322     
2323   nsCertOverrideService *cos = 
2324     reinterpret_cast<nsCertOverrideService*>(icos.get());

Thanks for the report, indeed this is totally bogus. very sorry.
Comment 2 timeless 2010-05-08 22:41:51 PDT
Created attachment 444292 [details] [diff] [review]
replace static cast with magic number+message
Comment 3 timeless 2010-05-08 22:46:39 PDT
Created attachment 444293 [details] [diff] [review]
 replace static cast with magic number+message
Comment 4 timeless 2010-05-08 22:48:30 PDT
Created attachment 444294 [details] [diff] [review]
replace static cast with magic number+message

sorry. reed noted an extraneous comma, and then i raced and hg qref and camino won which means i lost :(
Comment 5 Honza Bambas (:mayhemer) 2010-05-09 03:09:11 PDT
Shouldn't we rather publish RemoveAllTemporaryOverrides in IDL?  There is an API to add a temp override (RememberValidityOverride), so there should be an API to remove it/remove all.
Comment 6 timeless 2010-05-09 07:02:16 PDT
not for 1.9.1 or 1.9.2. If we want to do that for trunk, we can do that. but we can't go screwing branches like someone did the last time.
Comment 7 Honza Bambas (:mayhemer) 2010-05-09 07:21:27 PDT
(In reply to comment #6)
> not for 1.9.1 or 1.9.2. If we want to do that for trunk, we can do that. but we
> can't go screwing branches like someone did the last time.

nsICertOverrideService_1_9_1 and nsICertOverrideService_1_9_2 ?
Comment 8 Kai Engert (:kaie) 2010-06-06 11:57:34 PDT
Comment on attachment 444294 [details] [diff] [review]
replace static cast with magic number+message

>diff --git a/security/manager/ssl/src/nsCertOverrideService.cpp b/security/manager/ssl/src/nsCertOverrideService.cpp
>--- a/security/manager/ssl/src/nsCertOverrideService.cpp
>+++ b/security/manager/ssl/src/nsCertOverrideService.cpp
>@@ -696,6 +696,14 @@ nsCertOverrideService::AddEntryToList(co
> NS_IMETHODIMP
> nsCertOverrideService::ClearValidityOverride(const nsACString & aHostName, PRInt32 aPort)
> {
>+  if (aPort == 0) {
>+    if (aHostName.EqualsLiteral("all-temporary-certificates")) {
>+      RemoveAllTemporaryOverrides();
>+    } else {
>+      NS_ERROR("ClearValidityOverride called with unknown magic string"); 
>+    }
>+    return NS_OK;
>+  }


I'd prefer a magic string that is never a valid DNS name, please change 
  "all-temporary-certificates"
to
  "all:temporary:certificates"


I believe zero may be a valid port number, so you should "fall through" to the remainder of the function, if the hostname string doesn't matches the magic string, e.g.:

>+  if (aPort == 0 && aHostName.EqualsLiteral("all:temporary:certificates")) {
>+    RemoveAllTemporaryOverrides();
>+    return NS_OK;
>+  }


>diff --git a/security/manager/ssl/src/nsNSSComponent.cpp b/security/manager/ssl/src/nsNSSComponent.cpp
>--- a/security/manager/ssl/src/nsNSSComponent.cpp
>+++ b/security/manager/ssl/src/nsNSSComponent.cpp
>@@ -2319,12 +2319,10 @@ nsresult nsNSSComponent::LogoutAuthentic
> {
>   nsCOMPtr<nsICertOverrideService> icos = 
>     do_GetService("@mozilla.org/security/certoverride;1");
>-    
>-  nsCertOverrideService *cos = 
>-    reinterpret_cast<nsCertOverrideService*>(icos.get());
>-
>-  if (cos) {
>-    cos->RemoveAllTemporaryOverrides();
>+  if (icos) {
>+    icos->ClearValidityOverride(
>+            NS_LITERAL_CSTRING("all-temporary-certificates"),

adjust string to "all:temporary:certificates", too


r=kaie with the above changes, and thanks for the patch!
Comment 9 Kai Engert (:kaie) 2010-06-06 12:00:39 PDT
I agree we need a workaround like this patch for the stable branches.

I agree it would be better to add the new API on trunk.
Comment 10 Petko D. (pdp) Petkov 2010-11-23 03:11:03 PST
The patch works but it hasn't been applied to either to mozilla-central or any other branch. Any idea when this will get included? I know of at least two projects/extensions which crash firefox because of this bug.
Comment 11 timeless 2010-11-23 04:41:39 PST
Created attachment 492620 [details] [diff] [review]
all: and proper chaining for port 0

we need this to fix an api botch in 1.9.1, 1.9.2, and trunk.

At some later point we can investigate writing a better api.
Comment 13 Daniel Veditz [:dveditz] 2010-12-08 10:38:03 PST
Comment on attachment 492620 [details] [diff] [review]
all: and proper chaining for port 0

Approved for 1.9.2.14 and 1.9.1.17, a=dveditz for release-drivers
Comment 16 passfree 2011-06-23 01:03:43 PDT
Can we get this patch into the trunk please? As of now any extension which overrides this service will crash Firefox, including Selenium which makes firefox a bit unstable for development purposes.
Comment 17 passfree 2011-06-23 01:04:10 PDT
I am referring to moz2.0 and moz5.0
Comment 19 Boris Zbarsky [:bz] (TPAC) 2011-06-23 07:51:31 PDT
Actually, the patch didn't fix this bug as filed.  There were multiple places in PSM that had this issue, but the patch only fixed the first one hit by certManager.xul....  It's too bad no one answered Al's question from comment 15.  :(

Bug 666516 covers the remaining issues here.

Note You need to log in before you can comment on or make changes to this bug.