Re: openvpn-2.3.8p1 segv in libcrypto BN_bn2dec on OpenBSD/i386 current Sep 16, 2015
> CC'ing tech@. > > The last commit to bn_print.c is wrong, it dereferences t while it's still > NULL. > > Backout diff below. Argh, sorry about that. This is how it should have been done (diff against 1.25) Index: bn_print.c === RCS file: /OpenBSD/src/lib/libssl/src/crypto/bn/bn_print.c,v retrieving revision 1.25 diff -u -p -r1.25 bn_print.c --- bn_print.c 13 Sep 2015 16:02:11 - 1.25 +++ bn_print.c 18 Sep 2015 09:06:42 - @@ -114,14 +114,14 @@ BN_bn2dec(const BIGNUM *a) BIGNUM *t = NULL; BN_ULONG *bn_data = NULL, *lp; - if (BN_is_zero(t)) { - buf = malloc(BN_is_negative(t) + 2); + if (BN_is_zero(a)) { + buf = malloc(BN_is_negative(a) + 2); if (buf == NULL) { BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE); goto err; } p = buf; - if (BN_is_negative(t)) + if (BN_is_negative(a)) *(p++) = '-'; *(p++) = '0'; *(p++) = '\0';
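Review bot: the zero-value branch at the top of BN_bn2dec() (the `if (BN_is_zero(a))` test and the two `BN_is_negative(a)` uses) has no regress coverage in this diff, and that is how revision 1.25 got in: its `BN_is_zero(t)` ran on every call while `t` was still initialised to NULL. Please add a small regress test alongside the fix that calls BN_bn2dec() on a zero and on a non-zero BIGNUM and checks the returned strings. It is also worth confirming that the "-0" this branch emits for a zero value with the negative flag set is the intended output.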
Re: openvpn-2.3.8p1 segv in libcrypto BN_bn2dec on OpenBSD/i386 current Sep 16, 2015
I think this is the right thing to do for now. ok bcook@

On Thu, Sep 17, 2015 at 5:19 PM, Stuart Henderson wrote:
> CC'ing tech@.
>
> The last commit to bn_print.c is wrong, it dereferences t while it's still
> NULL.
>
> Backout diff below.
>
>
> On 2015/09/17 22:42, Mikolaj Kucharski wrote:
>> Hi,
>>
>> Does anyone see this as well? I've just upgraded to:
>>
>> OpenBSD 5.8-current (GENERIC) #1164: Wed Sep 16 21:16:53 MDT 2015
>> dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
>>
>> and to openvpn-2.3.8 from packages but it segfaulted during connecting
>> by remote client. Then I've recompiled by hand with DEBUG='-g' from
>> ports and now running openvpn-2.3.8p1, but facing the same issue.
>>
>> To be able to get core dump, needed to run openvpn as root, but the same
>> segfault happens when openvpn drops privileges.
>>
>> Before that I was running snapshot from Aug 13 with packages and I
>> didn't have that problem.
>>
>> Let me know if you need any more info.
>>
>>
>> # /usr/local/sbin/openvpn --cd /etc/openvpn --config server.conf --mtu-test
>> Thu Sep 17 22:16:17 2015 OpenVPN 2.3.8 i386-unknown-openbsd5.8 [SSL
>> (OpenSSL)] [LZO] [MH] [IPv6] built on Sep 17 2015
>> Thu Sep 17 22:16:17 2015 library versions: LibreSSL 2.3.0, LZO 2.09
>> Thu Sep 17 22:16:17 2015 mlockall call succeeded
>> Thu Sep 17 22:16:17 2015 WARNING: you are using chroot without specifying
>> user and group -- this may cause the chroot jail to be insecure
>> Thu Sep 17 22:16:22 2015 Diffie-Hellman initialized with 4096 bit key
>> Thu Sep 17 22:16:22 2015 Control Channel Authentication: using
>> 'certs/hmac.key' as a OpenVPN static key file
>> Thu Sep 17 22:16:22 2015 Outgoing Control Channel Authentication: Using 512
>> bit message hash 'SHA512' for HMAC authentication
>> Thu Sep 17 22:16:22 2015 Incoming Control Channel Authentication: Using 512
>> bit message hash 'SHA512' for HMAC authentication
>> Thu Sep 17 22:16:22 2015 Socket Buffers: R=[41600->65536] S=[9216->65536]
>> Thu Sep 17 22:16:22 2015 TUN/TAP device tun2 exists previously, keep at
>> program end
>> Thu Sep 17 22:16:22 2015 TUN/TAP device /dev/tun2 opened
>> Thu Sep 17 22:16:22 2015 do_ifconfig, tt->ipv6=1,
>> tt->did_ifconfig_ipv6_setup=1
>> Thu Sep 17 22:16:22 2015 /sbin/ifconfig tun2 192.168.202.1 192.168.202.1 mtu
>> 1500 netmask 255.255.255.0 up -link0
>> Thu Sep 17 22:16:22 2015 /sbin/ifconfig tun2 inet6
>> 2001:::::::1/64
>> Thu Sep 17 22:16:22 2015
>> add_route_ipv6(2001:::::::/64 ->
>> 2001:::::::1 metric 0) dev tun2
>> Thu Sep 17 22:16:22 2015 /sbin/route add -inet6
>> 2001::::::: -prefixlen 64
>> 2001:::::::1
>> route: writing to routing socket: File exists
>> add net 2001:::::::: gateway
>> 2001:::::::1: File exists
>> Thu Sep 17 22:16:22 2015 ERROR: OpenBSD route add -inet6 command failed:
>> external program exited with error status: 1
>> Thu Sep 17 22:16:22 2015 /sbin/route add -net 192.168.202.0 192.168.202.1
>> -netmask 255.255.255.0
>> add net 192.168.202.0: gateway 192.168.202.1
>> Thu Sep 17 22:16:22 2015 chroot to '/var/openvpn' and cd to '/' succeeded
>> Thu Sep 17 22:16:22 2015 UDPv4 link local (bound): [undef]
>> Thu Sep 17 22:16:22 2015 UDPv4 link remote: [undef]
>> Thu Sep 17 22:16:22 2015 MULTI: multi_init called, r=256 v=256
>> Thu Sep 17 22:16:22 2015 IFCONFIG POOL IPv6: (IPv4) size=252,
>> size_ipv6=65536, netbits=64,
>> base_ipv6=2001:::::::1000
>> Thu Sep 17 22:16:22 2015 IFCONFIG POOL: base=192.168.202.2 size=252, ipv6=1
>> Thu Sep 17 22:16:22 2015 Initialization Sequence Completed
>> Thu Sep 17 22:16:32 2015 83.xxx.xxx.xxx:48100 TLS: Initial packet from
>> [AF_INET]83.xxx.xxx.xxx:48100, sid=41b68ea4 12015b6e
>> Segmentation fault (core dumped)
>>
>>
>>
>> (gdb) bt
>> #0 BN_bn2dec (a=0x805e8460) at
>> /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bn/bn_print.c:117
>> #1 0x179a2aa0 in backend_x509_get_serial (cert=0x8308b500, gc=0xcf7d0320)
>> at
>> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify_openssl.c:229
>> #2 0x179a0345 in verify_cert_set_env (x509_track=,
>> common_name=, subject=, cert_depth=> out>, peer_cert=, es=0x78d2d230) at
>> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify.c:438
>> #3 verify_cert (session=0x8130a6bc, cert=0x8308b500, cert_depth=0) at
>> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify.c:665
>> #4 0x179a2d26 in verify_callback (preverify_ok=1, ctx=0xcf7d05d4) at
>> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify_openssl.c:84
>> #5 0x05aebfcf in internal_verify (ctx=0xcf7d05d4) at
>> /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/x509/x509_vfy.c:1612
>> #6 0x05aed6b2 in X509_verify_cert (ctx=0xcf7d05d4) at
>> /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/x509/x509_vf
Re: openvpn-2.3.8p1 segv in libcrypto BN_bn2dec on OpenBSD/i386 current Sep 16, 2015
Hi,

On Thu, Sep 17, 2015 at 11:19:59PM +0100, Stuart Henderson wrote:
> CC'ing tech@.
>
> The last commit to bn_print.c is wrong, it dereferences t while it's still
> NULL.
>
> Backout diff below.

Thanks Stuart, recompiling libcrypto with your diff fixed the problem.
OpenVPN doesn't crash any more. Thanks.

--
best regards
q#
Re: openvpn-2.3.8p1 segv in libcrypto BN_bn2dec on OpenBSD/i386 current Sep 16, 2015
CC'ing tech@.

The last commit to bn_print.c is wrong, it dereferences t while it's still
NULL.

Backout diff below.

On 2015/09/17 22:42, Mikolaj Kucharski wrote:
> Hi,
>
> Does anyone see this as well? I've just upgraded to:
>
> OpenBSD 5.8-current (GENERIC) #1164: Wed Sep 16 21:16:53 MDT 2015
> dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
>
> and to openvpn-2.3.8 from packages but it segfaulted during connecting
> by remote client. Then I've recompiled by hand with DEBUG='-g' from
> ports and now running openvpn-2.3.8p1, but facing the same issue.
>
> To be able to get core dump, needed to run openvpn as root, but the same
> segfault happens when openvpn drops privileges.
>
> Before that I was running snapshot from Aug 13 with packages and I
> didn't have that problem.
>
> Let me know if you need any more info.
>
>
> # /usr/local/sbin/openvpn --cd /etc/openvpn --config server.conf --mtu-test
> Thu Sep 17 22:16:17 2015 OpenVPN 2.3.8 i386-unknown-openbsd5.8 [SSL
> (OpenSSL)] [LZO] [MH] [IPv6] built on Sep 17 2015
> Thu Sep 17 22:16:17 2015 library versions: LibreSSL 2.3.0, LZO 2.09
> Thu Sep 17 22:16:17 2015 mlockall call succeeded
> Thu Sep 17 22:16:17 2015 WARNING: you are using chroot without specifying
> user and group -- this may cause the chroot jail to be insecure
> Thu Sep 17 22:16:22 2015 Diffie-Hellman initialized with 4096 bit key
> Thu Sep 17 22:16:22 2015 Control Channel Authentication: using
> 'certs/hmac.key' as a OpenVPN static key file
> Thu Sep 17 22:16:22 2015 Outgoing Control Channel Authentication: Using 512
> bit message hash 'SHA512' for HMAC authentication
> Thu Sep 17 22:16:22 2015 Incoming Control Channel Authentication: Using 512
> bit message hash 'SHA512' for HMAC authentication
> Thu Sep 17 22:16:22 2015 Socket Buffers: R=[41600->65536] S=[9216->65536]
> Thu Sep 17 22:16:22 2015 TUN/TAP device tun2 exists previously, keep at
> program end
> Thu Sep 17 22:16:22 2015 TUN/TAP device /dev/tun2 opened
> Thu Sep 17 22:16:22 2015 do_ifconfig, tt->ipv6=1,
> tt->did_ifconfig_ipv6_setup=1
> Thu Sep 17 22:16:22 2015 /sbin/ifconfig tun2 192.168.202.1 192.168.202.1 mtu
> 1500 netmask 255.255.255.0 up -link0
> Thu Sep 17 22:16:22 2015 /sbin/ifconfig tun2 inet6
> 2001:::::::1/64
> Thu Sep 17 22:16:22 2015
> add_route_ipv6(2001:::::::/64 ->
> 2001:::::::1 metric 0) dev tun2
> Thu Sep 17 22:16:22 2015 /sbin/route add -inet6
> 2001::::::: -prefixlen 64
> 2001:::::::1
> route: writing to routing socket: File exists
> add net 2001:::::::: gateway
> 2001:::::::1: File exists
> Thu Sep 17 22:16:22 2015 ERROR: OpenBSD route add -inet6 command failed:
> external program exited with error status: 1
> Thu Sep 17 22:16:22 2015 /sbin/route add -net 192.168.202.0 192.168.202.1
> -netmask 255.255.255.0
> add net 192.168.202.0: gateway 192.168.202.1
> Thu Sep 17 22:16:22 2015 chroot to '/var/openvpn' and cd to '/' succeeded
> Thu Sep 17 22:16:22 2015 UDPv4 link local (bound): [undef]
> Thu Sep 17 22:16:22 2015 UDPv4 link remote: [undef]
> Thu Sep 17 22:16:22 2015 MULTI: multi_init called, r=256 v=256
> Thu Sep 17 22:16:22 2015 IFCONFIG POOL IPv6: (IPv4) size=252,
> size_ipv6=65536, netbits=64, base_ipv6=2001:::::::1000
> Thu Sep 17 22:16:22 2015 IFCONFIG POOL: base=192.168.202.2 size=252, ipv6=1
> Thu Sep 17 22:16:22 2015 Initialization Sequence Completed
> Thu Sep 17 22:16:32 2015 83.xxx.xxx.xxx:48100 TLS: Initial packet from
> [AF_INET]83.xxx.xxx.xxx:48100, sid=41b68ea4 12015b6e
> Segmentation fault (core dumped)
>
>
>
> (gdb) bt
> #0 BN_bn2dec (a=0x805e8460) at
> /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bn/bn_print.c:117
> #1 0x179a2aa0 in backend_x509_get_serial (cert=0x8308b500, gc=0xcf7d0320) at
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify_openssl.c:229
> #2 0x179a0345 in verify_cert_set_env (x509_track=,
> common_name=, subject=, cert_depth= out>, peer_cert=, es=0x78d2d230) at
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify.c:438
> #3 verify_cert (session=0x8130a6bc, cert=0x8308b500, cert_depth=0) at
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify.c:665
> #4 0x179a2d26 in verify_callback (preverify_ok=1, ctx=0xcf7d05d4) at
> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify_openssl.c:84
> #5 0x05aebfcf in internal_verify (ctx=0xcf7d05d4) at
> /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/x509/x509_vfy.c:1612
> #6 0x05aed6b2 in X509_verify_cert (ctx=0xcf7d05d4) at
> /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/x509/x509_vfy.c:374
> #7 0x092eab0a in ssl_verify_cert_chain (s=0x87394000, sk=0x847b88c0) at
> /usr/src/lib/libssl/ssl/../../libssl/src/ssl/ssl_cert.c:452
> #8 0x092e57d4 in ssl3_get_client_certificate (s=0x87394000) at
> /
openvpn-2.3.8p1 segv in libcrypto BN_bn2dec on OpenBSD/i386 current Sep 16, 2015
Hi,

Does anyone see this as well? I've just upgraded to:

OpenBSD 5.8-current (GENERIC) #1164: Wed Sep 16 21:16:53 MDT 2015
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC

and to openvpn-2.3.8 from packages but it segfaulted during connecting
by remote client. Then I've recompiled by hand with DEBUG='-g' from
ports and now running openvpn-2.3.8p1, but facing the same issue.

To be able to get core dump, needed to run openvpn as root, but the same
segfault happens when openvpn drops privileges.

Before that I was running snapshot from Aug 13 with packages and I
didn't have that problem.

Let me know if you need any more info.

# /usr/local/sbin/openvpn --cd /etc/openvpn --config server.conf --mtu-test
Thu Sep 17 22:16:17 2015 OpenVPN 2.3.8 i386-unknown-openbsd5.8 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Sep 17 2015
Thu Sep 17 22:16:17 2015 library versions: LibreSSL 2.3.0, LZO 2.09
Thu Sep 17 22:16:17 2015 mlockall call succeeded
Thu Sep 17 22:16:17 2015 WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure
Thu Sep 17 22:16:22 2015 Diffie-Hellman initialized with 4096 bit key
Thu Sep 17 22:16:22 2015 Control Channel Authentication: using 'certs/hmac.key' as a OpenVPN static key file
Thu Sep 17 22:16:22 2015 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Sep 17 22:16:22 2015 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Sep 17 22:16:22 2015 Socket Buffers: R=[41600->65536] S=[9216->65536]
Thu Sep 17 22:16:22 2015 TUN/TAP device tun2 exists previously, keep at program end
Thu Sep 17 22:16:22 2015 TUN/TAP device /dev/tun2 opened
Thu Sep 17 22:16:22 2015 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
Thu Sep 17 22:16:22 2015 /sbin/ifconfig tun2 192.168.202.1 192.168.202.1 mtu 1500 netmask 255.255.255.0 up -link0
Thu Sep 17 22:16:22 2015 /sbin/ifconfig tun2 inet6 2001:::::::1/64
Thu Sep 17 22:16:22 2015 add_route_ipv6(2001:::::::/64 -> 2001:::::::1 metric 0) dev tun2
Thu Sep 17 22:16:22 2015 /sbin/route add -inet6 2001::::::: -prefixlen 64 2001:::::::1
route: writing to routing socket: File exists
add net 2001:::::::: gateway 2001:::::::1: File exists
Thu Sep 17 22:16:22 2015 ERROR: OpenBSD route add -inet6 command failed: external program exited with error status: 1
Thu Sep 17 22:16:22 2015 /sbin/route add -net 192.168.202.0 192.168.202.1 -netmask 255.255.255.0
add net 192.168.202.0: gateway 192.168.202.1
Thu Sep 17 22:16:22 2015 chroot to '/var/openvpn' and cd to '/' succeeded
Thu Sep 17 22:16:22 2015 UDPv4 link local (bound): [undef]
Thu Sep 17 22:16:22 2015 UDPv4 link remote: [undef]
Thu Sep 17 22:16:22 2015 MULTI: multi_init called, r=256 v=256
Thu Sep 17 22:16:22 2015 IFCONFIG POOL IPv6: (IPv4) size=252, size_ipv6=65536, netbits=64, base_ipv6=2001:::::::1000
Thu Sep 17 22:16:22 2015 IFCONFIG POOL: base=192.168.202.2 size=252, ipv6=1
Thu Sep 17 22:16:22 2015 Initialization Sequence Completed
Thu Sep 17 22:16:32 2015 83.xxx.xxx.xxx:48100 TLS: Initial packet from [AF_INET]83.xxx.xxx.xxx:48100, sid=41b68ea4 12015b6e
Segmentation fault (core dumped)

(gdb) bt
#0 BN_bn2dec (a=0x805e8460) at /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bn/bn_print.c:117
#1 0x179a2aa0 in backend_x509_get_serial (cert=0x8308b500, gc=0xcf7d0320) at /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify_openssl.c:229
#2 0x179a0345 in verify_cert_set_env (x509_track=, common_name=, subject=, cert_depth=, peer_cert=, es=0x78d2d230) at /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify.c:438
#3 verify_cert (session=0x8130a6bc, cert=0x8308b500, cert_depth=0) at /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify.c:665
#4 0x179a2d26 in verify_callback (preverify_ok=1, ctx=0xcf7d05d4) at /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify_openssl.c:84
#5 0x05aebfcf in internal_verify (ctx=0xcf7d05d4) at /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/x509/x509_vfy.c:1612
#6 0x05aed6b2 in X509_verify_cert (ctx=0xcf7d05d4) at /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/x509/x509_vfy.c:374
#7 0x092eab0a in ssl_verify_cert_chain (s=0x87394000, sk=0x847b88c0) at /usr/src/lib/libssl/ssl/../../libssl/src/ssl/ssl_cert.c:452
#8 0x092e57d4 in ssl3_get_client_certificate (s=0x87394000) at /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s3_srvr.c:2385
#9 0x092e96e5 in ssl3_accept (s=0x87394000) at /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s3_srvr.c:447
#10 0x092d7f5a in ssl3_read_bytes (s=0x87394000, type=23, buf=0x87395800 "", len=2048, peek=0) at /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s3_pkt.c:890
#11 0x092d8f96 in ssl3_read_inte