Bug
Resolution: Unresolved
Minor
rhel-10.0
Low
rhel-security-crypto-clubs
ppc64le
What were you trying to do that didn't work?
The following happens on RHEL-10 and ppc64le only. We did not see it on RHEL-10.0.GA, but we can see it on the current versions of both RHEL-10.0 and RHEL-10.1 with both the 3.101 and 3.112 versions of nss.
# mkdir nssdb
# certutil -d nssdb -N --empty-password
# valgrind certutil -d nssdb -A -n ca -t 'cCT,,' -a -i ca.crt
==22701== Memcheck, a memory error detector
==22701== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
==22701== Using Valgrind-3.25.1 and LibVEX; rerun with -h for copyright info
==22701== Command: certutil -d nssdb -A -n ca -t cCT,, -a -i ca.crt
==22701==
==22701== Invalid read of size 8
==22701==    at 0x5795948: ??? (in /usr/lib64/libfreeblpriv3.so)
==22701==    by 0x575B43F: ??? (in /usr/lib64/libfreeblpriv3.so)
==22701==    by 0x57AAE9F: ??? (in /usr/lib64/libfreeblpriv3.so)
==22701==    by 0x5730D4F: ??? (in /usr/lib64/libfreeblpriv3.so)
==22701==    by 0x5711363: ??? (in /usr/lib64/libfreeblpriv3.so)
==22701==    by 0x405827B: call_init (dl-init.c:74)
==22701==    by 0x405827B: _dl_init (dl-init.c:121)
==22701==    by 0x406B667: call_dl_init (dl-open.c:504)
==22701==    by 0x40515DF: _dl_catch_exception (dl-catch.c:211)
==22701==    by 0x406B823: dl_open_worker (dl-open.c:804)
==22701==    by 0x406B823: dl_open_worker (dl-open.c:767)
==22701==    by 0x405153B: _dl_catch_exception (dl-catch.c:237)
==22701==    by 0x406D0CB: _dl_open (dl-open.c:880)
==22701==    by 0x4DA3A77: dlopen_doit (in /usr/lib64/glibc-hwcaps/power10/libc.so.6)
==22701==  Address 0x1fff0046b0 is on thread 1's stack
==22701==  336 bytes below stack pointer
==22701==
==22701== Invalid read of size 8
==22701==    at 0x579594C: ??? (in /usr/lib64/libfreeblpriv3.so)
==22701==    by 0x575B43F: ??? (in /usr/lib64/libfreeblpriv3.so)
==22701==    by 0x57AAE9F: ??? (in /usr/lib64/libfreeblpriv3.so)
==22701==    by 0x5730D4F: ??? (in /usr/lib64/libfreeblpriv3.so)
==22701==    by 0x5711363: ??? (in /usr/lib64/libfreeblpriv3.so)
==22701==    by 0x405827B: call_init (dl-init.c:74)
==22701==    by 0x405827B: _dl_init (dl-init.c:121)
==22701==    by 0x406B667: call_dl_init (dl-open.c:504)
==22701==    by 0x40515DF: _dl_catch_exception (dl-catch.c:211)
==22701==    by 0x406B823: dl_open_worker (dl-open.c:804)
==22701==    by 0x406B823: dl_open_worker (dl-open.c:767)
==22701==    by 0x405153B: _dl_catch_exception (dl-catch.c:237)
==22701==    by 0x406D0CB: _dl_open (dl-open.c:880)
==22701==    by 0x4DA3A77: dlopen_doit (in /usr/lib64/glibc-hwcaps/power10/libc.so.6)
==22701==  Address 0x1fff0046c0 is on thread 1's stack
==22701==  320 bytes below stack pointer
==22701==
==22701== Invalid read of size 8
==22701==    at 0x5795950: ??? (in /usr/lib64/libfreeblpriv3.so)
==22701==    by 0x575B43F: ??? (in /usr/lib64/libfreeblpriv3.so)
==22701==    by 0x57AAE9F: ??? (in /usr/lib64/libfreeblpriv3.so)
==22701==    by 0x5730D4F: ??? (in /usr/lib64/libfreeblpriv3.so)
==22701==    by 0x5711363: ??? (in /usr/lib64/libfreeblpriv3.so)
==22701==    by 0x405827B: call_init (dl-init.c:74)
==22701==    by 0x405827B: _dl_init (dl-init.c:121)
==22701==    by 0x406B667: call_dl_init (dl-open.c:504)
==22701==    by 0x40515DF: _dl_catch_exception (dl-catch.c:211)
==22701==    by 0x406B823: dl_open_worker (dl-open.c:804)
==22701==    by 0x406B823: dl_open_worker (dl-open.c:767)
==22701==    by 0x405153B: _dl_catch_exception (dl-catch.c:237)
==22701==    by 0x406D0CB: _dl_open (dl-open.c:880)
==22701==    by 0x4DA3A77: dlopen_doit (in /usr/lib64/glibc-hwcaps/power10/libc.so.6)
==22701==  Address 0x1fff0046d0 is on thread 1's stack
==22701==  304 bytes below stack pointer
==22701==
==22701== Invalid read of size 8
==22701==    at 0x5798458: ??? (in /usr/lib64/libfreeblpriv3.so)
==22701==    by 0x575B41F: ??? (in /usr/lib64/libfreeblpriv3.so)
==22701==    by 0x57AAE9F: ??? (in /usr/lib64/libfreeblpriv3.so)
==22701==    by 0x5730D7B: ??? (in /usr/lib64/libfreeblpriv3.so)
==22701==    by 0x5711363: ??? (in /usr/lib64/libfreeblpriv3.so)
==22701==    by 0x405827B: call_init (dl-init.c:74)
==22701==    by 0x405827B: _dl_init (dl-init.c:121)
==22701==    by 0x406B667: call_dl_init (dl-open.c:504)
==22701==    by 0x40515DF: _dl_catch_exception (dl-catch.c:211)
==22701==    by 0x406B823: dl_open_worker (dl-open.c:804)
==22701==    by 0x406B823: dl_open_worker (dl-open.c:767)
==22701==    by 0x405153B: _dl_catch_exception (dl-catch.c:237)
==22701==    by 0x406D0CB: _dl_open (dl-open.c:880)
==22701==    by 0x4DA3A77: dlopen_doit (in /usr/lib64/glibc-hwcaps/power10/libc.so.6)
==22701==  Address 0x1fff000ed0 is on thread 1's stack
==22701==  304 bytes below stack pointer
==22701==
==22701== Invalid read of size 8
==22701==    at 0x579B0BC: ??? (in /usr/lib64/libfreeblpriv3.so)
==22701==    by 0x575B3FF: ??? (in /usr/lib64/libfreeblpriv3.so)
==22701==    by 0x57AAE9F: ??? (in /usr/lib64/libfreeblpriv3.so)
==22701==    by 0x5730DA7: ??? (in /usr/lib64/libfreeblpriv3.so)
==22701==    by 0x5711363: ??? (in /usr/lib64/libfreeblpriv3.so)
==22701==    by 0x405827B: call_init (dl-init.c:74)
==22701==    by 0x405827B: _dl_init (dl-init.c:121)
==22701==    by 0x406B667: call_dl_init (dl-open.c:504)
==22701==    by 0x40515DF: _dl_catch_exception (dl-catch.c:211)
==22701==    by 0x406B823: dl_open_worker (dl-open.c:804)
==22701==    by 0x406B823: dl_open_worker (dl-open.c:767)
==22701==    by 0x405153B: _dl_catch_exception (dl-catch.c:237)
==22701==    by 0x406D0CB: _dl_open (dl-open.c:880)
==22701==    by 0x4DA3A77: dlopen_doit (in /usr/lib64/glibc-hwcaps/power10/libc.so.6)
==22701==  Address 0x1ffeffa6d0 is on thread 1's stack
==22701==  304 bytes below stack pointer
==22701==
==22701==
==22701== HEAP SUMMARY:
==22701==     in use at exit: 7,955 bytes in 25 blocks
==22701==   total heap usage: 10,341 allocs, 10,316 frees, 3,407,148 bytes allocated
==22701==
==22701== LEAK SUMMARY:
==22701==    definitely lost: 0 bytes in 0 blocks
==22701==    indirectly lost: 0 bytes in 0 blocks
==22701==      possibly lost: 0 bytes in 0 blocks
==22701==    still reachable: 7,955 bytes in 25 blocks
==22701==         suppressed: 0 bytes in 0 blocks
==22701== Rerun with --leak-check=full to see details of leaked memory
==22701==
==22701== For lists of detected and suppressed errors, rerun with: -s
==22701== ERROR SUMMARY: 10 errors from 5 contexts (suppressed: 0 from 0)
This is most likely a valgrind problem, but it is still worth investigating. Found by /Security/CVE-2021-43527-Memory-corruption-in-signature-decoding.
Please provide the package NVR for which the bug is seen:
- nss-3.101 and nss-3.112
- RHEL-10
- ppc64le
Expected results
==6973== Memcheck, a memory error detector
==6973== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
==6973== Using Valgrind-3.25.1 and LibVEX; rerun with -h for copyright info
==6973== Command: certutil -d nssdb -A -n ca -t cCT,, -a -i ca.crt
==6973==
==6973==
==6973== HEAP SUMMARY:
==6973==     in use at exit: 8,723 bytes in 31 blocks
==6973==   total heap usage: 10,314 allocs, 10,283 frees, 3,400,692 bytes allocated
==6973==
==6973== LEAK SUMMARY:
==6973==    definitely lost: 0 bytes in 0 blocks
==6973==    indirectly lost: 0 bytes in 0 blocks
==6973==      possibly lost: 0 bytes in 0 blocks
==6973==    still reachable: 8,723 bytes in 31 blocks
==6973==         suppressed: 0 bytes in 0 blocks
==6973== Rerun with --leak-check=full to see details of leaked memory
==6973==
==6973== For lists of detected and suppressed errors, rerun with: -s
==6973== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Actual results
See above