* [meta-oe][sumo][PATCH] strongswan: avoid charon crash
@ 2020-02-20 10:58 Saloni Jain
From: Saloni Jain @ 2020-02-20 10:58 UTC (permalink / raw)
  To: openembedded-core, Khem Raj
  Cc: Nisha Parrakat, Rahul Taya, Aditya Tayade, Anuj Chougule


From: Anuj Chougule <Anuj.Chougule@kpit.com>

This is a possible fix to charon, which crashed early due to invalid
memory access.
Important frames from the backtrace:
8  0x00007f607246e160 in memcpy (__len=1704, __src=<optimized out>, __dest=<optimized out>)
    at /usr/include/bits/string_fortified.h:34
No locals.
9  memcpy_noop (n=1704, src=<optimized out>, dst=<optimized out>)
    at /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/utils/utils/memory.h:47
        n = 1704
        src = <optimized out>
        dst = <optimized out>
10 chunk_create_clone (ptr=<optimized out>, chunk=...)
    at /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/utils/chunk.c:48
        clone = <optimized out>
11 0x00007f606ebae810 in load_from_blob (blob=..., type=type@entry=CRED_PRIVATE_KEY, subtype=subtype@entry=1,
    subject=subject@entry=0x0, flags=flags@entry=X509_NONE)
    at /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c:399
        x = <optimized out>
        cred = 0x0
        pgp = false
12 0x00007f606ebaf0e4 in load_from_file (flags=X509_NONE, subject=0x0, subtype=1, type=CRED_PRIVATE_KEY,
    file=0x7f6069d21a20 "/var/opt/public/sps/sps_necema/data/public/IPsec/secureboot_on/IPsec-internal_key.pem")
    at /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c:452
        cred = <optimized out>
        chunk = 0x7f6054005430
13 pem_load (type=CRED_PRIVATE_KEY, subtype=1, args=<optimized out>)
    at /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c:498
        file = 0x7f6069d21a20 "/var/opt/public/sps/sps_necema/data/public/IPsec/secureboot_on/IPsec-internal_key.pem"
        pem = <optimized out>
        subject = 0x0
        flags = 0

The problem lies in frames 12 & 11.
(gdb) f 12
12 0x00007f606ebaf0e4 in load_from_file (flags=X509_NONE, subject=0x0, subtype=1, type=CRED_PRIVATE_KEY,
    file=0x7f6069d21a20 "/var/opt/public/sps/sps_necema/data/public/IPsec/secureboot_on/IPsec-internal_key.pem")
    at /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c:452
452     in /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c
(gdb) info locals
cred = <optimized out>
chunk = 0x7f6054005430
(gdb) print *chunk
$21 = {ptr = 0x7f60728b7000 <error: Cannot access memory at address 0x7f60728b7000>, len = 1704}
(gdb) f 11
11 0x00007f606ebae810 in load_from_blob (blob=..., type=type@entry=CRED_PRIVATE_KEY, subtype=subtype@entry=1, subject=subject@entry=0x0,
    flags=flags@entry=X509_NONE) at /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c:399
399     in /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c
(gdb) info args
blob = {ptr = 0x7f60728b7000 <error: Cannot access memory at address 0x7f60728b7000>, len = 140052215328768}
type = CRED_PRIVATE_KEY
subtype = 1
subject = 0x0
flags = X509_NONE
(gdb) print blob
$22 = {ptr = 0x7f60728b7000 <error: Cannot access memory at address 0x7f60728b7000>, len = 140052215328768}

Source code snippet:
static void *load_from_file(char *file, credential_type_t type, int subtype,
                                        identification_t *subject, x509_flag_t flags)
{
        void *cred;
        chunk_t *chunk;

        chunk = chunk_map(file, FALSE);
        if (!chunk)
        {
                DBG1(DBG_LIB, "  opening '%s' failed: %s", file, strerror(errno));
                return NULL;
        }
        cred = load_from_blob(*chunk, type, subtype, subject, flags);
        chunk_unmap(chunk);
        return cred;
}

Local variable chunk is an uninitialised pointer in load_from_file()
(frame 12 above) which is expected to get initialised through
chunk_map() & then passed to load_from_blob() as a parameter.
But somehow, the chunk pointer has not got initialised &
got passed as it is to load_from_blob() in frame 11 above.
As this contains a garbage address, when method load_from_blob()
tried cloning the memory regions through chunk_clone() ->
chunk_create_clone() -> memcpy() -> memcpy_noop(), it crashed with
SIGBUS (frames 10, 9, 8).
It could also be that chunk_map() has a bug which does not memmap()
the full or correct areas.

Upstream-Status: Pending
Tested By: Anuj Chougule <Anuj.Chougule@kpit.com>
Signed-off-by: Anuj Chougule <Anuj.Chougule@kpit.com>
Signed-off-by: Saloni Jain <Saloni.Jain@kpit.com>
---
 .../strongswan/files/fix-charon-crash.patch        | 23 ++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 recipes-support/strongswan/files/fix-charon-crash.patch

diff --git a/recipes-support/strongswan/files/fix-charon-crash.patch b/recipes-support/strongswan/files/fix-charon-crash.patch
new file mode 100644
index 0000000..95e71a2
--- /dev/null
+++ b/recipes-support/strongswan/files/fix-charon-crash.patch
@@ -0,0 +1,23 @@
+strongswan: avoid charon crash
+
+Variable chunk is an uninitialised pointer,which
+is expected to get initialised through method chunk_map()
+& then passed to load_from_blob() as a parameter.
+But somehow, if the chunk pointer did not get initialised & gets
+passed as it is to load_from_blob(), it may lead crash as this
+contains a garbage address.
+
+Signed-off-by: Anuj Chougule <Anuj.Chougule@kpit.com>
+Upstream-Status: Pending
+
+--- a/src/libstrongswan/plugins/pem/pem_builder.c
++++ b/src/libstrongswan/plugins/pem/pem_builder.c
+@@ -441,7 +441,7 @@ static void *load_from_file(char *file, credential_type_t type, int subtype,
+                                                       identification_t *subject, x509_flag_t flags)
+ {
+       void *cred;
+-      chunk_t *chunk;
++      chunk_t *chunk = NULL;
+
+       chunk = chunk_map(file, FALSE);
+       if (!chunk)
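Review bot: the change in this hunk cannot affect the reported crash, because `chunk` is assigned unconditionally on the very next line (`chunk = chunk_map(file, FALSE);`) and then NULL-checked, so the `= NULL` initialiser is a dead store that is overwritten before `chunk` is ever read (a compiler will normally drop it entirely). The gdb output in the description also contradicts the uninitialised-pointer theory: in frame 12 `chunk` is a valid pointer (`0x7f6054005430`) to `{ptr = 0x7f60728b7000, len = 1704}`, and that `len` matches `__len=1704` in the memcpy frame, while the `len = 140052215328768` shown for the by-value `blob` in frame 11 is simply `0x7f60728b7000` in decimal, i.e. gdb's garbled view of an optimised struct argument rather than a real length. What is actually inaccessible is the mapped region `chunk->ptr` itself, and a SIGBUS while reading a file-backed mapping is what happens when the mapped file is truncated or replaced underneath the mapping, or when `chunk_map()` returns a mapping that no longer backs the full length. I would drop this hunk and instead look at `chunk_map()` and at whatever rewrites `IPsec-internal_key.pem` while charon is loading it. Separately, the diffstat shows only the new `.patch` file being added: the strongswan recipe's `SRC_URI` is not updated, so as submitted the patch is never applied to the build.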
--
2.7.4

