Closed Bug 757064 Opened 12 years ago Closed 6 years ago

Thunderbird crashes in NSS_CMSContentInfo_GetContentTypeTag

Categories

(NSS :: Libraries, defect, P5)

x86
Linux
defect

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: michael, Unassigned)

Details

(Keywords: crash, Whiteboard: [tbird crash])

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Build ID: 20120423122624

Steps to reproduce:

Update to 12.0.1 (Ubuntu 12.04), which worked fine for a few days.
Then it started to crash right after starting it.
Disabled all addons.
Deleted/recreated profile, it fetched emails from IMAP for a while and then again: crashes on every start.


Actual results:

I suspect it's a particular email (with SMIME?) but I cannot locate which causes the crash.


Expected results:

Shouldn't crash ;)
Are you sending the crash report? If so, can we get a crash ID (https://support.mozillamessaging.com/en-US/kb/thunderbird-crashes?s=crash+id&as=s#os=mac&browser=tb13)?
Severity: normal → critical
Keywords: crash
Additionally installed thunderbird-dbg and started "thunderbird --debug":
--- cut ---
mm@v3750mm:~$ thunderbird --debug
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /usr/lib/thunderbird/thunderbird-bin...Reading symbols from /usr/lib/debug/usr/lib/thunderbird/thunderbird-bin...done.
done.
(gdb) run
Starting program: /usr/lib/thunderbird/thunderbird-bin
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xb460bb40 (LWP 10843)]
[New Thread 0xb3d4fb40 (LWP 10844)]
[New Thread 0xb2dffb40 (LWP 10845)]
[New Thread 0xb1ff1b40 (LWP 10846)]
[New Thread 0xb13ffb40 (LWP 10847)]
[New Thread 0xb0bfeb40 (LWP 10848)]
[New Thread 0xb03fdb40 (LWP 10849)]
[New Thread 0xaf7fcb40 (LWP 10850)]
[New Thread 0xaeaffb40 (LWP 10851)]
[New Thread 0xaddffb40 (LWP 10852)]
[New Thread 0xab66fb40 (LWP 10853)]
enigmail.js: Registered components
[New Thread 0xaaaffb40 (LWP 10854)]
[New Thread 0xaa2feb40 (LWP 10855)]
[New Thread 0xa9afdb40 (LWP 10856)]
[New Thread 0xa92fcb40 (LWP 10857)]
[New Thread 0xa8afbb40 (LWP 10858)]
[New Thread 0xa82fab40 (LWP 10859)]
[Thread 0xab66fb40 (LWP 10853) exited]
[Thread 0xa9afdb40 (LWP 10856) exited]
[Thread 0xaa2feb40 (LWP 10855) exited]
[New Thread 0xa7a49b40 (LWP 10860)]
[Thread 0xa82fab40 (LWP 10859) exited]
[Thread 0xa8afbb40 (LWP 10858) exited]
[Thread 0xa92fcb40 (LWP 10857) exited]
[New Thread 0xab66fb40 (LWP 10861)]
[New Thread 0xa9afdb40 (LWP 10862)]
[Thread 0xa7a49b40 (LWP 10860) exited]
[New Thread 0xa7a49b40 (LWP 10863)]
[Thread 0xa9afdb40 (LWP 10862) exited]
[New Thread 0xa9afdb40 (LWP 10864)]
[Thread 0xa7a49b40 (LWP 10863) exited]
[New Thread 0xa7a49b40 (LWP 10866)]
[New Thread 0xaa2feb40 (LWP 10867)]
[New Thread 0xa82fab40 (LWP 10868)]
[Thread 0xa82fab40 (LWP 10868) exited]
[Thread 0xa7a49b40 (LWP 10866) exited]
[Thread 0xa9afdb40 (LWP 10864) exited]
[New Thread 0xa7a49b40 (LWP 10869)]
[Thread 0xaa2feb40 (LWP 10867) exited]
[New Thread 0xaa2feb40 (LWP 10870)]
[Thread 0xa7a49b40 (LWP 10869) exited]
[New Thread 0xa7a49b40 (LWP 10871)]
[New Thread 0xa82fab40 (LWP 10872)]
[New Thread 0xa9afdb40 (LWP 10873)]
[New Thread 0xa49ffb40 (LWP 10874)]
[Thread 0xaa2feb40 (LWP 10870) exited]
[Thread 0xa9afdb40 (LWP 10873) exited]
[New Thread 0xaa2feb40 (LWP 10875)]
[New Thread 0xa9afdb40 (LWP 10876)]
[New Thread 0xa1cffb40 (LWP 10879)]
[New Thread 0xa14feb40 (LWP 10880)]
[New Thread 0xa08ffb40 (LWP 10881)]
[New Thread 0xa00feb40 (LWP 10882)]
[New Thread 0x9f8fdb40 (LWP 10883)]
[New Thread 0x9eeffb40 (LWP 10884)]
[New Thread 0x9e6feb40 (LWP 10885)]
[New Thread 0x99cc4b40 (LWP 10886)]

(thunderbird-bin:10838): libebook-WARNING **: e_book_client_new: Cannot get book from factory: Invalid source
[New Thread 0x98cffb40 (LWP 10887)]
[Thread 0x98cffb40 (LWP 10887) exited]
[New Thread 0x984feb40 (LWP 10889)]
[New Thread 0x98cffb40 (LWP 10890)]
[Thread 0x98cffb40 (LWP 10890) exited]
[New Thread 0x98cffb40 (LWP 10891)]
[Thread 0xa49ffb40 (LWP 10874) exited]

Program received signal SIGSEGV, Segmentation fault.
NSS_CMSContentInfo_GetContentTypeTag (cinfo=0xc) at cmscinfo.c:315
315 cmscinfo.c: Datei oder Verzeichnis nicht gefunden.
--- cut ---
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Hmm, sure about the duplicate on #668314, which happened on TB 5 under Windows and 1 year old - with no progress?

Please let me know if there is any debugging I can help with..

-> As a workaround, disabled (Offline)-Sync now "resolved" the immediate crash, maybe I can find the mail causing this by scrolling through..
Just as a note, if somebody runs into the same:

disabling offline-sync helped for no more than 10 minutes, it crashed then again after every start after 7-10 secs..

I patched cmscinfo.c now in the Ubuntu package and rebuilt it, as I really want my preferred mail-client back->UP ;)
And don't care about S/MIME at all (using PGP/GPG since 1998) --> which doesn't fix this surely but merely breaks S/MIME I guess, but at least here avoids TB from crashing on this since some hours:

--- cut ---
--- a/thunderbird-12.0.1+build1/build-tree/mozilla/mozilla/security/nss/lib/smime/cmscinfo.c	2012-04-28 22:57:08.000000000 +0200
+++ b/thunderbird-12.0.1+build1/build-tree/mozilla/mozilla/security/nss/lib/smime/cmscinfo.c	2012-05-21 21:29:55.543690368 +0200
@@ -312,6 +312,7 @@
 SECOidTag
 NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo)
 {
+    return SEC_OID_UNKNOWN;
     if (cinfo->contentTypeTag == NULL)
 	cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
 
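Review bot: the `return SEC_OID_UNKNOWN;` added as the first statement of NSS_CMSContentInfo_GetContentTypeTag makes the rest of the body dead code, so every caller now gets SEC_OID_UNKNOWN and no CMS content type is ever recognised. That hides the crash by switching S/MIME handling off rather than rejecting the bad input. The faulting access is the existing `cinfo->contentTypeTag` dereference, and the gdb output above shows `cinfo=0xc`, which is non-NULL but not a valid pointer, so a plain `if (cinfo == NULL) return SEC_OID_UNKNOWN;` guard at this spot would not catch it either. The check belongs in the caller that produces this pointer, before it is passed in. If this stays a local workaround, a comment on the added line saying that it deliberately disables S/MIME would keep it from being mistaken for a fix.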
--- cut ---

Again, I really have no clue which of the 160785 elements in my mailbox is causing this crash, but I won't delete it because of one (unwanted, probably broken) S/MIME message and think whatever the reason is, TB shouldn't crash on it!

If you give me some instructions on how to find the real reason/message/missing file, I'll try..
(In reply to Michael from comment #5)
> Hmm, sure about the duplicate on #668314, which happened on TB 5 under
> Windows and 1 year old - with no progress?

Yes same signature and stack ...
 
> Please let me know if there is any debugging I can help with..
> 
> -> As a workaround, disabled (Offline)-Sync now "resolved" the immediate
> crash, maybe I can find the mail causing this by scrolling through..

kaie would need to say
Whiteboard: I think this bug is still present, I hit it again: kubuntu 16.04 TB 38.8.0, gdb output Thread 1 "thunderbird" received signal SIGSEGV, Segmentation fault. 0x00007ffff5530926 in NSS_CMSContentInfo_GetContentTypeTag () from /usr/lib/thunderbird/libsmime3.so
Version: 12 Branch → 38 Branch
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
(copied from whiteboard)
> I think this bug is still present, I hit it again: kubuntu 16.04 TB 38.8.0, gdb output Thread 1 "thunderbird" received signal SIGSEGV, Segmentation fault. 0x00007ffff5530926 in NSS_CMSContentInfo_GetContentTypeTag () from /usr/lib/thunderbird/libsmime3.so

A. Somewhat unlikely you are seeing the "same bug" as what caused the crash 4+ years ago.
B. The info you provided isn't enough to be actionable. A set of steps to reproduce, an email testcase, or a full stacktrace with symbols is needed https://developer.mozilla.org/en-US/docs/Mozilla/How_to_get_a_stacktrace_for_a_bug_report#Linux
Flags: needinfo?(mm)
though it's very similar and it wasn't really solved back in 2012.
Yesterday I synced the same inbox/subfolders again for the first time;

Just to be clear: I think it's a somewhat "broken" old email causing this, but I have no idea which.
And clearly, if it could be reproduced, it's a DoS-attack against TB..
I submitted new crash reports already: https://crash-stats.mozilla.com/report/index/62144c65-75e0-4377-8089-c48522160702

I'll find a workaround anyhow, but maybe it's important to rule out this bug and rare corner-case(?)
Flags: needinfo?(mm)
I did exactly the same as in #6 https://bugzilla.mozilla.org/show_bug.cgi?id=757064#c6
Patched the function, rebuilt the package, the problem is gone! (but not really solved)
If I can do anything to find the offending msg please let me know..
(In reply to Michael Markstaller from comment #9)
> though it's very similar and it wasn't really solved back in 2012.
> Yesterday I synced the same inbox/subfolders again for the first time;
> 
> Just to be clear: I think it's a somewhat "broken" old email causing this,
> but I have no idea which.
> And clearly, if it could be reproduced, it's a DoS-attack against TB..
> I submitted new crash reports already:
> https://crash-stats.mozilla.com/report/index/62144c65-75e0-4377-8089-c48522160702

That's certainly a step in the right direction.

 0 	libsmime3.so	NSS_CMSContentInfo_GetContentTypeTag	/build/thunderbird-ib2wjW/thunderbird-38.8.0+build1/mozilla/security/nss/lib/smime/cmscinfo.c:281
1 	libsmime3.so	NSS_CMSContentInfo_Destroy	/build/thunderbird-ib2wjW/thunderbird-38.8.0+build1/mozilla/security/nss/lib/smime/cmscinfo.c:56
2 	libsmime3.so	NSS_CMSContentInfo_Destroy	/build/thunderbird-ib2wjW/thunderbird-38.8.0+build1/mozilla/security/nss/lib/smime/cmscinfo.c:65
3 	libsmime3.so	NSS_CMSContentInfo_Destroy	/build/thunderbird-ib2wjW/thunderbird-38.8.0+build1/mozilla/security/nss/lib/smime/cmscinfo.c:59
4 	libsmime3.so	NSS_CMSMessage_Destroy	/build/thunderbird-ib2wjW/thunderbird-38.8.0+build1/mozilla/security/nss/lib/smime/cmsmessage.c:99
5 	libsmime3.so	NSS_CMSDecoder_Finish	/build/thunderbird-ib2wjW/thunderbird-38.8.0+build1/mozilla/security/nss/lib/smime/cmsdecode.c:714
6 	libxul.so	nsCMSDecoder::Finish	/build/thunderbird-ib2wjW/thunderbird-38.8.0+build1/mailnews/mime/src/nsCMS.cpp:856
7 	libxul.so	MimeCMS_eof	/build/thunderbird-ib2wjW/thunderbird-38.8.0+build1/mailnews/mime/src/mimecms.cpp:610
8 	libxul.so	MimeEncrypted_parse_eof	/build/thunderbird-ib2wjW/thunderbird-38.8.0+build1/mailnews/mime/src/mimecryp.cpp:219
9 	libxul.so	MimeMultipart_close_child	/build/thunderbird-ib2wjW/thunderbird-38.8.0+build1/mailnews/mime/src/mimemult.cpp:547
10 	libxul.so	MimeMultipart_parse_line	/build/thunderbird-ib2wjW/thunderbird-38.8.0+build1/mailnews/mime/src/mimemult.cpp:153 

Other examples https://crash-stats.mozilla.com/signature/?date=%3E2016-04-01&signature=NSS_CMSContentInfo_GetContentTypeTag%20%7C%20NSS_CMSContentInfo_Destroy%20%7C%20NSS_CMSContentInfo_Destroy%20%7C%20NSS_CMSContentInfo_Destroy%20%7C%20NSS_CMSMessage_Destroy%20%7C%20NSS_CMSDecoder_Finish%20%7C%20nsCMSDecoder%3A%3AFinish&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&page=1   ALL are linux. And all from yesterday 7/1/2016 - are they all from you?
Most/all of them are probably from me; but still, isn't that a good reason to at least investigate this issue?

As said, it works again after just disabling NSS_CMSContentInfo_GetContentTypeTag in cmscinfo.c, but that's no real solution, just a workaround..
I suspect bug 668314 is the same issue
Assignee: nobody → nobody
Status: UNCONFIRMED → NEW
Crash Signature: [@ NSS_CMSContentInfo_GetContentTypeTag | NSS_CMSContentInfo_Destroy | NSS_CMSContentInfo_Destroy | NSS_CMSContentInfo_Destroy | NSS_CMSMessage_Destroy | NSS_CMSDecoder_Finish | nsCMSDecoder::Finish ]
Component: General → Libraries
Ever confirmed: true
Product: Thunderbird → NSS
Summary: Thunderbird crashes → Thunderbird crashes in NSS_CMSContentInfo_GetContentTypeTag
Version: 38 Branch → trunk
can you reproduce using nightly version 50?
see https://archive.mozilla.org/pub/thunderbird/nightly/latest-comm-central/
Flags: needinfo?(michael)
I'll try but it may take some time!
Compiling TB from source takes hours even on a Core i7 with SSD.
And then it takes many hours to sync the inbox again..

If you could give me a hint how to find the offending mail, I'd be happy to supply it(?)
Update: Still present in TB 45.5.1, submitted a crash-report today and yesterday; after patching & recompile as described in https://bugzilla.mozilla.org/show_bug.cgi?id=757064#c6 everything is fine (except for S/MIME surely - I don't care about..)

It's a little annoying to keep a locally patched version of TB for 4yrs :)
Think it just doesn't happen as long as all offending emails are once locally synced and not get accessed(?)
Priority: -- → P5
> If you could give me a hint how to find the offending mail, I'd be happy to supply it(?)
Determining which folder it is in would be a start

bug 1376254 appears to be the same.

The only example reports I found for this signature are Mac
bp-d8389abd-06a3-410d-aa09-e6d830180330
 0 	libnss3.dylib	NSS_CMSContentInfo_GetContentTypeTag	security/nss/lib/smime/cmscinfo.c:285
1 	libnss3.dylib	NSS_CMSContentInfo_Destroy	security/nss/lib/smime/cmscinfo.c:54
2 	libnss3.dylib	NSS_CMSContentInfo_Destroy	security/nss/lib/smime/cmscinfo.c:63
3 	libnss3.dylib	NSS_CMSContentInfo_Destroy	security/nss/lib/smime/cmscinfo.c:57
4 	libnss3.dylib	NSS_CMSMessage_Destroy	security/nss/lib/smime/cmsmessage.c:99
5 	libnss3.dylib	NSS_CMSDecoder_Finish	security/nss/lib/smime/cmsdecode.c:714
6 	XUL	nsCMSDecoder::Finish(nsICMSMessage**)	/builds/slave/tb-rel-c-esr52-m64_bld-0000000/build/mailnews/mime/src/nsCMS.cpp:857
7 	XUL	MimeCMS_eof	/builds/slave/tb-rel-c-esr52-m64_bld-0000000/build/mailnews/mime/src/mimecms.cpp:610 

https://hg.mozilla.org/releases/mozilla-esr52/annotate/4caffebfb91f/security/nss/lib/smime/cmscinfo.c#l285


Firefox crash at slightly different place, that is a couple lines lower
bp-609f9f66-d522-4e92-9d47-f5fc00180305 NSS_CMSContentInfo_GetContentTypeTag | NSS_CMSMessage_Create | NSS_CMSDecoder_Start | NSS_CMSMessage_CreateFromDER | mozilla::VerifyCMSDetachedSignatureIncludingCertificate 

 0 	nss3.dll	NSS_CMSContentInfo_GetContentTypeTag	security/nss/lib/smime/cmscinfo.c:288
1 	nss3.dll	NSS_CMSMessage_Create	security/nss/lib/smime/cmsmessage.c:41
2 	nss3.dll	NSS_CMSDecoder_Start	security/nss/lib/smime/cmsdecode.c:606
3 	nss3.dll	NSS_CMSMessage_CreateFromDER	security/nss/lib/smime/cmsdecode.c:732
4 	xul.dll	mozilla::VerifyCMSDetachedSignatureIncludingCertificate(SECItemStr const&, SECItemStr const&, nsresult (*)(CERTCertificateStr*, void*, void*), void*, void*, nsNSSShutDownPreventionLock const&)	security/manager/ssl/nsDataSignatureVerifier.cpp:142
5 	xul.dll	`anonymous namespace'::VerifySignature	security/apps/AppSignatureVerification.cpp:699
6 	xul.dll	`anonymous namespace'::OpenSignedAppFile	security/apps/AppSignatureVerification.cpp:750
7 	xul.dll	`anonymous namespace'::OpenSignedAppFileTask::CalculateResult	security/apps/AppSignatureVerification.cpp:975
8 	xul.dll	mozilla::CryptoTask::Run()	security/manager/ssl/CryptoTask.cpp:53 

https://hg.mozilla.org/releases/mozilla-esr52/annotate/a7c8e85285e2/security/nss/lib/smime/cmscinfo.c#l288
Depends on: 1376254
Whiteboard: [tbird crash]
Closing because no crashes have been reported for 12 weeks.
Status: NEW → RESOLVED
Closed: 12 years ago → 6 years ago
Resolution: --- → WONTFIX
Flags: needinfo?(michael)
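
On the question asked several times in this thread, how to find the offending mail or at least its folder: the following is an added example, not code from any commenter or from the Thunderbird or NSS projects. It assumes the profile uses Thunderbird's default mbox store (one mbox file per folder beside a `.msf` index) and that candidates are messages with an `application/pkcs7-mime` or `application/x-pkcs7-mime` part, since the stack traces pass through `MimeEncrypted_parse_eof` and `MimeCMS_eof`; the function names and the sample messages are constructed for illustration.

```python
import mailbox
import os
import sys

# MIME types routed to the CMS (S/MIME) decoder; treating exactly these two as
# crash candidates is an assumption of this example, not something the bug states.
CMS_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def find_cms_messages(mail_dir):
    """Return (folder_file, Message-ID, Subject) for each message with a CMS part."""
    hits = []
    for root, dirs, files in os.walk(mail_dir):
        dirs.sort()
        for name in sorted(files):
            if name.endswith(".msf"):  # folder index, not mail
                continue
            path = os.path.join(root, name)
            box = mailbox.mbox(path, create=False)  # one mbox file per folder
            try:
                for msg in box:
                    if {p.get_content_type() for p in msg.walk()} & CMS_TYPES:
                        hits.append((path, str(msg.get("Message-ID", "?")),
                                     str(msg.get("Subject", "?"))))
            finally:
                box.close()
    return hits


def build_sample_dir(base):
    """Write constructed sample folders (made-up messages, no real CMS data)."""
    plain = ("From - Mon Jan  1 00:00:00 2024\n"
             "Message-ID: <plain@example.invalid>\nSubject: hello\n"
             "Content-Type: text/plain\n\nhi\n\n")
    cms = ("From - Mon Jan  1 00:00:01 2024\n"
           "Message-ID: <cms@example.invalid>\nSubject: encrypted\n"
           "Content-Type: application/pkcs7-mime; name=\"smime.p7m\"\n"
           "Content-Transfer-Encoding: base64\n\nAAAA\n\n")
    for name, body in (("INBOX", plain + cms), ("Archive", plain),
                       ("INBOX.msf", "index placeholder\n")):
        with open(os.path.join(base, name), "w", newline="\n") as fh:
            fh.write(body)


if __name__ == "__main__":
    # Usage: python find_cms.py /path/to/profile/ImapMail/<server>
    for folder, msgid, subject in find_cms_messages(sys.argv[1]):
        print(folder, msgid, subject, sep="\t")
```

Run it with Thunderbird closed, then move the listed messages to a separate folder one batch at a time to narrow down which one triggers the crash.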