premature unloading of softoken crashes libcurl

RESOLVED FIXED in 3.13.2

Status

P1
normal
RESOLVED FIXED
7 years ago
7 years ago

People

(Reporter: elio.maldonado.batiz, Assigned: elio.maldonado.batiz)

Tracking

3.13.1
3.13.2

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

(Assignee)

Description

7 years ago
Created attachment 586219 [details]
a test case

As reported downstream on RHEL 6.2 by Kamil Dudka:

Kamil Dudka 2012-01-05 14:57:25 EST

Description of problem:
The increment of softokenLoadCount is not on par with its decrement.


Version-Release number of selected component (if applicable):
nss-3.12.10-17.1.el6


How reproducible:
100 %


Steps to Reproduce:
1. run the attached test-case


Actual results:
(gdb) break pk11load.c:600
Breakpoint 1 at 0x3d59c4992c: file pk11load.c, line 600.

(gdb) run
Breakpoint 1, SECMOD_UnloadModule (mod=0x67dae0) at pk11load.c:600
600             if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
(gdb) display softokenLoadCount
(gdb) continue

Breakpoint 1, SECMOD_UnloadModule (mod=0x612dc0) at pk11load.c:600
600             if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
1: softokenLoadCount = 3
(gdb)

Breakpoint 1, SECMOD_UnloadModule (mod=0x67b9e0) at pk11load.c:600
600             if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
1: softokenLoadCount = 2

(gdb) print mod->moduleDBFunc
$1 = (void *) 0x330a40ddc0

(gdb) info symbol mod->moduleDBFunc
NSC_ModuleDBFunc in section .text of /usr/lib64/libsoftokn3.so

(gdb) continue
Breakpoint 1, SECMOD_UnloadModule (mod=0x612080) at pk11load.c:600
600             if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
1: softokenLoadCount = 1
(gdb)

Breakpoint 1, SECMOD_UnloadModule (mod=0x610ba0) at pk11load.c:600
600             if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
1: softokenLoadCount = 0
(gdb)
test_instance() succeeded 0/16

Breakpoint 1, SECMOD_UnloadModule (mod=0x6732c0) at pk11load.c:600
600             if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
1: softokenLoadCount = 3
(gdb)

Breakpoint 1, SECMOD_UnloadModule (mod=0x67b9e0) at pk11load.c:600
600             if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
1: softokenLoadCount = 2
(gdb)

Breakpoint 1, SECMOD_UnloadModule (mod=0x612dc0) at pk11load.c:600
600             if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
1: softokenLoadCount = 1
(gdb)

Breakpoint 1, SECMOD_UnloadModule (mod=0x612080) at pk11load.c:600
600             if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
1: softokenLoadCount = 0
(gdb)

Breakpoint 1, SECMOD_UnloadModule (mod=0x610ba0) at pk11load.c:600
600             if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
1: softokenLoadCount = -1
(gdb)
test_instance() succeeded 1/16

Breakpoint 1, SECMOD_UnloadModule (mod=0x6716b0) at pk11load.c:600
600             if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
1: softokenLoadCount = 2
(gdb)

Breakpoint 1, SECMOD_UnloadModule (mod=0x612dc0) at pk11load.c:600
600             if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
1: softokenLoadCount = 1
(gdb)

Breakpoint 1, SECMOD_UnloadModule (mod=0x63c580) at pk11load.c:600
600             if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
1: softokenLoadCount = 0
(gdb)

Breakpoint 1, SECMOD_UnloadModule (mod=0x612080) at pk11load.c:600
600             if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
1: softokenLoadCount = -1
(gdb)

Breakpoint 1, SECMOD_UnloadModule (mod=0x610ba0) at pk11load.c:600
600             if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
1: softokenLoadCount = -2
(gdb)
test_instance() succeeded 2/16

Breakpoint 1, SECMOD_UnloadModule (mod=0x6e8de0) at pk11load.c:600
600             if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
1: softokenLoadCount = 1
(gdb)

Program received signal SIGSEGV, Segmentation fault.
0x000000330a40ddc0 in ?? ()

(gdb) up
#1  0x0000003d59c589be in SECMOD_FreeModuleSpecList (module=0x610ba0,
moduleSpecList=0x60d110) at pk11pars.c:1077
1077            retString = (*func)(SECMOD_MODULE_DB_FUNCTION_RELEASE,

(gdb) print func
$2 = (SECMODModuleDBFunc) 0x330a40ddc0

(gdb) info symbol func
No symbol matches func.

Comment 1 Kamil Dudka 2012-01-05 15:02:43 EST

Created attachment 551005 [details] [diff] [review]
a test-case

Comment 2 Kamil Dudka 2012-01-05 15:03:28 EST

Created attachment 551006 [details] [diff] [review]
a proposed fix

Comment 3 Bob Relyea 2012-01-05 16:36:08 EST

Comment on attachment 551006 [details] [diff] [review]
a proposed fix

r+ rrelyea

good catch Kamil.

elio same drill with upstreaming this patch.

bob
(Assignee)

Comment 1

7 years ago
Created attachment 586220 [details] [diff] [review]
Kamil's proposed fix

This patch was reviewed downstream by Bob.
Attachment #586220 - Flags: review?(rrelyea)
(Assignee)

Updated

7 years ago
Assignee: nobody → emaldona

Comment 2

7 years ago
Comment on attachment 586220 [details] [diff] [review]
Kamil's proposed fix

r+ rrelyea
Attachment #586220 - Flags: review?(rrelyea) → review+
(Assignee)

Updated

7 years ago
Summary: premature unloading of softoken crashes libcur → premature unloading of softoken crashes libcurl
(Assignee)

Comment 3

7 years ago
Checked in to trunk:
cvs commit -m "Bug 715666 - premature unloading of softoken crashes libcurl, contributed by Kamil Dudka, r=rrelyea" ./mozilla/security/nss/lib/pk11wrap/pk11load.c
Checking in ./mozilla/security/nss/lib/pk11wrap/pk11load.c;
/cvsroot/mozilla/security/nss/lib/pk11wrap/pk11load.c,v  <--  pk11load.c
new revision: 1.34; previous revision: 1.33
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED

Updated

7 years ago
OS: Linux → All
Priority: -- → P1
Hardware: x86_64 → All
Target Milestone: --- → 3.13.2
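
The counter drift visible in the gdb session in the description, reproduced as an added example: a constructed C model, not NSS code and not the patch attached to this bug. The trace shows five decrements per init/shutdown cycle and a net loss of one, so the model assumes four increments per cycle; `module_t`, `load_all`, `unload_all`, `run_cycles` and the guarded variant (decrement only for modules that took a reference) are hypothetical names and one generic way to keep the count balanced.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed model, not NSS code. The gdb trace shows 5 decrements per
 * init/shutdown cycle and a net drift of -1, so 4 increments are assumed. */
#define MODULES 5
#define COUNTED 4 /* assumed: modules whose load took a reference */
typedef struct { bool counted; } module_t; /* hypothetical */
static int load_count; /* stands in for softokenLoadCount */

/* Load every module; only the first COUNTED ones bump the counter. */
static void load_all(module_t *m) {
    for (int i = 0; i < MODULES; i++) {
        m[i].counted = (i < COUNTED);
        if (m[i].counted)
            load_count++;
    }
}

/* Unload every module. Returns the 1-based unload call at which the counter
 * reached zero (where the shared library would be released), or 0 if never.
 * guarded=false decrements for every module, as in the trace;
 * guarded=true decrements only for modules that took a reference. */
static int unload_all(const module_t *m, bool guarded) {
    int released_at = 0;
    for (int i = 0; i < MODULES; i++) {
        if (guarded && !m[i].counted)
            continue;
        if (0 == --load_count && released_at == 0)
            released_at = i + 1;
    }
    return released_at;
}

/* Run n load/unload cycles from a fresh counter; report the last cycle. */
int run_cycles(int n, bool guarded) {
    module_t m[MODULES];
    int released_at = 0;
    load_count = 0;
    for (int c = 1; c <= n; c++) {
        load_all(m);
        released_at = unload_all(m, guarded);
        printf("%s cycle %d: released at unload #%d, count now %d\n",
               guarded ? "guarded" : "unguarded", c, released_at, load_count);
    }
    return released_at;
}

int main(void) {
    return run_cycles(4, false) == 1 && run_cycles(4, true) == 4 ? 0 : 1;
}
```

In the unguarded run the release point moves from the fourth unload call to the first over four cycles, which matches the trace, where the fourth cycle faults right after its first `SECMOD_UnloadModule` breakpoint; in the guarded run it stays at the fourth call and the counter returns to zero.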