Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 784676

Summary: nss should protect against being called before nss_Init
Product: Red Hat Enterprise Linux 5 Reporter: Elio Maldonado Batiz <emaldona>
Component: nssAssignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED ERRATA QA Contact: Alicja Kario <hkario>
Severity: medium Docs Contact:
Priority: medium    
Version: 5.7CC: amarecek, emaldona, hkario, kdudka, kengert, ksrot, nkinder, rmeggins
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: nss-3.13.6-2.el5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 784674 Environment:
Last Closed: 2013-09-30 22:40:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 784672, 784674    
Bug Blocks:    
Attachments:
Description Flags
Changes since this bug was cloned in patch form none

Comment 1 Rich Megginson 2012-01-25 19:45:26 UTC 
This causes crashes admin server in Red Hat Directory Server/389 because of
mod_nss https://bugzilla.redhat.com/show_bug.cgi?id=618466 because mod_nss
calls SSL_ClearSessionCache() during shutdown without checking to see if
NSS_IsInitialized() is true.

I can see where there is a chicken/egg problem here
    PZ_Lock(nssInitLock);
    if (!NSS_IsInitialized()) {

you have to acquire the nssInitLock to make sure nssIsInitted isn't changed out
from under you, but nssInitLock is NULL if nssIsInitted is 0.

So one way to guard against using NULL nssInitLock would be to call:
    /* make sure our lock and condition variable are initialized one and only
     * one time */ 
    if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) {
 return SECFailure;
    }

before the first attempt to use nssInitLock in any function that uses
nssInitLock.  That might be too heavyweight.

another approach would be to use an atomic integer for nssIsInitted.  NSPR
provides pratom.h.  That way you could be guaranteed that all accesses of
nssIsInitted would be implicitly protected.

The best approach would be to use static lock initialization like
 static pthread_mutex_t nssInitLock = PTHREAD_MUTEX_INITIALIZER;
but I do not think NSPR has support for static PR_Lock initialization.
Comment 4 Elio Maldonado Batiz 2013-02-20 19:38:11 UTC 
Created attachment 700186 [details]
Changes since this bug was cloned in patch form

No need to backport any patches, fix already in. We just need QE verification.
Comment 6 RHEL Program Management 2013-04-04 12:29:11 UTC 
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 13 errata-xmlrpc 2013-09-30 22:40:16 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1318.html