iked segmentation fault

Ralf Horstmann-2
>Synopsis: iked segmentation fault
>Category: system
>Environment:
        System      : OpenBSD 5.5
        Details     : OpenBSD 5.5 (GENERIC) #276: Wed Mar  5 09:57:06 MST 2014
                         [hidden email]:/usr/src/sys/arch/i386/compile/GENERIC

        Architecture: OpenBSD.i386
        Machine     : i386

>Description:
        When connecting with Strongswan on Android to iked using ikectl
        generated keys/certificates, the ikev2 sub process of iked crashes
        fairly reproducibly with a segmentation fault (~90% of cases).

        Attaching gdb to the ikev2 sub process I get this backtrace:

        Program received signal SIGSEGV, Segmentation fault.
        bcopy () at /usr/src/lib/libc/arch/i386/string/bcopy.S:88
        88      /usr/src/lib/libc/arch/i386/string/bcopy.S: No such file or directory.
                in /usr/src/lib/libc/arch/i386/string/bcopy.S
        (gdb) bt
        #0  bcopy () at /usr/src/lib/libc/arch/i386/string/bcopy.S:88
        #1  0x160b5626 in modp_create_shared () from /root/iked
        #2  0x160b4f3d in dh_create_shared () from /root/iked
        #3  0x160bb2fa in ikev2_sa_keys () from /root/iked
        #4  0x160c22e0 in ikev2_resp_recv () from /root/iked
        #5  0x160c3431 in ikev2_recv () from /root/iked
        #6  0x160c5da7 in ikev2_msg_cb () from /root/iked
        #7  0x096ed3c2 in event_base_loop (base=0x81715000, flags=0) at /usr/src/lib/libevent/event.c:402
        #8  0x096ed789 in event_loop (flags=0) at /usr/src/lib/libevent/event.c:478
        #9  0x096ed7ae in event_dispatch () at /usr/src/lib/libevent/event.c:416
        #10 0x160d429b in proc_run () from /root/iked
        #11 0x160c38a6 in ikev2 () from /root/iked
        #12 0x160d4502 in proc_init () from /root/iked
        #13 0x160b745a in main () from /root/iked

        (gdb) info reg
        eax            0x81717601       -2123270655
        ecx            0x3fffe6c0       1073735360
        edx            0xffffffff       -1
        ebx            0x360b4440       906708032
        esp            0xcfbbdbe4       0xcfbbdbe4
        ebp            0xcfbbdc18       0xcfbbdc18
        esi            0x81710ffc       -2123296772
        edi            0x817110fd       -2123296515
        eip            0x8f1543 0x8f1543
        eflags         0x210686 2164358
        cs             0x2b     43
        ss             0x33     51
        ds             0x33     51
        es             0x33     51
        fs             0x5b     91
        gs             0x63     99
       
        (gdb) disass
        ...
        0x008f1538 <bcopy+48>:  mov    %edx,%ecx
        0x008f153a <bcopy+50>:  shr    $0x2,%ecx
        0x008f153d <bcopy+53>:  sub    $0x3,%esi
        0x008f1540 <bcopy+56>:  sub    $0x3,%edi
        0x008f1543 <bcopy+59>:  repz movsl %ds:(%esi),%es:(%edi)
       
        Looks like bcopy got called with len = -1.

>Fix:

The diff is against -current; the code is the same as in 5.5:

Index: dh.c
===================================================================
RCS file: /usr/cvs/openbsd/src/sbin/iked/dh.c,v
retrieving revision 1.14
diff -u -r1.14 dh.c
--- dh.c        27 Aug 2014 10:28:57 -0000      1.14
+++ dh.c        12 Oct 2014 14:11:07 -0000
@@ -472,7 +472,7 @@

        ret = DH_compute_key(secret, ex, group->dh);
        BN_clear_free(ex);
-       if (!ret)
+       if (ret <= 0)
                return (-1);

        /* add zero padding */
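Review bot: the widened check is the right fix, because DH_compute_key() returns -1 on failure rather than 0, so `if (!ret)` only caught an empty result and let -1 flow on as the secret length, which matches the bcopy with len = -1 in the backtrace. It would help a later reader to note in a comment that `ret` is the secret length used by the zero-padding arithmetic that follows, so it is clear why a non-positive value has to be rejected here rather than further down.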

Please note that isakmpd has the same code and might be affected
as well.
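The following is an added illustration, not iked's or isakmpd's own code: a stand-in for DH_compute_key() that fails with -1 shows how the pre-patch `if (!ret)` lets the negative value reach a size_t copy length, and how the patched `ret <= 0` test (plus an upper bound) stops it. The right-aligned zero-padding layout and the GROUP_LEN value are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define GROUP_LEN 16  /* constructed: stand-in modp group size in bytes */

/* Stand-in for OpenSSL's DH_compute_key(): on success it returns the
 * number of secret bytes written, on failure -1 (not 0). */
static int fake_dh_compute_key(unsigned char *secret, bool fail)
{
    if (fail)
        return -1;
    memset(secret, 0xAB, GROUP_LEN - 2);  /* constructed 14-byte secret */
    return GROUP_LEN - 2;
}

/* The pre-patch test: rejects only a zero return, lets -1 through. */
bool old_check_rejects(int ret) { return !ret; }

/* The patched test: rejects any non-positive return. */
bool new_check_rejects(int ret) { return ret <= 0; }

/* What a length of -1 becomes once it reaches a size_t copy length. */
size_t copy_len_from(int ret) { return (size_t)ret; }

/* Derive the padded shared secret into out[GROUP_LEN]. Returns 0 on
 * success, -1 if DH fails or the result cannot fit the group length. */
int dh_create_shared_fixed(unsigned char *out, bool fail)
{
    unsigned char secret[GROUP_LEN];
    int ret = fake_dh_compute_key(secret, fail);

    if (new_check_rejects(ret) || ret > GROUP_LEN)
        return -1;

    /* add zero padding: right-align the secret, leading bytes are zero
     * (assumed layout for this example) */
    memset(out, 0, GROUP_LEN - (size_t)ret);
    memcpy(out + (GROUP_LEN - ret), secret, (size_t)ret);
    return 0;
}

/* Helper: run the fixed derivation and return the byte at idx, or -1. */
int fixed_byte_at(bool fail, size_t idx)
{
    unsigned char out[GROUP_LEN];
    if (dh_create_shared_fixed(out, fail) != 0)
        return -1;
    return out[idx];
}
```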

