Description of problem:
certutil utility causes segmentation fault when listing keys in cert database after adding moduleDBOnly flag into pkcs11.txt. This bug is reported to nss component since nss-tools is missing in bugzilla at the moment.

Version-Release number of selected component (if applicable):
nss-tools-3.12.4-14.fc12.i686

How reproducible:
always

Steps to Reproduce:
1. set environment variable NSS_DEFAULT_DB_TYPE=sql
2. create new nss cert database, e.g. ~/nssdb
3. add moduleDBOnly flag into ~/nssdb/pkcs11.txt
4. certutil -K -d ~/nssdb
see additional info for console log

Actual results:
segmentation fault

Expected results:
list keys in database (or some error message if the setting is misleading??)

Additional info:
[karel@fedora12 nssdb]$ uname -a
Linux fedora12.localdomain 2.6.31.5-127.fc12.i686.PAE #1 SMP Sat Nov 7 21:25:57 EST 2009 i686 i686 i386 GNU/Linux
[karel@fedora12 nssdb]$ rpm -q nss
nss-3.12.4-14.fc12.i686
[karel@fedora12 nssdb]$ rpm -q nss-tools
nss-tools-3.12.4-14.fc12.i686

[karel@fedora12 ~]$ export NSS_DEFAULT_DB_TYPE=sql
[karel@fedora12 ~]$ bash
[karel@fedora12 ~]$ cd ~/nssdb
[karel@fedora12 nssdb]$ certutil -N -d .
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
[karel@fedora12 nssdb]$ ls
cert9.db key4.db pkcs11.txt
[karel@fedora12 nssdb]$ certutil -K -d .
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: no keys found
[karel@fedora12 nssdb]$ vim pkcs11.txt
[karel@fedora12 nssdb]$ # adding moduleDBOnly flag
[karel@fedora12 nssdb]$ cat pkcs11.txt
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='.' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
NSS=Flags=internal,critical,moduleDBOnly trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
[karel@fedora12 nssdb]$ certutil -K -d .
Segmentation fault (core dumped)
[karel@fedora12 nssdb]$
Created attachment 373478 [details] backtrace
I can confirm the crash. It ends in an infinite loop calling SECMOD_LoadModule() recursively and crashes on stack overflow. A backtrace of the crash without optimizations is attached.
From https://developer.mozilla.org/en/PKCS11_Module_Specs

moduleDB - this library includes NSS specific functions to supply additional module specs for loading.
moduleDBOnly - this library has no PKCS #11 functions and is only used for loading additional modules.

Why would one add moduleDBOnly to flags for the NSS Internal PKCS #11 Module when it isn't so?
(In reply to comment #3)
> Why would one add moduleDBOnly to flags for the NSS Internal PKCS #11 Module
> when it isn't so?

That's not enough reason for stack overflow within a security library :-)
Created attachment 377848 [details] proposed fix
Created attachment 377849 [details] proposed fix
This looks good. +1
Comment on attachment 377849 [details]
proposed fix

r+, but it's not really a sufficient check to prevent recursion (only the simplest type of recursion). (it's possible that some grandchild could call the return the modulespec of a grandparent.)

bob
(In reply to comment #8)
> (From update of attachment 377849 [details])
> r+, but it's not really a sufficient check to prevent recursion (only the
> simplest type of recursion).

Exactly. That's why the comment is there. I've been forced to make a trade-off between correctness and complexity. Anyway it should be sufficient to solve the bug reported in comment #0.
Right. Solving the bigger problem is my issue (actually solving the first problem was my issue as well, but I don't mind the help;).

bob
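Added example, not part of this bug thread or of the attached NSS patch (which is not shown on this page): a toy C model of the review point above. A check against only the module currently being loaded stops a module that lists itself, but not a grandchild returning a grandparent's spec; walking the whole chain of in-progress loads stops both. All names (load, in_progress, DIRECT_ONLY, FULL_CHAIN, the sample DBs) and the depth limit are assumptions for illustration, not NSS code.

```c
/* Illustrative model only; none of these names are NSS APIs. */
#include <stdio.h>
#include <string.h>
#define MAX_CHILDREN 2
#define DEPTH_LIMIT 64          /* stands in for the stack running out */
enum { DIRECT_ONLY, FULL_CHAIN };

/* Toy module: its spec plus the child specs its module DB hands back. */
struct module { const char *spec; const char *children[MAX_CHILDREN]; };
/* One link per load in progress; the chain lives on the call stack. */
struct frame { const char *spec; const struct frame *up; };
/* Constructed sample DBs: a module that lists itself, and a 3-module cycle. */
static const struct module SELF_DB[] = { { "internal", { "internal" } } };
static const struct module CYCLE_DB[] = {
    { "root", { "mid" } }, { "mid", { "leaf" } }, { "leaf", { "root" } } };

static int in_progress(const struct frame *f, const char *spec, int mode) {
    for (; f; f = f->up) {
        if (strcmp(f->spec, spec) == 0) return 1;
        if (mode == DIRECT_ONLY) break;   /* look at the loading module only */
    }
    return 0;
}

/* Returns the number of modules loaded, or -1 on runaway recursion. */
static int load(const struct module *db, size_t n, const char *spec,
                const struct frame *up, int depth, int mode) {
    if (depth > DEPTH_LIMIT) return -1;
    struct frame self = { spec, up };
    int loaded = 1;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(db[i].spec, spec) != 0) continue;
        for (int c = 0; c < MAX_CHILDREN && db[i].children[c]; c++) {
            const char *child = db[i].children[c];
            if (in_progress(&self, child, mode)) continue;  /* refuse the cycle */
            int r = load(db, n, child, &self, depth + 1, mode);
            if (r < 0) return -1;
            loaded += r;
        }
    }
    return loaded;
}

int load_self_listing(int mode) { return load(SELF_DB, 1, "internal", NULL, 0, mode); }
int load_cycle(int mode)        { return load(CYCLE_DB, 3, "root", NULL, 0, mode); }

int main(void) {
    for (int mode = DIRECT_ONLY; mode <= FULL_CHAIN; mode++)
        printf("mode %d: self=%d cycle=%d\n", mode, load_self_listing(mode), load_cycle(mode));
    return 0;
}
```

The -1 result for the 3-module cycle under DIRECT_ONLY is the model's stand-in for the stack overflow; the chain walk costs one pointer per nesting level and no global state.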
nss-3.12.5-2.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/nss-3.12.5-2.fc12
nss-3.12.5-2.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update nss'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0262
nss-3.12.5-7.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/nss-3.12.5-7.fc12
nss-3.12.5-7.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update nss'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0685
nss-3.12.5-8.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/nss-3.12.5-8.fc12
nss-3.12.5-8.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update nss'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1127
nss-3.12.5-8.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.