Version-Release number of selected component (if applicable):
nss-3.12.10-17.1.el6

How reproducible:
100 %

Steps to Reproduce:
1. patch curl by attachment #525555
2. run this test-case: attachment #551005

Actual results:
==17888== 512 bytes in 16 blocks are definitely lost in loss record 75 of 86
==17888==    at 0x4A05FDE: malloc (vg_replace_malloc.c:236)
==17888==    by 0x331A412574: GrowStuff (prprf.c:1076)
==17888==    by 0x331A411BD7: dosprintf (prprf.c:137)
==17888==    by 0x331A412439: PR_vsmprintf (prprf.c:1127)
==17888==    by 0x331A41272C: PR_smprintf (prprf.c:1105)
==17888==    by 0x5581D5C: nss_MkConfigString (nssinit.c:205)
==17888==    by 0x55826E9: nss_Init (nssinit.c:597)
==17888==    by 0x5582DFA: NSS_InitContext (nssinit.c:804)
==17888==    by 0x4EC8776: nss_init_core (nss.c:905)
==17888==    by 0x4EC8914: nss_init (nss.c:949)
==17888==    by 0x4EC8F7F: Curl_nss_connect (nss.c:1167)
==17888==    by 0x4EBC00A: Curl_ssl_connect (sslgen.c:185)
Created attachment 551566
a proposed fix
Thank you for the patch but it is not needed since the update to nss 3.13.1.
In the current code in nssinit.c we have

loser:
    if (initContextPtr && *initContextPtr) {
        PORT_Free(*initContextPtr);
        *initContextPtr = NULL;
        if (configStrings) {
            PR_smprintf_free(configStrings);
        }
    }

and with initContextPtr NULL configStrings = pk11_config_strings whose allocation/deallocation is handled by PK11_ConfigurePKCS11 and PK11_UnconfigurePKCS11.
(In reply to comment #3)
> Thank you for the patch but it is not needed since the update to nss 3.13.1.

I disagree.

> In the current code in nssinit.c we have
>
> loser:
>     if (initContextPtr && *initContextPtr) {
>         PORT_Free(*initContextPtr);
>         *initContextPtr = NULL;
>         if (configStrings) {
>             PR_smprintf_free(configStrings);
>         }
>     }

This code is not new to 3.13.1 and does not solve the issue I reported.

> and with initContextPtr NULL configStrings = pk11_config_strings whose
> allocation/deallocation is handled by PK11_ConfigurePKCS11 and
> PK11_UnconfigurePKCS11.

Right, then we need to handle this case separately to avoid a double free.
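The ownership split argued over in the two comments above, written out as a small added example (not NSS code and not either reporter's patch): a hypothetical init routine builds and owns its config string only when an init context is requested, borrows the pre-configured string otherwise, and releases only the owned string on both the success and the loser path. The names example_init, mk_config_string, free_config_string, configure_modules and the live_allocations counter are stand-ins constructed for this example; mk_config_string and free_config_string play the roles of nss_MkConfigString/PR_smprintf and PR_smprintf_free.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the pre-configured PKCS#11 config string owned
 * elsewhere (PK11_ConfigurePKCS11 in NSS); the init routine must never free it. */
static const char *pk11_config_strings = "name=preconfigured";

/* Bookkeeping so each scenario can report a leak (>0) or a double free (<0). */
static int live_allocations = 0;

/* Stand-in for nss_MkConfigString / PR_smprintf: the caller owns the result. */
static char *mk_config_string(const char *name)
{
    size_t n = strlen("name=") + strlen(name) + 1;
    char *s = malloc(n);
    if (s == NULL)
        return NULL;
    snprintf(s, n, "name=%s", name);
    live_allocations++;
    return s;
}

/* Stand-in for PR_smprintf_free. */
static void free_config_string(char *s)
{
    if (s != NULL) {
        free(s);
        live_allocations--;
    }
}

/* Stand-in for the module loading that consumes the config string. */
static int configure_modules(const char *config, int fail)
{
    (void)config;
    return fail ? -1 : 0;
}

typedef struct { int initialized; } InitContext;

/* Hypothetical init: with an init context the config string is built and
 * owned here; without one the pre-configured string is only borrowed. */
static int example_init(InitContext **initContextPtr, const char *name, int fail)
{
    char *configStrings = NULL;
    int owned = 0;

    if (initContextPtr != NULL) {
        *initContextPtr = NULL;
        configStrings = mk_config_string(name);
        if (configStrings == NULL)
            return -1;
        owned = 1;
    } else {
        configStrings = (char *)pk11_config_strings;   /* borrowed, not owned */
    }

    if (configure_modules(configStrings, fail) != 0)
        goto loser;

    if (initContextPtr != NULL) {
        *initContextPtr = calloc(1, sizeof(**initContextPtr));
        if (*initContextPtr == NULL)
            goto loser;
        (*initContextPtr)->initialized = 1;
    }

    /* Success path: the string has been consumed; omitting this release for the
     * init-context case is exactly the kind of leak the valgrind report shows. */
    if (owned)
        free_config_string(configStrings);
    return 0;

loser:
    if (initContextPtr != NULL && *initContextPtr != NULL) {
        free(*initContextPtr);
        *initContextPtr = NULL;
    }
    /* Releasing the borrowed pk11_config_strings here would be the double free
     * the thread warns about, so the release is gated on ownership, not on
     * whether an init context was requested. */
    if (owned)
        free_config_string(configStrings);
    return -1;
}

/* Each scenario returns the live allocation count afterwards: 0 means clean. */
int scenario_with_context(int fail)
{
    InitContext *ctx = NULL;
    live_allocations = 0;
    if (example_init(&ctx, "curl", fail) == 0)
        free(ctx);
    return live_allocations;
}

int scenario_without_context(int fail)
{
    live_allocations = 0;
    example_init(NULL, "curl", fail);
    return live_allocations;
}

int main(void)
{
    printf("ctx/ok=%d ctx/fail=%d noctx/ok=%d noctx/fail=%d\n",
           scenario_with_context(0), scenario_with_context(1),
           scenario_without_context(0), scenario_without_context(1));
    return 0;
}
```

Running the four scenarios under valgrind is the quick check: every combination of context/no-context and success/failure should leave the live count at zero and produce no "definitely lost" or invalid-free records.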
Created attachment 566601
a proposed fix V2

Avoid a double free.
Is this NSS bug required for fixing bug 738456?
(In reply to comment #6)
> Is this NSS bug required for fixing bug 738456?

Without this patch applied, nss will start to leak on initialization as soon as bug 738456 is fixed. From my point of view, such an amount of memory leakage is acceptable, but I am not the one here to make decisions.
upstream bug?
Elio, could you please apply my fix on Fedora? This bug breaks curl's test-suite badly: http://koji.fedoraproject.org/koji/getfile?taskID=3987501&name=build.log
(In reply to comment #13)

Kamil, I applied your fix to Fedora Rawhide and submitted it upstream.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: No documentation needed
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0973.html