[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Regression problem, call for advice Re: Call for advice and testing of nss (and nspr) and intention to upload correction



Hi Ben, Balint and others

I'd like to have some advice on this regression.

1) Is this worth investigating?
 - Chrome is not supported, however we have now made it to crash. Ben obviously like that but maybe others do not have the same opinion.
2) Is this severe enough for me to revert the nss 3.26 upload?
 If yes, how do I do that in the best way? I can not easily replace the .orig file, but I can make a version without an orig file maybe. And replace the source with the old one. Not sure how I should name the versions in that case.
3) If we think it is worth investigating do anyone have a good idea on how to do that. This is a multi-threaded program and gdb did not really help. When I run strace chrome fails as I'm running it with strace... So I end up in another problem. The only remaining thing seem to be to add quite a few printf statements. I'll do that tomorrow unless someone have told me to do otherwise.
4) Have anyone seen a problem on anything else than chrome?
 I'm a little worried that this is a bigger problem than chrome.

I have now got two other reports about this problem. One from Okajima and one from Jiri (cc to this mail). Both had the same problem.
As I understand it is not possible to upgrade chrome browser only. You have to upgrade more than that. I may be wrong though.

I have put in some effort to understand why it fails, but I do not yet do that. I'm a little worried that there may be other applications having the same problem.

The error number is: SEC_ERROR_PKCS11_DEVICE_ERROR =   (SEC_ERROR_BASE + 169) = -0x2000 + 169 = -8192 + 169 = -8023

Yesterday I found this article:
http://stackoverflow.com/questions/22303198/why-would-pk11-generaterandom-return-an-error-8023

So I tried to reverse that fix but it did not help.

The chromium nss_util.cc code looks like this:

// Force a crash with error info on NSS_NoDB_Init failure.                                     void CrashOnNSSInitFailure() {
  int nss_error = PR_GetError();
  int os_error = PR_GetOSError();
  base::debug::Alias(&nss_error);
  base::debug::Alias(&os_error);
  LOG(ERROR) << "Error initializing NSS without a persistent database: "
             << GetNSSErrorMessage();
  LOG(FATAL) << "nss_error=" << nss_error << ", os_error=" << os_error;
}

And then this function is called by
    if (nodb_init) {
      status = NSS_NoDB_Init(NULL);
      if (status != SECSuccess) {
        CrashOnNSSInitFailure();
        return;
      }

and
        status = NSS_InitReadWrite(nss_config_dir.c_str());
        if (status != SECSuccess) {
          LOG(ERROR) << "Error initializing NSS with a persistent "
                        "database (" << nss_config_dir
                     << "): " << GetNSSErrorMessage();
        }
      }
      if (status != SECSuccess) {
        VLOG(1) << "Initializing NSS without a persistent database.";
        status = NSS_NoDB_Init(NULL);
        if (status != SECSuccess) {
          CrashOnNSSInitFailure();
          return;
        }
      }

I tried to compare the NSS_NoDB_Init functions and the nss_init function but they are very similar. So it have to be some other deeper function.

I'll investigate more tomorrow to see what I can find out. It is a little too late now.

// Ola

On 1 November 2016 at 22:41, Ben Hutchings <ben@decadent.org.uk> wrote:
On Tue, 2016-11-01 at 17:53 +0100, Bálint Réczey wrote:
> Hi,
>
> It seems the nss update broke chromium:
> https://lists.debian.org/debian-user/2016/10/msg00981.html

Good.

> Maybe when we update gcc for firefox we can also continue supporting
> chromium:
> https://lists.debian.org/debian-security-announce/2015/msg00031.html
[...]

What would be the point?  Anyone using chromium on wheezy should have
upgraded already.

Ben.

-- 
Ben Hutchings
Horngren's Observation:
                   Among economists, the real world is often a special
case.




--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------


Reply to: