1435017 – Segfault in libssl3.so during connection.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1435017 - Segfault in libssl3.so during connection.

Summary: Segfault in libssl3.so during connection.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	nss
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Daiki Ueno
QA Contact:	Hubert Kario
Docs Contact:
URL:
Whiteboard:
Duplicates (2):	1449227 1449228 (view as bug list)
Depends On:
Blocks:	CVE-2017-7502
TreeView+	depends on / blocked

Reported:	2017-03-22 22:20 UTC by wibrown@redhat.com
Modified:	2020-09-13 21:58 UTC (History)
CC List:	10 users (show)
Fixed In Version:	nss-3.28.4-5.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-01 16:50:07 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Stack trace captured during segfault occurred on 389-ds-base process (58.39 KB, text/plain) 2017-03-23 12:03 UTC, Matteo Piva	no flags	Details
Stack trace captured during segfault occurred on 389-ds-base process (nss-debuginfo installed) (59.19 KB, text/plain) 2017-03-23 14:06 UTC, Matteo Piva	no flags	Details
Stack trace captured during segfault occurred on 389-ds-base process (nss-debuginfo installed) (52.48 KB, text/plain) 2017-03-23 15:56 UTC, Matteo Piva	no flags	Details
Show Obsolete (2) View All

Links
System	ID	Priority	Status	Summary	Last Updated
Github	389ds 389-ds-base issues 2248	None	None	None	2020-09-13 21:58:12 UTC
Mozilla Foundation	1328122	--	RESOLVED	Various ssl3_GatherData() issues	2020-02-12 08:37:54 UTC
Mozilla Foundation	1359963	None	None	None	2020-02-12 08:37:54 UTC
Red Hat Bugzilla	1449161	high	CLOSED	crash in ssl3_GatherData	2022-03-13 14:16:57 UTC
Red Hat Product Errata	RHEA-2017:1977	normal	SHIPPED_LIVE	nss bug fix and enhancement update	2017-08-01 17:57:47 UTC

Internal Links: 1449161

Comment 6 Matteo Piva 2017-03-23 12:03:30 UTC

Created attachment 1265709 [details]
Stack trace captured during segfault occurred on 389-ds-base process

Comment 7 Kai Engert (:kaie) (inactive account) 2017-03-23 12:07:16 UTC

(In reply to Matteo Piva from comment #6)
> Created attachment 1265709 [details]
> Stack trace captured during segfault occurred on 389-ds-base process

This stacktrace still doesn't provide more details in the stack:

#1  0x00007f53786af85e in ssl3_GatherCompleteHandshake () from /lib64/libssl3.so
No symbol table info available.

It's necessary to have the nss-debuginfo package installed, prior to reproducing the problem again and creating the new stack.

Comment 8 Matteo Piva 2017-03-23 12:09:57 UTC

We have two 389 servers with replication configured and active. Some Java applications served by both.
When we run a Qualys vulnerability scan on the VMs that runs the services one or both ns-slapd daemons dies unexpectedly:

Mar 22 13:42:52 ips1.devenv.dev kernel: ns-slapd[2321]: segfault at 0 ip 00007f244de1a4e8 sp 00007f24237e57e8 error 6 in libc-2.17.so 7f244dccf000+1b6000]
Mar 22 13:42:53 ips1.devenv.dev systemd[1]: dirsrv @ips_ips1.service: main process exited, code=killed, status=11/SEGV

We run on CentOS Linux release 7.3.1611 (Core). Every packages is kept up to date to centos-updates and epel repos

The version of 389-ds-base installed is 1.3.5.10-18.el7_3 (latest)
The version of nss we use is 3.28.2-1.6.el7_3 (latest)


I attacked a stack trace captured during the sefault showing that the cause should be found in the libssl3.so code:

Thread 1 (Thread 0x7f53577fe700 (LWP 25383)):
#0  __memcpy_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:2183
No locals.
#1  0x00007f53786af85e in ssl3_GatherCompleteHandshake () from /lib64/libssl3.so
No symbol table info available.
#2  0x00007f53786aff79 in ssl_GatherRecord1stHandshake () from /lib64/libssl3.so
No symbol table info available.
#3  0x00007f53786b5182 in ssl_Do1stHandshake () from /lib64/libssl3.so
No symbol table info available.
#4  0x00007f53786b5f7e in ssl_SecureRecv () from /lib64/libssl3.so
No symbol table info available.
#5  0x00007f53786b9be1 in ssl_Recv () from /lib64/libssl3.so
No symbol table info available.
#6  0x00007f5379e4e5c7 in connection_read_operation ()
No symbol table info available.
#7  0x00007f5379e4edde in connection_threadmain ()
No symbol table info available.
#8  0x00007f5377b459bb in _pt_root () from /lib64/libnspr4.so
No symbol table info available.
#9  0x00007f53774e5dc5 in start_thread (arg=0x7f53577fe700) at pthread_create.c:308
        __res = <optimized out>
        pd = 0x7f53577fe700
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139995927013120, 169946331390907139, 0, 139995927013824, 139995927013120, 1, -216898777570635005, -216969013174627581}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
#10 0x00007f537721473d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113
No locals.

Comment 9 Matteo Piva 2017-03-23 14:05:15 UTC

Hello,

I reproduced again the segfault and created a new stack for you as attachment.

Installed Packages
Name        : nss-debuginfo
Arch        : x86_64
Version     : 3.21.3
Release     : 2.el7_3
Size        : 24 M
Repo        : installed
From repo   : base-debuginfo
Summary     : Debug information for package nss
URL         : http://www.mozilla.org/projects/security/pki/nss/
License     : MPLv2.0
Description : This package provides debug information for package nss.
            : Debug information is useful when developing applications that use this
            : package or when debugging this package.

Installed Packages
Name        : nss
Arch        : x86_64
Version     : 3.28.2
Release     : 1.6.el7_3
Size        : 2.5 M
Repo        : installed
From repo   : updates
Summary     : Network Security Services
URL         : http://www.mozilla.org/projects/security/pki/nss/
License     : MPLv2.0
Description : Network Security Services (NSS) is a set of libraries designed to
            : support cross-platform development of security-enabled client and
            : server applications. Applications built with NSS can support SSL v2
            : and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
            : v3 certificates, and other security standards.

Thank you

Comment 10 Matteo Piva 2017-03-23 14:06:12 UTC

Created attachment 1265776 [details]
Stack trace captured during segfault occurred on 389-ds-base process (nss-debuginfo installed)

Comment 11 Kai Engert (:kaie) (inactive account) 2017-03-23 14:33:39 UTC

This didn't work yet. Unfortunately you have a version mismatch in the installed nss.rpm and nss-debuginfo.rpm packages. 

warning: the debug information found in "/usr/lib/debug//lib64/libssl3.so.debug" does not match "/lib64/libssl3.so" (CRC mismatch).

Name        : nss-debuginfo
Version     : 3.21.3
Release     : 2.el7_3

Name        : nss
Version     : 3.28.2
Release     : 1.6.el7_3

It will only work to create a detailed stack trace, if both version and release numbers of the installed packages match exactly.

Comment 12 Matteo Piva 2017-03-23 15:56:25 UTC

For some reason at http://debuginfo.centos.org/7/x86_64/ we only have the nss-debuginfo-3.21.3-2.el7_3.x86_64.rpm version as latest, but it's not related with the issue.
I've manually got it by the last build at https://buildlogs.centos.org/c7.1611.u/nss/20170308180428/3.28.2-1.6.el7_3.x86_64/nss-debuginfo-3.28.2-1.6.el7_3.x86_64.rpm.

Installed Packages
Name        : nss
Arch        : x86_64
Version     : 3.28.2
Release     : 1.6.el7_3
Size        : 2.5 M
Repo        : installed
From repo   : updates
Summary     : Network Security Services
URL         : http://www.mozilla.org/projects/security/pki/nss/
License     : MPLv2.0
Description : Network Security Services (NSS) is a set of libraries designed to
            : support cross-platform development of security-enabled client and
            : server applications. Applications built with NSS can support SSL v2
            : and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
            : v3 certificates, and other security standards.

Installed Packages
Name        : nss-debuginfo
Arch        : x86_64
Version     : 3.28.2
Release     : 1.6.el7_3
Size        : 25 M
Repo        : installed
Summary     : Debug information for package nss
URL         : http://www.mozilla.org/projects/security/pki/nss/
License     : MPLv2.0
Description : This package provides debug information for package nss.
            : Debug information is useful when developing applications that use this
            : package or when debugging this package.


New stack trace attached

Comment 13 Matteo Piva 2017-03-23 15:56:53 UTC

Created attachment 1265825 [details]
Stack trace captured during segfault occurred on 389-ds-base process (nss-debuginfo installed)

Comment 26 German Parente 2017-05-10 10:07:26 UTC

*** Bug 1449228 has been marked as a duplicate of this bug. ***

Comment 29 Petr Vobornik 2017-05-15 15:21:18 UTC

*** Bug 1449227 has been marked as a duplicate of this bug. ***

Comment 30 errata-xmlrpc 2017-08-01 16:50:07 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1977

Note You need to log in before you can comment on or make changes to this bug.