[gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/, dev-libs/nss/files/ - gentoo-commits

From:	Thomas Deutschmann <whissi@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/, dev-libs/nss/files/
Date:	Tue, 01 Dec 2020 16:56:46
Message-Id:	`1606841796.d3f2cba10c86d044abad85e9b00b539e365eca8f.whissi@gentoo`

1

commit:     d3f2cba10c86d044abad85e9b00b539e365eca8f

2

Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>

3

AuthorDate: Tue Dec  1 16:53:52 2020 +0000

4

Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>

5

CommitDate: Tue Dec  1 16:56:36 2020 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3f2cba1

7

8

dev-libs/nss: don't hold slot lock when taking session lock

9

10

Closes: https://bugs.gentoo.org/756244

11

Package-Manager: Portage-3.0.10, Repoman-3.0.2

12

Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>

13

14

 ...t-hold-slot-lock-when-taking-session-lock.patch | 93 ++++++++++++++++++++++

15

 .../nss/{nss-3.59.ebuild => nss-3.59-r1.ebuild}    |  1 +

16

 2 files changed, 94 insertions(+)

17

18

diff --git a/dev-libs/nss/files/nss-3.59-dont-hold-slot-lock-when-taking-session-lock.patch b/dev-libs/nss/files/nss-3.59-dont-hold-slot-lock-when-taking-session-lock.patch

19

new file mode 100644

20

index 00000000000..be4ebfe4796

21

--- /dev/null

22

+++ b/dev-libs/nss/files/nss-3.59-dont-hold-slot-lock-when-taking-session-lock.patch

23

@@ -0,0 +1,93 @@

24

+

25

+# HG changeset patch

26

+# User Kevin Jacobs <kjacobs@×××××××.com>

27

+# Date 1606813429 0

28

+# Node ID 19585ccc7a1f0f4e9a8d2b9c5ceeb408ea90acb9

29

+# Parent  f1e48fbead3d9e69500d7aedc1ef6e4bf334f41e

30

+Bug 1679290 - Don't hold slot lock when taking session lock r=bbeurdouche

31

+

32

+[[ https://hg.mozilla.org/projects/nss/rev/0ed11a5835ac1556ff978362cd61069d48f4c5db | 0ed11a5835ac1556ff978362cd61069d48f4c5db ]] fixed a number of race conditions related to NSSSlot member accesses. Unfortunately the locking order that was imposed by that patch has been found to cause problems for at least one PKCS11 module, libnsspem.

33

+

34

+This patch drops nested locking in favor of unlocking/re-locking. While this isn't perfect, the original problem in bug 1663661 was that `slot->token` could become NULL, which we can easily check after reacquiring.

35

+

36

+Differential Revision: https://phabricator.services.mozilla.com/D98247

37

+

38

+diff --git a/lib/dev/devslot.c b/lib/dev/devslot.c

39

+--- a/lib/dev/devslot.c

40

++++ b/lib/dev/devslot.c

41

+@@ -183,25 +183,32 @@ nssSlot_IsTokenPresent(

42

+     if ((slot->ckFlags & CKF_TOKEN_PRESENT) == 0) {

43

+         if (!slot->token) {

44

+             /* token was never present */

45

+             isPresent = PR_FALSE;

46

+             goto done; /* slot lock held */

47

+         }

48

+         session = nssToken_GetDefaultSession(slot->token);

49

+         if (session) {

50

++            nssSlot_ExitMonitor(slot);

51

+             nssSession_EnterMonitor(session);

52

+             /* token is not present */

53

+             if (session->handle != CK_INVALID_HANDLE) {

54

+                 /* session is valid, close and invalidate it */

55

+                 CKAPI(epv)

56

+                     ->C_CloseSession(session->handle);

57

+                 session->handle = CK_INVALID_HANDLE;

58

+             }

59

+             nssSession_ExitMonitor(session);

60

++            nssSlot_EnterMonitor(slot);

61

++            if (!slot->token) {

62

++                /* Check token presence after re-acquiring lock */

63

++                isPresent = PR_FALSE;

64

++                goto done; /* slot lock held */

65

++            }

66

+         }

67

+         if (slot->token->base.name[0] != 0) {

68

+             /* notify the high-level cache that the token is removed */

69

+             slot->token->base.name[0] = 0; /* XXX */

70

+             nssToken_NotifyCertsNotVisible(slot->token);

71

+         }

72

+         slot->token->base.name[0] = 0; /* XXX */

73

+         /* clear the token cache */

74

+@@ -218,34 +225,41 @@ nssSlot_IsTokenPresent(

75

+     }

76

+

77

+     /* token is present, use the session info to determine if the card

78

+      * has been removed and reinserted.

79

+      */

80

+     session = nssToken_GetDefaultSession(slot->token);

81

+     if (session) {

82

+         PRBool tokenRemoved;

83

++        nssSlot_ExitMonitor(slot);

84

+         nssSession_EnterMonitor(session);

85

+         if (session->handle != CK_INVALID_HANDLE) {

86

+             CK_SESSION_INFO sessionInfo;

87

+             ckrv = CKAPI(epv)->C_GetSessionInfo(session->handle, &sessionInfo);

88

+             if (ckrv != CKR_OK) {

89

+                 /* session is screwy, close and invalidate it */

90

+                 CKAPI(epv)

91

+                     ->C_CloseSession(session->handle);

92

+                 session->handle = CK_INVALID_HANDLE;

93

+             }

94

+         }

95

+         tokenRemoved = (session->handle == CK_INVALID_HANDLE);

96

+         nssSession_ExitMonitor(session);

97

++        nssSlot_EnterMonitor(slot);

98

+         /* token not removed, finished */

99

+         if (!tokenRemoved) {

100

+             isPresent = PR_TRUE;

101

+             goto done; /* slot lock held */

102

+         }

103

++        if (!slot->token) {

104

++            /* Check token presence after re-acquiring lock */

105

++            isPresent = PR_FALSE;

106

++            goto done; /* slot lock held */

107

++        }

108

+     }

109

+     /* the token has been removed, and reinserted, or the slot contains

110

+      * a token it doesn't recognize. invalidate all the old

111

+      * information we had on this token, if we can't refresh, clear

112

+      * the present flag */

113

+     nssToken_NotifyCertsNotVisible(slot->token);

114

+     nssToken_Remove(slot->token);

115

+     /* token has been removed, need to refresh with new session */

116

+

117

118

diff --git a/dev-libs/nss/nss-3.59.ebuild b/dev-libs/nss/nss-3.59-r1.ebuild

119

similarity index 99%

120

rename from dev-libs/nss/nss-3.59.ebuild

121

rename to dev-libs/nss/nss-3.59-r1.ebuild

122

index 37ab7c58696..82184ff8a71 100644

123

--- a/dev-libs/nss/nss-3.59.ebuild

124

+++ b/dev-libs/nss/nss-3.59-r1.ebuild

125

@@ -40,6 +40,7 @@ PATCHES=(

126

 	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"

127

 	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"

128

 	"${FILESDIR}/${PN}-3.53-fix-building-on-ppc.patch"

129

+	"${FILESDIR}/${PN}-3.59-dont-hold-slot-lock-when-taking-session-lock.patch"

130

)

131

132

 src_prepare() {

1	commit: d3f2cba10c86d044abad85e9b00b539e365eca8f
2	Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
3	AuthorDate: Tue Dec 1 16:53:52 2020 +0000
4	Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
5	CommitDate: Tue Dec 1 16:56:36 2020 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3f2cba1
7
8	dev-libs/nss: don't hold slot lock when taking session lock
9
10	Closes: https://bugs.gentoo.org/756244
11	Package-Manager: Portage-3.0.10, Repoman-3.0.2
12	Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>
13
14	...t-hold-slot-lock-when-taking-session-lock.patch \| 93 ++++++++++++++++++++++
15	.../nss/{nss-3.59.ebuild => nss-3.59-r1.ebuild} \| 1 +
16	2 files changed, 94 insertions(+)
17
18	diff --git a/dev-libs/nss/files/nss-3.59-dont-hold-slot-lock-when-taking-session-lock.patch b/dev-libs/nss/files/nss-3.59-dont-hold-slot-lock-when-taking-session-lock.patch
19	new file mode 100644
20	index 00000000000..be4ebfe4796
21	--- /dev/null
22	+++ b/dev-libs/nss/files/nss-3.59-dont-hold-slot-lock-when-taking-session-lock.patch
23	@@ -0,0 +1,93 @@
24	+
25	+# HG changeset patch
26	+# User Kevin Jacobs <kjacobs@×××××××.com>
27	+# Date 1606813429 0
28	+# Node ID 19585ccc7a1f0f4e9a8d2b9c5ceeb408ea90acb9
29	+# Parent f1e48fbead3d9e69500d7aedc1ef6e4bf334f41e
30	+Bug 1679290 - Don't hold slot lock when taking session lock r=bbeurdouche
31	+
32	+[[ https://hg.mozilla.org/projects/nss/rev/0ed11a5835ac1556ff978362cd61069d48f4c5db \| 0ed11a5835ac1556ff978362cd61069d48f4c5db ]] fixed a number of race conditions related to NSSSlot member accesses. Unfortunately the locking order that was imposed by that patch has been found to cause problems for at least one PKCS11 module, libnsspem.
33	+
34	+This patch drops nested locking in favor of unlocking/re-locking. While this isn't perfect, the original problem in bug 1663661 was that `slot->token` could become NULL, which we can easily check after reacquiring.
35	+
36	+Differential Revision: https://phabricator.services.mozilla.com/D98247
37	+
38	+diff --git a/lib/dev/devslot.c b/lib/dev/devslot.c
39	+--- a/lib/dev/devslot.c
40	++++ b/lib/dev/devslot.c
41	+@@ -183,25 +183,32 @@ nssSlot_IsTokenPresent(
42	+ if ((slot->ckFlags & CKF_TOKEN_PRESENT) == 0) {
43	+ if (!slot->token) {
44	+ /* token was never present */
45	+ isPresent = PR_FALSE;
46	+ goto done; /* slot lock held */
47	+ }
48	+ session = nssToken_GetDefaultSession(slot->token);
49	+ if (session) {
50	++ nssSlot_ExitMonitor(slot);
51	+ nssSession_EnterMonitor(session);
52	+ /* token is not present */
53	+ if (session->handle != CK_INVALID_HANDLE) {
54	+ /* session is valid, close and invalidate it */
55	+ CKAPI(epv)
56	+ ->C_CloseSession(session->handle);
57	+ session->handle = CK_INVALID_HANDLE;
58	+ }
59	+ nssSession_ExitMonitor(session);
60	++ nssSlot_EnterMonitor(slot);
61	++ if (!slot->token) {
62	++ /* Check token presence after re-acquiring lock */
63	++ isPresent = PR_FALSE;
64	++ goto done; /* slot lock held */
65	++ }
66	+ }
67	+ if (slot->token->base.name[0] != 0) {
68	+ /* notify the high-level cache that the token is removed */
69	+ slot->token->base.name[0] = 0; /* XXX */
70	+ nssToken_NotifyCertsNotVisible(slot->token);
71	+ }
72	+ slot->token->base.name[0] = 0; /* XXX */
73	+ /* clear the token cache */
74	+@@ -218,34 +225,41 @@ nssSlot_IsTokenPresent(
75	+ }
76	+
77	+ /* token is present, use the session info to determine if the card
78	+ * has been removed and reinserted.
79	+ */
80	+ session = nssToken_GetDefaultSession(slot->token);
81	+ if (session) {
82	+ PRBool tokenRemoved;
83	++ nssSlot_ExitMonitor(slot);
84	+ nssSession_EnterMonitor(session);
85	+ if (session->handle != CK_INVALID_HANDLE) {
86	+ CK_SESSION_INFO sessionInfo;
87	+ ckrv = CKAPI(epv)->C_GetSessionInfo(session->handle, &sessionInfo);
88	+ if (ckrv != CKR_OK) {
89	+ /* session is screwy, close and invalidate it */
90	+ CKAPI(epv)
91	+ ->C_CloseSession(session->handle);
92	+ session->handle = CK_INVALID_HANDLE;
93	+ }
94	+ }
95	+ tokenRemoved = (session->handle == CK_INVALID_HANDLE);
96	+ nssSession_ExitMonitor(session);
97	++ nssSlot_EnterMonitor(slot);
98	+ /* token not removed, finished */
99	+ if (!tokenRemoved) {
100	+ isPresent = PR_TRUE;
101	+ goto done; /* slot lock held */
102	+ }
103	++ if (!slot->token) {
104	++ /* Check token presence after re-acquiring lock */
105	++ isPresent = PR_FALSE;
106	++ goto done; /* slot lock held */
107	++ }
108	+ }
109	+ /* the token has been removed, and reinserted, or the slot contains
110	+ * a token it doesn't recognize. invalidate all the old
111	+ * information we had on this token, if we can't refresh, clear
112	+ * the present flag */
113	+ nssToken_NotifyCertsNotVisible(slot->token);
114	+ nssToken_Remove(slot->token);
115	+ /* token has been removed, need to refresh with new session */
116	+
117
118	diff --git a/dev-libs/nss/nss-3.59.ebuild b/dev-libs/nss/nss-3.59-r1.ebuild
119	similarity index 99%
120	rename from dev-libs/nss/nss-3.59.ebuild
121	rename to dev-libs/nss/nss-3.59-r1.ebuild
122	index 37ab7c58696..82184ff8a71 100644
123	--- a/dev-libs/nss/nss-3.59.ebuild
124	+++ b/dev-libs/nss/nss-3.59-r1.ebuild
125	@@ -40,6 +40,7 @@ PATCHES=(
126	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
127	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
128	"${FILESDIR}/${PN}-3.53-fix-building-on-ppc.patch"
129	+ "${FILESDIR}/${PN}-3.59-dont-hold-slot-lock-when-taking-session-lock.patch"
130	)
131
132	src_prepare() {

Gentoo Archives: gentoo-commits