Closed
Bug 1025729
Opened 10 years ago
Closed 10 years ago
Win64 PROCESS-CRASH | /tests/security/manager/ssl/tests/mochitest/bugs/test_generateCRMFRequest.html | application crashed [@ nsKeygenThread::Run()]
Categories
(NSS :: Libraries, defect, P1)
Tracking
(firefox31 wontfix, firefox32 wontfix, firefox33 fixed)
RESOLVED
FIXED
3.16.4
People
(Reporter: away, Assigned: away)
References
Details
Attachments
(1 file, 1 obsolete file)
(deleted),
patch
|
m_kato
:
review+
wtc
:
review+
wtc
:
checked-in+
|
Details | Diff | Splinter Review |
https://tbpl.mozilla.org/php/getParsedLog.php?id=41403307&tree=Date
Only on Win64 debug. After the call to PK11_GenerateKeyPairWithFlags [1], rbx is supposed to be |this| but instead it's pointing into freebl3 code.
[1] http://hg.mozilla.org/mozilla-central/file/80431d4fd0da/security/manager/ssl/src/nsKeygenThread.cpp#l189
Found it. In s_mp_sqr_comba_4, the |push rbx| from line 7872 needs to happen before the |sub rsp, 80| at line 7866.
http://hg.mozilla.org/mozilla-central/file/80431d4fd0da/security/nss/lib/freebl/mpi/mp_comba_amd64_masm.asm#l7857
How does freebl work? Do we just change the code directly, or is there some upstream for this?
Flags: needinfo?(kaie)
Moving the |push rbx| also fixes the SSL xpcshell test failures in: https://tbpl.mozilla.org/php/getParsedLog.php?id=41409112&tree=Date
Haven't heard from Kai. Adding some other security folks: how can I get a change into freebl3?
Flags: needinfo?(wtc)
Flags: needinfo?(brian)
Updated•10 years ago
|
Assignee: nobody → nobody
Component: Security → Libraries
Flags: needinfo?(brian)
Product: Core → NSS
Version: 32 Branch → trunk
Comment 4•10 years ago
|
||
(In reply to David Major [:dmajor] from comment #3)
> Haven't heard from Kai. Adding some other security folks: how can I get a
> change into freebl3?
Please attach a patch to the bug and ask one of the people who has most recently committed a change to that file to review the patch using the review? flag. I am not the best reviewer for this, because I haven't looked at or touched that code.
I know how to submit patches in general. But all of the source history in this area goes like "Update to NSS <version>" so it sounds like I should really be making this change somewhere other than m-c. That's what I'm trying to figure out.
Comment 7•10 years ago
|
||
(In reply to David Major [:dmajor] from comment #5)
> I know how to submit patches in general. But all of the source history in
> this area goes like "Update to NSS <version>" so it sounds like I should
> really be making this change somewhere other than m-c. That's what I'm
> trying to figure out.
https://hg.mozilla.org/projects/nss is the upstream NSS repository. It is best if you can post patches against that repository instead of mozilla-central, but people can also generally figure out how to deal with a mozilla-central patch (patch -p3, IIRC). Please use the changelog of the file in question from the https://hg.mozilla.org/projects/nss repository to pick a reviewer.
Aha. That's the information I was looking for. Thanks!
Flags: needinfo?(wtc)
Flags: needinfo?(kaie)
I guess Makoto would be the best reviewer, based on https://hg.mozilla.org/projects/nss/annotate/777ff0acc9e8/lib/freebl/mpi/mp_comba_amd64_masm.asm#l7854
Assignee: nobody → dmajor
Attachment #8445653 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #8445665 -
Flags: review?(m_kato)
Comment 10•10 years ago
|
||
Comment on attachment 8445665 [details] [diff] [review]
Fix register saving for amd64
Review of attachment 8445665 [details] [diff] [review]:
-----------------------------------------------------------------
::: lib/freebl/mpi/mp_comba_amd64_masm.asm
@@ +7862,5 @@
> mov rdi, rcx
> mov rsi, rdx
>
> push rbp
> + push rbx
David: thanks for the patch. Could you explain this change?
rbx is not used until line 7873:
mov rbx, rsi
So it seems fine to push rbx on line 7872. Is it because of
the side effect of line 7867?
sub rsp, 80
Assignee | ||
Comment 11•10 years ago
|
||
(In reply to Wan-Teh Chang from comment #10)
Yes, it's because of the sub instruction. The order needs to match the order of the epilogue:
add rsp, 80
pop rbx
pop rbp
mov dword ptr [r11], eax
pop rsi
pop rdi
Updated•10 years ago
|
Attachment #8445665 -
Flags: review?(m_kato) → review+
Comment 14•10 years ago
|
||
Comment on attachment 8445665 [details] [diff] [review]
Fix register saving for amd64
r=wtc.
Patch checked in: https://hg.mozilla.org/projects/nss/rev/81e8b725bf7a
David: this patch should appear in mozilla-central within two weeks as
part of a regular NSS update. Do you need it in m-c sooner?
Updated•10 years ago
|
Priority: -- → P1
Target Milestone: --- → 3.17
Assignee | ||
Comment 15•10 years ago
|
||
> David: this patch should appear in mozilla-central within two weeks as
> part of a regular NSS update. Do you need it in m-c sooner?
Two weeks should be fine, thanks for the checkin.
Comment 17•10 years ago
|
||
If we're dealing with garbage memory, it seems like this should be a sec bug. Is that not right?
Group: core-security
Updated•10 years ago
|
Flags: needinfo?(dmajor)
Assignee | ||
Comment 18•10 years ago
|
||
No objection. You would know better than me.
Flags: needinfo?(dmajor)
Comment 19•10 years ago
|
||
Comment on attachment 8445665 [details] [diff] [review]
Fix register saving for amd64
Patch pushed to mozilla-inbound as part of NSS_3_17_BETA1:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3e672df388ed
Comment 20•10 years ago
|
||
If this is Win64 only, it sounds like we don't need to bother backporting it.
Comment 21•10 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Comment 22•10 years ago
|
||
Can we remove the security flag from this? It's been several weeks of nightlies now.
Flags: needinfo?(continuation)
Updated•10 years ago
|
Group: core-security
Flags: needinfo?(continuation)
Comment 23•10 years ago
|
||
for nss 3.16.4:
https://hg.mozilla.org/projects/nss/rev/0f6effa542e6
Target Milestone: 3.17 → 3.16.4
You need to log in
before you can comment on or make changes to this bug.
Description
•