689776 – Certmonger segfaults when certificate request contains non-existent NSS database directory.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 689776 - Certmonger segfaults when certificate request contains non-existent NSS database directory.

Summary: Certmonger segfaults when certificate request contains non-existent NSS datab...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	certmonger
Sub Component:
Version:	6.1
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Nalin Dahyabhai
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-03-22 12:33 UTC by Kaleem
Modified:	2011-05-19 13:07 UTC (History)
CC List:	4 users (show)
Fixed In Version:	certmonger-0.38-1.el6
Doc Type:	Bug Fix
Doc Text:	Previously, the certmonger service terminated unexpectedly if the user attempted to use a certificate database stored in a non-existent directory. While preparing an error message to return to its client, the daemon attempted to use already-freed memory, which could have caused a segmentation fault. With this update, certmonger displays a message that the directory does not exist and remains stable in these circumstances.
Clone Of:
Environment:
Last Closed:	2011-05-19 13:07:20 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2011:0570	0	normal	SHIPPED_LIVE	certmonger bug fix and enhancement update	2011-05-19 09:37:40 UTC

Description Kaleem 2011-03-22 12:33:04 UTC

Description of problem:
Certmonger segfaults when certificate request contains non-existent NSS database directory.

Version-Release number of selected component (if applicable):
certmonger-0.34-1.el6.x86_64

Steps to Reproduce:
1.Install certmonger
2.service certmonger start
3.Issue a selfsign certificate with a non-existent NSS database directory
  e.g selfsign-getcert request -d /tmp/kaleem/ -n test
  Where directory /tmp/kaleem is non-existent.

########################################
[root@jupiter ~]# service certmonger status
certmonger (pid  3364) is running...
-------------
[root@jupiter ~]# selfsign-getcert request -d /tmp/foo1 -n test1
Error org.freedesktop.DBus.Error.NoReply: Message did not receive a reply (timeout by message bus)
Please verify that the certmonger service is still running.
-------------
[root@jupiter ~]# service certmonger status
certmonger dead but pid file exists
###########################################

Actual results:
Error org.freedesktop.DBus.Error.ServiceUnknown: The name org.fedorahosted.certmonger was
not provided by any .service files
Please verify that the certmonger service has been started. 

Expected results:
Certificate should have been generated successfully.

Additional info:
Stack trace & bt:

=============================================================================
[root@jupiter yum.repos.d]# gdb certmonger
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-45.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/certmonger...Reading symbols from
/usr/lib/debug/usr/sbin/certmonger.debug...done.
done.
(gdb) run -S -d 1
Starting program: /usr/sbin/certmonger -S -d 1
[Thread debugging using libthread_db enabled]
Detaching after fork from child process 3175.
2011-03-22 11:27:07 [3175] Token is named "NSS Generic Crypto Services", not "NSS
Certificate DB".
Detaching after fork from child process 3176.
2011-03-22 11:27:07 [3176] Token is named "NSS Generic Crypto Services", not "NSS
Certificate DB".
Detaching after fork from child process 3177.
2011-03-22 11:27:07 [3177] Token is named "NSS Generic Crypto Services", not "NSS
Certificate DB".
Detaching after fork from child process 3178.
2011-03-22 11:27:07 [3178] Token is named "NSS Generic Crypto Services", not "NSS
Certificate DB".
2011-03-22 11:27:14 [3172] Cert storage location must be a directory.

Program received signal SIGSEGV, Segmentation fault.
0x0000003d88248037 in _IO_vfprintf_internal (s=<value optimized out>, format=<value
optimized out>, ap=<value optimized out>) at vfprintf.c:1593
1593 process_string_arg (((struct printf_spec *) NULL));
=============================================================================


(gdb) bt
#0  0x0000003d88248037 in _IO_vfprintf_internal (s=<value optimized out>, format=<value optimized out>, ap=<value optimized out>) at vfprintf.c:1593
#1  0x0000003d882fd110 in ___vsnprintf_chk (s=0x7fffffffe03f "", maxlen=<value optimized out>, flags=1, slen=<value optimized out>, 
    format=0x424a28 "The location \"%s\" must be a directory.", args=0x7fffffffe0d0) at vsnprintf_chk.c:65
#2  0x0000003d8aa2af93 in vsnprintf (format=<value optimized out>, args=<value optimized out>) at /usr/include/bits/stdio2.h:78
#3  _dbus_printf_string_upper_bound (format=<value optimized out>, args=<value optimized out>) at dbus-sysdeps-unix.c:2839
#4  0x0000003d8aa299a2 in _dbus_string_append_printf_valist (str=0x7fffffffe0b0, format=0x424a28 "The location \"%s\" must be a directory.", 
    args=<value optimized out>) at dbus-string.c:1255
#5  0x0000003d8aa1b797 in dbus_message_new_error_printf (reply_to=0x8374b0, error_name=0x423210 "org.fedorahosted.certmonger.bad_arg", 
    error_format=0x424a28 "The location \"%s\" must be a directory.") at dbus-message.c:1290
#6  0x0000000000412b08 in send_internal_base_bad_arg_error (conn=0x835b00, req=<value optimized out>, text=<value optimized out>, 
    badval=<value optimized out>, arg=0x422b9f "CERT_LOCATION") at tdbush.c:216
#7  0x0000000000414ffc in base_add_request (conn=0x835b00, msg=<value optimized out>, ctx=0x8313c0) at tdbush.c:729
#8  0x0000003d8aa109d6 in dbus_connection_dispatch (connection=0x835b00) at dbus-connection.c:4451
#9  0x0000000000411368 in cm_tdbus_dispatch_status (conn=0x835b00, new_status=<value optimized out>, data=<value optimized out>) at tdbus.c:67
#10 0x0000003d8aa0e290 in _dbus_connection_update_dispatch_status_and_unlock (connection=0x835b00, new_status=DBUS_DISPATCH_DATA_REMAINS)
    at dbus-connection.c:4117
#11 0x0000003d8aa100e8 in _dbus_connection_handle_watch (watch=<value optimized out>, condition=1, data=0x835b00) at dbus-connection.c:1459
#12 0x0000003d8aa24e5a in dbus_watch_handle (watch=0x8339b0, flags=1) at dbus-watch.c:669
#13 0x000000000041195e in cm_tdbus_handle_fd (ec=0x831290, tfd=<value optimized out>, tflags=<value optimized out>, pvt=0x838e20) at tdbus.c:161
#14 0x0000003d8ee05456 in epoll_event_loop (ev=<value optimized out>, location=<value optimized out>) at tevent_standard.c:309
#15 std_event_loop_once (ev=<value optimized out>, location=<value optimized out>) at tevent_standard.c:544
#16 0x0000003d8ee026d0 in _tevent_loop_once (ev=0x831290, location=0x41f6b7 "main.c:203") at tevent.c:490
#17 0x00000000004068bd in main (argc=<value optimized out>, argv=<value optimized out>) at main.c:203

=============================================================================

Comment 3 Kaleem 2011-03-24 08:05:35 UTC

(1)While verifying i found that with non-existent NSS database directory, now Segmentation fault is not there but following unhelpful message is displayed on console.

     [root@jupiter ~]# selfsign-getcert request -d /tmp/kaleem -n test
(null)Error org.fedorahosted.certmonger.bad_arg.

     Is this ok?

   
(2)I also observed that now when i am issuing duplicate request, it displays following on console.
 
    [root@dhcp193-17 ~]# selfsign-getcert request -d /tmp/kaleem -n test
(null)Error org.fedorahosted.certmonger.duplicate

 
    while earlier with certmonger-0.34 it was displaying,

   [root@dhcp193-17 ~]# selfsign-getcert request -d /tmp/kaleem -n test
Error org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request "20110324065406".

Comment 4 Nalin Dahyabhai 2011-03-24 14:13:58 UTC

(In reply to comment #3)
> (1)While verifying i found that with non-existent NSS database directory, now
> Segmentation fault is not there but following unhelpful message is displayed on
> console.
> 
>      [root@jupiter ~]# selfsign-getcert request -d /tmp/kaleem -n test
> (null)Error org.fedorahosted.certmonger.bad_arg.
> 
>      Is this ok?

No, that's a bug.  (Usually, the presence of "(null)" indicates that a NULL pointer is being used as a printable string, which shouldn't happen.)

Comment 5 Kaleem 2011-03-28 05:12:42 UTC

Verfied.

RHEL version:

[root@dhcp193-17 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.1 Beta (Santiago)

Certmonger Version:

[root@dhcp193-17 ~]# rpm -qai certmonger |head
Name        : certmonger                   Relocations: (not relocatable)
Version     : 0.39                              Vendor: Red Hat, Inc.
Release     : 1.el6                         Build Date: Fri 25 Mar 2011 11:49:35 PM IST
Install Date: Mon 28 Mar 2011 10:39:04 AM IST      Build Host: x86-002.build.bos.redhat.com
Group       : System Environment/Daemons    Source RPM: certmonger-0.39-1.el6.src.rpm
Size        : 678726                           License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://certmonger.fedorahosted.org
Summary     : Certificate status monitor and PKI enrollment client

Steps used to verify:
(1)Install certmonger

 [root@dhcp193-17 ~]# yum install certmonger -y
Loaded plugins: product-id, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package certmonger.x86_64 0:0.39-1.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================================
 Package                                Arch                               Version                                 Repository                           Size
=============================================================================================================================================================
Installing:
 certmonger                             x86_64                             0.39-1.el6                              rhel6.1                             175 k

Transaction Summary
=============================================================================================================================================================
Install       1 Package(s)

Total download size: 175 k
Installed size: 663 k
Downloading Packages:
certmonger-0.39-1.el6.x86_64.rpm                                                                                                      | 175 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing : certmonger-0.39-1.el6.x86_64                                                                                                              1/1 
duration: 91(ms)
Installed products updated.

Installed:
  certmonger.x86_64 0:0.39-1.el6                                                                                                                             

Complete!

  
(2)Start certmonger service

[root@dhcp193-17 ~]# service certmonger start
Starting certmonger:                                       [  OK  ]

(3)Issue a certificate request with non-existent database directory

[root@dhcp193-17 ~]# selfsign-getcert request -d /tmp/kaleem/ -n test
The location "/tmp/kaleem" must be a directory.

Result:
Now proper message is displayed on console for non-existent directory.

Comment 6 Eva Kopalova 2011-05-02 17:03:51 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Previously, the certmonger service terminated unexpectedly if the user attempted to use a certificate database stored in a non-existent directory. While preparing an error message to return to its client, the daemon attempted to use already-freed memory, which could have caused a segmentation fault. With this update, certmonger displays a message that the directory does not exist and remains stable in these circumstances.

Comment 7 errata-xmlrpc 2011-05-19 13:07:20 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0570.html

Note You need to log in before you can comment on or make changes to this bug.