Bug 768669

Summary: [PEM] an unregistered callback causes a SIGSEGV
Product: Red Hat Enterprise Linux 6
Reporter: Elio Maldonado Batiz <emaldona>
Component: nss
Assignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED ERRATA
QA Contact: Aleš Mareček <amarecek>
Severity: medium
Docs Contact:
Priority: high
Version: 6.2
CC: amarecek, danw, emaldona, jrieden, kdudka, kengert, rrelyea
Target Milestone: rc
Keywords: EasyFix, Patch
Target Release: 6.3
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: nss-3.13.3-3.el6
Doc Type: Bug Fix
Doc Text:
Cause: The PEM module did not fully initialize newly constructed objects, whose function pointers were left set to NULL. Consequence: A segmentation violation in libcurl was experienced while accessing a package repository. Fix: Fully initialize newly allocated objects. Result: The updates can now be installed without problems.
Story Points: ---
Clone Of: 754771
Environment:
Last Closed: 2012-06-20 07:23:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 754771
Bug Blocks: 702083, 733657, 733749, 733752, 746629, 1002271
Attachments:
Initializes pointers to functions: Kamil's patch brought here (flags: rrelyea: review+)

Description Elio Maldonado Batiz 2011-12-17 19:40:18 UTC
+++ This bug was initially created as a clone of Bug #754771 +++

+++ This bug was initially created as a clone of Bug #733685 +++

--- Additional comment from kdudka on 2011-08-26 15:52:53 CEST ---

I needed the following patch:

diff --git a/pinst.c b/pinst.c
index 70f5f4e..d35d7cf 100644
--- a/pinst.c
+++ b/pinst.c
@@ -349,6 +349,9 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objClass,
     if (io == NULL)
         return NULL;

+    /* initialize pointers to functions */
+    pem_CreateMDObject(NULL, io, NULL);
+
     io->gobjIndex = count;

     /* add object to global array */
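Review bot: the call pem_CreateMDObject(NULL, io, NULL) added here is used only for its side effect of filling in io's function pointers, yet its return value is silently dropped and the two NULL arguments rely on pem_CreateMDObject tolerating them; cast it to (void) and say in the comment that the NULL arguments are deliberate, or better, move the initialization into the routine that allocates io (CreateObject, per the discussion below) so that no object can reach the global array with unset function pointers regardless of which caller constructs it.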


... to get over the following crash:

#0  0x0000000000000000 in ?? ()
#1  0x00007ffff04bd4f7 in pem_mdObject_GetAttributeSize (mdObject=0x721b60, ...)
#2  0x00007ffff04c2c9e in nssCKFWObject_GetAttributeSize (fwObject=0x6fb9c0,...)
#3  0x00007ffff04cbec7 in NSSCKFWC_GetAttributeValue (fwInstance=0x6f6580, ...)
#4  0x00007ffff04b8eaa in pemC_GetAttributeValue (hSession=2, hObject=2, ...)
#5  0x00007ffff75904e2 in PK11_ReadAttribute (slot=0x6fa700, id=2, type=17, ...)
#6  0x00007ffff75930cb in PK11_ReadRawAttribute (objType=PK11_TypeGeneric, ...)
#7  0x00007ffff7dc7e2d in SelectClientCert (arg=0x62efe8, sock=0x7207b0, ...)

--- Additional comment from emaldona on 2011-08-26 19:04:05 CEST ---

Ah, we now add to the global internal list a fully constructed object. The invocation of pem_CreateMDObject(NULL, io, NULL); is solely for its side effect of setting the function pointers, so a (void) cast seems in order.  Additionally, the (void) pem_CreateMDObject(NULL, io, NULL); could be inside CreateObject itself.

At some point we should analyze why we need CreateObject and pem_createObject. That's food for the upstream work, not now.

--- Additional comment from kdudka on 2011-12-12 08:09:24 EST ---

Elio, is there anything that prevents this one-liner from being applied?

--- Additional comment from emaldona on 2011-12-12 12:59:50 EST ---

Created attachment 545843 [details]
Initializes pointers to functions

Modified to account for code movement since Kamil first proposed it.
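The defect class behind this report, as an added C example that is not NSS or PEM code: an object that callers use only through a table of function pointers is allocated and registered before that table is filled in, so the first dispatch jumps to address 0 (the `#0 0x0000000000000000` frame in the backtrace). All identifiers below (obj, obj_ops, obj_create_partial, obj_create, obj_get_attribute_size, the ATTR_* and OBJ_* constants) are invented for this example; the buggy constructor, the fixed constructor, a pre-publication check, and a dispatcher that reports an error instead of calling a NULL pointer are shown side by side.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not NSS/PEM code.  It models the bug class: an object used
 * only through a function-pointer table, handed out before the table is set.
 * Every name here is hypothetical.
 */

#define ATTR_LABEL 1
#define ATTR_INDEX 2

#define OBJ_OK                  0
#define OBJ_ERR_UNINITIALIZED (-1)
#define OBJ_ERR_BAD_ARG       (-2)

typedef struct obj obj;

/* Dispatch table.  Every slot must be non-NULL before the object is visible
   to callers; the PEM bug left the equivalent slots unset. */
typedef struct {
    size_t (*get_attribute_size)(const obj *o, int type);
} obj_ops;

struct obj {
    obj_ops     ops;
    int         index;
    const char *label;
};

static size_t obj_attr_size(const obj *o, int type)
{
    switch (type) {
    case ATTR_LABEL: return strlen(o->label);
    case ATTR_INDEX: return sizeof o->index;
    default:         return 0;
    }
}

/* Models the buggy path: the object is allocated and its data fields set,
   but the function pointers are never assigned (calloc leaves them NULL). */
obj *obj_create_partial(const char *label, int index)
{
    obj *o = calloc(1, sizeof *o);
    if (o == NULL)
        return NULL;
    o->index = index;
    o->label = label;
    return o;                       /* ops.get_attribute_size is still NULL */
}

/* Models the fix: the constructor is the one place that fills the dispatch
   table, so no caller can forget to do it. */
obj *obj_create(const char *label, int index)
{
    obj *o = obj_create_partial(label, index);
    if (o == NULL)
        return NULL;
    o->ops.get_attribute_size = obj_attr_size;
    return o;
}

/* Check to run before adding an object to any global list: refuse one whose
   table still contains a NULL slot. */
int obj_is_fully_initialized(const obj *o)
{
    return o != NULL && o->ops.get_attribute_size != NULL;
}

/* Defensive dispatch: return an error code instead of calling through a
   NULL function pointer. */
int obj_get_attribute_size(const obj *o, int type, size_t *out)
{
    if (o == NULL || out == NULL)
        return OBJ_ERR_BAD_ARG;
    if (o->ops.get_attribute_size == NULL)
        return OBJ_ERR_UNINITIALIZED;
    *out = o->ops.get_attribute_size(o, type);
    return OBJ_OK;
}

int main(void)
{
    size_t n = 0;
    obj *partial = obj_create_partial("client-cert", 7);  /* constructed input */
    obj *full    = obj_create("client-cert", 7);
    int rc_partial = obj_get_attribute_size(partial, ATTR_LABEL, &n);
    printf("partial object: rc=%d\n", rc_partial);
    int rc_full = obj_get_attribute_size(full, ATTR_LABEL, &n);
    printf("full object:    rc=%d size=%zu\n", rc_full, n);
    free(partial);
    free(full);
    return 0;
}
```

The guard in obj_get_attribute_size is a second line of defence, not a substitute for the fix: the real remedy, as the patch and the review comments say, is to make the constructor the only path that produces an object, so a partially initialized one never exists to be dispatched through.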

Comment 5 Elio Maldonado Batiz 2012-03-13 00:17:45 UTC
Created attachment 569522 [details]
Initializes pointers to functions: Kamil's patch brought here

Renamed to follow current nss patch naming conventions: Bug-number-some-description.patch

Comment 6 Bob Relyea 2012-03-13 00:39:35 UTC
Comment on attachment 569522 [details]
Initializes pointers to functions: Kamil's patch brought here

r+

From a logical point of view, this may not be the most optimal patch, but it's both effective and safe, so it's the right patch for RHEL.

Comment 7 Elio Maldonado Batiz 2012-03-14 06:46:50 UTC
*** Bug 754771 has been marked as a duplicate of this bug. ***

Comment 13 Elio Maldonado Batiz 2012-04-26 18:25:54 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: The PEM module did not fully initialize newly constructed objects, whose function pointers were left set to NULL.

Consequence: A segmentation violation in libcurl was experienced while accessing a package repository.

Fix: Fully initialize newly allocated objects.

Result: The updates can now be installed without problems.

Comment 14 errata-xmlrpc 2012-06-20 07:23:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0973.html