[OE-core] [meta-oe][master][PATCH] strongswan: avoid charon crash

Khem Raj raj.khem at gmail.com
Thu Feb 20 22:02:31 UTC 2020


On Thu, 2020-02-20 at 10:26 +0000, Saloni Jain wrote:
> From: Anuj Chougule <Anuj.Chougule at kpit.com>
> 
> This is a possible fix to charon that crashed early due to invalid
> memory access.
> Important frames from backtraces:
> 8  0x00007f607246e160 in memcpy (__len=1704, __src=<optimized out>, __dest=<optimized out>)
>     at /usr/include/bits/string_fortified.h:34
> No locals.
> 9  memcpy_noop (n=1704, src=<optimized out>, dst=<optimized out>)
>     at /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/utils/utils/memory.h:47
>         n = 1704
>         src = <optimized out>
>         dst = <optimized out>
> 10 chunk_create_clone (ptr=<optimized out>, chunk=...)
>     at /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/utils/chunk.c:48
>         clone = <optimized out>
> 11 0x00007f606ebae810 in load_from_blob (blob=..., type=type@entry=CRED_PRIVATE_KEY, subtype=subtype@entry=1,
>     subject=subject@entry=0x0, flags=flags@entry=X509_NONE)
>     at /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c:399
>         x = <optimized out>
>         cred = 0x0
>         pgp = false
> 12 0x00007f606ebaf0e4 in load_from_file (flags=X509_NONE, subject=0x0, subtype=1, type=CRED_PRIVATE_KEY,
>     file=0x7f6069d21a20 "/var/opt/public/sps/sps_necema/data/public/IPsec/secureboot_on/IPsec-internal_key.pem")
>     at /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c:452
>         cred = <optimized out>
>         chunk = 0x7f6054005430
> 13 pem_load (type=CRED_PRIVATE_KEY, subtype=1, args=<optimized out>)
>     at /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c:498
>         file = 0x7f6069d21a20 "/var/opt/public/sps/sps_necema/data/public/IPsec/secureboot_on/IPsec-internal_key.pem"
>         pem = <optimized out>
>         subject = 0x0
>         flags = 0
> 
> Problem lies in frame 12 & 11.
> (gdb) f 12
> 12 0x00007f606ebaf0e4 in load_from_file (flags=X509_NONE, subject=0x0, subtype=1, type=CRED_PRIVATE_KEY,
>     file=0x7f6069d21a20 "/var/opt/public/sps/sps_necema/data/public/IPsec/secureboot_on/IPsec-internal_key.pem")
>     at /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c:452
> 452     in /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c
> (gdb) info locals
> cred = <optimized out>
> chunk = 0x7f6054005430
> (gdb) print *chunk
> $21 = {ptr = 0x7f60728b7000 <error: Cannot access memory at address 0x7f60728b7000>, len = 1704}
> (gdb) f 11
> 11 0x00007f606ebae810 in load_from_blob (blob=..., type=type@entry=CRED_PRIVATE_KEY, subtype=subtype@entry=1, subject=subject@entry=0x0,
>     flags=flags@entry=X509_NONE) at /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c:399
> 399     in /usr/src/debug/strongswan/5.7.2-r0/strongswan-5.7.2/src/libstrongswan/plugins/pem/pem_builder.c
> (gdb) info args
> blob = {ptr = 0x7f60728b7000 <error: Cannot access memory at address 0x7f60728b7000>, len = 140052215328768}
> type = CRED_PRIVATE_KEY
> subtype = 1
> subject = 0x0
> flags = X509_NONE
> (gdb) print blob
> $22 = {ptr = 0x7f60728b7000 <error: Cannot access memory at address 0x7f60728b7000>, len = 140052215328768}
> 
> Source code snippet:
> static void *load_from_file(char *file, credential_type_t type, int subtype,
>                             identification_t *subject, x509_flag_t flags)
> {
>         void *cred;
>         chunk_t *chunk;
> 
>         chunk = chunk_map(file, FALSE);
>         if (!chunk)
>         {
>                 DBG1(DBG_LIB, "  opening '%s' failed: %s", file, strerror(errno));
>                 return NULL;
>         }
>         cred = load_from_blob(*chunk, type, subtype, subject, flags);
>         chunk_unmap(chunk);
>         return cred;
> }
> 
> Local variable chunk is an uninitialised pointer in load_from_file()
> (frame 12 above), which is expected to get initialised through
> chunk_map() and then passed to load_from_blob() as a parameter.
> But somehow, the chunk pointer did not get initialised and was
> passed as it is to load_from_blob() in frame 11 above.
> As this contains a garbage address, when method load_from_blob()
> tried cloning the memory regions through chunk_clone() ->
> chunk_create_clone() -> memcpy() -> memcpy_noop(), it crashed with
> SIGBUS (frames 10, 9, 8).
> It could also be that chunk_map() has a bug which does not memmap()
> the full or correct areas.
> 
> Upstream-Status: Pending
> Tested By: Anuj Chougule <Anuj.Chougule at kpit.com>
> Signed-off-by: Anuj Chougule <Anuj.Chougule at kpit.com>
> Signed-off-by: Saloni Jain <Saloni.Jain at kpit.com>
> ---
>  .../strongswan/files/fix-charon-crash.patch        | 23 ++++++++++++++++++++++
>  1 file changed, 23 insertions(+)
>  create mode 100644 recipes-support/strongswan/files/fix-charon-crash.patch
> 
> diff --git a/recipes-support/strongswan/files/fix-charon-crash.patch
> b/recipes-support/strongswan/files/fix-charon-crash.patch
> new file mode 100644
> index 0000000..95e71a2
> --- /dev/null
> +++ b/recipes-support/strongswan/files/fix-charon-crash.patch
> @@ -0,0 +1,23 @@
> +strongswan: avoid charon crash
> +
> +Variable chunk is an uninitialised pointer,which
> +is expected to get initialised through method chunk_map()
> +& then passed to load_from_blob() as a parameter.
> +But somehow, if the chunk pointer did not get initialised & gets
> +passed as it is to load_from_blob(), it may lead crash as this
> +contains a garbage address.
> +
> +Signed-off-by: Anuj Chougule <Anuj.Chougule at kpit.com>
> +Upstream-Status: Pending
> +
> +--- a/src/libstrongswan/plugins/pem/pem_builder.c
> ++++ b/src/libstrongswan/plugins/pem/pem_builder.c
> +@@ -441,7 +441,7 @@ static void *load_from_file(char *file,
> credential_type_t type, int subtype,
> +                                                      
> identification_t *subject, x509_flag_t flags)
> + {
> +       void *cred;
> +-      chunk_t *chunk;
> ++      chunk_t *chunk = NULL;
> +

I wonder if chunk_map has issues where it returns invalid values; I
would rather check chunk_map and see what it is doing.

> +       chunk = chunk_map(file, FALSE);
> +       if (!chunk)
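Review bot: the `chunk_t *chunk = NULL;` initializer this hunk introduces is dead code: the very next statement, `chunk = chunk_map(file, FALSE);`, assigns `chunk` unconditionally before any use, and the existing `if (!chunk)` already handles a NULL return, so the patch cannot alter the behaviour seen in the backtrace. The trace itself contradicts the "uninitialised pointer" theory in the description: in frame 12 `chunk` is a readable heap pointer (0x7f6054005430) whose contents give `len = 1704`, matching `__len=1704` in the memcpy frame; what is unreadable is the mapped buffer at `chunk->ptr = 0x7f60728b7000`. The `len = 140052215328768` printed for `blob` in frame 11 is 0x7f60728b7000 in hex, the same value as `blob.ptr`, so that field is gdb showing a stale register for an optimized-out value, not a real length. A SIGBUS while copying out of a file-backed mapping is what the kernel delivers when the mapped pages no longer have backing (for instance the file was truncated after chunk_map() mapped it), so the investigation belongs in chunk_map() and in whatever writes that key file, not in this initializer. If the patch is kept anyway, the description in the new file should not claim the initializer avoids the crash, and `Upstream-Status: Pending` should point at the upstream report once one is filed.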
> --
> 2.7.4
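Added example, written for this page and not taken from strongSwan or from the patch above: it reproduces the shape of the crash the backtrace shows, a `chunk` pointer that is itself valid and readable while the bytes behind `chunk->ptr` are not, by mapping a file with a simplified `chunk_map()`-style loader and then truncating the file behind the mapping's back. The first `memcpy` out of the mapping then faults with SIGBUS, regardless of how the pointer variable was initialised. Assumptions: a Linux/POSIX system where /tmp is writable, a two-field stand-in for strongSwan's `chunk_t`, and a `map_file()`/`clone_guarded()` pair standing in for `chunk_map()` and `chunk_clone()`; the SIGBUS handler exists only to make the fault observable as a return code and is not something production code should do.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

typedef struct { unsigned char *ptr; size_t len; } chunk_t;  /* assumed stand-in for strongSwan's chunk_t */

static sigjmp_buf bus_env;
static void on_sigbus(int sig)
{
    (void)sig;
    siglongjmp(bus_env, 1);   /* unwind out of the faulting memcpy */
}

/* Simplified chunk_map(file, FALSE): size from fstat, read-only mmap, heap chunk_t; NULL on failure. */
static chunk_t *map_file(const char *path)
{
    struct stat st;
    chunk_t *c = NULL;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return NULL;
    if (fstat(fd, &st) == 0 && st.st_size > 0 && (c = malloc(sizeof *c))) {
        c->len = (size_t)st.st_size;
        c->ptr = mmap(NULL, c->len, PROT_READ, MAP_PRIVATE, fd, 0);
        if (c->ptr == MAP_FAILED) { free(c); c = NULL; }
    }
    close(fd);   /* the mapping outlives the descriptor */
    return c;
}

static void unmap_file(chunk_t *c)
{
    munmap(c->ptr, c->len);
    free(c);
}

/* chunk_clone() with a SIGBUS guard so the fault is reported instead of killing the process
 * (observation only, not a production pattern). Returns 0 with *out set, -1 if memcpy faulted. */
static int clone_guarded(const chunk_t *c, unsigned char **out)
{
    struct sigaction sa, old;
    unsigned char *buf = malloc(c->len);
    int rc;
    if (!buf) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigbus;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGBUS, &sa, &old);
    if (sigsetjmp(bus_env, 1) == 0) {
        memcpy(buf, c->ptr, c->len);   /* page fault -> SIGBUS once the backing pages are gone */
        rc = 0;
    } else {
        rc = -1;
    }
    sigaction(SIGBUS, &old, NULL);
    if (rc == 0) *out = buf; else free(buf);
    return rc;
}

/* One load-and-clone round on a fresh temp file of constructed data. With truncate != 0 the
 * file is cut to zero length after mapping: chunk is still a valid pointer and chunk->len
 * still reports the full size, exactly what frame 12 showed, but the pages behind chunk->ptr
 * are gone. Returns 0 if the clone succeeded and matched, -1 on SIGBUS, -2 on setup error. */
int run_scenario(int truncate)
{
    char path[] = "/tmp/chunkmap-demo-XXXXXX";
    unsigned char block[8192], *copy = NULL;   /* two 4 KiB pages of constructed data */
    int rc = -2;
    int fd = mkstemp(path);
    if (fd < 0) return -2;
    for (size_t i = 0; i < sizeof block; i++) block[i] = (unsigned char)i;
    if (write(fd, block, sizeof block) == (ssize_t)sizeof block) {
        chunk_t *chunk = map_file(path);
        if (chunk && (!truncate || ftruncate(fd, 0) == 0)) {
            rc = clone_guarded(chunk, &copy);
            if (rc == 0 && memcmp(copy, block, sizeof block) != 0) rc = -3;
        }
        if (chunk) unmap_file(chunk);
    }
    free(copy);
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    printf("intact file: %s\n", run_scenario(0) == 0 ? "clone ok" : "failed");
    printf("truncated after mmap: %s\n", run_scenario(1) == -1 ? "SIGBUS in memcpy" : "no fault");
    return 0;
}
```

Build with `cc -O2 -o chunkmap-demo chunkmap-demo.c && ./chunkmap-demo`. The intact run copies cleanly; the truncated run reports the SIGBUS. Note that the pointer variable was assigned a valid address in both runs, so initialising it to NULL before `map_file()` changes nothing; a loader that reads the file into heap memory with `read()` would instead see a short read and return an error, which is the behaviour to aim for if the key file can be rewritten while charon is reading it.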



More information about the Openembedded-core mailing list