[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Regression problem, call for advice Re: Call for advice and testing of nss (and nspr) and intention to upload correction

Hi all

I have now analyzed the problem and the problem is that libfreebl3.so have been split into a libfreebl3.so that is pre-loaded and a libfreeblpriv3.so that is dynamically loaded by libfreebl3.so. This works well in many situations but apparently not in google chrome. I guess this is because of some kind of forking mechanism.

The library split was mentioned here:

I have tried to patch so that the dlopen call is first tested with RTLD_NOLOAD option, but that just give the result that it is not loaded and then when loaded it returns null because it is already loaded (I guess that is the reason).

I have also tried without RTLD_NOW option but then it does not work at all.

I have also tried to make static variables to check for the handle but apparently they are not in the same memory space because it is not set the second time.

I can see that the library is first loaded here:
[nssinit.c:556(nss_Init)] ENTER nss_Init(sql:/home/ola/.pki/nssdb, ...)

And then later (by another thready I guess) it is loaded by
[nssinit.c:556(nss_Init)] ENTER nss_Init(, ...)

From the NSS code there is a function that should only be called once and it is apparently called twice.

As I can see it there are the following options:
1) Do nothing. Let it be like this. We have a regression problem but only for software that fork and use nss in several threads.
2) Try to reverse the library split. This is a non-trivial task.
3) Try to fix the dlopen problem. I have tried in many ways but always fail. If anyone have a really good idea about this, please let me know.
4) Reverse the whole nss update. I'm not 100% sure how to do that as we did a version update and it is hard to "downgrade". We can certainly fix the CVE that this update solved. It should not be too hard.

What do you all think is the best option?

The investigation have taken a considerable amount of time so I do not want to continue with this unless you really think it is important.
Also I think I need some help as I'm running load on time.

I have made a heavy patch for this that you can have if you are interested. It just adds debug code.
The result of that is seen below.

(gdb) run
Starting program: /usr/lib/chromium/chromium --password-store=detect 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffeb8b1700 (LWP 19564)]
[1:1:1104/115422:ERROR:image_metadata_extractor.cc(106)] Couldn't load libexif.
[New Thread 0x7fffeb0b0700 (LWP 19571)]
[New Thread 0x7fffe9e75700 (LWP 19572)]
[New Thread 0x7fffe9674700 (LWP 19573)]
[New Thread 0x7ffff7ea9700 (LWP 19574)]
[New Thread 0x7ffff7e88700 (LWP 19575)]
[New Thread 0x7fffe8e73700 (LWP 19576)]
[Thread 0x7fffe8e73700 (LWP 19576) exited]
[New Thread 0x7fffe8e73700 (LWP 19577)]
[New Thread 0x7ffff7e67700 (LWP 19578)]
[nssinit.c:556(nss_Init)] ENTER nss_Init(sql:/home/ola/.pki/nssdb, ...)
[genload.c:155(loader_LoadLibrary)] Enter libfreeblpriv3.so => /usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so
[genload.c:108(loader_LoadLibInReferenceDir)] 'dlopen' /usr/lib/x86_64-linux-gnu/nss/libfreeblpriv3.so
[genload.c:113(loader_LoadLibInReferenceDir)] It was not loaded before! Loading now.
[pk11load.c:455(secmod_LoadPKCS11Module)] library == NULL
[nssinit.c:798(nss_Init)] RET Success
[New Thread 0x7fffe2ed4700 (LWP 19579)]
[New Thread 0x7fffe26d3700 (LWP 19580)]
[New Thread 0x7fffe1ed2700 (LWP 19581)]
[New Thread 0x7fffe16d1700 (LWP 19582)]
[New Thread 0x7fffe0ed0700 (LWP 19583)]
[New Thread 0x7fffe06cf700 (LWP 19584)]
[New Thread 0x7fffdfece700 (LWP 19585)]
[New Thread 0x7fffdf6cd700 (LWP 19586)]
[New Thread 0x7fffde6cb700 (LWP 19588)]
[New Thread 0x7fffddeca700 (LWP 19589)]
[New Thread 0x7fffdeecc700 (LWP 19587)]
[New Thread 0x7fffdd6c9700 (LWP 19591)]
[New Thread 0x7fffdcec8700 (LWP 19593)]
[New Thread 0x7fffd7fff700 (LWP 19595)]
[19590:19590:1104/115423:ERROR:sandbox_linux.cc(308)] InitializeSandbox() called with multiple threads in process gpu-process
[New Thread 0x7fffd77fe700 (LWP 19603)]
[New Thread 0x7fffd6ffd700 (LWP 19604)]
[New Thread 0x7fffd67fc700 (LWP 19607)]
[nssinit.c:556(nss_Init)] ENTER nss_Init(, ...)
[genload.c:155(loader_LoadLibrary)] Enter libfreeblpriv3.so => /usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so
[genload.c:108(loader_LoadLibInReferenceDir)] 'dlopen' /usr/lib/x86_64-linux-gnu/nss/libfreeblpriv3.so
[genload.c:113(loader_LoadLibInReferenceDir)] It was not loaded before! Loading now.
[genload.c:186(loader_LoadLibrary)] Loading failed: libfreeblpriv3.so
[loader.c:89(freebl_LoadDSO)] Other failure for name libfreeblpriv3.so
[loader.c:746(RNG_RNGInit)] !vector && PR_SUCCESS != freebl_RunLoaderOnce()
[pkcs11.c:2921(nsc_CommonInitialize)] RNG_RNGInit() -1
[loader.c:746(RNG_RNGInit)] !vector && PR_SUCCESS != freebl_RunLoaderOnce()
[pkcs11.c:2921(nsc_CommonInitialize)] RNG_RNGInit() -1
[pk11load.c:301(secmod_ModuleInit)] PK11_MapError 48
[pk11load.c:504(secmod_LoadPKCS11Module)] secmod_ModuleInit
[pk11pars.c:1544(SECMOD_LoadModule)] secmod_LoadPKCS11Module
[pk11pars.c:1583(SECMOD_LoadModule)] Child load error: -8023 (library= name="NSS Internal PKCS #11 Module" parameters="configdir='' certPrefix='' keyPrefix='' secmod='' flags=readOnly,noCertDB,noModDB,forceOpen,optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' " NSS="Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})")

Best regards

// Ola

On 3 November 2016 at 05:22, Ben Hutchings <ben@decadent.org.uk> wrote:
On Wed, 2016-11-02 at 20:41 +0100, Jiří Jánský wrote:
> Hello all,
> there is still one thing, that is unclear for me. Chromium is security
> unsupported package. But does it also mean, that it is unsupported at all
> (can be non-function after install by apt-get install chromium)?

I don't think we've specifically discussed this yet.  That's what is
happening now.


Ben Hutchings
The world is coming to an end.  Please log off.

 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /

Reply to: