Zoltan Lugossy | 27 May 17:32 2013

strongSwan 5.0.4: crash in method memwipe_inline (called by query_sa)

Hi,

I experienced some crashes when using strongswan 5.0.4.
The problem seems to be pretty straightforward, and based on the code, it could also affect update_sa.


The call trace is as follows:
...
Core was generated by `/usr/lib64/ipsec/charon --use-syslog'.
Program terminated with signal 6, Aborted.

(gdb) bt
#0  0x00007f203fb62b35 in raise () from /lib64/libc.so.6
#1  0x00007f203fb64111 in abort () from /lib64/libc.so.6
#2  0x00000000004014f6 in segv_handler (signal=<optimized out>) at charon.c:183
#3  <signal handler called>
#4  memwipe_inline (n=<optimized out>, ptr=<optimized out>) at utils/utils.h:411
#5  memwipe_noinline (ptr=0x0, n=139776064641392) at utils/utils.c:109
#6  0x00007f203878635d in memwipe (n=<optimized out>, ptr=<optimized out>) at ../../../../src/libstrongswan/utils/utils.h:432
#7  query_sa (this=0x6394d0, src=<optimized out>, dst=0x673610, spi=305546929, protocol=50 '2', mark=<optimized out>, bytes=0x7f2026ae5ce0, packets=0x7f2026ae5cd8)
    at kernel_netlink_ipsec.c:1685
#8  0x00007f2040566e6b in update_usebytes (inbound=<optimized out>, this=<optimized out>) at sa/child_sa.c:432
#9  get_usestats (this=0x66a080, inbound=true, time=0x7f2026ae5d30, bytes=0x0, packets=0x0) at sa/child_sa.c:530
#10 0x00007f2040567e31 in get_use_time (this=<optimized out>, inbound=true) at sa/ike_sa.c:288
#11 0x00007f204056a27d in send_dpd (this=0x66be40) at sa/ike_sa.c:594
#12 0x00007f204056466f in execute (this=<optimized out>) at processing/jobs/send_dpd_job.c:57
#13 0x00007f20409e7fab in process_jobs (worker=0x6614a0) at processing/processor.c:219
#14 0x00007f20409ea678 in thread_main (this=0x6614d0) at threading/thread.c:309
#15 0x00007f20400b27b6 in start_thread () from /lib64/libpthread.so.0
#16 0x00007f203fc09c5d in clone () from /lib64/libc.so.6
#17 0x0000000000000000 in ?? ()


(gdb) bt full
#0  0x00007f203fb62b35 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f203fb64111 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00000000004014f6 in segv_handler (signal=<optimized out>) at charon.c:183
        backtrace = 0x674e60
#3  <signal handler called>
No symbol table info available.
#4  memwipe_inline (n=<optimized out>, ptr=<optimized out>) at utils/utils.h:411
        c = 0x66be40 "@\211V@\177"
        m = 139776064641384
        i = 8
#5  memwipe_noinline (ptr=0x0, n=139776064641392) at utils/utils.c:109
No locals.
#6  0x00007f203878635d in memwipe (n=<optimized out>, ptr=<optimized out>) at ../../../../src/libstrongswan/utils/utils.h:432
No locals.
#7  query_sa (this=0x6394d0, src=<optimized out>, dst=0x673610, spi=305546929, protocol=50 '2', mark=<optimized out>, bytes=0x7f2026ae5ce0, packets=0x7f2026ae5cd8)
    at kernel_netlink_ipsec.c:1685
        request = "(\000\000\000\022\000\001\000H\002\000\000\342\063\000\000-\352\000\000\000\000\000\000\000\000\000\000\001\002\020\001\022\066F\261\n\000\062", '\000' <repeats 984 times>
        out = 0x7f2026ae5968
        hdr = <optimized out>
        sa_id = <optimized out>
        sa = 0x8
        status = FAILED
        len = 139776064641392
#8  0x00007f2040566e6b in update_usebytes (inbound=<optimized out>, this=<optimized out>) at sa/child_sa.c:432
No locals.
#9  get_usestats (this=0x66a080, inbound=true, time=0x7f2026ae5d30, bytes=0x0, packets=0x0) at sa/child_sa.c:530
No locals.
#10 0x00007f2040567e31 in get_use_time (this=<optimized out>, inbound=true) at sa/ike_sa.c:288
        enumerator = 0x66e550
        child_sa = 0x66a080
        use_time = 2757
        current = 0
#11 0x00007f204056a27d in send_dpd (this=0x66be40) at sa/ike_sa.c:594
        last_in = <optimized out>
        diff = <optimized out>
        delay = 30
        task_queued = false
#12 0x00007f204056466f in execute (this=<optimized out>) at processing/jobs/send_dpd_job.c:57
        ike_sa = <optimized out>
#13 0x00007f20409e7fab in process_jobs (worker=0x6614a0) at processing/processor.c:219
        requeue = {type = JOB_REQUEUE_TYPE_NONE, schedule = JOB_SCHEDULE, time = {rel = 0, abs = {tv_sec = 0, tv_usec = 0}}}
        i = 1
        reserved = 2
        idle = <optimized out>
        this = 0x60a4f0
#14 0x00007f20409ea678 in thread_main (this=0x6614d0) at threading/thread.c:309
        __cancel_buf = {__cancel_jmp_buf = {{__cancel_jmp_buf = {0, 609407318156031082, 139776490195072, 139776064643072, 140735743592080, 8388608, -705585307852557206,
                -705502153799846806}, __mask_was_saved = 0}}, __pad = {0x7f2026ae5f70, 0x0, 0x0, 0x0}}
        not_first_call = <optimized out>
        res = <optimized out>
#15 0x00007f20400b27b6 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#16 0x00007f203fc09c5d in clone () from /lib64/libc.so.6
Tobias Brunner | 27 May 18:48 2013

Re: strongSwan 5.0.4: crash in method memwipe_inline (called by query_sa)

Hi Zoltan,

> #2  0x00000000004014f6 in segv_handler (signal=<optimized out>) at
> charon.c:183
> #3  <signal handler called>
> #4  memwipe_inline (n=<optimized out>, ptr=<optimized out>) at
> utils/utils.h:411
> *#5  memwipe_noinline (ptr=0x0, n=139776064641392) at utils/utils.c:109*

We should probably check for NULL in memwipe().  The patch at [1] fixes
this.

Regards,
Tobias

[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=c480b5f4
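An added example (not strongSwan's code, and not the patch linked above) showing the shape of the fix under discussion: a memwipe() that treats a NULL pointer as a no-op, called from a query_sa()-style function that wipes its reply buffer on every return path, including the failed-request path where the trace shows ptr=0x0 with a garbage length. All names (memwipe, reply_t, query_sa_usage, buffer_is_zero) are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Wipe n bytes through a volatile pointer so the compiler cannot drop the
 * stores. A NULL pointer returns immediately instead of faulting, whatever
 * value n happens to hold (the trace shows an uninitialised length). */
static void memwipe(void *ptr, size_t n)
{
    volatile uint8_t *p = ptr;
    if (!ptr)
    {
        return;
    }
    while (n--)
    {
        *p++ = 0;
    }
}

/* Constructed stand-in for a netlink reply: out == NULL models the failed
 * request in the trace, where the buffer pointer was never set. */
typedef struct { uint8_t *out; size_t len; } reply_t;

/* Copies a byte counter out of the reply, then wipes the reply. Returns
 * 1 on success, 0 on failure (mirrors SUCCESS / FAILED in the trace). */
static int query_sa_usage(reply_t *reply, uint64_t *bytes)
{
    int status = 0;
    if (reply->out && reply->len >= sizeof(uint64_t))
    {
        memcpy(bytes, reply->out, sizeof(uint64_t));
        status = 1;
    }
    /* Wipe on both paths; with the NULL check this is safe even when the
     * request failed and out/len were never populated. */
    memwipe(reply->out, reply->len);
    return status;
}

/* Helper used to verify that the wipe actually happened. */
static int buffer_is_zero(const uint8_t *buf, size_t n)
{
    while (n--)
    {
        if (*buf++) return 0;
    }
    return 1;
}
```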

Zoltan Lugossy | 27 May 20:38 2013

Re: strongSwan 5.0.4: crash in method memwipe_inline (called by query_sa)

Hi Tobias,

Thanks a lot.

BR,
/Zoltan

2013.05.27. 18:48, "Tobias Brunner" <tobias-jzJueiEJWxp8fCCB1iTX4w@public.gmane.org> wrote:
> Hi Zoltan,
>
> > #2  0x00000000004014f6 in segv_handler (signal=<optimized out>) at
> > charon.c:183
> > #3  <signal handler called>
> > #4  memwipe_inline (n=<optimized out>, ptr=<optimized out>) at
> > utils/utils.h:411
> > *#5  memwipe_noinline (ptr=0x0, n=139776064641392) at utils/utils.c:109*
>
> We should probably check for NULL in memwipe().  The patch at [1] fixes
> this.
>
> Regards,
> Tobias
>
> [1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=c480b5f4