Bug#1064613: vtun: Segmentation fault with default config

2024-04-22 Thread Bernhard Übelacker

On Sat, 24 Feb 2024 23:55:18 + Lucas López wrote:

I copied the example server file /usr/share/doc/vtun/examples/vtund-server.conf into
/etc/vtund.conf and enabled server mode in /etc/default/vtun. When I start the service
with systemctl I get the following error on the dmesg log:

[343358.769324] vtund[3002]: segfault at 0 ip 5572cac05e34 sp 7ffc9a47f610 error 4 in vtund[5572cabff000+b000] likely on CPU 0 (core 0, socket 0)
[343358.769342] Code: 24 10 e8 2f 96 ff ff 85 c0 0f 88 0d 01 00 00 48 8b 44 24 10 48 89 44 24 08 48 85 c0 0f 84 f0 00 00 00 48 89 c3 90 48 8b 6b 18 <66> 44 39 7d 00 0f 85 d1 00 00 00 48 8b 73 08 4c 89 ef e8 55 97 ff

I checked the config and the manual but I haven't been able to use the package due to the segfault.
BTW, the autogenerated systemd unit has the attributes RemainAfterExit=yes, SuccessExitStatus=5 6,
so even on failure the unit appears as "active (exited)". Hence it needs a "systemctl restart",
"systemctl start" won't do anything which is a bit counterintuitive.



Hello,
I am not the maintainer of vtun, just tried to find some more information
about the crash.
I was not able to reproduce it inside a minimal VM, but I think
from the dmesg lines it happened in netlib.c line 156.

This looks like ifa->ifa_addr is not a valid pointer but gets dereferenced.
I guess it might be related to the network configuration of this specific host,
maybe containing an interface without having an address assigned.

Kind regards,
Bernhard


148 int getifaddr(struct sockaddr_storage *addr, char * ifname, sa_family_t af)
...
154
155      for (ifa = ifas; ifa; ifa = ifa->ifa_next) {
156         if( ifa->ifa_addr->sa_family != af ||
157            strcmp(ifname, ifa->ifa_name) )

https://sources.debian.org/src/vtun/3.0.4-2/netlib.c/#L156
https://man7.org/linux/man-pages/man3/getifaddrs.3.html
# 2024-04-22 Trixie/testing amd64 qemu VM

apt update
apt install systemd-coredump mc htop gdb

# with unstable
apt install vtun vtun-dbgsym devscripts
apt build-dep vtun



mkdir /home/benutzer/source/vtun/orig -p
cd /home/benutzer/source/vtun/orig
dget https://snapshot.debian.org/archive/debian-debug/20191112T220504Z/pool/main/v/vtun/vtun_3.0.4-2.dsc
dpkg-source -x vtun_3.0.4-2.dsc


cp -a /usr/share/doc/vtun/examples/vtund-server.conf /etc/vtund.conf

cp -a /etc/default/vtun /etc/default/vtun.orig
sed -i 's/# RUN_SERVER=no/RUN_SERVER=yes/g' /etc/default/vtun


wget https://snapshot.debian.org/archive/debian/20220514T093947Z/pool/main/v/vtun/vtun_3.0.4-2%2Bb1_amd64.deb
wget https://snapshot.debian.org/archive/debian-debug/20220514T091215Z/pool/main/v/vtun/vtun-dbgsym_3.0.4-2%2Bb1_amd64.deb
dpkg -i *.deb

systemctl start vtun.service

-> Could not reproduce the crash




[343358.769324] vtund[3002]: segfault at 0 ip 5572cac05e34 sp 7ffc9a47f610 error 4 in vtund[5572cabff000+b000] likely on CPU 0 (core 0, socket 0)
[343358.769342] Code: 24 10 e8 2f 96 ff ff 85 c0 0f 88 0d 01 00 00 48 8b 44 24 10 48 89 44 24 08 48 85 c0 0f 84 f0 00 00 00 48 89 c3 90 48 8b 6b 18 <66> 44 39 7d 00 0f 85 d1 00 00 00 48 8b 73 08 4c 89 ef e8 55 97 ff

# https://wiki.debian.org/InterpretingKernelOutputAtProcessCrash

error 4
0b0100
 *   bit 0 ==0: no page found
 *   bit 1 ==0: read access
 *   bit 2 ==1: user-mode access

 
echo -n "find /b ..., ..., 0x" && \
echo "24 10 e8 2f 96 ff ff 85 c0 0f 88 0d 01 00 00 48 8b 44 24 10 48 89 44 24 08 48 85 c0 0f 84 f0 00 00 00 48 89 c3 90 48 8b 6b 18 <66> 44 39 7d 00 0f 85 d1 00 00 00 48 8b 73 08 4c 89 ef e8 55 97 ff" \
 | sed 's/[<>]//g' | sed 's/ /, 0x/g'



gdb -q --pid $(pgrep vtund)
(gdb) pipe info target | grep -E ".text$"
0x55c1fbd0f7f0 - 0x55c1fbd19ba1 is .text
(gdb) find /b 0x55c1fbd0f7f0, 0x55c1fbd19ba1, 0x24, 0x10, 0xe8, 0x2f, 0x96, 0xff, 0xff, 0x85, 0xc0, 0x0f, 0x88, 0x0d, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x44, 0x24, 0x10, 0x48, 0x89, 0x44, 0x24, 0x08, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0xf0, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc3, 0x90, 0x48, 0x8b, 0x6b, 0x18, 0x66, 0x44, 0x39, 0x7d, 0x00, 0x0f, 0x85, 0xd1, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x73, 0x08, 0x4c, 0x89, 0xef, 0xe8, 0x55, 0x97, 0xff
0x55c1fbd15e0a
1 pattern found.
(gdb) b * (0x55c1fbd15e0a + 42)
Breakpoint 1 at 0x55c1fbd15e34: file ./netlib.c, line 156.
(gdb) info b
Num     Type           Disp Enb Address            What
1       breakpoint     keep y   0x55c1fbd15e34 in getifaddr at ./netlib.c:156
(gdb) disassemble /r 0x55c1fbd15e0a, 0x55c1fbd15e0a + 62
Dump of assembler code from 0x55c1fbd15e0a to 0x55c1fbd15e48:
   0x55c1fbd15e0a:   24 10               and    $0x10,%al
   0x55c1fbd15e0c:   e8 2f 96 ff ff      call   0x55c1fbd0f440
   0x55c1fbd15e11:   85 c0               test   %eax,%eax
   0x55c1fbd15e13:   0f 88 0d 01 00 00   js     0x55c1fbd15f26
   0x55c1fbd15e19:   48 8b 44 24 10      mov    0x10(%rsp),%rax
   0x55c1fbd15e1e:   48 89 44 24 08
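
The failure mode suspected in the message above, as an added example (not vtun's code and not a patch from this thread): getifaddrs(3) documents that ifa_addr may be a null pointer, so a list walk like the one at netlib.c line 156 has to test it before reading sa_family. The names lookup_ifaddr and demo_lookup are hypothetical, and the two-entry interface list is constructed for illustration.

```c
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical NULL-safe lookup over a getifaddrs(3)-style list: copies the
 * first address of family `af` on `ifname` into *addr. Returns 0 on success,
 * -1 if there is none. */
static int lookup_ifaddr(struct sockaddr_storage *addr, const struct ifaddrs *ifas,
                         const char *ifname, sa_family_t af)
{
    for (const struct ifaddrs *ifa = ifas; ifa; ifa = ifa->ifa_next) {
        if (ifa->ifa_addr == NULL)   /* entry without an address: skip it */
            continue;
        if (ifa->ifa_addr->sa_family != af || strcmp(ifname, ifa->ifa_name) != 0)
            continue;
        size_t len = (af == AF_INET6) ? sizeof(struct sockaddr_in6)
                                      : sizeof(struct sockaddr_in);
        memset(addr, 0, sizeof(*addr));
        memcpy(addr, ifa->ifa_addr, len);
        return 0;
    }
    return -1;
}

/* Constructed list: "tun0" with ifa_addr == NULL, then "lo" with 127.0.0.1.
 * Returns 1 if `ifname` resolves to loopback, 0 if it resolves to another
 * address, -1 if no AF_INET address is found for it. */
static int demo_lookup(const char *ifname)
{
    struct sockaddr_in lo_sa = { .sin_family = AF_INET };
    lo_sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    struct ifaddrs lo  = { .ifa_name = "lo", .ifa_addr = (struct sockaddr *)&lo_sa };
    struct ifaddrs tun = { .ifa_next = &lo, .ifa_name = "tun0", .ifa_addr = NULL };
    struct sockaddr_storage out;

    if (lookup_ifaddr(&out, &tun, ifname, AF_INET) != 0)
        return -1;
    return ((struct sockaddr_in *)&out)->sin_addr.s_addr == htonl(INADDR_LOOPBACK);
}

int main(void)
{
    /* prints "lo: 1, tun0: -1" */
    printf("lo: %d, tun0: %d\n", demo_lookup("lo"), demo_lookup("tun0"));
    return 0;
}
```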

Bug#1064613: vtun: Segmentation fault with default config

2024-02-24 Thread Lucas López
Package: vtun
Version: 3.0.4-2+b1
Severity: grave
Justification: renders package unusable
X-Debbugs-Cc: lucaslopez5...@gmail.com

Dear Maintainer,

I copied the example server file /usr/share/doc/vtun/examples/vtund-server.conf into
/etc/vtund.conf and enabled server mode in /etc/default/vtun. When I start the service
with systemctl I get the following error on the dmesg log:

[343358.769324] vtund[3002]: segfault at 0 ip 5572cac05e34 sp 7ffc9a47f610 error 4 in vtund[5572cabff000+b000] likely on CPU 0 (core 0, socket 0)
[343358.769342] Code: 24 10 e8 2f 96 ff ff 85 c0 0f 88 0d 01 00 00 48 8b 44 24 10 48 89 44 24 08 48 85 c0 0f 84 f0 00 00 00 48 89 c3 90 48 8b 6b 18 <66> 44 39 7d 00 0f 85 d1 00 00 00 48 8b 73 08 4c 89 ef e8 55 97 ff

I checked the config and the manual but I haven't been able to use the package due to the segfault.
BTW, the autogenerated systemd unit has the attributes RemainAfterExit=yes, SuccessExitStatus=5 6,
so even on failure the unit appears as "active (exited)". Hence it needs a "systemctl restart",
"systemctl start" won't do anything which is a bit counterintuitive.

Have a nice day.

-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-18-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages vtun depends on:
ii  libc6                      2.36-9+deb12u4
ii  liblzo2-2                  2.10-2
ii  libssl3                    3.0.11-1~deb12u2
ii  sysvinit-utils [lsb-base]  3.06-4
ii  udev                       252.22-1~deb12u1
ii  zlib1g                     1:1.2.13.dfsg-1

vtun recommends no packages.

vtun suggests no packages.

-- Configuration Files:
/etc/vtund.conf changed:
options {
  port 5000;                # Listen on this port.
  bindaddr { iface lo; };   # Listen only on loopback device.
  # Syslog facility
  syslog    daemon;
  # Path to various programs
  ppp       /usr/sbin/pppd;
  ifconfig  /sbin/ifconfig;
  route     /sbin/route;
  firewall  /sbin/ipchains;
  ip        /sbin/ip;
}
default {
  compress no;              # Compression is off by default
  speed 0;                  # By default maximum speed, NO shaping
}
cobra {
  passwd  Ma&^TU;           # Password
  type  tun;                # IP tunnel
  proto udp;                # UDP protocol
  compress  lzo:9;          # LZO compression level 9
  encrypt  yes;             # Encryption
  keepalive yes;            # Keep connection alive
  up {
    # Connection is Up
    # 10.3.0.1 - local, 10.3.0.2 - remote
    ifconfig "%% 10.3.0.1 pointopoint 10.3.0.2 mtu 1450";
  };
}
cobra {
  passwd  Ma&^TU;           # Password
  type  tun;                # IP tunnel
  proto udp;                # UDP protocol
  compress  lzo:9;          # LZO compression level 9
  encrypt  yes;             # Encryption
  keepalive yes;            # Keep connection alive
  up {
    # Connection is Up
    # 10.3.0.1 - local, 10.3.0.2 - remote
    ip "link set %% up multicast off mtu 1450";
    ip "-family inet addr add 10.3.0.1 peer 10.3.0.2 dev %%";
  };
}
lion {
  passwd  Ma&^TU;           # Password
  type  ether;              # Ethernet tunnel
  device tap0;              # Device tap0
  proto udp;                # UDP protocol
  compress  lzo:1;          # LZO compression level 1
  encrypt  yes;             # Encryption
  stat  yes;                # Log connection statistic
  keepalive yes;            # Keep connection alive
  up {
    # Connection is Up
    # Assign IP address
    ifconfig "%% 10.1.0.1 netmask 255.255.255.0";

    # Add route to net 10.2.0.0/24
    route "add -net 10.2.0.0 netmask 255.255.255.0 gw 10.1.0.2";
    # Enable masquerading for net 10.2.0.0.0/24
    firewall "-A forward -s 10.2.0.0/24 -d 0.0.0.0/0 -j MASQ";
  };
  down {
    # Connection is Down
    # Shutdown tap device.
    ifconfig "%% down";
    # Disable masquerading for net 10.2.0.0.0/24
    firewall "-D forward -s 10.2.0.0/24 -d 0.0.0.0/0 -j MASQ";
  };
}
viper {
  passwd  TTT$bio;          # Password
  compress  yes;            # ZLIB compression level 1
  encrypt  yes;             # Encryption
  up {
    # Connection is Up (established)
    # Assign IP addresses 10.0.0.1 - local, 10.0.0.2 - remote
    ppp "10.0.0.1:10.0.0.2 proxyarp";
  };
}
backup {
  passwd OnlyME;            # Password
  type pipe;                # Pipe tunnel
  speed 256:128;            # Shaping speed 256K IN and 128K OUT.
  encrypt yes;              # Encryption
  up {
    # Connection is Up
    # Start shell and tar '/etc' directory to
    # the stdout (pipe tunnel).
    program /bin/sh "-c 'tar cf - /etc/*'";
  };
}
sz {
  passwd  OnlyME;           # Password
  type  tty;                #