Bug 768669 - [PEM] an unregistered callback causes a SIGSEGV
Summary: [PEM] an unregistered callback causes a SIGSEGV
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nss
Version: 6.2
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: rc
Target Release: 6.3
Assignee: Elio Maldonado Batiz
QA Contact: Aleš Mareček
URL:
Whiteboard:
Depends On: 754771
Blocks: 702083 733657 733749 733752 746629 1002271
Reported: 2011-12-17 19:40 UTC by Elio Maldonado Batiz
Modified: 2013-08-28 18:52 UTC
CC List: 7 users

Fixed In Version: nss-3.13.3-3.el6
Doc Type: Bug Fix
Doc Text:
Cause: The PEM module did not fully initialize newly constructed objects, leaving their function pointers set to NULL. Consequence: A segmentation violation in libcurl was experienced while accessing a package repository. Fix: Fully initialize newly allocated objects. Result: The updates can now be installed without problems.
Clone Of: 754771
Environment:
Last Closed: 2012-06-20 07:23:33 UTC
Target Upstream Version:


Attachments
Initializes pointers to functions: Kamil's patch brought here (540 bytes, patch)
2012-03-13 00:17 UTC, Elio Maldonado Batiz
rrelyea: review+


Links
System: Red Hat Product Errata
ID: RHSA-2012:0973
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: nss, nss-util, and nspr security, bug fix, and enhancement update
Last Updated: 2012-06-19 19:28:14 UTC

Description Elio Maldonado Batiz 2011-12-17 19:40:18 UTC
+++ This bug was initially created as a clone of Bug #754771 +++

+++ This bug was initially created as a clone of Bug #733685 +++

--- Additional comment from kdudka on 2011-08-26 15:52:53 CEST ---

I needed the following patch:

diff --git a/pinst.c b/pinst.c
index 70f5f4e..d35d7cf 100644
--- a/pinst.c
+++ b/pinst.c
@@ -349,6 +349,9 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objClass,
     if (io == NULL)
         return NULL;

+    /* initialize pointers to functions */
+    pem_CreateMDObject(NULL, io, NULL);
+
     io->gobjIndex = count;

     /* add object to global array */
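Review bot: the added call `pem_CreateMDObject(NULL, io, NULL);` discards its return value and the one-line comment above it does not say that setting `io`'s function pointers is the only effect being relied on; a `(void)` cast and a comment stating that the NULL instance and NULL creation-data arguments are passed solely to populate the method pointers would make that intent explicit to the next reader. Since `io` is added to the global array immediately after this point, consider making the initialization part of the allocation that produced `io` rather than a separate step in AddObjectIfNeeded, so no other construction path can hand out an object whose method pointers are still NULL.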


... to get over the following crash:

#0  0x0000000000000000 in ?? ()
#1  0x00007ffff04bd4f7 in pem_mdObject_GetAttributeSize (mdObject=0x721b60, ...)
#2  0x00007ffff04c2c9e in nssCKFWObject_GetAttributeSize (fwObject=0x6fb9c0,...)
#3  0x00007ffff04cbec7 in NSSCKFWC_GetAttributeValue (fwInstance=0x6f6580, ...)
#4  0x00007ffff04b8eaa in pemC_GetAttributeValue (hSession=2, hObject=2, ...)
#5  0x00007ffff75904e2 in PK11_ReadAttribute (slot=0x6fa700, id=2, type=17, ...)
#6  0x00007ffff75930cb in PK11_ReadRawAttribute (objType=PK11_TypeGeneric, ...)
#7  0x00007ffff7dc7e2d in SelectClientCert (arg=0x62efe8, sock=0x7207b0, ...)

--- Additional comment from emaldona on 2011-08-26 19:04:05 CEST ---

Ah, we now add to the global internal list a fully constructed object. The invocation of pem_CreateMDObject(NULL, io, NULL); is solely for its side effect of setting the function pointers, so a (void) cast seems in order. Additionally, the (void) pem_CreateMDObject(NULL, io, NULL); could be inside CreateObject itself.

At some point we should analyze why we need CreateObject and pem_createObject. That's food for the upstream work, not now.
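An added illustration, not code from nss, from the PEM module, or from this report's patch: a minimal C model of the bug class discussed in the comments above. An object carrying a method table of function pointers is allocated zeroed and handed out before the table is filled in, so the first call through it jumps to address 0, which is what frame #0 in the backtrace shows. Beside it is the fixed constructor that always initializes the table, plus a caller-side check that refuses a half-constructed object instead of crashing. The type and function names (pem_object, pem_methods, pem_init_methods, pem_alloc_uninitialized, pem_alloc_initialized, pem_object_is_fully_constructed, pem_get_attribute_size_checked) and the sample attribute values are invented for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct pem_object pem_object;

/* Method table of a PEM-module object. In nss the real object's pointers
 * are filled in by pem_CreateMDObject; here the hypothetical
 * pem_init_methods plays that role. */
typedef struct {
    size_t (*get_attribute_size)(const pem_object *obj, int attr_type);
} pem_methods;

struct pem_object {
    pem_methods m;      /* function pointers: NULL until initialized */
    int obj_class;      /* constructed sample field */
    size_t attr_len;    /* constructed sample field */
};

/* Implementation that the method pointer should point at. */
static size_t pem_default_get_attribute_size(const pem_object *obj, int attr_type)
{
    (void)attr_type;    /* the sample has one attribute size for all types */
    return obj->attr_len;
}

/* The one place every method pointer is set (the role the
 * pem_CreateMDObject(NULL, io, NULL) call plays in the patch). */
static void pem_init_methods(pem_object *obj)
{
    obj->m.get_attribute_size = pem_default_get_attribute_size;
}

/* BEFORE the fix: zeroed allocation, so every method pointer is NULL, and
 * the object is returned without the method table ever being set. */
pem_object *pem_alloc_uninitialized(int obj_class, size_t attr_len)
{
    pem_object *obj = calloc(1, sizeof *obj);
    if (obj == NULL)
        return NULL;
    obj->obj_class = obj_class;
    obj->attr_len = attr_len;
    return obj;     /* obj->m.get_attribute_size is still NULL here */
}

/* AFTER the fix: construction always fills the method table, so a
 * half-constructed object never reaches a caller or a global list. */
pem_object *pem_alloc_initialized(int obj_class, size_t attr_len)
{
    pem_object *obj = pem_alloc_uninitialized(obj_class, attr_len);
    if (obj == NULL)
        return NULL;
    pem_init_methods(obj);
    return obj;
}

/* 1 if every method pointer is set. An object failing this check is the
 * condition that produced frame #0 at address 0x0 in the backtrace. */
int pem_object_is_fully_constructed(const pem_object *obj)
{
    return obj != NULL && obj->m.get_attribute_size != NULL;
}

/* Caller-side guard: never call through a NULL method pointer; report the
 * failure instead. Returns 0 on success, -1 for a half-constructed object. */
int pem_get_attribute_size_checked(const pem_object *obj, int attr_type, size_t *out)
{
    if (!pem_object_is_fully_constructed(obj))
        return -1;
    *out = obj->m.get_attribute_size(obj, attr_type);
    return 0;
}

int main(void)
{
    size_t n = 0;
    pem_object *bad = pem_alloc_uninitialized(1, 42);   /* pre-patch path */
    pem_object *good = pem_alloc_initialized(1, 42);    /* post-patch path */

    /* Without the guard, bad->m.get_attribute_size(bad, 17) would jump to
     * address 0 and SIGSEGV, as in the report. */
    printf("uninitialized object: %s\n",
           pem_get_attribute_size_checked(bad, 17, &n) == 0 ? "ok" : "refused");
    printf("initialized object:   %s (size %zu)\n",
           pem_get_attribute_size_checked(good, 17, &n) == 0 ? "ok" : "refused", n);

    free(bad);
    free(good);
    return 0;
}
```

The guard in pem_get_attribute_size_checked is a second line of defence only; the actual fix is the constructor that sets every pointer before the object is visible anywhere, which is what the patch in this report achieves for the PEM module.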

--- Additional comment from kdudka@redhat.com on 2011-12-12 08:09:24 EST ---

Elio, is there anything that prevents this one-liner from being applied?

--- Additional comment from emaldona@redhat.com on 2011-12-12 12:59:50 EST ---

Created attachment 545843 [details]
Initializes pointers to functions

Modified to account for code movement since Kamil first proposed it.

Comment 5 Elio Maldonado Batiz 2012-03-13 00:17:45 UTC
Created attachment 569522 [details]
Initializes pointers to functions: Kamil's patch brought here

Renamed to follow current nss patch naming conventions: Bug-number-some-description.patch

Comment 6 Bob Relyea 2012-03-13 00:39:35 UTC
Comment on attachment 569522 [details]
Initializes pointers to functions: Kamil's patch brought here

r+

From a logical point of view, this may not be the most optimal patch, but it's both effective and safe, so it's the right patch for RHEL.

Comment 7 Elio Maldonado Batiz 2012-03-14 06:46:50 UTC
*** Bug 754771 has been marked as a duplicate of this bug. ***

Comment 13 Elio Maldonado Batiz 2012-04-26 18:25:54 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: The PEM module did not fully initialize newly constructed objects, leaving their function pointers set to NULL.

Consequence: A segmentation violation in libcurl was experienced while accessing a package repository.

Fix: Fully initialize newly allocated objects.

Result: The updates can now be installed without problems.

Comment 14 errata-xmlrpc 2012-06-20 07:23:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0973.html