User on Solaris 10 reports that mod_nss causes Apache to dump core in the call to DER_GetInteger() while generating the CGI environment variables.

Program received signal SIGSEGV, Segmentation fault.
[Switching to LWP 8]
0xfe95b5f8 in DER_GetInteger () from /usr/lib/mps/libnss3.so
(gdb) bt full
#0 0xfe95b5f8 in DER_GetInteger () from /usr/lib/mps/libnss3.so
No symbol table info available.
#1 0xfeedf944 in nss_var_lookup_nss_cert (p=0x161c98, xs=0x146788, var=0xfeee7d2b "M_VERSION", c=0x14c2a8) at nss_engine_vars.c:324
        result = <value optimized out>
        xsname = <value optimized out>
#2 0xfeee0418 in nss_var_lookup (p=0x161c98, s=<value optimized out>, c=0x14c2a8, r=0x161cd0, var=0xfeee7d20 "SSL_SERVER_M_VERSION") at nss_engine_vars.c:306
        sslconn = <value optimized out>
        mc = <value optimized out>
        result = <value optimized out>
        tm = {tm_usec = 1455119, tm_sec = 1059672, tm_min = 1450224, tm_hour = 1452552, tm_mday = 0, tm_mon = 0, tm_year = 0, tm_wday = 0, tm_yday = 1, tm_isdst = 1455024, tm_gmtoff = 95}
#3 0xfeedda94 in nss_hook_Fixup (r=0x161cd0) at nss_engine_kernel.c:809
        sslconn = <value optimized out>
        ssl = (PRFileDesc *) 0x543a98
        env = (apr_table_t *) 0x1620f0
        var = 0xfeee7d20 "SSL_SERVER_M_VERSION"
        val = <value optimized out>
        i = <value optimized out>
        cert = <value optimized out>
        chain = <value optimized out>
#4 0x00041a5c in ap_run_fixups ()
No symbol table info available.
#5 0x00042cc8 in ap_process_request_internal ()
No symbol table info available.
#6 0x00064f54 in ap_process_request ()
No symbol table info available.
#7 0x000608f8 in ?? ()
No symbol table info available.
#8 0x000608f8 in ?? ()
No symbol table info available.
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Examination of the process reveals that the SecItem passed to DER_GetInteger() (xs->version) contains {type: 0 = siBuffer, data = 0x0, len = 0}, so DER_GetInteger() is handed a NULL data pointer. In the derCert dump below, the serial-number INTEGER follows the TBSCertificate header directly, with no explicit version tag; this appears to be an X.509 v1 certificate, whose DER encoding omits the default version field, which is why the decoded version item is empty.
Indeed, if I step into frame 1 and print xs, I get: (gdb) print *xs $5 = {arena = 0x5834f0, subjectName = 0x586bf8 "C=ch,ST=zh,L=zh,OU=devel,O=visonys,CN=iischia0.visonys.com", issuerName = 0x586c38 "C=ch,ST=zh,L=zh,OU=devel,O=visonys,CN=MyCA", signatureWrap = {data = {type = siBuffer, data = 0x58675c "0\202\001\230\002\001\0020\r\006\t*\206H\206 r\001\001\005\005", len = 412}, signatureAlgorithm = {algorithm = { type = siBuffer, data = 0x5868fc "*\206H\206 r\001\001\005\005", len = 9}, parameters = {type = siBuffer, data = 0x586905 "\005", len = 2}}, signature = {type = siBuffer, data = 0x58690b "\202jY #+ 002H 004\003# 1\202\t\202 025\b w< 030\031E\177\031\002 \004H\f%\003\016\222 o[\203i\a t\0361?0\233P\016J\235h 4\v\206\201\037\2251\vGu\216$ b\022\002\217ʨW\\\020 021yw8 | 017 \v}\035", len = 1024}}, derCert = {type = siBuffer, data = 0x586758 "0\202\002/0\202\001\230\002\001\0020\r\006\t*\206H\206 r\001\001\005\005", len = 563}, derIssuer = {type = siBuffer, data = 0x586772 "0X1\r0\v\006\003U\004\003\023\004MyCA1\0200\016\006\003U\004\n\023\avisonys1\0160\f\006\003U\004\v\023\005devel1\v0\t\006\003U\004\a\023\002zh1\v0\t\006\003U\004\b\023\002zh1\v0\t\006\003U\004\006\023\002ch0\036\027\r070614162332Z\027\r080614162332Z0h1\0350\033\006\003U\004\003\023\024iischia0.visonys.com1\0200\016\006\003U\004\n\023\avisonys1\0160\f\006\003U\004\v\023\005devel1\v0\t\006\003U\004\a\023\002"..., len = 90}, derSubject = {type = siBuffer, data = 0x5867ec "0h1\0350\033\006\003U\004\003\023\024iischia0.visonys.com1\0200\016\006\003U\004\n\023\avisonys1\0160\f\006\003U\004\v\023\005devel1\v0\t\006\003U\004\a\023\002zh1\v0\t\006\003U\004\b\023\002zh1\v0\t\006\003U\004\006\023\002ch0\201\2370\r\006\t*\206H\206 r\001\001\001\005", len = 106}, derPublicKey = {type = siBuffer, data = 0x586856 "0\201\2370\r\006\t*\206H\206 r\001\001\001\005", len = 162}, certKey = {type = siBuffer, data = 0x586b80 
"\0020X1\r0\v\006\003U\004\003\023\004MyCA1\0200\016\006\003U\004\n\023\avisonys1\0160\f\006\003U\004\v\023\005devel1\v0\t\006\003U\004\a\023\002zh1\v0\t\006\003U\004\b\023\002zh1\v0\t\006\003U\004\006\023\002ch", len = 91}, version = {type = siBuffer, data = 0x0, len = 0}, serialNumber = {type = siBuffer, data = 0x586762 "\0020\r\006\t*\206H\206 r\001\001\005\005", len = 1}, signature = {algorithm = {type = siBuffer, data = 0x586767 "*\206H\206 r\001\001\005\005", len = 9}, parameters = {type = siBuffer, data = 0x586770 "\005", len = 2}}, issuer = {arena = 0x0, rdns = 0x586990}, validity = {arena = 0x0, notBefore = { type = siUTCTime, data = 0x5867d0 "070614162332Z\027\r080614162332Z0h1\0350\033\006\003U\004\003\023\024iischia0.visonys.com1\0200\016\006\003U\004\n\023\avisonys1\0160\f\006\003U\004\v\023\005devel1\v0\t\006\003U\004\a\023\002zh1\v0\t\006\003U\004\b\023\002zh1\v0\t\006\003U\004\006\023\002ch0\201\2370\r\006\t*\206H\206 r\001\001\001\005", len = 13}, notAfter = {type = siUTCTime, data = 0x5867df "080614162332Z0h1\0350\033\006\003U\004\003\023\024iischia0.visonys.com1\0200\016\006\003U\004\n\023\avisonys1\0160\f\006\003U\004\v\023\005devel1\v0\t\006\003U\004\a\023\002zh1\v0\t\006\003U\004\b\023\002zh1\v0\t\006\003U\004\006\023\002ch0\201\2370\r\006\t*\206H\206 r\001\001\001\005", len = 13}}, subject = {arena = 0x0, rdns = 0x586a88}, subjectPublicKeyInfo = {arena = 0x0, algorithm = {algorithm = {type = siBuffer, data = 0x58685d "*\206H\206 r\001\001\001\005", len = 9}, parameters = {type = siBuffer, data = 0x586866 "\005", len = 2}}, subjectPublicKey = {type = siBuffer, data = 0x58686c "0\201\211\002\201\201", len = 1120}}, issuerID = {type = siBuffer, data = 0x0, len = 0}, subjectID = {type = siBuffer, data = 0x0, len = 0}, extensions = 0x0, emailAddr = 0x0, dbhandle = 0x572b40, subjectKeyID = {type = siBuffer, data = 0x586be0 "\225 D\027 \230^\203\031m6^*\005", len = 20}, keyIDGenerated = 0, keyUsage = 254, rawKeyUsage = 254, keyUsagePresent = 0, 
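nsCertType = 224, keepSession = 0, timeOK = 0, domainOK = 0x0, isperm = 1, istemp = 0, nickname = 0x586c68 "airlock:iischia0", dbnickname = 0x0, nssCertificate = 0x514fd0, trust = 0x586c80, referenceCount = 1, subjectList = 0x0, authKeyID = 0x0, isRoot = 0, authsocketlist = 0x0, series = 2, slot = 0x56b3d0, pkcs11ID = 10, ownSlot = 1}

His fix was to change nss_engine_vars.c, line 323:

if (strcEQ(var, "M_VERSION")) {
    if (xs->version.data){
        result = apr_psprintf(p, "%lu", DER_GetInteger(&xs->version)+1);
        resdup = FALSE;
    } else {
        // version seems not to be available - ignore
    }
}

With this guard the M_VERSION lookup no longer dereferences an empty SecItem, but the else branch assigns nothing, so the SSL_*_M_VERSION variable is presumably left unset for certificates that carry no version field. Since an omitted version field denotes X.509 v1, the else branch could report "1", which is what the `DER_GetInteger(&xs->version)+1` expression yields for an explicitly encoded v1 certificate.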
Created attachment 290783 [details] See if the secitem has data in it before calling DER_GetInteger()
Checking in nss_engine_vars.c; /cvs/dirsec/mod_nss/nss_engine_vars.c,v <-- nss_engine_vars.c new revision: 1.11; previous revision: 1.10 done