Bug 1125965
| Summary: | p11-kit killed by SIGSEGV | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | David Jaša <djasa> |
| Component: | p11-kit | Assignee: | Stef Walter <stefw> |
| Status: | CLOSED ERRATA | QA Contact: | Aleš Mareček <amarecek> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.0 | CC: | amarecek, ksrot |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:b57ba06cb0e9a6ec085ee413172afa4619202c17 | | |
| Fixed In Version: | p11-kit-0.20.4-1.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1152679 (view as bug list) | Environment: | |
| Last Closed: | 2015-03-05 07:54:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1152679 | | |

Attachments:

Created attachment 923304. File: backtrace
Created attachment 923305. File: cgroup
Created attachment 923306. File: core_backtrace
Created attachment 923307. File: dso_list
Created attachment 923308. File: environ
Created attachment 923309. File: limits
Created attachment 923310. File: maps
Created attachment 923311. File: open_fds
Created attachment 923312. File: proc_pid_status
Created attachment 923313. File: var_log_messages
Created attachment 923314. File: binary
Created attachment 923316. File: sosreport.tar.xz

*** Bug 1125956 has been marked as a duplicate of this bug. ***

From the duplicate bug:

(In reply to David Jaša from bug 1125956#c13)
> The bug actually seems to be in p11-kit. My p11-kit configuration is altered
> by addition of opencryptoki module in hope of seeing thinkpad TPM module
> through it:
>
> # cat /etc/pkcs11/modules/opencryptoki.module
> module: /usr/lib64/opencryptoki/libopencryptoki.so
> critical: no
> You have new mail in /var/spool/mail/root
> [root@cihla ~]# rpm -qa '*opencryptoki*'
> opencryptoki-tpmtok-3.0-11.el7.x86_64
> opencryptoki-libs-3.0-11.el7.x86_64
> opencryptoki-3.0-11.el7.x86_64
>
> (this didn't materialize, instead of it, I hit this bug).

I believe this is fixed upstream with this bug:

https://bugs.freedesktop.org/show_bug.cgi?id=74919

Could you test p11-kit-0.20.4-1.el7 and see if it fixes this issue?

Yes, the crash is fixed in all cases. There seems to be some issue with ca-certificates handling though (ca-certificates didn't change):

$ modutil -dbdir sql:/etc/pki/nssdb -list
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit

Listing of PKCS #11 Modules
...
-------------- 8< --------------

BTW now with the opencryptoki.module in place, the addition of p11-kit module to nss fails:

# modutil -dbdir sql:/etc/pki/nssdb -add "p11-kit" -libfile /usr/lib64/p11-kit-proxy.so

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation.
Type 'q <enter>' to abort, or <enter> to continue:

p11-kit: opencryptoki: module failed to initialize: The operation failed
p11-kit: opencryptoki: module failed to initialize: The operation failed
ERROR: Failed to add module "p11-kit". Probable cause : "A PKCS #11 module returned CKR_FUNCTION_FAILED, indicating that the requested function could not be performed. Trying the same operation again might succeed.".

Without opencryptoki.module, the module adds but nss doesn't load it so it can't see any slots:

$ modutil -dbdir sql:/etc/pki/nssdb -list
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
p11-kit: opencryptoki: module failed to initialize: The operation failed
p11-kit: opencryptoki: module failed to initialize: The operation failed

Listing of PKCS #11 Modules
-----------------------------------------------------------
<other modules>

  4. p11-kit
    library name: /usr/lib64/p11-kit-proxy.so
    slots: There are no slots attached to this module
    status: Not loaded
-----------------------------------------------------------

perhaps a separate new issue? I'd expect that mis-behaving module of p11-kit shouldn't prevent all other modules from working...

(In reply to David Jaša from comment #19)
> Yes, the crash is fixed in all cases. There seems to be some issue with
> ca-certificates handling though (ca-certificates didn't change):
> $ modutil -dbdir sql:/etc/pki/nssdb -list
> p11-kit: invalid basic constraints certificate extension
> p11-kit: invalid basic constraints certificate extension
> p11-kit: invalid basic constraints certificate extension
> p11-kit: invalid basic constraints certificate extension
> p11-kit: invalid basic constraints certificate extension

This is fixed with the patch here, which I would like to also include in RHEL 7.1. Are you able to test this?

https://bugs.freedesktop.org/show_bug.cgi?id=82328

> p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
> p11-kit: couldn't load file into objects:
> /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit

Hmmm, I haven't seen this one. Have you customized your /etc/pki/ca-trust/source at all? Or perhaps the /usr/share/pki/ca-trust-source directory?

> BTW now with the opencryptoki.module in place,

Are you able to provide step by step instructions as to how you setup your opencryptoki module and populated it? I would like to reproduce this issue.

> the addition of p11-kit
> module to nss fails:
> # modutil -dbdir sql:/etc/pki/nssdb -add "p11-kit" -libfile
> /usr/lib64/p11-kit-proxy.so
>
> WARNING: Performing this operation while the browser is running could cause
> corruption of your security databases. If the browser is currently running,
> you should exit browser before continuing this operation. Type
> 'q <enter>' to abort, or <enter> to continue:
>
> p11-kit: opencryptoki: module failed to initialize: The operation failed
> p11-kit: opencryptoki: module failed to initialize: The operation failed
> ERROR: Failed to add module "p11-kit". Probable cause : "A PKCS #11 module
> returned CKR_FUNCTION_FAILED, indicating that the requested function could
> not be performed. Trying the same operation again might succeed.".
>
> Without opencryptoki.module, the module adds but nss doesn't load it so it
> can't see any slots:
> $ modutil -dbdir sql:/etc/pki/nssdb -list
> p11-kit: invalid basic constraints certificate extension
> p11-kit: invalid basic constraints certificate extension
> p11-kit: invalid basic constraints certificate extension
> p11-kit: invalid basic constraints certificate extension
> p11-kit: invalid basic constraints certificate extension
> p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
> p11-kit: couldn't load file into objects:
> /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
> p11-kit: opencryptoki: module failed to initialize: The operation failed
> p11-kit: opencryptoki: module failed to initialize: The operation failed
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
> <other modules>
>
> 4. p11-kit
> library name: /usr/lib64/p11-kit-proxy.so
> slots: There are no slots attached to this module
> status: Not loaded
> -----------------------------------------------------------
>
> perhaps a separate new issue? I'd expect that mis-behaving module of p11-kit
> shouldn't prevent all other modules from working...

Indeed. I fixed a few issues related to this, but perhaps the proxy module continues to have such an issue. Does 'p11-kit list-modules' output the modules other than the failing one?

(In reply to Stef Walter from comment #20)
> (In reply to David Jaša from comment #19)
> > Yes, the crash is fixed in all cases. There seems to be some issue with
...
> > p11-kit: invalid basic constraints certificate extension
>
> This is fixed with the patch here, which I would like to also include in
> RHEL 7.1. Are you able to test this?
>
> https://bugs.freedesktop.org/show_bug.cgi?id=82328
>

Give me a (scratch) build and I'll test it. :)

> > p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
> > p11-kit: couldn't load file into objects:
> > /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
>
> Hmmm, I haven't seen this one. Have you customized your
> /etc/pki/ca-trust/source at all?

Yes, I do add internal CA certs there (followed by update-ca-trust).

> Or perhaps the
> /usr/share/pki/ca-trust-source directory?
>
> > BTW now with the opencryptoki.module in place,
>
> Are you able to provide step by step instructions as to how you setup your
> opencryptoki module and populated it? I would like to reproduce this issue.
>

I just installed opencryptoki-{libs,tpmtok} and trousers (and started the tcsd) and that's it. I must be missing something but the scattered docs aren't exactly helpful :( The fact that this block diagram is actually helpful for me says it all:
http://tiebing.blogspot.cz/2014/02/linux-tpm-and-smartcard-block-diagram.html

> > the addition of p11-kit
> > module to nss fails:
> > # modutil -dbdir sql:/etc/pki/nssdb -add "p11-kit" -libfile
> > /usr/lib64/p11-kit-proxy.so
> >
> > WARNING: Performing this operation while the browser is running could cause
> > corruption of your security databases. If the browser is currently running,
> > you should exit browser before continuing this operation. Type
> > 'q <enter>' to abort, or <enter> to continue:
> >
> > p11-kit: opencryptoki: module failed to initialize: The operation failed
> > p11-kit: opencryptoki: module failed to initialize: The operation failed
> > ERROR: Failed to add module "p11-kit". Probable cause : "A PKCS #11 module
> > returned CKR_FUNCTION_FAILED, indicating that the requested function could
> > not be performed. Trying the same operation again might succeed.".
> >
> > Without opencryptoki.module, the module adds but nss doesn't load it so it
> > can't see any slots:
> > $ modutil -dbdir sql:/etc/pki/nssdb -list
> > p11-kit: invalid basic constraints certificate extension
> > p11-kit: invalid basic constraints certificate extension
> > p11-kit: invalid basic constraints certificate extension
> > p11-kit: invalid basic constraints certificate extension
> > p11-kit: invalid basic constraints certificate extension
> > p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
> > p11-kit: couldn't load file into objects:
> > /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
> > p11-kit: opencryptoki: module failed to initialize: The operation failed
> > p11-kit: opencryptoki: module failed to initialize: The operation failed
> >
> > Listing of PKCS #11 Modules
> > -----------------------------------------------------------
> > <other modules>
> >
> > 4. p11-kit
> > library name: /usr/lib64/p11-kit-proxy.so
> > slots: There are no slots attached to this module
> > status: Not loaded
> > -----------------------------------------------------------
> >
> > perhaps a separate new issue? I'd expect that mis-behaving module of p11-kit
> > shouldn't prevent all other modules from working...
>
> Indeed. I fixed a few issues related to this, but perhaps the proxy module
> continues to have such an issue. Does 'p11-kit list-modules' output the
> modules other than the failing one?

Yes, it does:

bash-4.2$ modutil -dbdir sql:/etc/pki/nssdb -list ; echo '--==<<< >>>==--' ; p11-kit list-modules
p11-kit: opencryptoki: module failed to initialize: The operation failed
p11-kit: opencryptoki: module failed to initialize: The operation failed

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal Crypto Services
    slots: 3 slots attached
    status: loaded

    slot: NSS Internal Cryptographic Services
    token: NSS Generic Crypto Services

    slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB

    slot: NSS Application Slot 00000004
    token: NSS system database

  2. p11-kit
    library name: /usr/lib64/p11-kit-proxy.so
    slots: There are no slots attached to this module
    status: Not loaded
-----------------------------------------------------------
--==<<< >>>==--
p11-kit: opencryptoki: module failed to initialize, skipping: The operation failed
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.20
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.20
        flags: write-protected token-initialized
    token: Default Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.20
        flags: write-protected token-initialized
coolkey: /usr/lib64/pkcs11/libcoolkeypk11.so
    library-description: CoolKey PKCS #11 Module
    library-manufacturer: Mozilla Foundation
    library-version: 1.0
gnome-keyring: gnome-keyring-pkcs11.so
    library-description: GNOME Keyring Daemon Core
    library-manufacturer: GNOME Keyring
    library-version: 1.1
    token: SSH Keys
        manufacturer: Gnome Keyring
        model: 1.0
        serial-number: 1:SSH:HOME
        flags: write-protected user-pin-initialized protected-authentication-path token-initialized
    token: Secret Store
        manufacturer: Gnome Keyring
        model: 1.0
        serial-number: 1:SECRET:MAIN
        flags: login-required user-pin-initialized protected-authentication-path token-initialized
    token: Gnome2 Key Storage
        manufacturer: Gnome Keyring
        model: 1.0
        serial-number: 1:USER:DEFAULT
        flags: login-required user-pin-initialized protected-authentication-path token-initialized
    token: User Key Storage
        manufacturer: Gnome Keyring
        model: 1.0
        serial-number: 1:XDG:DEFAULT
        flags: protected-authentication-path token-initialized

Created attachment 925156
archive of /etc/pki/ca-trust/source/anchors

(In reply to David Jaša from comment #21)
...
> > > p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
> > > p11-kit: couldn't load file into objects:
> > > /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
> >
> > Hmmm, I haven't seen this one. Have you customized your
> > /etc/pki/ca-trust/source at all?
>
> Yes, I do add internal CA certs there (followed by update-ca-trust).
>
> > Or perhaps the
> > /usr/share/pki/ca-trust-source directory?
> >

/usr/share/pki/ca-trust-source/anchors is empty (just default ca-certificates contents are there)
/etc/pki/ca-trust/source/anchors is attached

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0339.html

Description of problem:
"p11-kit list-modules" and "modutil -dbdir sql:/etc/pki/nssdb" both fail with segfault time to time.

I have loaded the p11-kit to nss:
-----------------------------------------------------------
  3. p11-kit
    library name: /usr/lib64/p11-kit-proxy.so
    slots: 6 slots attached
    status: loaded

    slot: /etc/pki/ca-trust/source
    token: System Trust

    slot: /usr/share/pki/ca-trust-source
    token: Default Trust

    slot: SSH Keys
    token: SSH Keys

    slot: Secret Store
    token: Secret Store

    slot: Gnome2 Key Storage
    token: Gnome2 Key Storage

    slot: User Key Storage
    token: User Key Storage
-----------------------------------------------------------

and I have opencryptoki library loaded in p11-kit:
# cat /etc/pkcs11/modules/opencryptoki.module
module: /usr/lib64/opencryptoki/libopencryptoki.so
critical: no

Version-Release number of selected component:
p11-kit-0.18.7-4.el7

Additional info:
reporter: libreport-2.1.11
backtrace_rating: 3
cmdline: p11-kit list-modules
executable: /usr/bin/p11-kit
kernel: 3.10.0-123.4.4.el7.x86_64
runlevel: N 5
type: CCpp
uid: 16189

Truncated backtrace:
[New LWP 29267]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `p11-kit list-modules'.
Program terminated with signal 11, Segmentation fault.
#0 0x00000000019ad4c0 in ?? ()

Thread 1 (Thread 0x7f5d64793740 (LWP 29267)):
#0 0x00000000019ad4c0 in ?? ()
No symbol table info available.
#1 0x00007f5d643735c1 in finalize_module_unlocked_reentrant (mod=0x19ae370) at modules.c:666
    __PRETTY_FUNCTION__ = "finalize_module_unlocked_reentrant"
#2 0x00007f5d64373ead in _p11_kit_finalize_registered_unlocked_reentrant () at modules.c:815
    mod = 0x19ae370
    iter = {dict = 0x19ad270, next = 0x0, index = 9}
    to_finalize = 0x19aece0
    i = <optimized out>
    count = 3
    __PRETTY_FUNCTION__ = "_p11_kit_finalize_registered_unlocked_reentrant"
#3 0x00007f5d64373f6d in p11_kit_finalize_registered () at modules.c:858
    rv = <optimized out>
    __PRETTY_FUNCTION__ = "p11_kit_finalize_registered"
#4 0x0000000000403445 in print_modules () at list.c:231
    module_list = 0x19aece0
    rv = <optimized out>
    i = <optimized out>
    name = <optimized out>
    path = <optimized out>
#5 p11_tool_list_modules (argc=<optimized out>, argv=<optimized out>) at list.c:291
    opt = <optimized out>
    options = {{name = 0x410877 "verbose", has_arg = 0, flag = 0x0, val = 118}, {name = 0x410893 "quiet", has_arg = 0, flag = 0x0, val = 113}, {name = 0x410386 "list", has_arg = 0, flag = 0x0, val = 108}, {name = 0x4108aa "help", has_arg = 0, flag = 0x0, val = 104}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
    usages = {{option = 0, text = 0x410377 "usage: p11-kit list", arg = 0x0}, {option = 118, text = 0x41038b "show verbose debug output", arg = 0x0}, {option = 113, text = 0x4103a5 "supress command output", arg = 0x0}, {option = 0, text = 0x0, arg = 0x0}}
    __PRETTY_FUNCTION__ = "p11_tool_list_modules"
#6 0x0000000000402c67 in main (argc=<optimized out>, argv=0x7fff65900f08) at tool.c:343
    command = 0x7fff65901a46 "list-modules"
    want_help = <optimized out>
    skip = <optimized out>
    in = <optimized out>
    out = 1
    i = 1

From To Syms Read Shared Object Library
0x00007f5d64370790 0x00007f5d64380bec Yes /lib64/libp11-kit.so.0
0x00007f5d64159b70 0x00007f5d64165d1c Yes (*) /lib64/libtasn1.so.6
0x00007f5d63edb780 0x00007f5d63f31930 Yes /lib64/libfreebl3.so
0x00007f5d63cd4ed0 0x00007f5d63cd59d0 Yes /lib64/libdl.so.2
0x00007f5d63abd8a0 0x00007f5d63ac8554 Yes /lib64/libpthread.so.0
0x00007f5d637163c0 0x00007f5d63859d50 Yes /lib64/libc.so.6
0x00007f5d6458dae0 0x00007f5d645a7c9a Yes /lib64/ld-linux-x86-64.so.2
(*): Shared library is missing debugging information.

$1 = 0x0
No symbol "__glib_assert_msg" in current context.

rax 0x19ae970 26929520
rbx 0x19ae370 26927984
rcx 0x42 66
rdx 0x7f5d6458c980 140039092226432
rsi 0x0 0
rdi 0x0 0
rbp 0x7f5d6458c980 0x7f5d6458c980 <p11_library_mutex>
rsp 0x7fff65900268 0x7fff65900268
r8 0x0 0
r9 0x101010101010101 72340172838076673
r10 0x335a 13146
r11 0x7f5d637807e6 140039077496806
r12 0x19ae3c8 26928072
r13 0x3 3
r14 0x3 3
r15 0x19af5b0 26932656
rip 0x19ad4c0 0x19ad4c0
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
No function contains program counter for selected frame.
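
The expectation voiced in this report, that a module configured with `critical: no` which fails to initialize is skipped without taking the other modules down, sketched as an added example; it is not p11-kit's code and not the upstream fix. `module_t`, `initialize_modules`, `finalize_modules` and the three sample modules are hypothetical; the loader records which modules actually initialized and finalizes only those.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical, simplified module record; not p11-kit's data structure. */
typedef struct {
    const char *name;
    bool critical;            /* mirrors "critical: yes|no" in a .module file */
    int (*initialize)(void);  /* returns 0 on success */
    int (*finalize)(void);
    bool initialized;         /* true only after initialize() succeeded */
} module_t;

/* Finalize, in reverse order, only the modules that really initialized. */
void finalize_modules(module_t *mods, size_t n)
{
    while (n-- > 0) {
        if (mods[n].initialized && mods[n].finalize != NULL)
            mods[n].finalize();
        mods[n].initialized = false;  /* a repeated call becomes a no-op */
    }
}

/* Returns the usable-module count, or -1 after rolling back when a critical module fails. */
int initialize_modules(module_t *mods, size_t n)
{
    int usable = 0;
    for (size_t i = 0; i < n; i++) {
        if (mods[i].initialize != NULL && mods[i].initialize() == 0) {
            mods[i].initialized = true;
            usable++;
        } else if (mods[i].critical) {
            finalize_modules(mods, i);  /* stop the modules already started */
            return -1;
        }  /* a failing non-critical module is skipped and the loop goes on */
    }
    return usable;
}

/* Constructed sample modules for the demonstration. */
static int finalize_calls;
static int ok_init(void)    { return 0; }
static int bad_init(void)   { return 1; }
static int count_fini(void) { finalize_calls++; return 0; }

/* Loads three modules, the middle one always failing; stores the number of finalize() calls. */
int demo(bool broken_is_critical, int *finalized)
{
    module_t mods[] = {
        { "trust",   true,               ok_init,  count_fini, false },
        { "broken",  broken_is_critical, bad_init, count_fini, false },
        { "keyring", false,              ok_init,  count_fini, false },
    };
    finalize_calls = 0;
    int usable = initialize_modules(mods, 3);
    if (usable >= 0)
        finalize_modules(mods, 3);
    *finalized = finalize_calls;
    return usable;
}
int main(void)
{
    int f;
    return (demo(false, &f) == 2 && f == 2) ? 0 : 1;
}
```

With the failing module non-critical, the other two stay usable and exactly two finalize calls are made; with it critical, loading fails and only the module already started is finalized.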