784676 – nss should protect against being called before nss_Init

Bug 784676 - nss should protect against being called before nss_Init

Summary: nss should protect against being called before nss_Init

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	nss
Sub Component:
Version:	5.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Elio Maldonado Batiz
QA Contact:	Hubert Kario
Docs Contact:
URL:
Whiteboard:
Depends On:	784672 784674
Blocks:
TreeView+	depends on / blocked

Reported:	2012-01-25 19:23 UTC by Elio Maldonado Batiz
Modified:	2013-09-30 22:40 UTC (History)
CC List:	8 users (show)
Fixed In Version:	nss-3.13.6-2.el5
Doc Type:	Bug Fix
Doc Text:
Clone Of:	784674
Environment:
Last Closed:	2013-09-30 22:40:16 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Changes since this bug was cloned in patch form (1.66 KB, patch) 2013-02-20 19:38 UTC, Elio Maldonado Batiz	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2013:1318	0	normal	SHIPPED_LIVE	nss bug fix and enhancement update	2013-09-30 21:13:17 UTC

Comment 1 Rich Megginson 2012-01-25 19:45:26 UTC

This causes crashes admin server in Red Hat Directory Server/389 because of
mod_nss https://bugzilla.redhat.com/show_bug.cgi?id=618466 because mod_nss
calls SSL_ClearSessionCache() during shutdown without checking to see if
NSS_IsInitialized() is true.

I can see where there is a chicken/egg problem here
    PZ_Lock(nssInitLock);
    if (!NSS_IsInitialized()) {

you have to acquire the nssInitLock to make sure nssIsInitted isn't changed out
from under you, but nssInitLock is NULL if nssIsInitted is 0.

So one way to guard against using NULL nssInitLock would be to call:
    /* make sure our lock and condition variable are initialized one and only
     * one time */ 
    if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) {
 return SECFailure;
    }

before the first attempt to use nssInitLock in any function that uses
nssInitLock.  That might be too heavyweight.

another approach would be to use an atomic integer for nssIsInitted.  NSPR
provides pratom.h.  That way you could be guaranteed that all accesses of
nssIsInitted would be implicitly protected.

The best approach would be to use static lock initialization like
 static pthread_mutex_t nssInitLock = PTHREAD_MUTEX_INITIALIZER;
but I do not think NSPR has support for static PR_Lock initialization.

Comment 4 Elio Maldonado Batiz 2013-02-20 19:38:11 UTC

Created attachment 700186 [details]
Changes since this bug was cloned in patch form

No need to backport any patches, fix already in. We just need QE verification.

Comment 6 RHEL Program Management 2013-04-04 12:29:11 UTC

This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 13 errata-xmlrpc 2013-09-30 22:40:16 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1318.html

Note You need to log in before you can comment on or make changes to this bug.