Bug 424056

Summary: Okular crashed in cryptotech::cpp::utils::ILogOutput() while closing signed document and using proprietary driver for CryptoTech smart cards
Product: [Applications] okular Reporter: opensuse.lietuviu.kalba
Component: generalAssignee: Okular developers <okular-devel>
Status: RESOLVED UPSTREAM    
Severity: crash CC: aacid, jtamate, nate
Priority: NOR Keywords: drkonqi
Version First Reported In: 1.10.2   
Target Milestone: ---   
Platform: openSUSE   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: valgrind okular

Description opensuse.lietuviu.kalba 2020-07-10 06:15:21 UTC 
Application: okular (1.10.2)

Qt Version: 5.12.7
Frameworks Version: 5.71.0
Operating System: Linux 5.3.18-lp152.20.7-default x86_64
Windowing system: X11
Distribution: "openSUSE Leap 15.2"

-- Information about the crash:
- What I was doing when the application crashed:
I opened PDF document. This document was signed and had some forms – Okular showed notice about this features at top of document in banner. I tried to show/hide fields. I tried to look into signature. Finally I closed document. Crash dialog appeared.

-- Backtrace:
Application: Okular (okular), signal: Segmentation fault
Using host libthread_db library "/lib64/libthread_db.so.1".
[Current thread is 1 (Thread 0x7fa062e98f80 (LWP 8460))]

Thread 2 (Thread 0x7fa0488ab700 (LWP 8462)):
#0  0x00007fa05ea801d8 in read () from /lib64/libc.so.6
#1  0x00007fa0594279a0 in read (__nbytes=16, __buf=0x7fa0488aaa60, __fd=<optimized out>) at /usr/include/bits/unistd.h:44
#2  g_wakeup_acknowledge (wakeup=0x55ba06dab0b0) at ../glib/gwakeup.c:210
#3  0x00007fa0593e0298 in g_main_context_check (context=context@entry=0x7fa044000be0, max_priority=2147483647, fds=fds@entry=0x7fa044004e90, n_fds=n_fds@entry=1) at ../glib/gmain.c:3732
#4  0x00007fa0593e0720 in g_main_context_iterate (context=context@entry=0x7fa044000be0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:3951
#5  0x00007fa0593e088c in g_main_context_iteration (context=0x7fa044000be0, may_block=may_block@entry=1) at ../glib/gmain.c:4015
#6  0x00007fa05f41a19b in QEventDispatcherGlib::processEvents (this=0x7fa044000b10, flags=...) at kernel/qeventdispatcher_glib.cpp:424
#7  0x00007fa05f3bb32a in QEventLoop::exec (this=this@entry=0x7fa0488aac80, flags=..., flags@entry=...) at kernel/qeventloop.cpp:225
#8  0x00007fa05f1e110a in QThread::exec (this=this@entry=0x7fa05fb02d80 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at thread/qthread.cpp:531
#9  0x00007fa05f88acd5 in QDBusConnectionManager::run (this=0x7fa05fb02d80 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at qdbusconnection.cpp:178
#10 0x00007fa05f1e28b2 in QThreadPrivate::start (arg=0x7fa05fb02d80 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at thread/qthread_unix.cpp:361
#11 0x00007fa05ba464f9 in start_thread () from /lib64/libpthread.so.0
#12 0x00007fa05ea8ef2f in clone () from /lib64/libc.so.6

Thread 1 (Thread 0x7fa062e98f80 (LWP 8460)):
[KCrash Handler]
#4  0x00007fa024ccd750 in boost::shared_ptr<cryptotech::cpp::utils::ILogOutput>::shared_ptr(boost::shared_ptr<cryptotech::cpp::utils::ILogOutput> const&) () from /usr/lib/ccs/libccpkip11.so
#5  0x00007fa024d2e601 in C_CloseAllSessions () from /usr/lib/ccs/libccpkip11.so
#6  0x00007fa03473c148 in PK11_DestroySlot (slot=0x55ba06dcc940) at pk11slot.c:444
#7  0x00007fa03473c1d5 in PK11_FreeSlot (slot=<optimized out>) at pk11slot.c:477
#8  0x00007fa0347403d3 in SECMOD_DestroyModule (module=0x55ba0734b340) at pk11util.c:922
#9  0x00007fa03474073a in SECMOD_DestroyModuleListElement (element=0x55ba072bfa40) at pk11util.c:968
#10 0x00007fa034740bf5 in SECMOD_DestroyModuleList (list=<optimized out>) at pk11util.c:983
#11 0x00007fa034740c79 in SECMOD_Shutdown () at pk11util.c:67
#12 0x00007fa0346f9d22 in nss_Shutdown () at nssinit.c:1163
#13 0x00007fa0346f9e1d in NSS_Shutdown () at nssinit.c:1221
#14 0x00007fa0353491c9 in shutdownNss () at /usr/src/debug/poppler-0.79.0-lp152.1.7.x86_64/poppler/SignatureHandler.cc:31
#15 0x00007fa05e9cf138 in __run_exit_handlers () from /lib64/libc.so.6
#16 0x00007fa05e9cf18a in exit () from /lib64/libc.so.6
#17 0x00007fa05e9b7351 in __libc_start_main () from /lib64/libc.so.6
#18 0x000055ba04f5594a in _start () at ../sysdeps/x86_64/start.S:120
[Inferior 1 (process 8460) detached]

Reported using DrKonqi
Comment 1 Albert Astals Cid 2020-07-10 20:51:07 UTC 
Can you share the document?

Can you reproduce the crash every time?

Can you run
  valgrind okular
in a terminal, make what you do to make it crash and attach the output of valgrind here?
Comment 2 opensuse.lietuviu.kalba 2020-07-12 10:42:34 UTC 
I can consistently (every time) reproduce this bug in my openSUSE Leap 15.2 system. Just:
1. open signed PDF 
2. close it
3. crash

I can reproduce even with another PDF document e.g. 
https://www.tecxoft.com/samples/pdf_digital_signature_timestamp.pdf
Comment 3 opensuse.lietuviu.kalba 2020-07-12 10:48:54 UTC 
Created attachment 130062 [details]
valgrind okular
Comment 4 Albert Astals Cid 2020-07-12 11:04:01 UTC 
I can't reproduce.

So the crash is

==7021==    at 0x32B35750: boost::shared_ptr<cryptotech::cpp::utils::ILogOutput>::shared_ptr(boost::shared_ptr<cryptotech::cpp::utils::ILogOutput> const&) (in /usr/lib/ccs/libccpkip11.so.2.00.00261)
==7021==    by 0x32B96600: C_CloseAllSessions (in /usr/lib/ccs/libccpkip11.so.2.00.00261)
==7021==    by 0x2F08B147: PK11_DestroySlot (pk11slot.c:444)
==7021==    by 0x2F08F3D2: SECMOD_DestroyModule (pk11util.c:922)
==7021==    by 0x2F08F739: SECMOD_DestroyModuleListElement (pk11util.c:968)
==7021==    by 0x2F08FBF4: SECMOD_DestroyModuleList (pk11util.c:983)
==7021==    by 0x2F08FC78: SECMOD_Shutdown (pk11util.c:67)
==7021==    by 0x2F048D21: nss_Shutdown (nssinit.c:1163)
==7021==    by 0x2F048E1C: NSS_Shutdown (nssinit.c:1221)
==7021==    by 0x2E6591C8: shutdownNss() (SignatureHandler.cc:31)


shutdownNss being poppler saying "i'm done using nss", so it would seem to me either the crash is in nss, in pk11 or more probably in libccpkip11, which is something my system doesn't have.

Looking around the internet i think libccpkip11 is the driver for "proprietary PKCS #11 driver for CryptoTech smart cards by CryptoTech".

My first suggestion would figure out if you can just uninstall that from your system, it's non Free code that's crashing, not much that we the Free people can do to help you.

If you didn't install that on purpose, i'd also suggest you file a bug against opensuse and figure out why they are installing non free code by default.

I'm going to close it as NOT A BUG since everything is pointing away from us. If you can remove that libccpkip11.so from your system and okular still crashes please reopen this bug.
Comment 5 opensuse.lietuviu.kalba 2022-07-21 10:34:00 UTC 
*** Bug 456910 has been marked as a duplicate of this bug. ***
Comment 6 opensuse.lietuviu.kalba 2022-07-21 10:34:46 UTC 
I can not reproduce bug after uninstalling ccs (CryptoTech proprietary driver).
Comment 7 Jaime Torres 2022-10-11 16:07:33 UTC 
I'm able to reproduce it with one of the dni readers and the pkcs#11 dnie library installed:

Just connect any dnie reader to any usb, with or without any dni, and open any pdf with signatures, for example:
/usr/bin/okular  "https://www.tecxoft.com/samples/pdf_digital_signature_timestamp.pdf"

In Valgrind:

==30095== Invalid read of size 4
==30095==    at 0x662CCC7: pthread_mutex_trylock@@GLIBC_2.34 (pthread_mutex_trylock.c:33)
==30095==    by 0x21834709: NativeLockMutex(void*) (in /usr/lib64/libpkcs11-dnie.so)
==30095==    by 0x21828C21: C_CloseAllSessions (in /usr/lib64/libpkcs11-dnie.so)
==30095==    by 0x1569303E: UnknownInlinedFun (pk11slot.c:452)
==30095==    by 0x1569303E: PK11_FreeSlot (pk11slot.c:489)
==30095==    by 0x15695F0B: UnknownInlinedFun (pk11util.c:923)
==30095==    by 0x15695F0B: SECMOD_DestroyModule (pk11util.c:885)
==30095==    by 0x1565E1CC: UnknownInlinedFun (pk11util.c:969)
==30095==    by 0x1565E1CC: UnknownInlinedFun (pk11util.c:984)
==30095==    by 0x1565E1CC: UnknownInlinedFun (pk11util.c:68)
==30095==    by 0x1565E1CC: nss_Shutdown (nssinit.c:1163)
==30095==    by 0x1565EEAF: UnknownInlinedFun (nssinit.c:1221)
==30095==    by 0x1565EEAF: NSS_Shutdown (nssinit.c:1200)
==30095==    by 0x20F933F8: ??? (in /usr/lib64/libpoppler.so.124.0.0)
==30095==    by 0x65DA0C4: __run_exit_handlers (exit.c:113)
==30095==    by 0x65DA24F: exit (exit.c:143)
==30095==    by 0x65C15B6: (below main) (libc_start_call_main.h:74)
==30095==  Address 0x10 is not stack'd, malloc'd or (recently) free'd

==30095== Invalid read of size 4
==30095==    at 0x662D2B0: __pthread_mutex_unlock_full (pthread_mutex_unlock.c:114)
==30095==    by 0x81B1349: QtWaylandClient::QWaylandDisplay::~QWaylandDisplay() (qwaylanddisplay.cpp:384)
==30095==    by 0x81B1948: QtWaylandClient::QWaylandDisplay::~QWaylandDisplay() (qwaylanddisplay.cpp:385)
==30095==    by 0x819FF68: QtWaylandClient::QWaylandIntegration::~QWaylandIntegration() (qwaylandintegration.cpp:132)
==30095==    by 0x5764FC6: QGuiApplicationPrivate::~QGuiApplicationPrivate() (qguiapplication.cpp:1731)
==30095==    by 0x50A9F58: QApplicationPrivate::~QApplicationPrivate() (qapplication.cpp:163)
==30095==    by 0x11C255: main (main.cpp:103)


In gdb:
(thread 1)
#0  ___pthread_mutex_trylock (mutex=0x0) at pthread_mutex_trylock.c:33
#1  0x00007fffc683470a in NativeLockMutex(void*) () at /usr/lib64/libpkcs11-dnie.so
#2  0x00007fffc6828c22 in C_CloseAllSessions () at /usr/lib64/libpkcs11-dnie.so
#3  0x00007fffc732903f in PK11_DestroySlot (slot=<optimized out>) at ../pk11wrap/pk11slot.c:452
#4  PK11_FreeSlot (slot=slot@entry=0x5555558c9970) at ../pk11wrap/pk11slot.c:489
#5  0x00007fffc732bf0c in SECMOD_DestroyModule (module=0x5555558f61c0) at ../pk11wrap/pk11util.c:923
#6  SECMOD_DestroyModule (module=0x5555558f61c0) at ../pk11wrap/pk11util.c:885
#7  0x00007fffc72f41cd in SECMOD_DestroyModuleListElement (element=0x55555603c6a0) at ../pk11wrap/pk11util.c:969
#8  SECMOD_DestroyModuleList (list=<optimized out>) at ../pk11wrap/pk11util.c:984
#9  SECMOD_Shutdown () at ../pk11wrap/pk11util.c:68
#10 nss_Shutdown () at /usr/src/debug/mozilla-nss-3.82-1.2.x86_64/nss/lib/nss/nssinit.c:1163
#11 0x00007fffc72f4eb0 in NSS_Shutdown () at /usr/src/debug/mozilla-nss-3.82-1.2.x86_64/nss/lib/nss/nssinit.c:1221
#12 NSS_Shutdown () at /usr/src/debug/mozilla-nss-3.82-1.2.x86_64/nss/lib/nss/nssinit.c:1200
#13 0x00007fffc76453f9 in shutdownNss() () at /usr/src/debug/poppler-22.09.0-1.1.x86_64/poppler/SignatureHandler.cc:268
#14 0x00007ffff5e450c5 in __run_exit_handlers (status=0, listp=0x7ffff5fea820 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:113
#15 0x00007ffff5e45250 in __GI_exit (status=<optimized out>) at exit.c:143
#16 0x00007ffff5e2c5b7 in __libc_start_call_main (main=main@entry=0x555555566ae0 <main(int, char**)>, argc=argc@entry=2, argv=argv@entry=0x7fffffffd1e8) at ../sysdeps/nptl/libc_start_call_main.h:74
#17 0x00007ffff5e2c679 in __libc_start_main_impl
     (main=0x555555566ae0 <main(int, char**)>, argc=2, argv=0x7fffffffd1e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffd1d8) at ../csu/libc-start.c:381
#18 0x0000555555568d45 in _start () at ../sysdeps/x86_64/start.S:115
(thread 2)
#0  0x00007ffff5f0ba8f in __GI___poll (fds=0x7fffec0053c0, nfds=3, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:29
#1  0x00007ffff4d20d7e in g_main_context_poll (priority=<optimized out>, n_fds=3, fds=0x7fffec0053c0, timeout=<optimized out>, context=0x7fffec001cf0) at ../glib/gmain.c:4543
#2  g_main_context_iterate (context=context@entry=0x7fffec001cf0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4233
#3  0x00007ffff4d20e9c in g_main_context_iteration (context=0x7fffec001cf0, may_block=1) at ../glib/gmain.c:4303
#4  0x00007ffff6733806 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (this=0x7fffec000b70, flags=...) at kernel/qeventdispatcher_glib.cpp:423
#5  0x00007ffff66dabeb in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (this=this@entry=0x7ffff1dfec10, flags=..., flags@entry=...) at ../../include/QtCore/../../src/corelib/global/qflags.h:69
#6  0x00007ffff64f4c47 in QThread::exec() (this=this@entry=0x7ffff71ff060 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at ../../include/QtCore/../../src/corelib/global/qflags.h:121
#7  0x00007ffff7186277 in QDBusConnectionManager::run() (this=0x7ffff71ff060 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at qdbusconnection.cpp:179
#8  0x00007ffff64f5e4d in QThreadPrivate::start(void*) (arg=0x7ffff71ff060 <(anonymous namespace)::Q_QGS__q_manager::innerFunction()::holder>) at thread/qthread_unix.cpp:330
#9  0x00007ffff5e939ad in start_thread (arg=<optimized out>) at pthread_create.c:442
#10 0x00007ffff5f1a290 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81