SIGSEGV when independent DSA keys are concurrently disposed #71738
Description
On macOS Monterey, I would expect this program to run forever.
using System.Security.Cryptography;
DSA dsa;
void Work()
{
while (true)
{
try
{
dsa = DSA.Create();
dsa.ImportParameters(new DSAParameters
{
P = Convert.FromBase64String(@"
nEx7rLmUg+FLq23XB/8rVFU3Txktd4NYVppGrJMdRKi0FktEj39g7vM33rA0g8Xf
BurQu9HkcblSR25E5beYrMbU8pJD1ZqmrltbnnlB+PHX5Pgbu91BCr2d5UjAIfiA
qIlnySMuV0XSqbb1A3qyWGIx3ATXBaXN9mm+paF2itE="),
Q = Convert.FromBase64String("vV0TbUwrTOkOoiyTJDxsaKWqWjE="),
G = Convert.FromBase64String(@"
XZESzrsgUFaS697sgeQEnFKrhh3S6C+gfVG2wL9JBv636QsEq2uxpOMl/1VQxjqx
Cys3x9YFOkdY1xYdk4ayhco6LYVr81X/lRUtx0YZxpaTt10XgcnlLwx772pYCcOH
UlyyGxq3GYCA1cglXtS80gPHIYieOqmUhvBHXMYBCAg="),
Y = Convert.FromBase64String(@"
e7NMNCxX/44GS2gUH+JyReWzdCUXcp6ax0PcF/XvIZ1mak74P8o8yqWseGa/10hR
CT92or4YBROsGtKqD/wqN0yJvVMkpPHHsWU9zs1Zt4CsQaZgUTw+vyjkw674OuyN
933pL+qQNvPuJcb/HK9ME2vSN/3Ki1lAqqKWuzcvggY="),
X = Convert.FromBase64String(@"DQrQZHBuIxyLlLqtNqOULp/tlH0="),
});
dsa.Dispose();
}
catch (Exception)
{
// Managed exceptions are okay, looking for crashes.
}
}
}
Thread t1 = new Thread(Work);
Thread t2 = new Thread(Work);
t1.Start();
t2.Start();
t1.Join();
t2.Join();It will quickly exit with status code 139, a segmentation fault.
I cannot reproduce this for RSA or ECDsa, only DSA.
The native stack trace is below. Unfortunately I've been struggling quite a bit to get dotnet-sos and dotnet-symbol to work on Apple Silicon, so no managed stack trace.
frame #1: 0x00000001b2067ca8 Security`CssmManager::getModule(Security::Guid const&) + 28
frame #2: 0x00000001b20676a0 Security`CSSM_ModuleAttach + 104
frame #3: 0x00000001b2058c04 Security`Security::CssmClient::AttachmentImpl::activate() + 332
frame #4: 0x00000001b2089f50 Security`Security::CssmClient::KeyImpl::deactivate() + 180
frame #5: 0x00000001b21dd940 Security`Security::CssmClient::KeyImpl::~KeyImpl() + 84
frame #6: 0x00000001b2089e84 Security`Security::CssmClient::KeyImpl::~KeyImpl() + 16
frame #7: 0x00000001b21b6dd0 Security`Security::RefPointer::release_internal() + 112
frame #8: 0x00000001b2058498 Security`Security::RefPointer::release() + 56
frame #9: 0x00000001b21b6d34 Security`Security::RefPointer::~RefPointer() + 24
frame #10: 0x00000001b2290304 Security`Security::KeychainCore::KeyItem::~KeyItem() + 140
frame #11: 0x00000001b2089e5c Security`Security::KeychainCore::KeyItem::~KeyItem() + 16
frame #12: 0x00000001b22bed74 Security`SecCDSAKeyDestroy(__SecKey*) + 328
frame #13: 0x00000001b00fad78 CoreFoundation`_CFRelease + 232
frame #14: 0x0000000280f56944
frame #15: 0x00000002804ed554
frame #16: 0x00000002804ed25c
frame #17: 0x0000000280f56a28
frame #18: 0x00000002804ed094
frame #19: 0x00000001033af5c8 libcoreclr.dylib`CallDescrWorkerInternal + 132
frame #20: 0x000000010321fc2c libcoreclr.dylib`DispatchCallSimple(unsigned long*, unsigned int, unsigned long, unsigned int) + 284
frame #21: 0x00000001031a8cb4 libcoreclr.dylib`MethodTable::CallFinalizer(Object*) + 400
frame #22: 0x0000000103260068 libcoreclr.dylib`FinalizerThread::FinalizeAllObjects() + 364
frame #23: 0x0000000103260270 libcoreclr.dylib`FinalizerThread::FinalizerThreadWorker(void*) + 184
frame #24: 0x00000001031eaaa0 libcoreclr.dylib`ManagedThreadBase_DispatchOuter(ManagedThreadCallState*) + 260
frame #25: 0x00000001031eb074 libcoreclr.dylib`ManagedThreadBase::FinalizerBase(void (*)(void*)) + 36
frame #26: 0x00000001032603ec libcoreclr.dylib`FinalizerThread::FinalizerThreadStart(void*) + 88
frame #27: 0x00000001030fd380 libcoreclr.dylib`CorUnix::CPalThread::ThreadEntry(void*) + 380
frame #28: 0x00000001aff5426c libsystem_pthread.dylib`_pthread_start + 148