(do not try this at home)

Something in the current set of updates for Fedora 28 is causing pluto to run out of memory - on testing.libreswan.org, and after a suspicious pause, mprotect() failed with ENOMEM - having upgraded a local VM, I'm now seeing it locally - but killed by OOM.

Given the list of things upgraded and the backtrace, my prime suspect is nss :-) See below.
--

If you really want to try this at home; then this is a sketch for what to do to downgrade:

  $ make kvm-uninstall # deletes all domains bar clone
  $ make kvmsh-clone # domain won't actually print 'clone#'
  clone# dnf downgrade nss # or dnf upgrade nss
  clone# poweroff
  $ make kvm-install
  ...

--

Installed:
  openssl-pkcs11.x86_64 0.4.8-2.fc28

Upgraded:
  cpp.x86_64 8.2.1-5.fc28
  elfutils.x86_64 0.174-5.fc28
  elfutils-libelf.x86_64 0.174-5.fc28
  elfutils-libelf-devel.x86_64 0.174-5.fc28
  elfutils-libs.x86_64 0.174-5.fc28
  gcc.x86_64 8.2.1-5.fc28
  gcc-gdb-plugin.x86_64 8.2.1-5.fc28
  git.x86_64 2.17.2-2.fc28
  git-core.x86_64 2.17.2-2.fc28
  git-core-doc.noarch 2.17.2-2.fc28
  glibc.x86_64 2.27-35.fc28
  glibc-all-langpacks.x86_64 2.27-35.fc28
  glibc-common.x86_64 2.27-35.fc28
  glibc-devel.x86_64 2.27-35.fc28
  glibc-headers.x86_64 2.27-35.fc28
  libcurl.x86_64 7.59.0-9.fc28
  libcurl-devel.x86_64 7.59.0-9.fc28
  libgcc.x86_64 8.2.1-5.fc28
  libgomp.x86_64 8.2.1-5.fc28
  libssh.x86_64 0.8.5-1.fc28
  nsd.x86_64 4.1.24-2.fc28
  nss.x86_64 3.40.1-1.0.fc28
  nss-devel.x86_64 3.40.1-1.0.fc28
  nss-softokn.x86_64 3.40.1-1.0.fc28
  nss-softokn-devel.x86_64 3.40.1-1.0.fc28
  nss-softokn-freebl.x86_64 3.40.1-1.0.fc28
  nss-softokn-freebl-devel.x86_64 3.40.1-1.0.fc28
  nss-sysinit.x86_64 3.40.1-1.0.fc28
  nss-tools.x86_64 3.40.1-1.0.fc28
  nss-util.x86_64 3.40.1-1.0.fc28
  nss-util-devel.x86_64 3.40.1-1.0.fc28
  openssl.x86_64 1:1.1.0i-1.fc28
  openssl-devel.x86_64 1:1.1.0i-1.fc28
  openssl-libs.x86_64 1:1.1.0i-1.fc28
  pam.x86_64 1.3.1-8.fc28
  pam-devel.x86_64 1.3.1-8.fc28
  perl-Git.noarch 2.17.2-2.fc28
  valgrind.x86_64 1:3.14.0-1.fc28
  vim-common.x86_64 2:8.1.549-1.fc28
  vim-enhanced.x86_64 2:8.1.549-1.fc28
  vim-minimal.x86_64 2:8.1.549-1.fc28

and here's a stack dump:

(gdb) print errno
$3 = 12
(gdb) print strerror(errno)
$4 = 0x7ffff4dbc9ce "Cannot allocate memory"
(gdb) bt
#0  mprotectFailed () at page.c:144
#1  0x00007ffff4ffd4d9 in Page_AllowAccess (address=address@entry=0x7fffde264000, size=<optimized out>) at page.c:151
#2  0x00007ffff4ffcffb in memalign (alignment=<optimized out>, userSize=<optimized out>) at efence.c:662
#3  0x00007ffff4ffd394 in calloc (nelem=<optimized out>, elsize=<optimized out>) at efence.c:965
#4  0x00007fffec9494fc in _asn1_copy_structure3 () from /lib64/libtasn1.so.6
#5  0x00007fffec946819 in _asn1_append_sequence_set () from /lib64/libtasn1.so.6
#6  0x00007fffec945ac9 in asn1_der_decoding2 () from /lib64/libtasn1.so.6
#7  0x00007fffec945ddb in asn1_der_decoding () from /lib64/libtasn1.so.6
#8  0x00007fffecb6c7c8 in p11_asn1_decode () from /usr/lib64/pkcs11/p11-kit-trust.so
#9  0x00007fffecb5c864 in decode_or_get_asn1.isra () from /usr/lib64/pkcs11/p11-kit-trust.so
#10 0x00007fffecb5d596 in certificate_populate () from /usr/lib64/pkcs11/p11-kit-trust.so
#11 0x00007fffecb5c293 in build_for_schema () from /usr/lib64/pkcs11/p11-kit-trust.so
#12 0x00007fffecb5f24d in p11_builder_build () from /usr/lib64/pkcs11/p11-kit-trust.so
#13 0x00007fffecb61c58 in index_build () from /usr/lib64/pkcs11/p11-kit-trust.so
#14 0x00007fffecb62a35 in p11_index_take () from /usr/lib64/pkcs11/p11-kit-trust.so
#15 0x00007fffecb63066 in index_replacev () from /usr/lib64/pkcs11/p11-kit-trust.so
#16 0x00007fffecb63368 in p11_index_replace_all () from /usr/lib64/pkcs11/p11-kit-trust.so
#17 0x00007fffecb6af25 in loader_load_file () from /usr/lib64/pkcs11/p11-kit-trust.so
#18 0x00007fffecb6b04e in loader_load_if_file () from /usr/lib64/pkcs11/p11-kit-trust.so
#19 0x00007fffecb6b1c1 in loader_load_path () from /usr/lib64/pkcs11/p11-kit-trust.so
#20 0x00007fffecb6bbd0 in p11_token_load () from /usr/lib64/pkcs11/p11-kit-trust.so
#21 0x00007fffecb66d55 in sys_C_FindObjectsInit () from /usr/lib64/pkcs11/p11-kit-trust.so
#22 0x00007fffecfc2dc6 in proxy_C_FindObjectsInit () from /lib64/p11-kit-proxy.so
#23 0x00007fffecfebe68 in binding_C_FindObjectsInit () from /lib64/p11-kit-proxy.so
#24 0x00007fffecd92e35 in ffi_closure_unix64_inner () from /lib64/libffi.so.6
#25 0x00007fffecd931a6 in ffi_closure_unix64 () from /lib64/libffi.so.6
#26 0x00007ffff6b05e11 in pk11_FindObjectByTemplate (slot=slot@entry=0x7fffec74dca0, theTemplate=theTemplate@entry=0x7fffffffe3d0, tsize=tsize@entry=1) at pk11obj.c:1799
#27 0x00007ffff6b13fb7 in pk11_isRootSlot (slot=0x7fffec74dca0) at pk11slot.c:1416
#28 PK11_InitSlot (mod=mod@entry=0x7fffed314e20, slotID=<optimized out>, slot=0x7fffec74dca0) at pk11slot.c:1481
#29 0x00007ffff6afbbaf in secmod_LoadPKCS11Module (mod=mod@entry=0x7fffed314e20, oldModule=oldModule@entry=0x7fffffffe580) at pk11load.c:563
#30 0x00007ffff6b08f7d in SECMOD_LoadModule (modulespec=0x7fffed341fd0 "name=\"p11-kit-proxy\" library=\"p11-kit-proxy.so\"", parent=0x7fffed30ee20, recurse=1) at pk11pars.c:1826
#31 0x00007ffff6b090b8 in SECMOD_LoadModule (modulespec=modulespec@entry=0x7ffff6ba7df0 "name=\"Policy File\" parameters=\"configdir='sql:/etc/crypto-policies/back-ends' secmod='nss.config' flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOn"..., parent=parent@entry=0x7fffef10ae20, recurse=recurse@entry=1) at pk11pars.c:1862
#32 0x00007ffff6ad42bd in nss_Init (configdir=configdir@entry=0x7fffeef06fe8 "sql:/etc/ipsec.d", certPrefix=certPrefix@entry=0x555555684496 "", keyPrefix=keyPrefix@entry=0x555555684496 "", secmodName=secmodName@entry=0x555555682aed "secmod.db", updateDir=updateDir@entry=0x7ffff6ba82cd "", updCertPrefix=updCertPrefix@entry=0x7ffff6ba82cd "", updKeyPrefix=<optimized out>, updateID=<optimized out>, updateName=<optimized out>, initContextPtr=<optimized out>, initParams=<optimized out>, readOnly=<optimized out>, noCertDB=<optimized out>, noModDB=<optimized out>, forceOpen=<optimized out>, noRootInit=<optimized out>, optimizeSpace=<optimized out>, noSingleThreadedModules=<optimized out>, allowAlreadyInitializedModules=<optimized out>, dontFinalizeModules=<optimized out>) at nssinit.c:712
#33 0x00007ffff6ad4786 in NSS_Initialize (configdir=configdir@entry=0x7fffeef06fe8 "sql:/etc/ipsec.d", certPrefix=certPrefix@entry=0x555555684496 "", keyPrefix=keyPrefix@entry=0x555555684496 "", secmodName=secmodName@entry=0x555555682aed "secmod.db", flags=<optimized out>) at nssinit.c:889
#34 0x0000555555616659 in lsw_nss_setup (configdir=<optimized out>, setup_flags=<optimized out>, get_password=0x555555616b20 <lsw_nss_get_password>, err=0x7fffffffe8b0 "\353\362\206%") at /source/lib/libswan/lswnss.c:58
#35 0x000055555557468c in pluto_init_nss (nssdir=0x7fffef21cfe8 "/etc/ipsec.d") at /source/programs/pluto/plutomain.c:406
#36 main (argc=5, argv=<optimized out>) at /source/programs/pluto/plutomain.c:1592

and running 'dnf downgrade nss' made the problem go away:

Running transaction
  Preparing        :                                       1/1
  Downgrading      : nss-sysinit-3.36.0-1.0.fc28.x86_64    1/8
  Downgrading      : nss-3.36.0-1.0.fc28.x86_64            2/8
  Running scriptlet: nss-3.36.0-1.0.fc28.x86_64            2/8
  Downgrading      : nss-tools-3.36.0-1.0.fc28.x86_64      3/8
  Downgrading      : nss-devel-3.36.0-1.0.fc28.x86_64      4/8
  Erasing          : nss-tools-3.40.1-1.0.fc28.x86_64      5/8
  Erasing          : nss-devel-3.40.1-1.0.fc28.x86_64      6/8
  Erasing          : nss-3.40.1-1.0.fc28.x86_64            7/8
  Running scriptlet: nss-3.40.1-1.0.fc28.x86_64            7/8
Setting system policy to LEGACY
  Erasing          : nss-sysinit-3.40.1-1.0.fc28.x86_64    8/8
  Running scriptlet: nss-sysinit-3.40.1-1.0.fc28.x86_64    8/8
  Verifying        : nss-3.36.0-1.0.fc28.x86_64            1/8
  Verifying        : nss-tools-3.36.0-1.0.fc28.x86_64      2/8
  Verifying        : nss-devel-3.36.0-1.0.fc28.x86_64      3/8
  Verifying        : nss-sysinit-3.36.0-1.0.fc28.x86_64    4/8
  Verifying        : nss-devel-3.40.1-1.0.fc28.x86_64      5/8
  Verifying        : nss-tools-3.40.1-1.0.fc28.x86_64      6/8
  Verifying        : nss-sysinit-3.40.1-1.0.fc28.x86_64    7/8
  Verifying        : nss-3.40.1-1.0.fc28.x86_64

_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev