Closed Bug 77567 Opened 23 years ago Closed 23 years ago

Segfault when trying to display a certificate

Core Graveyard :: Security: UI, defect, P2
1.0 Branch

Tracking: (Not tracked)

VERIFIED DUPLICATE of bug 77701
psm2.0

Reporter: inactive-mailbox, Assigned: bugz

Attachments: 1 file

From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.18x i686)
BuildID:    20010423

Some certificates cause a crash of Mozilla.

For example, go to https://www.kuix.de and import the certificate permanently
into the certificate database.

Next, open Preferences / Privacy, go to "server certificates", select the
certificate from www.kuix.de, and click on view. Mozilla will crash.

I experienced it for certificates without any known root CA.
I experienced it, too, for certificates from a CA where the root certificate
should be known, as it has already been imported into the certificate
database...

I'll attach the stacktrace of the crash.

My opinion is: The crash is caused by the while loop in file
  mozilla/security/nss/lib/certhigh/certvfy.c
in function
  CERT_GetCertChainFromCert

The loop doesn't care for the case where cert gets zero, for whatever reason
this might happen. One reason might be, there is no known Issuer.

I'm attaching a patch to this bug, which stopped the program from crashing. And
with this patch PSM will even display details of the certificate.

However, I don't yet know enough to decide whether this patch is a good patch in
terms of the intended functionality of this function.


Reproducible: Always
Here is the stacktrace of the crash:

#0  0x41297ca8 in SECITEM_CompareItem (a=0x48, b=0x54) at secitem.c:144
#1  0x412115e6 in CERT_GetCertChainFromCert (cert=0x0,
time=988070855637038, 
    usage=certUsageSSLClient) at certvfy.c:1565
#2  0x411cceb0 in nsNSSCertificate::GetChain (this=0x81e3780, 
    _rvChain=0xbfffa8c4) at nsNSSCertificate.cpp:614
#3  0x4016052b in XPTC_InvokeByIndex (that=0x81e3780, methodIndex=17, 
    paramCount=1, params=0xbfffa8c4) at xptcinvoke_unixish_x86.cpp:138
#4  0x40cb19c7 in nsXPCWrappedNativeClass::CallWrappedMethod
(this=0x8bf4978, 
    cx=0x8bf8258, wrapper=0x8b265d0, desc=0x8bf4a7c,
callMode=CALL_METHOD, 
    argc=0, argv=0x8ce9318, vp=0xbfffaa6c) at
xpcwrappednativeclass.cpp:934
#5  0x40cb3e86 in WrappedNative_CallMethod (cx=0x8bf8258, obj=0x8b89b28, 
    argc=0, argv=0x8ce9318, vp=0xbfffaa6c) at
xpcwrappednativejsops.cpp:250
#6  0x40229356 in js_Invoke (cx=0x8bf8258, argc=0, flags=0) at
jsinterp.c:813
#7  0x40237779 in js_Interpret (cx=0x8bf8258, result=0xbfffb348)
    at jsinterp.c:2706
#8  0x402293d8 in js_Invoke (cx=0x8bf8258, argc=1, flags=2) at
jsinterp.c:830
#9  0x40229710 in js_InternalInvoke (cx=0x8bf8258, obj=0x8b89b48, 
    fval=145489816, flags=0, argc=1, argv=0xbfffb63c, rval=0xbfffb500)
    at jsinterp.c:902
#10 0x401fcd58 in JS_CallFunctionValue (cx=0x8bf8258, obj=0x8b89b48, 
    fval=145489816, argc=1, argv=0xbfffb63c, rval=0xbfffb500) at
jsapi.c:3334
#11 0x406eb651 in nsJSContext::CallEventHandler (this=0x8aec608, 
    aTarget=0x8b89b48, aHandler=0x8abff98, argc=1, argv=0xbfffb63c, 
    aBoolResult=0xbfffb58c, aReverseReturnResult=0) at
nsJSEnvironment.cpp:939
#12 0x40749a2a in nsJSEventListener::HandleEvent (this=0x8cdfd58, 
    aEvent=0x8cf79f4) at nsJSEventListener.cpp:154
#13 0x4157fe11 in nsEventListenerManager::HandleEventSubType
(this=0x8cd35d8, 
    aListenerStruct=0x8cd4840, aDOMEvent=0x8cf79f4,
aCurrentTarget=0x8b3f8f0, 
    aSubType=1, aPhaseFlags=7) at nsEventListenerManager.cpp:1035
#14 0x41582108 in nsEventListenerManager::HandleEvent (this=0x8cd35d8, 
    aPresContext=0x8ca9660, aEvent=0xbfffbb0c, aDOMEvent=0xbfffbaa8, 
    aCurrentTarget=0x8b3f8f0, aFlags=7, aEventStatus=0xbfffbb34)
    at nsEventListenerManager.cpp:1658
#15 0x40704870 in GlobalWindowImpl::HandleDOMEvent (this=0x8b3f8e0, 
    aPresContext=0x8ca9660, aEvent=0xbfffbb0c, aDOMEvent=0xbfffbaa8,
aFlags=1, 
    aEventStatus=0xbfffbb34) at nsGlobalWindow.cpp:572
#16 0x417618ac in DocumentViewerImpl::LoadComplete (this=0x8c37b78,
aStatus=0)
    at nsDocumentViewer.cpp:1059
#17 0x4113bfaf in nsDocShell::EndPageLoad (this=0x8cdeae0, 
    aProgress=0x81d8264, aChannel=0x89a26d8, aStatus=0) at
nsDocShell.cpp:2754
#18 0x4114b89a in nsWebShell::EndPageLoad (this=0x8cdeae0, 
    aProgress=0x81d8264, channel=0x89a26d8, aStatus=0) at
nsWebShell.cpp:977
#19 0x4113bc55 in nsDocShell::OnStateChange (this=0x8cdeae0, 
    aProgress=0x81d8264, aRequest=0x89a26d8, aStateFlags=131088,
aStatus=0)
    at nsDocShell.cpp:2673
#20 0x4114b749 in nsWebShell::OnStateChange (this=0x8cdeae0, 
    aProgress=0x81d8264, request=0x89a26d8, aStateFlags=131088,
aStatus=0)
    at nsWebShell.cpp:948
#21 0x4106ae29 in nsDocLoaderImpl::FireOnStateChange (this=0x81d8250, 
    aProgress=0x81d8264, aRequest=0x89a26d8, aStateFlags=131088,
aStatus=0)
    at nsDocLoader.cpp:1329
#22 0x4106969c in nsDocLoaderImpl::doStopDocumentLoad (this=0x81d8250, 
    request=0x89a26d8, aStatus=0) at nsDocLoader.cpp:749
#23 0x41069368 in nsDocLoaderImpl::DocLoaderIsEmpty (this=0x81d8250,
aStatus=0)
    at nsDocLoader.cpp:655
#24 0x4106909c in nsDocLoaderImpl::OnStopRequest (this=0x81d8250, 
    aRequest=0x8ca7f30, aCtxt=0x0, aStatus=0) at nsDocLoader.cpp:585
#25 0x40e48271 in nsLoadGroup::RemoveRequest (this=0x8afaf90, 
    request=0x8ca7f30, ctxt=0x0, aStatus=0) at nsLoadGroup.cpp:491
#26 0x40ea016b in nsJARChannel::OnStopRequest (this=0x8ca7f30, 
    jarExtractionTransport=0x8cf5a5c, context=0x0, aStatus=0)
    at nsJARChannel.cpp:588
#27 0x40ebfffe in nsOnStopRequestEvent::HandleEvent (this=0x8cd2d68)
    at nsRequestObserverProxy.cpp:158
#28 0x40e396e0 in nsARequestObserverEvent::HandlePLEvent
(plev=0x8cd2d68)
    at nsRequestObserverProxy.cpp:63
#29 0x4013be33 in PL_HandleEvent (self=0x8cd2d68) at plevent.c:588
#30 0x4013bc10 in PL_ProcessPendingEvents (self=0x8b26910) at
plevent.c:518
#31 0x4013e0cc in nsEventQueueImpl::ProcessPendingEvents
(this=0x8b268e8)
    at nsEventQueue.cpp:361
#32 0x408e9ab2 in event_processor_callback (data=0x8b268e8, source=25, 
    condition=GDK_INPUT_READ) at nsAppShell.cpp:168
#33 0x408e9638 in our_gdk_io_invoke (source=0x8b26968,
condition=G_IO_IN, 
    data=0x8b26958) at nsAppShell.cpp:61
#34 0x40aec01e in g_io_unix_dispatch () from /usr/lib/libglib-1.2.so.0
#35 0x40aed7f3 in g_main_dispatch () from /usr/lib/libglib-1.2.so.0
#36 0x40aeddd9 in g_main_iterate () from /usr/lib/libglib-1.2.so.0
#37 0x40aedebe in g_main_iteration () from /usr/lib/libglib-1.2.so.0
#38 0x408ea2fa in nsAppShell::DispatchNativeEvent (this=0x8b26df8, 
    aRealEvent=0, aEvent=0x0) at nsAppShell.cpp:397
#39 0x40869e15 in nsXULWindow::ShowModal (this=0x8b25938)
    at nsXULWindow.cpp:267
#40 0x40877bbf in nsWebShellWindow::ShowModal (this=0x8b25938)
    at nsWebShellWindow.cpp:1081
#41 0x40867cbe in nsContentTreeOwner::ShowAsModal (this=0x8acd1b0)
    at nsContentTreeOwner.cpp:392
#42 0x405bd727 in nsWindowWatcher::OpenWindowJS (this=0x8150930,
aParent=0x0, 
    aUrl=0x424549a0 "chrome://pippki/content/certViewer.xul", 
    aName=0x424544a8 "_blank", 
    aFeatures=0x42454440 "centerscreen,chrome,modal,titlebar",
aDialog=1, 
    argc=1, argv=0x8b266e0, _retval=0xbfffcc5c) at
nsWindowWatcher.cpp:653
#43 0x405bb569 in nsWindowWatcher::OpenWindow (this=0x8150930,
aParent=0x0, 
    aUrl=0x424549a0 "chrome://pippki/content/certViewer.xul", 
    aName=0x424544a8 "_blank", 
    aFeatures=0x42454440 "centerscreen,chrome,modal,titlebar", 
    aArguments=0x8b26670, _retval=0xbfffcc5c) at nsWindowWatcher.cpp:390
#44 0x4244b605 in nsNSSDialogHelper::openDialog (window=0x0, 
    url=0x424549a0 "chrome://pippki/content/certViewer.xul",
params=0x8b26670)
    at nsNSSDialogs.cpp:98
#45 0x4244f085 in nsNSSDialogs::ViewCert (this=0x87df340,
cert=0x81e3780)
    at nsNSSDialogs.cpp:734
#46 0x411ce637 in nsNSSCertificate::View (this=0x81e3780)
    at nsNSSCertificate.cpp:952
#47 0x4016052b in XPTC_InvokeByIndex (that=0x81e3780, methodIndex=19, 
    paramCount=0, params=0xbfffced8) at xptcinvoke_unixish_x86.cpp:138
#48 0x40cb19c7 in nsXPCWrappedNativeClass::CallWrappedMethod
(this=0x8bf4978, 
    cx=0x8b42608, wrapper=0x8b265d0, desc=0x8bf4a94,
callMode=CALL_METHOD, 
    argc=0, argv=0x8cd9600, vp=0xbfffd080) at
xpcwrappednativeclass.cpp:934
#49 0x40cb3e86 in WrappedNative_CallMethod (cx=0x8b42608, obj=0x8b89b28, 
    argc=0, argv=0x8cd9600, vp=0xbfffd080) at
xpcwrappednativejsops.cpp:250
#50 0x40229356 in js_Invoke (cx=0x8b42608, argc=0, flags=0) at
jsinterp.c:813
#51 0x40237779 in js_Interpret (cx=0x8b42608, result=0xbfffd95c)
    at jsinterp.c:2706
#52 0x402293d8 in js_Invoke (cx=0x8b42608, argc=1, flags=2) at
jsinterp.c:830
#53 0x40229710 in js_InternalInvoke (cx=0x8b42608, obj=0x8b89388, 
    fval=146315104, flags=0, argc=1, argv=0xbfffdc50, rval=0xbfffdb14)
    at jsinterp.c:902
#54 0x401fcd58 in JS_CallFunctionValue (cx=0x8b42608, obj=0x8b89388, 
    fval=146315104, argc=1, argv=0xbfffdc50, rval=0xbfffdb14) at
jsapi.c:3334
#55 0x406eb651 in nsJSContext::CallEventHandler (this=0x8b425c8, 
    aTarget=0x8b89388, aHandler=0x8b89760, argc=1, argv=0xbfffdc50, 
    aBoolResult=0xbfffdba0, aReverseReturnResult=0) at
nsJSEnvironment.cpp:939
#56 0x40749a2a in nsJSEventListener::HandleEvent (this=0x8ba1450, 
    aEvent=0x419bc3c4) at nsJSEventListener.cpp:154
#57 0x4157fe11 in nsEventListenerManager::HandleEventSubType
(this=0x8ba1418, 
    aListenerStruct=0x8ba1488, aDOMEvent=0x419bc3c4,
aCurrentTarget=0x8ba9668, 
    aSubType=4, aPhaseFlags=7) at nsEventListenerManager.cpp:1035
#58 0x41580818 in nsEventListenerManager::HandleEvent (this=0x8ba1418, 
    aPresContext=0x8b2aaf0, aEvent=0xbfffe8dc, aDOMEvent=0xbfffe728, 
    aCurrentTarget=0x8ba9668, aFlags=7, aEventStatus=0xbfffee04)
    at nsEventListenerManager.cpp:1201
#59 0x416a4263 in nsXULElement::HandleDOMEvent (this=0x8ba9660, 
    aPresContext=0x8b2aaf0, aEvent=0xbfffe8dc, aDOMEvent=0xbfffe728,
aFlags=1, 
    aEventStatus=0xbfffee04) at nsXULElement.cpp:3672
#60 0x41e29bdf in PresShell::HandleEventInternal (this=0x8b2b3f8, 
    aEvent=0xbfffe8dc, aView=0x0, aFlags=1, aStatus=0xbfffee04)
    at nsPresShell.cpp:5405
#61 0x41e29a21 in PresShell::HandleEventWithTarget (this=0x8b2b3f8, 
    aEvent=0xbfffe8dc, aFrame=0x8be3bac, aContent=0x8ba9660, aFlags=1, 
    aStatus=0xbfffee04) at nsPresShell.cpp:5378
#62 0x4158d9b3 in nsEventStateManager::CheckForAndDispatchClick (
    this=0x8bc9db0, aPresContext=0x8b2aaf0, aEvent=0xbfffef50, 
    aStatus=0xbfffee04) at nsEventStateManager.cpp:2293
#63 0x4158ac56 in nsEventStateManager::PostHandleEvent (this=0x8bc9db0, 
    aPresContext=0x8b2aaf0, aEvent=0xbfffef50, aTargetFrame=0x8be3bac, 
    aStatus=0xbfffee04, aView=0x8be4bf8) at nsEventStateManager.cpp:1392
#64 0x41e29d6a in PresShell::HandleEventInternal (this=0x8b2b3f8, 
    aEvent=0xbfffef50, aView=0x8be4bf8, aFlags=1, aStatus=0xbfffee04)
    at nsPresShell.cpp:5425
#65 0x41e29719 in PresShell::HandleEvent (this=0x8b2b3f8,
aView=0x8be4bf8, 
    aEvent=0xbfffef50, aEventStatus=0xbfffee04, aForceHandle=1, 
    aHandled=@0xbfffedc4) at nsPresShell.cpp:5332
#66 0x4209fcfe in nsView::HandleEvent (this=0x8be4bf8, event=0xbfffef50, 
    aEventFlags=28, aStatus=0xbfffee04, aForceHandle=1,
aHandled=@0xbfffedc4)
    at nsView.cpp:364
#67 0x420ac95b in nsViewManager::DispatchEvent (this=0x8b2ae28, 
    aEvent=0xbfffef50, aStatus=0xbfffee04) at nsViewManager.cpp:2037
#68 0x4209f2d0 in HandleEvent (aEvent=0xbfffef50) at nsView.cpp:67
#69 0x4090012b in nsWidget::DispatchEvent (this=0x8be4c60,
aEvent=0xbfffef50, 
    aStatus=@0xbfffeec4) at nsWidget.cpp:1488
#70 0x408ffd06 in nsWidget::DispatchWindowEvent (this=0x8be4c60, 
    event=0xbfffef50) at nsWidget.cpp:1379
#71 0x409001eb in nsWidget::DispatchMouseEvent (this=0x8be4c60, 
    aEvent=@0xbfffef50) at nsWidget.cpp:1515
#72 0x409016b5 in nsWidget::OnButtonReleaseSignal (this=0x8be4c60, 
    aGdkButtonEvent=0x829e804) at nsWidget.cpp:2064
#73 0x40908733 in nsWindow::HandleGDKEvent (this=0x8be4c60,
event=0x829e804)
    at nsWindow.cpp:1465
#74 0x408f67f0 in dispatch_superwin_event (event=0x829e804,
window=0x8be4c60)
    at nsGtkEventHandler.cpp:1022
#75 0x408f630b in handle_gdk_event (event=0x829e804, data=0x0)
    at nsGtkEventHandler.cpp:843
#76 0x40abde4f in gdk_event_dispatch () from /usr/lib/libgdk-1.2.so.0
#77 0x40aed7f3 in g_main_dispatch () from /usr/lib/libglib-1.2.so.0
#78 0x40aeddd9 in g_main_iterate () from /usr/lib/libglib-1.2.so.0
#79 0x40aedf8c in g_main_run () from /usr/lib/libglib-1.2.so.0
#80 0x40a05803 in gtk_main () from /usr/lib/libgtk-1.2.so.0
#81 0x408ea24d in nsAppShell::Run (this=0x80bb3f0) at nsAppShell.cpp:360
#82 0x408732e5 in nsAppShellService::Run (this=0x80b84f0)
    at nsAppShellService.cpp:407
#83 0x08055149 in main1 (argc=1, argv=0xbffff5bc, nativeApp=0x0)
    at nsAppRunner.cpp:1005
#84 0x08055fc1 in main (argc=1, argv=0xbffff5bc) at nsAppRunner.cpp:1300
#85 0x4034ce2e in __libc_start_main (main=0x8055dac <main>, argc=1, 
    ubp_av=0xbffff5bc, init=0x804f938 <_init>, fini=0x80632e8 <_fini>, 
    rtld_fini=0x4000d3a4 <_dl_fini>, stack_end=0xbffff5ac)
    at ../sysdeps/generic/libc-start.c:129
setting bug status to New
Status: UNCONFIRMED → NEW
Ever confirmed: true
Kai, great bug report, thanks for all the info and the patch. I wish all the bugs
gave us this much info and a fix. Adding patch, review keywords.
Keywords: patch, review
gotta love a stacktrace that long ;)

Bob-

Shouldn't NSS store each of the chain certs in the temp db as it is decoding the
cert?  If it doesn't, should it?
Component: Security: General → Client Library
Product: Browser → PSM
Version: other → 2.0
reassigning to myself

the code in question begins at:

http://lxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#1556
Assignee: mstoltz → mcgreer
with regards to the patch, if at any time the issuer cert is NULL, I think the
function should return an error.  That means it failed to get the full cert chain.


I'm still wondering what causes this...
Qa > junruh
OS: Linux → All
Priority: -- → P2
QA Contact: ckritzer → junruh
Hardware: PC → All
Target Milestone: --- → 2.0
Hmm it's hard to tell what's going on here. The stack trace seems to indicate
that we're passing in 'NULL' for the certificate, but the code wouldn't get very
far if that were the case. It is clear that 'cert' is NULL by the time we do the
SECITEM_Compare (look at the small values passed to it as parameters). The only
way that could happen is if CERT_DupCertificate is failing.... but that's not
likely because it only gets a lock, bumps a reference count, and returns.

That leaves us with the only other option... someone is trashing the stack. I
would suspect something with CERT_UnlockCertReference.

Try setting a breakpoint at CERT_DupCertificate and stepping through the code.
It must be something serializable because it's so reproducible (according to the
bug report).

bob
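A constructed C model of the chain walk that Kai's report and Bob's comment discuss, added here as an example; it is not NSS code, and the cert_t struct, find_by_subject and the in-memory cert database are assumptions. It shows the loop stopping at a self-signed root and returning an error when the issuer lookup comes back NULL (as mcgreer suggested) instead of handing fields of a NULL cert to the compare routine, and why such a NULL cert shows up in gdb as small pointer values like a=0x48, b=0x54.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a certificate: only the names matter for the walk. */
typedef struct cert {
    const char *subject;
    const char *issuer;
} cert_t;

/* Constructed "cert database". The issuer of www.kuix.de is deliberately
 * absent, modelling the "no known issuer" case from the bug report. */
static const cert_t db[] = {
    { "CN=www.kuix.de",     "CN=Kuix Intermediate CA" },
    { "CN=Example Leaf",    "CN=Example Root CA" },
    { "CN=Example Root CA", "CN=Example Root CA" },   /* self-signed root */
};

/* Look a cert up by subject; NULL when the database does not have it. */
static const cert_t *find_by_subject(const char *subject) {
    for (size_t i = 0; i < sizeof db / sizeof db[0]; i++)
        if (strcmp(db[i].subject, subject) == 0) return &db[i];
    return NULL;
}

/* Walk issuer links from the leaf. Returns the chain length (>= 1) when a
 * self-signed root is reached, or -1 when an issuer cannot be found. The
 * loop condition is the whole fix: the unchecked version kept going and
 * compared cert->subject with cert->issuer while cert was NULL. */
int get_cert_chain_length(const char *leaf_subject) {
    const cert_t *cert = find_by_subject(leaf_subject);
    int len = 0;
    while (cert != NULL) {
        len++;
        if (strcmp(cert->subject, cert->issuer) == 0)
            return len;                      /* reached a self-signed root */
        cert = find_by_subject(cert->issuer); /* may be NULL: unknown issuer */
    }
    return -1;   /* chain incomplete: report an error instead of crashing */
}

/* With cert == NULL, &cert->issuer evaluates to the field's offset, which is
 * why gdb printed tiny addresses for the compare arguments. offsetof yields
 * the same number without dereferencing anything. */
size_t issuer_field_offset(void) { return offsetof(cert_t, issuer); }
```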
*** Bug 79414 has been marked as a duplicate of this bug. ***

*** This bug has been marked as a duplicate of 77701 ***
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
Verified dupe.
Status: RESOLVED → VERIFIED
Product: PSM → Core
Version: psm2.0 → 1.0 Branch
Product: Core → Core Graveyard