On Wed, 2009-03-25 at 07:47 +0100, Julien Cristau wrote:
> I've spent some time looking at this, and I'm a bit worried about
> PKIX_PL_Object_Alloc. Specifically, sizeof(PKIX_PL_Object) seems to be
> 28 on 32bit, and __alignof__(PKIX_PL_Object) is 4. PKIX_PL_Object_Alloc
> goes to allocate some space for one PKIX_PL_Object + the size it was
> asked for, and then goes and returns object + 1. Thus, if
> PKIX_PL_Malloc gives it an 8 byte aligned pointer, PKIX_PL_Object_Alloc
> will return an unaligned address to its caller. PKIX_PL_OcspResponse's
> size is 56, and it has to be 8 byte aligned on sparc, so it's possible
> this is the problem here.
It'd be nice if someone could try the attached patch on sparc and see if
they can reproduce the browser crash.

Cheers,
Julien
diff -u nss-3.12.2.with.ckbi.1.73/debian/changelog nss-3.12.2.with.ckbi.1.73/debian/changelog --- nss-3.12.2.with.ckbi.1.73/debian/changelog +++ nss-3.12.2.with.ckbi.1.73/debian/changelog @@ -1,3 +1,9 @@ +nss (3.12.2.with.ckbi.1.73-2) UNRELEASED; urgency=low + + * Make sure PKIX_PL_Object_Alloc returns an aligned pointer. + + -- Julien Cristau <jcris...@debian.org> Wed, 25 Mar 2009 08:38:37 +0100 + nss (3.12.2.with.ckbi.1.73-1) unstable; urgency=low * debian/patches/38_kbsd.dpatch: Brown paper bag fix for regression only in patch2: unchanged: --- nss-3.12.2.with.ckbi.1.73.orig/mozilla/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_object.c +++ nss-3.12.2.with.ckbi.1.73/mozilla/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_object.c @@ -561,6 +561,7 @@ { PKIX_PL_Object *object = NULL; pkix_ClassTable_Entry *ctEntry = NULL; + PKIX_UInt32 alloc_size; PKIX_ENTER(OBJECT, "PKIX_PL_Object_Alloc"); PKIX_NULLCHECK_ONE(pObject); @@ -605,17 +606,20 @@ PORT_Assert(size == ctEntry->typeObjectSize); - /* Allocate space for the object header and the requested size */ + /* Allocate space for the object header and the requested size, + * and make sure that we return an aligned pointer */ + alloc_size = ((sizeof(PKIX_PL_Object) + 7) & ~7) + size; + #ifdef PKIX_OBJECT_LEAK_TEST PKIX_CHECK(PKIX_PL_Calloc (1, - ((PKIX_UInt32)sizeof (PKIX_PL_Object))+size, + alloc_size, (void **)&object, plContext), PKIX_MALLOCFAILED); #else PKIX_CHECK(PKIX_PL_Malloc - (((PKIX_UInt32)sizeof (PKIX_PL_Object))+size, + (alloc_size, (void **)&object, plContext), PKIX_MALLOCFAILED); @@ -641,7 +645,7 @@ /* Return a pointer to the user data. Need to offset by object size */ - *pObject = object + 1; + *pObject = (PKIX_PL_Object *)((((char*)object) + alloc_size - size)); object = NULL; /* Atomically increment object counter */
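Review bot: the changelog entry "Make sure PKIX_PL_Object_Alloc returns an aligned pointer." states the fix but not the symptom; since the mail ties it to a browser crash on sparc, naming that platform and the bug reference (if one exists) in the entry would make the change traceable from the package history alone.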
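Review bot: the rounding in `alloc_size = ((sizeof(PKIX_PL_Object) + 7) & ~7) + size;` hard-codes 8-byte alignment with bare 7 / ~7 literals; a named constant, or a rounded header size computed once (e.g. `header_size = (sizeof(PKIX_PL_Object) + 7) & ~7;`) that both this line and the return-pointer computation reuse, would make the intent visible and keep the two in sync. The assignment also silently narrows the size_t sum into PKIX_UInt32 where the replaced lines had an explicit `(PKIX_UInt32)` cast, and, as before the patch, nothing checks that adding `size` does not overflow.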
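Review bot: `*pObject = (PKIX_PL_Object *)((((char*)object) + alloc_size - size));` moves where the user data starts, but the hunk shows no matching change to whatever maps a user pointer back to its header; if that code is the inverse of the old `object + 1` (a `- 1` on a PKIX_PL_Object pointer), it now lands 4 bytes short on 32-bit and must subtract the same rounded header size. The comment above it, "Need to offset by object size", is stale now that the offset is the rounded-up header size, and the doubled parentheses around the cast expression can go.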
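To make the alignment problem in the mail concrete, here is an added example (not Julien's patch and not NSS code). It builds a constructed 28-byte, 4-aligned stand-in for the PKIX_PL_Object header, implements the old `object + 1` scheme beside the patch's rounded-header scheme, and checks the 8-byte alignment of the user pointer for a 56-byte payload (the PKIX_PL_OcspResponse size quoted in the mail). It also shows the inverse mapping (user pointer back to header) that must use the same rounded size; the names `ObjHeader`, `alloc_old`, `alloc_new`, `hdr_from_user_new` and `check_schemes` are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the PKIX_PL_Object header: seven 32-bit fields
 * give sizeof == 28 and alignment 4, the values quoted in the mail for
 * 32-bit builds. This reproduces the problem on 64-bit hosts too. */
typedef struct {
    uint32_t fields[7];
} ObjHeader;

/* Alignment the payload needs (8 bytes, as for PKIX_PL_OcspResponse on sparc). */
#define ALIGN 8u
#define ROUND_UP(n) (((n) + (ALIGN - 1)) & ~(size_t)(ALIGN - 1))

/* Old scheme: user data immediately follows the header (object + 1). */
void *alloc_old(size_t size, ObjHeader **out_hdr) {
    ObjHeader *hdr = calloc(1, sizeof(ObjHeader) + size);
    *out_hdr = hdr;
    return hdr ? (void *)(hdr + 1) : NULL;
}

/* New scheme (what the patch does): pad the header up to a multiple of
 * ALIGN, so the user data is aligned whenever the allocator's pointer is. */
void *alloc_new(size_t size, ObjHeader **out_hdr) {
    size_t alloc_size = ROUND_UP(sizeof(ObjHeader)) + size;
    ObjHeader *hdr = calloc(1, alloc_size);
    *out_hdr = hdr;
    return hdr ? (void *)((char *)hdr + alloc_size - size) : NULL;
}

/* Inverse mapping for the new scheme: must subtract the same rounded size,
 * not sizeof(ObjHeader), or it lands inside the padding. */
ObjHeader *hdr_from_user_new(void *user) {
    return (ObjHeader *)((char *)user - ROUND_UP(sizeof(ObjHeader)));
}

int is_aligned(const void *p, size_t a) {
    return ((uintptr_t)p % a) == 0;
}

/* Header-to-user offsets of the two schemes (28 vs 32 for this header). */
int user_offset_old(void) { return (int)sizeof(ObjHeader); }
int user_offset_new(void) { return (int)ROUND_UP(sizeof(ObjHeader)); }

/* Allocate one payload with each scheme and report as a bitmask:
 * bit 0: old user pointer is ALIGN-aligned
 * bit 1: new user pointer is ALIGN-aligned
 * bit 2: new inverse mapping returns the original header
 * Returns -1 on allocation failure. With an allocator that hands out
 * 8-aligned memory the result is 6: old misaligned, new aligned, round-trip ok. */
int check_schemes(size_t payload_size) {
    ObjHeader *h_old = NULL, *h_new = NULL;
    void *u_old = alloc_old(payload_size, &h_old);
    void *u_new = alloc_new(payload_size, &h_new);
    int result = -1;
    if (u_old && u_new) {
        result = 0;
        if (is_aligned(u_old, ALIGN)) result |= 1;
        if (is_aligned(u_new, ALIGN)) result |= 2;
        if (hdr_from_user_new(u_new) == h_new) result |= 4;
    }
    free(h_old);
    free(h_new);
    return result;
}

int main(void) {
    printf("header size %d, old user offset %d, new user offset %d\n",
           (int)sizeof(ObjHeader), user_offset_old(), user_offset_new());
    printf("check_schemes(56) = %d (6 means old misaligned, new aligned)\n",
           check_schemes(56));
    return 0;
}
```

Run it on any host whose malloc returns at least 8-aligned memory and the old scheme's user pointer sits at an address that is 4 mod 8, exactly the situation the mail describes; the new scheme's pointer is aligned and the round-trip through `hdr_from_user_new` recovers the header, which is the part the patch's callers have to get right as well.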