-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Segfault in check_session_buf_not_used #449
Comments
Thanks a lot for the crash dump. Someone else reported crashes on the openvpn-devel mailing list, but he had no crashdump yet (but a log file, hinting at "this happens if a TLS (re)negotiation expires, possibly because the other side is not answering").
|
I am not entirely sure what happens but it might be that we get called with already freed key states. Are you able to patch OpenVPN with this patch?
|
Just deployed a build with that patch in it, will let you know! |
So far so good -- but there hasn't been a ton of people connected over the weekend. I think the real test will come Monday. |
Yeah, had another couple core dumps this morning, but frustratingly apport didn't capture them because i hadnt moved the old one out of /var/crash. I'll wait for one more to happen, but then i've got to downgrade because our dev vpn is also where our development happens. |
Alright, here's the latest one. Wish i knew what caused it so i could reproduce it, alas i've downgraded.
|
Is this unmodified 2.6.7 or with the |
thats with 2.6.7 with S_UNDEF patch applied yeah. |
When a key_state is in S_UNDEF the send_reliable is not initialised. So checking it might access invalid memory or null pointers. Github: fixes OpenVPN/openvpn#449 Change-Id: I226a73d47a2b1b29f7ec175ce23a806593abc2ac [[email protected]: add check for !send_reliable and message] Signed-off-by: Arne Schwabe <[email protected]> Acked-by: Gert Doering <[email protected]> Message-Id: <[email protected]> URL: https://www.mail-archive.com/[email protected]/msg27401.html Signed-off-by: Gert Doering <[email protected]> (cherry picked from commit a903ebe)
Add two patches cherry-picked from upstream Git repository: OpenVPN 2.6.7 regressed and experienced crashes in some situations, OpenVPN/openvpn#449 Reported by: Vladimir Druzenko (vvd@) Reported by: Patrick Cable (upstream) Obtained from: OpenVPN/openvpn@b90ec6d Also, some typos in the documentation are fixed, Obtained from: OpenVPN/openvpn@457f468 Bump PORTREVISION. PR: 275055 MFH: 2023Q4
Related to: PR: 275055 Security: 2fe004f5-83fd-11ee-9f5d-31909fb2f495 Security: CVE-2023-46849 Security: CVE-2023-46850 This specifically documents < 2.6.7_1 in order to collect the regression fix for OpenVPN/openvpn#449 which was a bug newly introduced into 2.6.7.
Add two patches cherry-picked from upstream Git repository: OpenVPN 2.6.7 regressed and experienced crashes in some situations, OpenVPN/openvpn#449 Reported by: Vladimir Druzenko (vvd@) Reported by: Patrick Cable (upstream) Obtained from: OpenVPN/openvpn@b90ec6d Also, some typos in the documentation are fixed, Obtained from: OpenVPN/openvpn@457f468 Bump PORTREVISION. PR: 275055 MFH: 2023Q4 (cherry picked from commit 8d2e9d9)
Add two patches cherry-picked from upstream Git repository: OpenVPN 2.6.7 regressed and experienced crashes in some situations, OpenVPN/openvpn#449 Reported by: Vladimir Druzenko (vvd@) Reported by: Patrick Cable (upstream) Obtained from: OpenVPN/openvpn@b90ec6d Also, some typos in the documentation are fixed, Obtained from: OpenVPN/openvpn@457f468 Bump PORTREVISION. PR: 275055 MFH: 2023Q4 (cherry picked from commit 8d2e9d9)
Could you re-test with 2.6.8 please? We're reasonably sure that we've fixed the issue - at least the way we could reproduce is fully gone. |
Is this the real issue? The for loop here is using
|
That is a good catch. Fortunatily i is always between 0 and 2 and ks->send_reliable->size is (when it is defined) always 6 (TLS_RELIABLE_N_SEND_BUFFERS). So while the check is stupid with j, it at least is not crashing or anything similar. |
No, that's just broken code... the crash-causing issue (that we could track down) was that ks->send_reliable can be NULL, which wasn't checked in 2.6.7. But the one you found need fixing as well as it renders the whole check a bit useless (it should never trigger, but if the check is not checking correctly in the first place, this ensures it never will...) |
Thanks, I submitted PR #463 for this fix. |
Just to check back in -- i've been running 2.6.8 for a while without issue which is a good sign. |
The inner loop used i instead of j when iterating through the buffers. Since i is always between 0 and 2 and ks->send_reliable->size is (when it is defined) always 6 (TLS_RELIABLE_N_SEND_BUFFERS) this does not cause an index of out bounds. So while the check was not doing anything really useful with i instead of j, at least it was not crashing or anything similar. Noticed-By: Jon Williams (braindead-bf) on Github issue #449 Change-Id: Ia3d5b4946138df322ebcd9e9e77d04328dacbc5d Signed-off-by: Arne Schwabe <[email protected]> Acked-by: Frank Lichtenheld <[email protected]> Message-Id: <[email protected]> URL: https://www.mail-archive.com/[email protected]/msg27576.html Signed-off-by: Gert Doering <[email protected]> (cherry picked from commit 59551b9)
The inner loop used i instead of j when iterating through the buffers. Since i is always between 0 and 2 and ks->send_reliable->size is (when it is defined) always 6 (TLS_RELIABLE_N_SEND_BUFFERS) this does not cause an index of out bounds. So while the check was not doing anything really useful with i instead of j, at least it was not crashing or anything similar. Noticed-By: Jon Williams (braindead-bf) on Github issue #449 Change-Id: Ia3d5b4946138df322ebcd9e9e77d04328dacbc5d Signed-off-by: Arne Schwabe <[email protected]> Acked-by: Frank Lichtenheld <[email protected]> Message-Id: <[email protected]> URL: https://www.mail-archive.com/[email protected]/msg27576.html Signed-off-by: Gert Doering <[email protected]>
So thanks for all the testing and feedback. I have now committed & pushed the fix for the i/j loop variable confusion, and I think this can now be closed for good. Such a haunted function. |
Likely related to the use-after-free fix (#400, #417)
Describe the bug
I'm getting an occasional segfault with my OpenVPN server. There's nothing obvious in the logs that's setting this off yet but I'm now running the OpenVPN server with
--verb 4
to see if I get any extra information before it happens.To Reproduce
Not clear yet.
Expected behavior
The OpenVPN process doesn't segfault.
Version information (please complete the following information):
Additional context
The text was updated successfully, but these errors were encountered: