1243243 – pkcs #11 gdm-smartcard-worker / gdm-plugin-smartcard crash when slot and token values are 0

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1243243 - pkcs #11 gdm-smartcard-worker / gdm-plugin-smartcard crash when slot and token values are 0

Summary: pkcs #11 gdm-smartcard-worker / gdm-plugin-smartcard crash when slot and toke...

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	gdm
Sub Component:
Version:	6.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Ray Strode [halfline]
QA Contact:	Desktop QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1172231 1269194
TreeView+	depends on / blocked

Reported:	2015-07-15 03:33 UTC by Marc Sauton
Modified:	2019-12-16 04:49 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-08-02 21:36:41 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Marc Sauton 2015-07-15 03:33:56 UTC

Description of problem:

32 bits RHEL 6 client and Gemalto V2C smart card loaded with ActivClient applet for "DoD ALT Token"
ActivClient for Linux is installed on the RHEL 6 system, and can read the smart card using the ActivClient PKCS11 module.
But I cannot tell for sure the NSS PKCS #11 third party module is actually working fine, all I can see so far is a valid output from modutil, returning a slot and token numbers with value of 0 (should it be 1 ?)

The problem is at the RHEL 6 login screen, a click on Smartcard Authentication, produce the same message again and again, "Please insert your smart card", even though a card is inserted.
It will never prompt for the smart card pin.

Note that a smart card login works fine with coolkey and the standard DoD CAC.

A modutil list does show the NSS Internal PKCS #11, CoolKey PKCS #11, and ActivClient PKCS#11 modules are loaded (see details in section called "additional details"), for:
         slot: Gemplus GemPC Twin 00 00
        token: ActivIdentity ActivClient 0

Question: is this really supposed to be slot and token with value zero / 0 ?
As an example, I saw in the past with another card reader: SCM SCR 3310 (21120504104040) 01 00
Or with a network HSM, slot: NHSM6000-OCS

The pam_pkcs11.conf loks correct, and is available in the Salesforce case number 01444924

The GDM log is showing a crash from /usr/libexec/gdm-smartcard-worker, stack trace:

#0  0x0804a48a in gdm_smartcard_get_name (card=0x0) at gdm-smartcard.c:230
#1  0x0804b8e9 in gdm_smartcard_manager_get_all_cards (manager=0x8f41320 [GdmSmartcardManager], error=0xbfc50fdc) at gdm-smartcard-manager.c:864
#2  gdm_smartcard_manager_start (manager=0x8f41320 [GdmSmartcardManager], error=0xbfc50fdc) at gdm-smartcard-manager.c:974
#3  0x0804d121 in watch_for_smartcards (argc=1, argv=0xbfc510a4) at gdm-smartcard-worker.c:78
#4  main (argc=1, argv=0xbfc510a4) at gdm-smartcard-worker.c:126


/usr/libexec/gdm-smartcard-worker should not crash if the card number is 0, regardless of the validity of this value.


Version-Release number of selected component (if applicable):

trying to collect full exact details (no sosreport), but have this:

RHEL 6 32bits
coolkey version?
nss version?
nspr verson?
gdm-plugin-smartcard-2.30.4-52.el6.i686
pam_pkcs11 0.6.2-12.1.el6.
no exact version yet for ActivClient from /opt/hidglobal/ac.ac4linux.pkcs11/lib/libac.pkcs220ong.so
and the associated applet



How reproducible:
N/A
no card, no reader, no third party ActivClient module available to test in house


Steps to Reproduce:
1. install third arty PKCS #11 modult using modutil
2. connect, insert card in reader
3.


Actual results:
RHEL 6 login screen, a click on Smartcard Authentication, produce the same message again and again, "Please insert your smart card", even though a card is inserted.
It will never prompt for the smart card pin.


Expected results:
Should prompt for the smart card pin.


Additional info:

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. CoolKey PKCS #11 Module
        library name: libcoolkeypk11.so
         slots: 1 slot attached
        status: loaded

         slot: Gemplus GemPC Twin 00 00
        token:

  3. ActivClient PKCS#11 Module
        library name: /opt/hidglobal/ac.ac4linux.pkcs11/lib/libac.pkcs220ong.so
         slots: 1 slot attached
        status: loaded

         slot: Gemplus GemPC Twin 00 00
        token: ActivIdentity ActivClient 0



the GDM system logs, gdm/:0.log are like this, showing a crash:

May 26 13:33:59 localhost pcscd: winscard_msg_srv.c:317:SHMProcessEventsContext() command BEGIN_TRANSACTION received by client 7
May 26 13:33:59 localhost pcscd: winscard.c:1057:SCardBeginTransaction() Status: 0x00000000
May 26 13:33:59 localhost pcscd: winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT received by client 7
May 26 13:33:59 localhost pcscd: winscard.c:1647:SCardTransmit() Send Protocol: T=0
May 26 13:33:59 localhost pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:08e6/3437:libhal:/org/freedesktop/Hal/devices/usb_device_8e6_3437_noserial_if0 (lun: 0)
May 26 13:33:59 localhost pcscd: winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT received by client 7
May 26 13:33:59 localhost pcscd: winscard.c:1647:SCardTransmit() Send Protocol: T=0
May 26 13:33:59 localhost pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:08e6/3437:libhal:/org/freedesktop/Hal/devices/usb_device_8e6_3437_noserial_if0 (lun: 0)
May 26 13:33:59 localhost pcscd: winscard_msg_srv.c:317:SHMProcessEventsContext() command TRANSMIT received by client 7
May 26 13:33:59 localhost pcscd: winscard.c:1647:SCardTransmit() Send Protocol: T=0
May 26 13:33:59 localhost pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:08e6/3437:libhal:/org/freedesktop/Hal/devices/usb_device_8e6_3437_noserial_if0 (lun: 0)
May 26 13:33:59 localhost pcscd: winscard_msg_srv.c:317:SHMProcessEventsContext() command DISCONNECT received by client 7
May 26 13:33:59 localhost pcscd: winscard.c:880:SCardDisconnect() Active Contexts: 1
May 26 13:33:59 localhost pcscd: utils.c:115:StatSynchronize() status file: /var/run/pcscd.events/event.2849.16984272
May 26 13:34:30 localhost abrtd: Sending an email...
May 26 13:34:30 localhost abrtd: Email was sent to: root@localhost
May 26 13:34:31 localhost abrtd: Duplicate: UUID
May 26 13:34:31 localhost abrtd: DUP_OF_DIR: /var/spool/abrt/ccpp-2015-04-21-12:46:29-11336
May 26 13:34:31 localhost abrtd: Deleting problem directory ccpp-2015-05-26-13:33:25-2375 (dup of ccpp-2015-04-21-12:46:29-11336)
May 26 13:34:31 localhost abrtd: No actions are found for event 'notify-dup'


The X log has nothing special:

Xorg.0.log
[   128.956]
X.Org X Server 1.13.0
Release Date: 2012-09-05
[   128.956] X Protocol Version 11, Revision 0
[   128.956] Build Operating System: x86-003 2.6.18-371.el5
[   128.956] Current Operating System: Linux localhost.localdomain 2.6.32-431.el6.i686 #1 SMP Sun Nov 10 22:20:22 EST 2013 i686
[   128.956] Kernel command line: ro root=/dev/mapper/VolGroup-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD rd_LVM_LV=VolGroup/lv_swap SYSFONT=latarcyrheb-sun16 crashkernel=129M@0M rd_LVM_LV=VolGroup/lv_root  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
[   128.956] Build Date: 23 October 2013  10:22:57AM
[   128.956] Build ID: xorg-x11-server 1.13.0-23.el6
[   128.956] Current version of pixman: 0.26.2
...snip...
[   163.766] AUDIT: Tue May 26 13:33:55 2015: 2306: client 32 connected from local host ( uid=500 gid=500 pid=2849 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 238
[   170.609] AUDIT: Tue May 26 13:34:02 2015: 2306: client 11 connected from local host ( uid=500 gid=500 pid=2971 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 238
[   191.517] AUDIT: Tue May 26 13:34:23 2015: 2306: client 14 disconnected
[   209.666] AUDIT: Tue May 26 13:34:41 2015: 2306: client 14 connected from local host ( uid=500 gid=500 pid=2691 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 238
[   209.670] AUDIT: Tue May 26 13:34:41 2015: 2306: client 14 disconnected
(END)



core file reading, stack trace:

like seen in the modutil list output, the card and slot are set to a value of 0, and appear in
gdm_smartcard_get_name (card=0x0) at gdm-smartcard.c:230


#0  0x0804a48a in gdm_smartcard_get_name (card=0x0) at gdm-smartcard.c:230
#1  0x0804b8e9 in gdm_smartcard_manager_get_all_cards (manager=0x8f41320 [GdmSmartcardManager], error=0xbfc50fdc) at gdm-smartcard-manager.c:864
#2  gdm_smartcard_manager_start (manager=0x8f41320 [GdmSmartcardManager], error=0xbfc50fdc) at gdm-smartcard-manager.c:974
#3  0x0804d121 in watch_for_smartcards (argc=1, argv=0xbfc510a4) at gdm-smartcard-worker.c:78
#4  main (argc=1, argv=0xbfc510a4) at gdm-smartcard-worker.c:126


(gdb) backtrace full
#0  0x0804a48a in gdm_smartcard_get_name (card=0x0) at gdm-smartcard.c:230
No locals.
#1  0x0804b8e9 in gdm_smartcard_manager_get_all_cards (manager=0x8f41320 [GdmSmartcardManager], error=0xbfc50fdc) at gdm-smartcard-manager.c:864
        card = 0x0
        slot_id = <value optimized out>
        slot_series = <value optimized out>
        card_name = <value optimized out>
        worker = 0x8f49840
        node = 0x8f458a0 = {0x8f49840}
        i = <value optimized out>
#2  gdm_smartcard_manager_start (manager=0x8f41320 [GdmSmartcardManager], error=0xbfc50fdc) at gdm-smartcard-manager.c:974
        nss_error = 0x0
#3  0x0804d121 in watch_for_smartcards (argc=1, argv=0xbfc510a4) at gdm-smartcard-worker.c:78
        error = 0x0
        driver = 0x0
        cfg = 0x8f45c00
#4  main (argc=1, argv=0xbfc510a4) at gdm-smartcard-worker.c:126



The call to _gdm_smartcard_new returns NULL, and the code does not do validity check, the gdm_smartcard_get_name call crashes.
Unless g_hash_table_replace frees card and card_name then there are some leaks.

static void
gdm_smartcard_manager_get_all_cards (GdmSmartcardManager *manager)
{
        GList *node;
        int i;

        node = manager->priv->workers;
        while (node != NULL) {

                GdmSmartcardManagerWorker *worker;

                worker = (GdmSmartcardManagerWorker *) node->data;

                for (i = 0; i < worker->module->slotCount; i++) {
                        GdmSmartcard *card;
                        CK_SLOT_ID    slot_id;
                        gint          slot_series;
                        char         *card_name;

                        slot_id = PK11_GetSlotID (worker->module->slots[i]);
                        slot_series = PK11_GetSlotSeries (worker->module->slots[i]);

                        card = _gdm_smartcard_new (worker->module,
                                                   slot_id, slot_series);

                        card_name = gdm_smartcard_get_name (card);

                        g_hash_table_replace (manager->priv->smartcards,
                                              card_name, card);
                }
                node = node->next;
        }
}



and _gdm_smartcard_new could do more validity testing for slot_id or slot_series:


GdmSmartcard *
_gdm_smartcard_new (SECMODModule *module,
                    CK_SLOT_ID    slot_id,
                    int           slot_series)
{
        GdmSmartcard *card;

        g_return_val_if_fail (module != NULL, NULL);
        g_return_val_if_fail (slot_id >= 1, NULL);
        g_return_val_if_fail (slot_series > 0, NULL);
        g_return_val_if_fail (sizeof (gulong) == sizeof (slot_id), NULL);

        card = GDM_SMARTCARD (g_object_new (GDM_TYPE_SMARTCARD,
                                             "module", module,
                                             "slot-id", (gulong) slot_id,
                                             "slot-series", slot_series,
                                             NULL));
        return card;
}

Comment 2 Marc Sauton 2015-07-16 01:22:05 UTC

the customer is using

Red Hat Enterprise Linux Server release 6.5 (Santiago)
Linux localhost.localdomain 2.6.32-431.el6.i686 #1 SMP Sun Nov 10 22:20:22 EST 2013 i686 i686 i386 GNU/Linux
coolkey-1.1.0-31.el6.i686
gdm-plugin-smartcard-2.30.4-52.el6.i686
pam_pkcs11-0.6.2-12.1.el6.i686
nss-3.15.1-15.el6.i686
nspr-4.10.0-1.el6.i686

and ccid

Comment 3 Marc Sauton 2015-07-16 19:17:02 UTC

In Salesforce case 01444924, the customer made more tests as per our request, those all failed with the same error:
- RHEL 6.6 with ActivClient for Linux versions 3 and 4, same behavior as with RHEL 6.5
- RHEL 7.1 with ActivClient for Linux 4 , same incorrect behavior.
Will need bz 1243243 review for advice, thx.

Comment 4 Marc Sauton 2015-07-23 17:49:41 UTC

relaying details and info collected from NSS team / Bob R.

I was questioning the 0 values in:
>          slot: Gemplus GemPC Twin 00 00
>         token: ActivIdentity ActivClient 0
response:
"
These numbers are generated by active card. Some of them come directly from the reader and card itself. It's quite normal to see these in the slot names.
"
So I am going to assume we do have a good reading from modutil with this module.

Then about the gdm crash with this active card pluggin, it is possible there are some issues with the active card PKCS #11 module implementation, but till, gdm should not crash.

not sure how to troubleshoot this further to prove there are issues or incompatibilities with the third party module.

Note You need to log in before you can comment on or make changes to this bug.