I think this is the right thing to do for now. ok bcook@

On Thu, Sep 17, 2015 at 5:19 PM, Stuart Henderson <st...@openbsd.org> wrote:
> CC'ing tech@.
>
> The last commit to bn_print.c is wrong, it dereferences t while it's still 
> NULL.
>
> Backout diff below.
>
>
> On 2015/09/17 22:42, Mikolaj Kucharski wrote:
>> Hi,
>>
>> Does anyone see this as well? I've just upgraded to:
>>
>> OpenBSD 5.8-current (GENERIC) #1164: Wed Sep 16 21:16:53 MDT 2015
>>     dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
>>
>> and to openvpn-2.3.8 from packages but it segfaulted during connecting
>> by remote client. Then I've recompiled by hand with DEBUG='-g' from
>> ports and now running openvpn-2.3.8p1, but facing the same issue.
>>
>> To be able to get a core dump, I needed to run openvpn as root, but the same
>> segfault happens when openvpn drops privileges.
>>
>> Before that I was running a snapshot from Aug 13 with packages and I
>> didn't have that problem.
>>
>> Let me know if you need any more info.
>>
>>
>> # /usr/local/sbin/openvpn --cd /etc/openvpn --config server.conf --mtu-test
>> Thu Sep 17 22:16:17 2015 OpenVPN 2.3.8 i386-unknown-openbsd5.8 [SSL 
>> (OpenSSL)] [LZO] [MH] [IPv6] built on Sep 17 2015
>> Thu Sep 17 22:16:17 2015 library versions: LibreSSL 2.3.0, LZO 2.09
>> Thu Sep 17 22:16:17 2015 mlockall call succeeded
>> Thu Sep 17 22:16:17 2015 WARNING: you are using chroot without specifying 
>> user and group -- this may cause the chroot jail to be insecure
>> Thu Sep 17 22:16:22 2015 Diffie-Hellman initialized with 4096 bit key
>> Thu Sep 17 22:16:22 2015 Control Channel Authentication: using 
>> 'certs/hmac.key' as a OpenVPN static key file
>> Thu Sep 17 22:16:22 2015 Outgoing Control Channel Authentication: Using 512 
>> bit message hash 'SHA512' for HMAC authentication
>> Thu Sep 17 22:16:22 2015 Incoming Control Channel Authentication: Using 512 
>> bit message hash 'SHA512' for HMAC authentication
>> Thu Sep 17 22:16:22 2015 Socket Buffers: R=[41600->65536] S=[9216->65536]
>> Thu Sep 17 22:16:22 2015 TUN/TAP device tun2 exists previously, keep at 
>> program end
>> Thu Sep 17 22:16:22 2015 TUN/TAP device /dev/tun2 opened
>> Thu Sep 17 22:16:22 2015 do_ifconfig, tt->ipv6=1, 
>> tt->did_ifconfig_ipv6_setup=1
>> Thu Sep 17 22:16:22 2015 /sbin/ifconfig tun2 192.168.202.1 192.168.202.1 mtu 
>> 1500 netmask 255.255.255.0 up -link0
>> Thu Sep 17 22:16:22 2015 /sbin/ifconfig tun2 inet6 
>> 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:1/64
>> Thu Sep 17 22:16:22 2015 
>> add_route_ipv6(2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:/64 -> 
>> 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:1 metric 0) dev tun2
>> Thu Sep 17 22:16:22 2015 /sbin/route add -inet6 
>> 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx: -prefixlen 64 
>> 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:1
>> route: writing to routing socket: File exists
>> add net 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:: gateway 
>> 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:1: File exists
>> Thu Sep 17 22:16:22 2015 ERROR: OpenBSD route add -inet6 command failed: 
>> external program exited with error status: 1
>> Thu Sep 17 22:16:22 2015 /sbin/route add -net 192.168.202.0 192.168.202.1 
>> -netmask 255.255.255.0
>> add net 192.168.202.0: gateway 192.168.202.1
>> Thu Sep 17 22:16:22 2015 chroot to '/var/openvpn' and cd to '/' succeeded
>> Thu Sep 17 22:16:22 2015 UDPv4 link local (bound): [undef]
>> Thu Sep 17 22:16:22 2015 UDPv4 link remote: [undef]
>> Thu Sep 17 22:16:22 2015 MULTI: multi_init called, r=256 v=256
>> Thu Sep 17 22:16:22 2015 IFCONFIG POOL IPv6: (IPv4) size=252, 
>> size_ipv6=65536, netbits=64, 
>> base_ipv6=2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:1000
>> Thu Sep 17 22:16:22 2015 IFCONFIG POOL: base=192.168.202.2 size=252, ipv6=1
>> Thu Sep 17 22:16:22 2015 Initialization Sequence Completed
>> Thu Sep 17 22:16:32 2015 83.xxx.xxx.xxx:48100 TLS: Initial packet from 
>> [AF_INET]83.xxx.xxx.xxx:48100, sid=41b68ea4 12015b6e
>> Segmentation fault (core dumped)
>>
>>
>>
>> (gdb) bt
>> #0  BN_bn2dec (a=0x805e8460) at 
>> /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bn/bn_print.c:117
>> #1  0x179a2aa0 in backend_x509_get_serial (cert=0x8308b500, gc=0xcf7d0320) 
>> at 
>> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify_openssl.c:229
>> #2  0x179a0345 in verify_cert_set_env (x509_track=<optimized out>, 
>> common_name=<optimized out>, subject=<optimized out>, cert_depth=<optimized 
>> out>, peer_cert=<optimized out>, es=0x78d2d230) at 
>> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify.c:438
>> #3  verify_cert (session=0x8130a6bc, cert=0x8308b500, cert_depth=0) at 
>> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify.c:665
>> #4  0x179a2d26 in verify_callback (preverify_ok=1, ctx=0xcf7d05d4) at 
>> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_verify_openssl.c:84
>> #5  0x05aebfcf in internal_verify (ctx=0xcf7d05d4) at 
>> /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/x509/x509_vfy.c:1612
>> #6  0x05aed6b2 in X509_verify_cert (ctx=0xcf7d05d4) at 
>> /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/x509/x509_vfy.c:374
>> #7  0x092eab0a in ssl_verify_cert_chain (s=0x87394000, sk=0x847b88c0) at 
>> /usr/src/lib/libssl/ssl/../../libssl/src/ssl/ssl_cert.c:452
>> #8  0x092e57d4 in ssl3_get_client_certificate (s=0x87394000) at 
>> /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s3_srvr.c:2385
>> #9  0x092e96e5 in ssl3_accept (s=0x87394000) at 
>> /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s3_srvr.c:447
>> #10 0x092d7f5a in ssl3_read_bytes (s=0x87394000, type=23, buf=0x87395800 "", 
>> len=2048, peek=0) at 
>> /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s3_pkt.c:890
>> #11 0x092d8f96 in ssl3_read_internal (s=0x87394000, buf=0x87395800, 
>> len=2048, peek=0) at 
>> /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s3_lib.c:2743
>> #12 0x092cb208 in SSL_read (s=0x78d2d720, buf=0x87395800, num=2048) at 
>> /usr/src/lib/libssl/ssl/../../libssl/src/ssl/ssl_lib.c:957
>> #13 0x092c2736 in ssl_read (b=0x7af2d840, out=0x87395800 "", outl=2048) at 
>> /usr/src/lib/libssl/ssl/../../libssl/src/ssl/bio_ssl.c:156
>> #14 0x05b3e581 in BIO_read (b=0x7af2d840, out=0x87395800, outl=2048) at 
>> /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bio/bio_lib.c:217
>> #15 0x1799cb4f in bio_read (bio=0x7af2d840, buf=0x8130a824, maxlen=2048, 
>> desc=0x37948f3d "tls_read_plaintext") at 
>> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl_openssl.c:1098
>> #16 0x17999ee2 in tls_process (multi=0x8130a520, session=0x8130a6bc, 
>> to_link=0x81309e90, to_link_addr=0xcf7d0b40, to_link_socket_info=0x85f054c4, 
>> wakeup=0xcf7d0b84) at 
>> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl.c:2411
>> #17 0x1799c1e2 in tls_multi_process (multi=0x8130a520, to_link=0x81309e90, 
>> to_link_addr=0x81309c34, to_link_socket_info=0x85f054c4, wakeup=0xcf7d0b84) 
>> at /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/ssl.c:2635
>> #18 0x1793e1f4 in check_tls_dowork (c=0x813096b0) at 
>> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/forward.c:100
>> #19 0x1793eb38 in check_tls (c=<optimized out>) at 
>> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/forward-inline.h:41
>> #20 pre_select (c=0x813096b0) at 
>> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/forward.c:1331
>> #21 0x1795faa6 in multi_process_post (m=0xcf7d0f44, mi=0x81309630, 
>> flags=<optimized out>) at 
>> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/multi.c:2050
>> #22 0x17961d5a in multi_process_incoming_link (m=0xcf7d0f44, instance=0x0, 
>> mpp_flags=5) at 
>> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/multi.c:2293
>> #23 0x1795b8ba in multi_process_io_udp (m=<optimized out>) at 
>> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/mudp.c:173
>> #24 tunnel_server_udp_single_threaded (top=<optimized out>) at 
>> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/mudp.c:266
>> #25 tunnel_server_udp (top=0xcf7d19b0) at 
>> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/mudp.c:288
>> #26 0x1795bcfd in tunnel_server (top=0xcf7d19b0) at 
>> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/multi.c:2875
>> #27 0x1796447c in openvpn_main (argv=<optimized out>, argc=<optimized out>) 
>> at /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/openvpn.c:271
>> #28 main (argc=6, argv=0xcf7d2364) at 
>> /home/ports/obj/openvpn-2.3.8/openvpn-2.3.8/src/openvpn/openvpn.c:342
>> (gdb)
>>
>>
>> --
>> best regards
>> q#
>>
>
> Index: src/crypto/bn/bn_print.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/crypto/bn/bn_print.c,v
> retrieving revision 1.25
> diff -u -p -r1.25 bn_print.c
> --- src/crypto/bn/bn_print.c    13 Sep 2015 16:02:11 -0000      1.25
> +++ src/crypto/bn/bn_print.c    17 Sep 2015 22:18:44 -0000
> @@ -1,4 +1,4 @@
> -/* $OpenBSD: bn_print.c,v 1.25 2015/09/13 16:02:11 deraadt Exp $ */
> +/* $OpenBSD: bn_print.c,v 1.24 2015/09/13 15:59:29 deraadt Exp $ */
>  /* Copyright (C) 1995-1998 Eric Young (e...@cryptsoft.com)
>   * All rights reserved.
>   *
> @@ -114,20 +114,6 @@ BN_bn2dec(const BIGNUM *a)
>         BIGNUM *t = NULL;
>         BN_ULONG *bn_data = NULL, *lp;
>
> -       if (BN_is_zero(t)) {
> -               buf = malloc(BN_is_negative(t) + 2);
> -               if (buf == NULL) {
> -                       BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
> -                       goto err;
> -               }
> -               p = buf;
> -               if (BN_is_negative(t))
> -                       *(p++) = '-';
> -               *(p++) = '0';
> -               *(p++) = '\0';
> -               return (buf);
> -       }
> -
>         /* get an upper bound for the length of the decimal integer
>          * num <= (BN_num_bits(a) + 1) * log(2)
>          *     <= 3 * BN_num_bits(a) * 0.1001 + log(2) + 1     (rounding 
> error)
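
Review bot: the removed block calls BN_is_zero(t) and BN_is_negative(t) immediately after the context line `BIGNUM *t = NULL;`, so dropping it stops the NULL dereference, but it also drops the zero fast path rather than correcting its operand. If the early return is still wanted, re-land it as a follow-up that tests the argument `a` instead of `t`, and say in the backout commit message that this is a plain revert to 1.24 so the redo is tracked separately.
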
> @@ -147,26 +133,31 @@ BN_bn2dec(const BIGNUM *a)
>  #define BUF_REMAIN (num+3 - (size_t)(p - buf))
>         p = buf;
>         lp = bn_data;
> -       if (BN_is_negative(t))
> -               *p++ = '-';
> +       if (BN_is_zero(t)) {
> +               *(p++) = '0';
> +               *(p++) = '\0';
> +       } else {
> +               if (BN_is_negative(t))
> +                       *p++ = '-';
>
> -       i = 0;
> -       while (!BN_is_zero(t)) {
> -               *lp = BN_div_word(t, BN_DEC_CONV);
> -               lp++;
> -       }
> -       lp--;
> -       /* We now have a series of blocks, BN_DEC_NUM chars
> -        * in length, where the last one needs truncation.
> -        * The blocks need to be reversed in order. */
> -       snprintf(p, BUF_REMAIN, BN_DEC_FMT1, *lp);
> -       while (*p)
> -               p++;
> -       while (lp != bn_data) {
> +               i = 0;
> +               while (!BN_is_zero(t)) {
> +                       *lp = BN_div_word(t, BN_DEC_CONV);
> +                       lp++;
> +               }
>                 lp--;
> -               snprintf(p, BUF_REMAIN, BN_DEC_FMT2, *lp);
> +               /* We now have a series of blocks, BN_DEC_NUM chars
> +                * in length, where the last one needs truncation.
> +                * The blocks need to be reversed in order. */
> +               snprintf(p, BUF_REMAIN, BN_DEC_FMT1, *lp);
>                 while (*p)
>                         p++;
> +               while (lp != bn_data) {
> +                       lp--;
> +                       snprintf(p, BUF_REMAIN, BN_DEC_FMT2, *lp);
> +                       while (*p)
> +                               p++;
> +               }
>         }
>         ok = 1;
>
>
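
Review bot: in the restored `if (BN_is_zero(t))` branch the sign check sits only in the `else` arm, so the zero case writes "0" without consulting BN_is_negative(t), whereas the 1.25 block removed in the previous hunk wrote '-' first when BN_is_negative was true. If that difference was the reason for 1.25, note it in the commit message so the next attempt keeps the intent while testing a pointer that is valid at that point. The restored `snprintf(p, BUF_REMAIN, ...)` calls also ignore the return value and advance `p` by scanning for the terminator, which is unchanged from before but worth a comment if this code is touched again.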
