From: Anuj Chougule <anuj.choug...@kpit.com>

This is a possible fix to charon that crashed early due to invalid memory access.

Important frames from the backtrace:

8  0x00007f607246e160 in memcpy (__len=1704, __src=<optimized out>, __dest=<optimized out>) at /usr/include/bits/string_fortified.h:34
No locals.
9  memcpy_noop (n=1704, src=<optimized out>, dst=<optimized out>) at /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/utils/utils/memory.h:47
        n = 1704
        src = <optimized out>
        dst = <optimized out>
10 chunk_create_clone (ptr=<optimized out>, chunk=...) at /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/utils/chunk.c:48
        clone = <optimized out>
11 0x00007f606ebae810 in load_from_blob (blob=..., type=type@entry=CRED_PRIVATE_KEY, subtype=subtype@entry=1, subject=subject@entry=0x0, flags=flags@entry=X509_NONE) at /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c:399
        x = <optimized out>
        cred = 0x0
        pgp = false
12 0x00007f606ebaf0e4 in load_from_file (flags=X509_NONE, subject=0x0, subtype=1, type=CRED_PRIVATE_KEY, file=0x7f6069d21a20 "/var/opt/public/sps/sps_necema/data/public/IPsec/secureboot_on/IPsec-internal_key.pem") at /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c:452
        cred = <optimized out>
        chunk = 0x7f6054005430
13 pem_load (type=CRED_PRIVATE_KEY, subtype=1, args=<optimized out>) at /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c:498
        file = 0x7f6069d21a20 "/var/opt/public/sps/sps_necema/data/public/IPsec/secureboot_on/IPsec-internal_key.pem"
        pem = <optimized out>
        subject = 0x0
        flags = 0
The problem lies in frames 12 & 11.

(gdb) f 12
12 0x00007f606ebaf0e4 in load_from_file (flags=X509_NONE, subject=0x0, subtype=1, type=CRED_PRIVATE_KEY, file=0x7f6069d21a20 "/var/opt/public/sps/sps_necema/data/public/IPsec/secureboot_on/IPsec-internal_key.pem") at /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c:452
452 in /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c
(gdb) info locals
cred = <optimized out>
chunk = 0x7f6054005430
(gdb) print *chunk
$21 = {ptr = 0x7f60728b7000 <error: Cannot access memory at address 0x7f60728b7000>, len = 1704}
(gdb) f 11
11 0x00007f606ebae810 in load_from_blob (blob=..., type=type@entry=CRED_PRIVATE_KEY, subtype=subtype@entry=1, subject=subject@entry=0x0, flags=flags@entry=X509_NONE) at /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c:399
399 in /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c
(gdb) info args
blob = {ptr = 0x7f60728b7000 <error: Cannot access memory at address 0x7f60728b7000>, len = 140052215328768}
type = CRED_PRIVATE_KEY
subtype = 1
subject = 0x0
flags = X509_NONE
(gdb) print blob
$22 = {ptr = 0x7f60728b7000 <error: Cannot access memory at address 0x7f60728b7000>, len = 140052215328768}

Source code snippet:

static void *load_from_file(char *file, credential_type_t type, int subtype,
                            identification_t *subject, x509_flag_t flags)
{
    void *cred;
    chunk_t *chunk;

    chunk = chunk_map(file, FALSE);
    if (!chunk)
    {
        DBG1(DBG_LIB, "  opening '%s' failed: %s", file, strerror(errno));
        return NULL;
    }
    cred = load_from_blob(*chunk, type, subtype, subject, flags);
    chunk_unmap(chunk);
    return cred;
}

The local variable chunk is an uninitialised pointer in load_from_file() (frame 12 above), which is expected to get initialised through chunk_map() & then passed to load_from_blob() as a parameter.
But somehow the chunk pointer has not been initialised & was passed as is to load_from_blob() in frame 11 above. As this contains a garbage address, when load_from_blob() tried cloning the memory region through chunk_clone() -> chunk_create_clone() -> memcpy() -> memcpy_noop(), it crashed with SIGBUS (frames 10, 9, 8). It could also be that chunk_map() has a bug which does not memmap() the full or correct areas.

Upstream-Status: Pending

Tested By: Anuj Chougule <anuj.choug...@kpit.com>
Signed-off-by: Anuj Chougule <anuj.choug...@kpit.com>
Signed-off-by: Saloni Jain <saloni.j...@kpit.com>
---
 .../strongswan/files/fix-charon-crash.patch | 23 ++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 recipes-support/strongswan/files/fix-charon-crash.patch

diff --git a/recipes-support/strongswan/files/fix-charon-crash.patch b/recipes-support/strongswan/files/fix-charon-crash.patch
new file mode 100644
index 0000000..95e71a2
--- /dev/null
+++ b/recipes-support/strongswan/files/fix-charon-crash.patch
@@ -0,0 +1,23 @@ +strongswan: avoid charon crash + +Variable chunk is an uninitialised pointer,which +is expected to get initialised through method chunk_map() +& then passed to load_from_blob() as a parameter. +But somehow, if the chunk pointer did not get initialised & gets +passed as it is to load_from_blob(), it may lead crash as this +contains a garbage address. + +Signed-off-by: Anuj Chougule <anuj.choug...@kpit.com> +Upstream-Status: Pending + +--- a/src/libstrongswan/plugins/pem/pem_builder.c ++++ b/src/libstrongswan/plugins/pem/pem_builder.c +@@ -441,7 +441,7 @@ static void *load_from_file(char *file, credential_type_t type, int subtype, + identification_t *subject, x509_flag_t flags) + { + void *cred; +- chunk_t *chunk; ++ chunk_t *chunk = NULL; + + chunk = chunk_map(file, FALSE); + if (!chunk) -- 2.7.4
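Review bot: the `chunk_t *chunk = NULL;` initialiser in the nested hunk is dead code, because the very next statement `chunk = chunk_map(file, FALSE);` overwrites it unconditionally and the existing `if (!chunk)` already handles a NULL return, so this patch cannot change charon's behaviour and should not be carried in the recipe as a fix. The gdb output quoted above also contradicts the uninitialised-pointer theory: in frame 12 `chunk` is 0x7f6054005430 and `*chunk` reads {ptr = 0x7f60728b7000, len = 1704}, and memcpy in frame 8 was entered with __len=1704, so the chunk_t was populated by chunk_map(); the len of 140052215328768 printed for `blob` in frame 11 is 0x7f60728b7000, the same number as ptr, which is gdb misrendering the by-value chunk_t in a frame whose arguments are partly optimised out, not evidence of corruption. What gdb cannot read is the mapped file data at ptr, and a SIGBUS raised inside memcpy while copying a file-backed mapping is the symptom of the mapping outliving the file contents behind it (file shorter than the mapping or truncated/rewritten after chunk_map() mapped it), which is the second cause the cover letter itself raises; suggest dropping this hunk and checking the size and modification time of IPsec-internal_key.pem at crash time and whether anything rewrites it while charon starts. Minor: the nested commit message has no blank line between subject and body, and "it may lead crash" should read "it may lead to a crash".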
--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
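The second cause raised in the cover letter (chunk_map() mapping a file whose contents do not back the whole mapping) can be reproduced in isolation. This is an added example, not strongSwan code: it maps a constructed temp file, truncates the file behind the mapping, and shows that memcpy() then faults with SIGBUS even though the pointer and length are exactly what mmap() returned, the same shape as frames 12 and 8 above. The function name and temp path are assumptions for the demo.

```c
/* Added example (not strongSwan code): SIGBUS from a file-backed mapping whose
 * backing file was truncated after mmap(), caught with siglongjmp() so the
 * fault becomes a return value instead of killing the process. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_seen;
static volatile unsigned long sink;  /* keeps the copy from being optimised away */

static void on_sigbus(int sig)
{
    (void)sig;
    fault_seen = 1;
    siglongjmp(fault_env, 1);
}

/* Creates a `len`-byte temp file (constructed input), maps it read-only,
 * optionally truncates the file to zero behind the mapping, then copies the
 * mapping into a heap buffer the way chunk_clone() would.
 * Returns 1 if memcpy() faulted, 0 if it completed, -1 on setup failure. */
int copy_from_mapping(size_t len, int truncate_after_map)
{
    char path[] = "/tmp/mapdemoXXXXXX";  /* hypothetical temp path */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (ftruncate(fd, (off_t)len) != 0) { close(fd); return -1; }
    unlink(path);                        /* name no longer needed */
    unsigned char *map = mmap(NULL, len, PROT_READ, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { close(fd); return -1; }
    if (truncate_after_map && ftruncate(fd, 0) != 0) { munmap(map, len); close(fd); return -1; }
    unsigned char *buf = malloc(len);
    if (!buf) { munmap(map, len); close(fd); return -1; }

    struct sigaction sa, old;
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_sigbus;
    sigaction(SIGBUS, &sa, &old);
    fault_seen = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        memcpy(buf, map, len);           /* faults if the pages lost their backing */
        sink += buf[0] + buf[len - 1];
    }
    sigaction(SIGBUS, &old, NULL);
    free(buf); munmap(map, len); close(fd);
    return fault_seen;
}
```

Against an intact file the copy completes; once the file is truncated behind the mapping, the first page touched by memcpy() raises SIGBUS with ptr and len unchanged, which is why the values in frame 12 alone cannot distinguish the two theories.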