Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 784674

Summary: nss should protect against being called before nss_Init
Product: Red Hat Enterprise Linux 6 Reporter: Elio Maldonado Batiz <emaldona>
Component: nssAssignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED ERRATA QA Contact: Aleš Mareček <amarecek>
Severity: high Docs Contact:
Priority: high    
Version: 6.3CC: amarecek, emaldona, jpallich, kchamart, kdudka, kengert, ksrot, mharmsen, rmeggins, rrelyea, syeghiay
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: nss-3.13.1-2.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 784672
: 784676 (view as bug list) Environment:
Last Closed: 2012-06-20 07:23:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 784672    
Bug Blocks: 784676, 789043    
Attachments:
Description Flags
Patch: make sure the initLock has been initialized in every case we use it. none

Description Elio Maldonado Batiz 2012-01-25 19:18:21 UTC 
+++ This bug was initially created as a clone of Bug #784672 +++

beginning with nss 3.13 there is code like this:

SECStatus
NSS_RegisterShutdown(NSS_ShutdownFunc sFunc, void *appData)
{
    int i;

    PZ_Lock(nssInitLock);

The problem is that nssInitLock is NULL until nss_Init() is called, PZ_Lock will crash if called with NULL, and there are some poorly written applications that may call NSS_RegisterShutdown() and other functions before calling nss_Init().
Comment 2 Bob Relyea 2012-01-25 19:43:50 UTC 
The correct thread-safe fix here would be to add the following code before references to PZ_Lock(nssInitLock):

+ /* make sure our lock and condition variable are initialized one and only
+ * one time */
+ if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) {
+ return SECFailure;
+ }
+

This code should be added to:

 NSS_RegisterShutdown()
 NSS_Shutdown()
 NSS_ShutdownContext()

This problem exists in upstream NSS as well.

bob
Comment 3 Rich Megginson 2012-01-25 19:45:23 UTC 
This causes crashes admin server in Red Hat Directory Server/389 because of
mod_nss https://bugzilla.redhat.com/show_bug.cgi?id=618466 because mod_nss
calls SSL_ClearSessionCache() during shutdown without checking to see if
NSS_IsInitialized() is true.

I can see where there is a chicken/egg problem here
    PZ_Lock(nssInitLock);
    if (!NSS_IsInitialized()) {

you have to acquire the nssInitLock to make sure nssIsInitted isn't changed out
from under you, but nssInitLock is NULL if nssIsInitted is 0.

So one way to guard against using NULL nssInitLock would be to call:
    /* make sure our lock and condition variable are initialized one and only
     * one time */ 
    if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) {
 return SECFailure;
    }

before the first attempt to use nssInitLock in any function that uses
nssInitLock.  That might be too heavyweight.

another approach would be to use an atomic integer for nssIsInitted.  NSPR
provides pratom.h.  That way you could be guaranteed that all accesses of
nssIsInitted would be implicitly protected.

The best approach would be to use static lock initialization like
 static pthread_mutex_t nssInitLock = PTHREAD_MUTEX_INITIALIZER;
but I do not think NSPR has support for static PR_Lock initialization.
Comment 4 Bob Relyea 2012-01-25 19:55:45 UTC 
Created attachment 557514 [details]
Patch: make sure the initLock has been initialized in every case we use it.
Comment 5 Bob Relyea 2012-01-25 20:00:33 UTC 
Clearly Rich and I reach the same conclusions (see Comment 2 and 3).

As for using atomic integers: that's how PR_CallOnce() is implemented. It's meant to be relatively lightweight, and NSS uses it in cases that are far more common than init, shutdown, or register.

bob
Comment 26 errata-xmlrpc 2012-06-20 07:23:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0973.html