Bug 1125965 - p11-kit killed by SIGSEGV
Summary: p11-kit killed by SIGSEGV
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: p11-kit
Version: 7.0
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Stef Walter
QA Contact: Aleš Mareček
URL:
Whiteboard: abrt_hash:b57ba06cb0e9a6ec085ee413172...
: 1125956 (view as bug list)
Depends On:
Blocks: 1152679
TreeView+ depends on / blocked
 
Reported: 2014-08-01 13:17 UTC by David Jaša
Modified: 2015-03-05 07:54 UTC (History)
2 users (show)

Fixed In Version: p11-kit-0.20.4-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1152679 (view as bug list)
Environment:
Last Closed: 2015-03-05 07:54:59 UTC


Attachments (Terms of Use)
File: backtrace (3.66 KB, text/plain)
2014-08-01 13:17 UTC, David Jaša
no flags Details
File: cgroup (172 bytes, text/plain)
2014-08-01 13:17 UTC, David Jaša
no flags Details
File: core_backtrace (249 bytes, text/plain)
2014-08-01 13:17 UTC, David Jaša
no flags Details
File: dso_list (642 bytes, text/plain)
2014-08-01 13:17 UTC, David Jaša
no flags Details
File: environ (1.40 KB, text/plain)
2014-08-01 13:17 UTC, David Jaša
no flags Details
File: limits (1.29 KB, text/plain)
2014-08-01 13:17 UTC, David Jaša
no flags Details
File: maps (3.50 KB, text/plain)
2014-08-01 13:17 UTC, David Jaša
no flags Details
File: open_fds (105 bytes, text/plain)
2014-08-01 13:17 UTC, David Jaša
no flags Details
File: proc_pid_status (1.09 KB, text/plain)
2014-08-01 13:17 UTC, David Jaša
no flags Details
File: var_log_messages (1.91 KB, text/plain)
2014-08-01 13:17 UTC, David Jaša
no flags Details
File: binary (118.57 KB, application/octet-stream)
2014-08-01 13:17 UTC, David Jaša
no flags Details
File: sosreport.tar.xz (6.96 MB, application/octet-stream)
2014-08-01 13:18 UTC, David Jaša
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:0339 normal SHIPPED_LIVE p11-kit bug fix and enhancement update 2015-03-05 12:22:29 UTC

Description David Jaša 2014-08-01 13:17:37 UTC
Description of problem:
"p11-kit list-modules" and "modutil -dbdir sql:/etc/pki/nssdb" both fail with segfault time to time. I have loaded the p11-kit to nss:
-----------------------------------------------------------
  3. p11-kit
	library name: /usr/lib64/p11-kit-proxy.so
	 slots: 6 slots attached
	status: loaded

	 slot: /etc/pki/ca-trust/source
	token: System Trust

	 slot: /usr/share/pki/ca-trust-source
	token: Default Trust

	 slot: SSH Keys
	token: SSH Keys

	 slot: Secret Store
	token: Secret Store

	 slot: Gnome2 Key Storage
	token: Gnome2 Key Storage

	 slot: User Key Storage
	token: User Key Storage
-----------------------------------------------------------

and I have opencryptoki library loaded in p11-kit:


# cat /etc/pkcs11/modules/opencryptoki.module 
module: /usr/lib64/opencryptoki/libopencryptoki.so
critical: no

Version-Release number of selected component:
p11-kit-0.18.7-4.el7

Additional info:
reporter:       libreport-2.1.11
backtrace_rating: 3
cmdline:        p11-kit list-modules
executable:     /usr/bin/p11-kit
kernel:         3.10.0-123.4.4.el7.x86_64
runlevel:       N 5
type:           CCpp
uid:            16189

Truncated backtrace:
[New LWP 29267]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `p11-kit list-modules'.
Program terminated with signal 11, Segmentation fault.
#0  0x00000000019ad4c0 in ?? ()

Thread 1 (Thread 0x7f5d64793740 (LWP 29267)):
#0  0x00000000019ad4c0 in ?? ()
No symbol table info available.
#1  0x00007f5d643735c1 in finalize_module_unlocked_reentrant (mod=0x19ae370) at modules.c:666
        __PRETTY_FUNCTION__ = "finalize_module_unlocked_reentrant"
#2  0x00007f5d64373ead in _p11_kit_finalize_registered_unlocked_reentrant () at modules.c:815
        mod = 0x19ae370
        iter = {dict = 0x19ad270, next = 0x0, index = 9}
        to_finalize = 0x19aece0
        i = <optimized out>
        count = 3
        __PRETTY_FUNCTION__ = "_p11_kit_finalize_registered_unlocked_reentrant"
#3  0x00007f5d64373f6d in p11_kit_finalize_registered () at modules.c:858
        rv = <optimized out>
        __PRETTY_FUNCTION__ = "p11_kit_finalize_registered"
#4  0x0000000000403445 in print_modules () at list.c:231
        module_list = 0x19aece0
        rv = <optimized out>
        i = <optimized out>
        name = <optimized out>
        path = <optimized out>
#5  p11_tool_list_modules (argc=<optimized out>, argv=<optimized out>) at list.c:291
        opt = <optimized out>
        options = {{name = 0x410877 "verbose", has_arg = 0, flag = 0x0, val = 118}, {name = 0x410893 "quiet", has_arg = 0, flag = 0x0, val = 113}, {name = 0x410386 "list", has_arg = 0, flag = 0x0, val = 108}, {name = 0x4108aa "help", has_arg = 0, flag = 0x0, val = 104}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
        usages = {{option = 0, text = 0x410377 "usage: p11-kit list", arg = 0x0}, {option = 118, text = 0x41038b "show verbose debug output", arg = 0x0}, {option = 113, text = 0x4103a5 "supress command output", arg = 0x0}, {option = 0, text = 0x0, arg = 0x0}}
        __PRETTY_FUNCTION__ = "p11_tool_list_modules"
#6  0x0000000000402c67 in main (argc=<optimized out>, argv=0x7fff65900f08) at tool.c:343
        command = 0x7fff65901a46 "list-modules"
        want_help = <optimized out>
        skip = <optimized out>
        in = <optimized out>
        out = 1
        i = 1
From                To                  Syms Read   Shared Object Library
0x00007f5d64370790  0x00007f5d64380bec  Yes         /lib64/libp11-kit.so.0
0x00007f5d64159b70  0x00007f5d64165d1c  Yes (*)     /lib64/libtasn1.so.6
0x00007f5d63edb780  0x00007f5d63f31930  Yes         /lib64/libfreebl3.so
0x00007f5d63cd4ed0  0x00007f5d63cd59d0  Yes         /lib64/libdl.so.2
0x00007f5d63abd8a0  0x00007f5d63ac8554  Yes         /lib64/libpthread.so.0
0x00007f5d637163c0  0x00007f5d63859d50  Yes         /lib64/libc.so.6
0x00007f5d6458dae0  0x00007f5d645a7c9a  Yes         /lib64/ld-linux-x86-64.so.2
(*): Shared library is missing debugging information.
$1 = 0x0
No symbol "__glib_assert_msg" in current context.
rax            0x19ae970	26929520
rbx            0x19ae370	26927984
rcx            0x42	66
rdx            0x7f5d6458c980	140039092226432
rsi            0x0	0
rdi            0x0	0
rbp            0x7f5d6458c980	0x7f5d6458c980 <p11_library_mutex>
rsp            0x7fff65900268	0x7fff65900268
r8             0x0	0
r9             0x101010101010101	72340172838076673
r10            0x335a	13146
r11            0x7f5d637807e6	140039077496806
r12            0x19ae3c8	26928072
r13            0x3	3
r14            0x3	3
r15            0x19af5b0	26932656
rip            0x19ad4c0	0x19ad4c0
eflags         0x10246	[ PF ZF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
No function contains program counter for selected frame.

Comment 1 David Jaša 2014-08-01 13:17:38 UTC
Created attachment 923304 [details]
File: backtrace

Comment 2 David Jaša 2014-08-01 13:17:39 UTC
Created attachment 923305 [details]
File: cgroup

Comment 3 David Jaša 2014-08-01 13:17:40 UTC
Created attachment 923306 [details]
File: core_backtrace

Comment 4 David Jaša 2014-08-01 13:17:42 UTC
Created attachment 923307 [details]
File: dso_list

Comment 5 David Jaša 2014-08-01 13:17:43 UTC
Created attachment 923308 [details]
File: environ

Comment 6 David Jaša 2014-08-01 13:17:44 UTC
Created attachment 923309 [details]
File: limits

Comment 7 David Jaša 2014-08-01 13:17:45 UTC
Created attachment 923310 [details]
File: maps

Comment 8 David Jaša 2014-08-01 13:17:46 UTC
Created attachment 923311 [details]
File: open_fds

Comment 9 David Jaša 2014-08-01 13:17:47 UTC
Created attachment 923312 [details]
File: proc_pid_status

Comment 10 David Jaša 2014-08-01 13:17:48 UTC
Created attachment 923313 [details]
File: var_log_messages

Comment 11 David Jaša 2014-08-01 13:17:50 UTC
Created attachment 923314 [details]
File: binary

Comment 13 David Jaša 2014-08-01 13:18:21 UTC
Created attachment 923316 [details]
File: sosreport.tar.xz

Comment 14 Stef Walter 2014-08-07 07:28:06 UTC
*** Bug 1125956 has been marked as a duplicate of this bug. ***

Comment 15 David Jaša 2014-08-07 08:33:20 UTC
From the duplicate bug:

(In reply to David Jaša from bug 1125956#c13)
> The bug actually seems to be in p11-kit. My p11-kit configuration is altered
> by addition of opencryptoki module in hope of seeing thinkpad TPM module
> through it:
> 
> # cat /etc/pkcs11/modules/opencryptoki.module 
> module: /usr/lib64/opencryptoki/libopencryptoki.so
> critical: no
> You have new mail in /var/spool/mail/root
> [root@cihla ~]# rpm -qa '*opencryptoki*'
> opencryptoki-tpmtok-3.0-11.el7.x86_64
> opencryptoki-libs-3.0-11.el7.x86_64
> opencryptoki-3.0-11.el7.x86_64
> 
> (this didn't materialize, instead of it, I hit this bug).

Comment 16 Stef Walter 2014-08-07 09:55:22 UTC
I believe this is fixed upstream with this bug: https://bugs.freedesktop.org/show_bug.cgi?id=74919

Comment 17 Stef Walter 2014-08-07 14:03:35 UTC
Could you test p11-kit-0.20.4-1.el7 and see if it fixes this issue?

Comment 19 David Jaša 2014-08-08 09:01:07 UTC
Yes, the crash is fixed in all cases. There seems to be some issue with ca-certificates handling though (ca-certificates didn't change):
$ modutil -dbdir sql:/etc/pki/nssdb -list
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit

Listing of PKCS #11 Modules
...

--------------      8<      --------------

BTW now with the opencryptoki.module in place, the addition of p11-kit module to nss fails:
# modutil -dbdir sql:/etc/pki/nssdb -add "p11-kit" -libfile /usr/lib64/p11-kit-proxy.so 

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: 

p11-kit: opencryptoki: module failed to initialize: The operation failed
p11-kit: opencryptoki: module failed to initialize: The operation failed
ERROR: Failed to add module "p11-kit". Probable cause : "A PKCS #11 module returned CKR_FUNCTION_FAILED, indicating that the requested function could not be performed.  Trying the same operation again might succeed.".

Without opencryptoki.module, the module adds but nss doesn't load it so it can't see any slots:
$ modutil -dbdir sql:/etc/pki/nssdb -list
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
p11-kit: opencryptoki: module failed to initialize: The operation failed
p11-kit: opencryptoki: module failed to initialize: The operation failed

Listing of PKCS #11 Modules
-----------------------------------------------------------
<other modules>

  4. p11-kit
	library name: /usr/lib64/p11-kit-proxy.so
	 slots: There are no slots attached to this module
	status: Not loaded
-----------------------------------------------------------

perhaps a separate new issue? I'd expect that mis-behaving module of p11-kit shouldn't prevent all other modules from working...

Comment 20 Stef Walter 2014-08-08 09:06:10 UTC
(In reply to David Jaša from comment #19)
> Yes, the crash is fixed in all cases. There seems to be some issue with
> ca-certificates handling though (ca-certificates didn't change):
> $ modutil -dbdir sql:/etc/pki/nssdb -list
> p11-kit: invalid basic constraints certificate extension
> p11-kit: invalid basic constraints certificate extension
> p11-kit: invalid basic constraints certificate extension
> p11-kit: invalid basic constraints certificate extension
> p11-kit: invalid basic constraints certificate extension

This is fixed with the patch here, which I would like to also include in RHEL 7.1. Are you able to test this?

https://bugs.freedesktop.org/show_bug.cgi?id=82328

> p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
> p11-kit: couldn't load file into objects:
> /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit

Hmmm, I haven't seen this one. Have you customized your /etc/pki/ca-trust/source at all? Or perhaps the /usr/share/pki/ca-trust-source directory? 

> BTW now with the opencryptoki.module in place, 

Are you able to provide step by step instructions as to how you setup your opencryptoki module and populated it? I would like to reproduce this issue.

> the addition of p11-kit
> module to nss fails:
> # modutil -dbdir sql:/etc/pki/nssdb -add "p11-kit" -libfile
> /usr/lib64/p11-kit-proxy.so 
> 
> WARNING: Performing this operation while the browser is running could cause
> corruption of your security databases. If the browser is currently running,
> you should exit browser before continuing this operation. Type 
> 'q <enter>' to abort, or <enter> to continue: 
> 
> p11-kit: opencryptoki: module failed to initialize: The operation failed
> p11-kit: opencryptoki: module failed to initialize: The operation failed
> ERROR: Failed to add module "p11-kit". Probable cause : "A PKCS #11 module
> returned CKR_FUNCTION_FAILED, indicating that the requested function could
> not be performed.  Trying the same operation again might succeed.".
> 
> Without opencryptoki.module, the module adds but nss doesn't load it so it
> can't see any slots:
> $ modutil -dbdir sql:/etc/pki/nssdb -list
> p11-kit: invalid basic constraints certificate extension
> p11-kit: invalid basic constraints certificate extension
> p11-kit: invalid basic constraints certificate extension
> p11-kit: invalid basic constraints certificate extension
> p11-kit: invalid basic constraints certificate extension
> p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
> p11-kit: couldn't load file into objects:
> /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
> p11-kit: opencryptoki: module failed to initialize: The operation failed
> p11-kit: opencryptoki: module failed to initialize: The operation failed
> 
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
> <other modules>
> 
>   4. p11-kit
> 	library name: /usr/lib64/p11-kit-proxy.so
> 	 slots: There are no slots attached to this module
> 	status: Not loaded
> -----------------------------------------------------------
> 
> perhaps a separate new issue? I'd expect that mis-behaving module of p11-kit
> shouldn't prevent all other modules from working...

Indeed. I fixed a few issues related to this, but perhaps the proxy module continues to have such an issue. Does 'p11-kit list-modules' output the modules other than the failing one?

Comment 21 David Jaša 2014-08-08 10:22:53 UTC
(In reply to Stef Walter from comment #20)
> (In reply to David Jaša from comment #19)
> > Yes, the crash is fixed in all cases. There seems to be some issue with
...
> > p11-kit: invalid basic constraints certificate extension
> 
> This is fixed with the patch here, which I would like to also include in
> RHEL 7.1. Are you able to test this?
> 
> https://bugs.freedesktop.org/show_bug.cgi?id=82328
> 

Give me a (scratch) build and I'll test it. :)

> > p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
> > p11-kit: couldn't load file into objects:
> > /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
> 
> Hmmm, I haven't seen this one. Have you customized your
> /etc/pki/ca-trust/source at all?

Yes, I do add internal CA certs there (followed by update-ca-trust).

> Or perhaps the
> /usr/share/pki/ca-trust-source directory? 
> 
> > BTW now with the opencryptoki.module in place, 
> 
> Are you able to provide step by step instructions as to how you setup your
> opencryptoki module and populated it? I would like to reproduce this issue.
> 

I just installed opencryptoki-{libs,tpmtok} and trousers (and started the tcsd) and that's it. I must be missing something but the scattered docs aren't exactly helpful :( The fact that this block diagram is actually helpful for me says it all: http://tiebing.blogspot.cz/2014/02/linux-tpm-and-smartcard-block-diagram.html

> > the addition of p11-kit
> > module to nss fails:
> > # modutil -dbdir sql:/etc/pki/nssdb -add "p11-kit" -libfile
> > /usr/lib64/p11-kit-proxy.so 
> > 
> > WARNING: Performing this operation while the browser is running could cause
> > corruption of your security databases. If the browser is currently running,
> > you should exit browser before continuing this operation. Type 
> > 'q <enter>' to abort, or <enter> to continue: 
> > 
> > p11-kit: opencryptoki: module failed to initialize: The operation failed
> > p11-kit: opencryptoki: module failed to initialize: The operation failed
> > ERROR: Failed to add module "p11-kit". Probable cause : "A PKCS #11 module
> > returned CKR_FUNCTION_FAILED, indicating that the requested function could
> > not be performed.  Trying the same operation again might succeed.".
> > 
> > Without opencryptoki.module, the module adds but nss doesn't load it so it
> > can't see any slots:
> > $ modutil -dbdir sql:/etc/pki/nssdb -list
> > p11-kit: invalid basic constraints certificate extension
> > p11-kit: invalid basic constraints certificate extension
> > p11-kit: invalid basic constraints certificate extension
> > p11-kit: invalid basic constraints certificate extension
> > p11-kit: invalid basic constraints certificate extension
> > p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
> > p11-kit: couldn't load file into objects:
> > /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
> > p11-kit: opencryptoki: module failed to initialize: The operation failed
> > p11-kit: opencryptoki: module failed to initialize: The operation failed
> > 
> > Listing of PKCS #11 Modules
> > -----------------------------------------------------------
> > <other modules>
> > 
> >   4. p11-kit
> > 	library name: /usr/lib64/p11-kit-proxy.so
> > 	 slots: There are no slots attached to this module
> > 	status: Not loaded
> > -----------------------------------------------------------
> > 
> > perhaps a separate new issue? I'd expect that mis-behaving module of p11-kit
> > shouldn't prevent all other modules from working...
> 
> Indeed. I fixed a few issues related to this, but perhaps the proxy module
> continues to have such an issue. Does 'p11-kit list-modules' output the
> modules other than the failing one?

Yes, it does:
bash-4.2$ modutil -dbdir sql:/etc/pki/nssdb -list ; echo '--==<<<  >>>==--' ; p11-kit list-modules
p11-kit: opencryptoki: module failed to initialize: The operation failed
p11-kit: opencryptoki: module failed to initialize: The operation failed

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal Crypto Services
	 slots: 3 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB

	 slot: NSS Application Slot 00000004
	token: NSS system database

  2. p11-kit
	library name: /usr/lib64/p11-kit-proxy.so
	 slots: There are no slots attached to this module
	status: Not loaded
-----------------------------------------------------------
--==<<<  >>>==--
p11-kit: opencryptoki: module failed to initialize, skipping: The operation failed
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.20
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.20
        flags:
               write-protected
               token-initialized
    token: Default Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.20
        flags:
               write-protected
               token-initialized
coolkey: /usr/lib64/pkcs11/libcoolkeypk11.so
    library-description: CoolKey PKCS #11 Module     
    library-manufacturer: Mozilla Foundation
    library-version: 1.0
gnome-keyring: gnome-keyring-pkcs11.so
    library-description: GNOME Keyring Daemon Core
    library-manufacturer: GNOME Keyring
    library-version: 1.1
    token: SSH Keys
        manufacturer: Gnome Keyring
        model: 1.0
        serial-number: 1:SSH:HOME
        flags:
               write-protected
               user-pin-initialized
               protected-authentication-path
               token-initialized
    token: Secret Store
        manufacturer: Gnome Keyring
        model: 1.0
        serial-number: 1:SECRET:MAIN
        flags:
               login-required
               user-pin-initialized
               protected-authentication-path
               token-initialized
    token: Gnome2 Key Storage
        manufacturer: Gnome Keyring
        model: 1.0
        serial-number: 1:USER:DEFAULT
        flags:
               login-required
               user-pin-initialized
               protected-authentication-path
               token-initialized
    token: User Key Storage
        manufacturer: Gnome Keyring
        model: 1.0
        serial-number: 1:XDG:DEFAULT
        flags:
               protected-authentication-path
               token-initialized

Comment 22 David Jaša 2014-08-08 11:00:56 UTC
Created attachment 925156 [details]
archive of /etc/pki/ca-trust/source/anchors

(In reply to David Jaša from comment #21)
...
> > > p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
> > > p11-kit: couldn't load file into objects:
> > > /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
> > 
> > Hmmm, I haven't seen this one. Have you customized your
> > /etc/pki/ca-trust/source at all?
> 
> Yes, I do add internal CA certs there (followed by update-ca-trust).
> 
> > Or perhaps the
> > /usr/share/pki/ca-trust-source directory? 
> > 

/usr/share/pki/ca-trust-source/anchors is empty (just default ca-certificates contents are there)
/etc/pki/ca-trust/source/anchors is attached

Comment 27 errata-xmlrpc 2015-03-05 07:54:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0339.html


Note You need to log in before you can comment on or make changes to this bug.