[Bug 907342] [NEW] Firefox certificate segfault

Marco 907342 at bugs.launchpad.net
Wed Dec 21 13:17:49 UTC 2011


Public bug reported:

My firefox instances crash quickly due to an obviously
certificate-related issue.

E.g. after visiting sz.de with the following backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffd1fe3700 (LWP 6564)]
0x00007fffd20024ea in builtins_mdObject_GetAttribute (mdObject=<optimized out>, fwObject=<optimized out>, mdSession=<optimized out>, 
    fwSession=<optimized out>, mdToken=0x7fffd2251a60, fwToken=0x7fffd27be030, mdInstance=0x7fffd200c4df, fwInstance=0x7fffd2251940, 
    attribute=140736724717616, pError=0x1) at bobject.c:194
194	bobject.c: No such file or directory.
	in bobject.c
(gdb) bt
#0  0x00007fffd20024ea in builtins_mdObject_GetAttribute (mdObject=<optimized out>, fwObject=<optimized out>, 
    mdSession=<optimized out>, fwSession=<optimized out>, mdToken=0x7fffd2251a60, fwToken=0x7fffd27be030, mdInstance=0x7fffd200c4df, 
    fwInstance=0x7fffd2251940, attribute=140736724717616, pError=0x1) at bobject.c:194
#1  0x00007fffd27be268 in ?? ()
#2  0x00007fffd200c4df in nssCKFWObject_GetAttribute (fwObject=0x7fffd27be268, attribute=1, itemOpt=0x7fffd1fe2608, arenaOpt=0x0, 
    pError=0x7fffd1fe2618) at object.c:634
#3  0x00007fffd2007028 in NSSCKFWC_GetAttributeValue (fwInstance=<optimized out>, hSession=<optimized out>, hObject=<optimized out>, 
    pTemplate=<optimized out>, ulCount=2) at wrap.c:2357
#4  0x00007ffff5b3e5b7 in nssCKObject_GetAttributes (object=2, obj_template=0x7fffd1fe26e0, count=2, arenaOpt=0x0, 
    session=0x7fffd2773238, slot=0x7fffd27c3030) at ckhelper.c:151
#5  0x00007ffff5b3d80c in nssCryptokiObject_Create (t=0x7fffd27c2030, session=<optimized out>, h=2) at devutil.c:65
#6  0x00007ffff5b3b605 in create_objects_from_handles (tok=0x7fffd27c2030, session=0x7fffd2773238, handles=0x7fffd1fe27b8, 
    numH=<optimized out>) at devtoken.c:275
#7  0x00007ffff5b3b88f in find_objects (tok=0x7fffd27c2030, sessionOpt=<optimized out>, obj_template=0x7fffd1fe27b8, 
    otsize=<optimized out>, maximumOpt=1, statusOpt=0x7fffd1fe29bc) at devtoken.c:382
#8  0x00007ffff5b3ba3a in find_objects_by_template (token=0x7fffd27c2030, sessionOpt=0x7fffd2773238, obj_template=0x7fffd1fe28f0, 
    otsize=4, maximumOpt=1, statusOpt=0x7fffd1fe29bc) at devtoken.c:468
#9  0x00007ffff5b3c1e2 in nssToken_FindCertificateByIssuerAndSerialNumber (token=0x7fffd27c2030, sessionOpt=0x7fffd2773238, 
    issuer=<optimized out>, serial=0x7fffd1fe2a10, searchType=nssTokenSearchType_TokenOnly, statusOpt=0x7fffd1fe29bc)
    at devtoken.c:880
#10 0x00007ffff5b36bd5 in nssTrustDomain_FindCertificateByIssuerAndSerialNumber (td=0x7fffd2773030, issuer=0x7fffd1fe2a00, 
    serial=0x7fffd1fe2a10) at trustdomain.c:808
#11 0x00007ffff5b36ce6 in nssTrustDomain_FindCertificateByEncodedCertificate (td=0x7fffd2773030, ber=0x7fffd1fe2a80)
    at trustdomain.c:879
#12 0x00007ffff5b325d8 in CERT_NewTempCertificate (handle=0x7fffd2773030, derCert=0x7fffd1fe2b98, nickname=0x0, 
    isperm=<optimized out>, copyDER=1) at stanpcertdb.c:394
#13 0x00007ffff58bcfd1 in ssl3_HandleCertificate (length=0, b=0x7fffcbad61e5 "", ss=0x7fffcbacc000) at ssl3con.c:7881
#14 ssl3_HandleHandshakeMessage (ss=0x7fffcbacc000, b=<optimized out>, length=<optimized out>) at ssl3con.c:8601
#15 0x00007ffff58beb4c in ssl3_HandleHandshake (origBuf=0x7fffcbacc368, ss=0x7fffcbacc000) at ssl3con.c:8725
#16 ssl3_HandleRecord (ss=0x7fffcbacc000, cText=<optimized out>, databuf=0x7fffcbacc368) at ssl3con.c:9064
#17 0x00007ffff58bf4ef in ssl3_GatherCompleteHandshake (ss=0x7fffcbacc000, flags=0) at ssl3gthr.c:209
#18 0x00007ffff58c0488 in ssl_GatherRecord1stHandshake (ss=0x7fffcbacc000) at sslcon.c:1258
#19 0x00007ffff58c5fbe in ssl_Do1stHandshake (ss=0x7fffcbacc000) at sslsecur.c:151
#20 0x00007ffff58c6ff3 in ssl_SecureSend (ss=0x7fffcbacc000, 
    buf=0x7fffd0534ca0 "GET /ipecho/ HTTP/1.1\r\nHost: secure.informaction.com\r\nReferer: https://secure.informaction.com/\r\nDNT: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n\377\377\324\317\001", len=150, flags=<optimized out>) at sslsecur.c:1222
#21 0x00007ffff58c9ed0 in ssl_Write (fd=<optimized out>, buf=0x7fffd0534ca0, len=150) at sslsock.c:1659
#22 0x00007ffff4458ed1 in nsSSLThread::Run (this=0x7fffd27ba560)
    at /build/buildd/firefox-8.0+build1/build-tree/mozilla/security/manager/ssl/src/nsSSLThread.cpp:1047
#23 0x00007ffff6aea0f3 in _pt_root (arg=0x7fffd3e12130)
    at /build/buildd/firefox-8.0+build1/build-tree/mozilla/nsprpub/pr/src/pthreads/ptthread.c:187
#24 0x00007ffff76bbefc in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
---Type <return> to continue, or q <return> to quit---
#25 0x00007ffff73f689d in clone () from /lib/x86_64-linux-gnu/libc.so.6
#26 0x0000000000000000 in ?? ()


Or after opening the extensions view:

Program received signal SIGSEGV, Segmentation fault.
0x00007fffd20024ea in builtins_mdObject_GetAttribute (mdObject=<optimized out>, fwObject=<optimized out>, mdSession=<optimized out>, 
    fwSession=<optimized out>, mdToken=0x7fffd2251a60, fwToken=0x7fffd27c5030, mdInstance=0x7fffd27c4030, fwInstance=0x1, 
    attribute=140737488331912, pError=0x7fffd2251a60) at bobject.c:194
194	bobject.c: No such file or directory.
	in bobject.c
(gdb) bt
#0  0x00007fffd20024ea in builtins_mdObject_GetAttribute (mdObject=<optimized out>, fwObject=<optimized out>, 
    mdSession=<optimized out>, fwSession=<optimized out>, mdToken=0x7fffd2251a60, fwToken=0x7fffd27c5030, mdInstance=0x7fffd27c4030, 
    fwInstance=0x1, attribute=140737488331912, pError=0x7fffd2251a60) at bobject.c:194
#1  0x00007fffd2251940 in ?? () from /usr/lib/firefox-8.0/libnssckbi.so
#2  0x00007fffd27c4030 in ?? ()
#3  0x0000000000000001 in ?? ()
#4  0x00007fffffffa488 in ?? ()
#5  0x00007fffd2251a60 in nss_builtins_mdSlot () from /usr/lib/firefox-8.0/libnssckbi.so
#6  0x00007fffd200c44c in nssCKFWObject_GetAttributeSize (fwObject=0x7fffd27c5268, attribute=0, pError=0x7fffffffa478) at object.c:586
#7  0x00007fffd2007028 in NSSCKFWC_GetAttributeValue (fwInstance=<optimized out>, hSession=<optimized out>, hObject=<optimized out>, 
    pTemplate=<optimized out>, ulCount=2) at wrap.c:2357
#8  0x00007ffff5b3e5b7 in nssCKObject_GetAttributes (object=2, obj_template=0x7fffffffa550, count=2, arenaOpt=0x0, 
    session=0x7fffd2773238, slot=0x7fffd27ca030) at ckhelper.c:151
#9  0x00007ffff5b3d80c in nssCryptokiObject_Create (t=0x7fffd27c9030, session=<optimized out>, h=2) at devutil.c:65
#10 0x00007ffff5b3b605 in create_objects_from_handles (tok=0x7fffd27c9030, session=0x7fffd2773238, handles=0x7fffffffa628, 
    numH=<optimized out>) at devtoken.c:275
#11 0x00007ffff5b3b88f in find_objects (tok=0x7fffd27c9030, sessionOpt=<optimized out>, obj_template=0x7fffffffa628, 
    otsize=<optimized out>, maximumOpt=0, statusOpt=0x7fffffffa7ec) at devtoken.c:382
#12 0x00007ffff5b3ba3a in find_objects_by_template (token=0x7fffd27c9030, sessionOpt=0x7fffd2773238, obj_template=0x7fffffffa758, 
    otsize=3, maximumOpt=0, statusOpt=0x7fffffffa7ec) at devtoken.c:468
#13 0x00007ffff5b3bddb in nssToken_FindCertificatesBySubject (token=<optimized out>, sessionOpt=<optimized out>, 
    subject=<optimized out>, searchType=<optimized out>, maximumOpt=<optimized out>, statusOpt=<optimized out>) at devtoken.c:666
#14 0x00007ffff5b369e9 in nssTrustDomain_FindCertificatesBySubject (td=<optimized out>, subject=0x7fffc8f810f8, rvOpt=0x0, 
    maximumOpt=0, arenaOpt=0x7fffc9074f20) at trustdomain.c:642
#15 0x00007ffff5b352bc in find_cert_issuer (cc=0x7fffd27ae030, td=0x7fffd2773030, policiesOpt=0x0, usage=0x7fffffffa874, 
    timeOpt=0x7fffc8f8bd90, c=0x7fffc8f81088) at certificate.c:441
#16 nssCertificate_BuildChain (c=0x7fffc8f81088, timeOpt=0x7fffc8f8bd90, usage=<optimized out>, policiesOpt=0x0, 
    rvOpt=0x7fffffffa8f8, rvLimit=2, arenaOpt=0x0, statusOpt=0x7fffffffa91c, td=<optimized out>, cc=0x7fffd27ae030)
    at certificate.c:516
#17 0x00007ffff5aff322 in CERT_FindCertIssuer (cert=0x7fffc8f81820, validTime=<optimized out>, usage=<optimized out>) at certvfy.c:186
#18 0x00007ffff5aff793 in cert_VerifyCertChainOld (revoked=0x0, log=0x0, wincx=0x0, t=1323855929000000, 
    certUsage=certUsageObjectSigner, sigerror=0x0, checkSig=1, cert=<optimized out>, handle=0x7fffd2773030) at certvfy.c:470
#19 cert_VerifyCertChain (handle=0x7fffd2773030, cert=<optimized out>, checkSig=1, sigerror=0x0, certUsage=certUsageObjectSigner, 
    t=1323855929000000, wincx=0x0, log=0x0, revoked=0x0) at certvfy.c:694
#20 0x00007ffff5affcef in CERT_VerifyCertChain (handle=<optimized out>, cert=<optimized out>, checkSig=<optimized out>, 
    certUsage=<optimized out>, t=<optimized out>, wincx=<optimized out>, log=0x0) at certvfy.c:703
#21 0x00007ffff5b006a4 in CERT_VerifyCert (handle=0x7fffd2773030, cert=0x7fffc8f7d020, checkSig=1, certUsage=certUsageObjectSigner, 
    t=1323855929000000, wincx=0x0, log=0x0) at certvfy.c:1291
#22 0x00007ffff569e4d6 in sec_pkcs7_verify_signature (cinfo=0x7fffd0518820, certusage=certUsageObjectSigner, 
    detached_digest=0x7fffffffadc0, digest_type=HASH_AlgSHA1, keepcerts=<optimized out>) at p7decode.c:1585
#23 0x00007ffff445df4d in nsNSSComponent::VerifySignature (this=0x7fffd2766000, aRSABuf=<optimized out>, aRSABufLen=<optimized out>, 
    aPlaintext=<optimized out>, aPlaintextLen=3971, aErrorCode=0x7fffffffb044, aPrincipal=0x7fffdd4d02d0)
    at /build/buildd/firefox-8.0+build1/build-tree/mozilla/security/manager/ssl/src/nsNSSComponent.cpp:2135
#24 0x00007ffff3dc1e5e in nsJAR::ParseManifest (this=0x7fffdd4d0230)
    at /build/buildd/firefox-8.0+build1/build-tree/mozilla/modules/libjar/nsJAR.cpp:625
#25 0x00007ffff3dc20f7 in nsJAR::GetCertificatePrincipal (this=0x7fffdd4d0230, aFilename=0x7fffc93b8c48 "icon.png", 
    aPrincipal=0x7fffffffb238) at /build/buildd/firefox-8.0+build1/build-tree/mozilla/modules/libjar/nsJAR.cpp:398
#26 0x00007ffff3dc3183 in nsJARChannel::GetOwner (this=0x7fffd276eec0, result=0x7fffffffb3c0)
    at /build/buildd/firefox-8.0+build1/build-tree/mozilla/modules/libjar/nsJARChannel.cpp:538
#27 0x00007ffff41d9081 in nsScriptSecurityManager::GetChannelPrincipal (this=0x7fffe4d26af0, aChannel=0x7fffd276eec0, 
    aPrincipal=0x7fffd276fc30) at /build/buildd/firefox-8.0+build1/build-tree/mozilla/caps/src/nsScriptSecurityManager.cpp:353
#28 0x00007ffff3e0b36d in imgRequest::OnStartRequest (this=0x7fffd276fbd0, aRequest=0x7fffd276eec0, ctxt=<optimized out>)
    at /build/buildd/firefox-8.0+build1/build-tree/mozilla/modules/libpr0n/src/imgRequest.cpp:881
#29 0x00007ffff3e04137 in OnStartRequest (ctxt=0x0, aRequest=0x7fffd276eec0, this=0x7fffc93b8be0)
    at /build/buildd/firefox-8.0+build1/build-tree/mozilla/modules/libpr0n/src/imgLoader.cpp:2081
#30 ProxyListener::OnStartRequest (this=0x7fffc93b8be0, aRequest=0x7fffd276eec0, ctxt=0x0)
    at /build/buildd/firefox-8.0+build1/build-tree/mozilla/modules/libpr0n/src/imgLoader.cpp:2047
#31 0x00007ffff3d1b685 in nsInputStreamPump::OnStateStart (this=0x7fffc900fe40)
    at /build/buildd/firefox-8.0+build1/build-tree/mozilla/netwerk/base/src/nsInputStreamPump.cpp:441
#32 0x00007ffff3d1b8e7 in nsInputStreamPump::OnInputStreamReady (this=0x7fffc900fe40, stream=<optimized out>)
    at /build/buildd/firefox-8.0+build1/build-tree/mozilla/netwerk/base/src/nsInputStreamPump.cpp:397
#33 0x00007ffff46ce9f4 in nsInputStreamReadyEvent::Run (this=<optimized out>)
---Type <return> to continue, or q <return> to quit---
    at /build/buildd/firefox-8.0+build1/build-tree/mozilla/xpcom/io/nsStreamUtils.cpp:114
#34 0x00007ffff46ddc84 in nsThread::ProcessNextEvent (this=0x7fffea32a950, mayWait=0, result=0x7fffffffb6cc)
    at /build/buildd/firefox-8.0+build1/build-tree/mozilla/xpcom/threads/nsThread.cpp:631
#35 0x00007ffff46b21c2 in NS_ProcessNextEvent_P (thread=<optimized out>, mayWait=<optimized out>)
    at /build/buildd/firefox-8.0+build1/build-tree/mozilla/obj-x86_64-linux-gnu/xpcom/build/nsThreadUtils.cpp:245
#36 0x00007ffff45fe79e in mozilla::ipc::MessagePump::Run (this=0x7fffea34d140, aDelegate=0x7ffff6d81f90)
    at /build/buildd/firefox-8.0+build1/build-tree/mozilla/ipc/glue/MessagePump.cpp:110
#37 0x00007ffff46fac77 in RunHandler (this=0x7ffff6d81f90)
    at /build/buildd/firefox-8.0+build1/build-tree/mozilla/ipc/chromium/src/base/message_loop.cc:205
#38 MessageLoop::Run (this=0x7ffff6d81f90)
    at /build/buildd/firefox-8.0+build1/build-tree/mozilla/ipc/chromium/src/base/message_loop.cc:179
#39 0x00007ffff456209e in nsBaseAppShell::Run (this=0x7fffe4d2a320)
    at /build/buildd/firefox-8.0+build1/build-tree/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:189
#40 0x00007ffff4437002 in nsAppStartup::Run (this=0x7fffe2111ec0)
    at /build/buildd/firefox-8.0+build1/build-tree/mozilla/toolkit/components/startup/nsAppStartup.cpp:224
#41 0x00007ffff3cfebf8 in XRE_main (argc=<optimized out>, argv=<optimized out>, aAppData=<optimized out>)
    at /build/buildd/firefox-8.0+build1/build-tree/mozilla/toolkit/xre/nsAppRunner.cpp:3544
#42 0x0000555555555e77 in do_main (argv=0x7fffffffe238, argc=1, exePath=0x7fffffffc128 "/usr/lib/firefox-8.0/libxpcom.so")
    at /build/buildd/firefox-8.0+build1/build-tree/mozilla/browser/app/nsBrowserApp.cpp:198
#43 main (argc=<optimized out>, argv=<optimized out>)
    at /build/buildd/firefox-8.0+build1/build-tree/mozilla/browser/app/nsBrowserApp.cpp:281


It started to become very unstable after upgrading from Natty to Oneiric (both amd64).

firefox package version: 8.0+build1-0ubuntu0.11.10.3

** Affects: firefox (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Mozilla
Bugs, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/907342
