[gnutls-devel] GnuTLS | Segfaults on verify callout in _gnutls_trust_list_get_issuer (#1374)

Read-only notification of GnuTLS library development activities gnutls-devel@lists.gnutls.org
Tue May 24 11:52:19 CEST 2022



Tobias Heider created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1374



This issue was originally reported in the Ubuntu bug tracker; I am forwarding it here since it looks like it might be an upstream GnuTLS bug. [Original report](https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1974214).

> We are experiencing segfaults in exim since upgrading from impish (4.94.2-7ubuntu2 with libgnutls30 3.7.1-5ubuntu1) to jammy (4.95-4ubuntu2 with libgnutls30 3.7.3-4ubuntu1), in _gnutls_trust_list_get_issuer, seemingly in the sender/recipient verify callout during message submission.
>
> Typically the initial attempt to submit a message crashes an exim child thread, but the same message is accepted when the sender retries.
>
> gdb backtrace:
```
Thread 2.1 "exim4" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fe2f844d080 (LWP 29278)]
0x00007fe2f8f3eb2b in _gnutls_trust_list_get_issuer (flags=<optimised out>, issuer=<optimised out>, cert=<optimised out>, list=<optimised out>) at x509/../../../lib/x509/verify-high.c:1026
1026 x509/../../../lib/x509/verify-high.c: No such file or directory.
(gdb) bt
#0 0x00007fe2f8f3eb2b in _gnutls_trust_list_get_issuer (flags=<optimised out>, issuer=<optimised out>, cert=<optimised out>,
    list=<optimised out>) at x509/../../../lib/x509/verify-high.c:1026
#1 gnutls_x509_trust_list_get_issuer (list=list@entry=0x55ef6bd9c260, cert=0x55ef6bd9be20, issuer=issuer@entry=0x7ffc82dba510,
    flags=flags@entry=16) at x509/../../../lib/x509/verify-high.c:1129
#2 0x00007fe2f8f3f679 in gnutls_x509_trust_list_verify_crt2 (list=0x55ef6bd9c260, cert_list=0x7ffc82dba5c0,
    cert_list_size=<optimised out>, data=<optimised out>, elements=<optimised out>, flags=33554432, voutput=0x7ffc82dba888, func=0x0)
    at x509/../../../lib/x509/verify-high.c:1522
#3 0x00007fe2f8ed7516 in _gnutls_x509_cert_verify_peers (status=0x7ffc82dba888, elements=0, data=0x0, session=0x55ef6c0c1150)
    at ../../lib/cert-session.c:597
#4 gnutls_certificate_verify_peers (session=0x55ef6c0c1150, data=data@entry=0x0, elements=elements@entry=0,
    status=status@entry=0x7ffc82dba888) at ../../lib/cert-session.c:776
#5 0x00007fe2f8ed8000 in gnutls_certificate_verify_peers2 (session=<optimised out>, status=status@entry=0x7ffc82dba888)
    at ../../lib/cert-session.c:653
#6 0x000055ef6b7698ef in verify_certificate (state=<optimised out>, errstr=0x7ffc82dbaa20)
    at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/tls-gnu.c:2519
#7 0x000055ef6b7a5d7b in tls_client_start.constprop.0 (cctx=cctx@entry=0x55ef6be0e688, conn_args=conn_args@entry=0x55ef6bdfe5f8,
    tlsp=0x55ef6b7f59c0 <tls_out>, errstr=errstr@entry=0x7ffc82dbaa20, cookie=<optimised out>)
    at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/tls-gnu.c:3593
#8 0x000055ef6b78b0ef in smtp_setup_conn (sx=0x55ef6bdfe5e8, suppress_tls=<optimised out>) at transports/smtp.c:2673
#9 0x000055ef6b776350 in do_callout (pm_mailfrom=<optimised out>, se_mailfrom=<optimised out>, options=<optimised out>,
    callout_connect=<optimised out>, callout_overall=<optimised out>, callout=<optimised out>, tf=0x7ffc82dbbc10,
    host_list=<optimised out>, addr=0x7ffc82dbbdd0)
    at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/verify.c:677
#10 verify_address (vaddr=<optimised out>, fp=<optimised out>, options=<optimised out>, callout=<optimised out>,
    callout_overall=<optimised out>, callout_connect=<optimised out>, se_mailfrom=<optimised out>, pm_mailfrom=<optimised out>,
    routed=<optimised out>) at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/verify.c:1947
#11 0x000055ef6b6f1660 in acl_verify (where=where@entry=0, addr=addr@entry=0x7ffc82dbc5e0,
    arg=0x55ef6babc2b8 "recipient/defer_ok/callout=30s,defer_ok,use_postmaster", user_msgptr=user_msgptr@entry=0x7ffc82dbca50,
    log_msgptr=log_msgptr@entry=0x7ffc82dbca58, basic_errno=basic_errno@entry=0x7ffc82dbc38c)
    at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/acl.c:2168
#12 0x000055ef6b6f479e in acl_check_condition (level=<optimised out>, basic_errno=0x7ffc82dbc38c, log_msgptr=<optimised out>,
    user_msgptr=<optimised out>, epp=<synthetic pointer>, addr=<optimised out>, where=<optimised out>, cb=0x55ef6babc298,
    verb=<optimised out>) at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/acl.c:3838
#13 acl_check_internal (where=where@entry=0, addr=addr@entry=0x7ffc82dbc5e0, s=s@entry=0x55ef6bab9990 "acl_check_rcpt",
    user_msgptr=user_msgptr@entry=0x7ffc82dbca50, log_msgptr=log_msgptr@entry=0x7ffc82dbca58)
    at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/acl.c:4225
#14 0x000055ef6b6f7b9e in acl_check (where=0, recipient=<optimised out>, s=0x55ef6bab9990 "acl_check_rcpt",
    user_msgptr=0x7ffc82dbca50, log_msgptr=0x7ffc82dbca58)
    at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/acl.c:4539
#15 0x000055ef6b75c2fd in smtp_setup_msg () at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/smtp_in.c:5283
#16 0x000055ef6b6e5cda in handle_smtp_call (accepted=0x7ffc82dbceb0, accept_socket=<optimised out>,
    listen_socket_count=<optimised out>, listen_sockets=<optimised out>)
    at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/daemon.c:551
#17 daemon_go () at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/daemon.c:2594
#18 main (argc=<optimised out>, cargv=<optimised out>)
    at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/exim.c:4947
```

A similar issue has been discussed on the [exim4 mailing list](https://lists.exim.org/lurker/message/20211008.224037.c1fee944.gl.html), but I couldn't find a corresponding upstream bug report. It looks like #1277 might be related but the reported version already contains the fix for that.

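As an added example (not from the report, and not GnuTLS or Exim project code), here is a small Python crash-triage helper for gdb `bt` listings of the kind shown above: it re-joins frames that gdb wrapped onto continuation lines, parses each frame into address, function, arguments and source location, tags every frame with the component its source path belongs to, and reports the faulting frame together with the application frame that called into the library. The embedded backtrace is a trimmed copy of the one in the report (frames #0, #1, #5, #6 and #9) with gdb's `name=name@entry=value` notation written as gdb prints it; the path-to-component rules are assumptions chosen for this particular report.

```python
"""Crash-triage helper: parse a gdb ``bt`` listing and report where the fault
occurred and which application frame entered the library.  Added example;
not part of GnuTLS or Exim."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Trimmed copy of the backtrace in the report above (frames #0, #1, #5, #6, #9),
# kept in gdb's wrapped form.  Constructed sample input for this example.
SAMPLE_BT = """\
Thread 2.1 "exim4" received signal SIGSEGV, Segmentation fault.
(gdb) bt
#0  0x00007fe2f8f3eb2b in _gnutls_trust_list_get_issuer (flags=<optimised out>, issuer=<optimised out>, cert=<optimised out>,
    list=<optimised out>) at x509/../../../lib/x509/verify-high.c:1026
#1  gnutls_x509_trust_list_get_issuer (list=list@entry=0x55ef6bd9c260, cert=0x55ef6bd9be20, issuer=issuer@entry=0x7ffc82dba510,
    flags=flags@entry=16) at x509/../../../lib/x509/verify-high.c:1129
#5  0x00007fe2f8ed8000 in gnutls_certificate_verify_peers2 (session=<optimised out>, status=status@entry=0x7ffc82dba888)
    at ../../lib/cert-session.c:653
#6  0x000055ef6b7698ef in verify_certificate (state=<optimised out>, errstr=0x7ffc82dbaa20)
    at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/tls-gnu.c:2519
#9  0x000055ef6b776350 in do_callout (pm_mailfrom=<optimised out>, addr=0x7ffc82dbbdd0)
    at /build/exim4-sMcKLv/exim4-4.95/b-exim4-daemon-light/build-Linux-x86_64/verify.c:677
"""

# Assumed component rules for this report: substring of the source path -> component label.
RULES: List[Tuple[str, str]] = [
    ("lib/x509/", "gnutls"),
    ("lib/cert-session.c", "gnutls"),
    ("exim4", "exim"),
]

# One re-joined frame line: "#N  [0xADDR in ]func (args) at file:line".
# The address is absent when gdb has inlined the frame into its caller.
_FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+(?:(?P<pc>0x[0-9a-fA-F]+)\s+in\s+)?"
    r"(?P<func>[A-Za-z_][\w.]*)\s*\((?P<args>.*)\)\s+at\s+(?P<file>\S+):(?P<line>\d+)\s*$"
)


@dataclass
class Frame:
    index: int
    pc: Optional[str]   # None for frames gdb shows without an address (inlined)
    func: str
    args: str
    file: str
    line: int


def join_continuations(text: str) -> List[str]:
    """gdb wraps long frames; continuation lines start with whitespace."""
    joined: List[str] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.rstrip())
    return joined


def parse_backtrace(text: str) -> List[Frame]:
    """Return the frames in order; non-frame lines ("(gdb) bt", thread banners) are skipped."""
    frames: List[Frame] = []
    for line in join_continuations(text):
        m = _FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m["idx"]), m["pc"], m["func"], m["args"],
                                m["file"], int(m["line"])))
    return frames


def classify(frame: Frame, rules: Sequence[Tuple[str, str]], default: str = "other") -> str:
    """Label a frame by the first rule whose substring occurs in its source path."""
    for needle, label in rules:
        if needle in frame.file:
            return label
    return default


def triage(text: str, rules: Sequence[Tuple[str, str]], app_label: str) -> Dict[str, object]:
    """Summarise a crash: the faulting frame and its component, the innermost application
    frame that called into the library, and the component chain from the fault outwards."""
    frames = parse_backtrace(text)
    if not frames:
        raise ValueError("no gdb frames found in input")
    labels = [classify(f, rules) for f in frames]
    entry = next((f for f, lab in zip(frames, labels) if lab == app_label), None)
    # Collapse runs so the chain reads e.g. ["gnutls", "exim"] rather than one entry per frame.
    chain = [lab for i, lab in enumerate(labels) if i == 0 or lab != labels[i - 1]]
    return {
        "faulting_frame": f"{frames[0].func} ({frames[0].file}:{frames[0].line})",
        "faulting_component": labels[0],
        "app_entry_frame": f"{entry.func} ({entry.file}:{entry.line})" if entry else None,
        "component_chain": chain,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BT, RULES, "exim").items():
        print(f"{key}: {value}")
```

Run against the sample, the summary says the fault is in `_gnutls_trust_list_get_issuer` inside the `gnutls` component and that Exim entered the library from `verify_certificate` in `tls-gnu.c`, which is the distinction a packager needs when deciding whether a report belongs upstream or with the application. The rules list is deliberately per-report: build paths differ between distributions, so keep the component substrings alongside the backtrace rather than hard-coding them.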



