[mod_gnutls-devel] Segfault in 0.8.1 test 24 on i386

Brian Morton rokclimb15 at gmail.com
Mon Jan 2 23:42:58 CET 2017


Hi mod_gnutls dev team,

I've been working on diagnosing this FTBFS bug in Ubuntu
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1597450.

Mod_gnutls fails to build on i386 due to some string format issues fixed in
0.8.1. Once those simple issues are fixed, test 24 fails due to a segfault
in Apache. This seems to be true whether using Debian/Ubuntu sources or the
latest from mod_gnutls. The crash appears to be due to a buffer overflow.
Backtrace indicates several libs are involved including gnutls, softhsm2,
and p11-kit. The issue very likely is within one of those libraries rather
than mod_gnutls, but I'm trying to nail it down further so I thought I'd
start here.

I've been working on it for some time but I've reached the limit of my
ability to diagnose the issue. I've managed to attach gdb to Apache during
the test and can traverse the stack to observe execution, but I can't spot
the issue. Running Apache with -X (no forking) gives a similar crash, but
with GCC SSP being triggered. I also cannot break at the right point to
observe the stack canary being overwritten since my breakpoint is unloaded
by gdb due to module unload.

Could anyone please point me in the right direction on how to track this
down? I'm interested in learning more about using gdb to debug these types
of tricky memory issues. I've attached the full backtrace.

Thanks,

Brian
-------------- next part --------------
bmorton at ubuntu:~/apache-crash4$ gdb /usr/sbin/apache2 CoreDump
GNU gdb (Ubuntu 7.12-0ubuntu3) 7.12
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/sbin/apache2...Reading symbols from /usr/lib/debug//usr/sbin/apache2...done.
done.
[New LWP 9005]

warning: Unexpected size of section `.reg-xstate/9005' in core file.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/sbin/apache2 -f /home/bmorton/mod-gnutls-0.8.0/test/tests/24_pkcs11_cert/a'.
Program terminated with signal SIGSEGV, Segmentation fault.

warning: Unexpected size of section `.reg-xstate/9005' in core file.
#0  0xb7136747 in proxy_C_DecryptVerifyUpdate (
    self=0xb64cb9f0 <std::unique_ptr<MutexFactory, std::default_delete<MutexFactory> >::get() const+28>, handle=2175480616,
    enc_part=0xbfa945e8 "\bF\251\277øL\266\244\261T\266\330.\253\201\030F\251\277̴L\266\060\243\252\201(3\253\201\030F\251\277´L\266\244\261T\266\234\253T\266\070F\251\277\363\264L\266\070\003\252\201\234\253T\266HF\251\277\342\264L\266\244\261T\266\234\253T\266XF\251\277\342\267L\266\070\003\252\201\001",
    enc_part_len=3058480322,
    part=0xb64cb968 <std::_Head_base<0u, MutexFactory*, false>::_M_head(std::_Head_base<0u, MutexFactory*, false> const&)+8> "\005\064\362\a",
    part_len=0x46505845) at p11-kit/proxy.c:1452
1452    p11-kit/proxy.c: No such file or directory.
(gdb) bt full
#0  0xb7136747 in proxy_C_DecryptVerifyUpdate (self=0xb64cb9f0 <std::unique_ptr<MutexFactory, std::default_delete<MutexFactory> >::get() const+28>, handle=2175480616,
    enc_part=0xbfa945e8 "\bF\251\277øL\266\244\261T\266\330.\253\201\030F\251\277̴L\266\060\243\252\201(3\253\201\030F\251\277´L\266\244\261T\266\234\253T\266\070F\251\277\363\264L\266\070\003\252\201\234\253T\266HF\251\277\342\264L\266\244\261T\266\234\253T\266XF\251\277\342\267L\266\070\003\252\201\001", enc_part_len=3058480322,
    part=0xb64cb968 <std::_Head_base<0u, MutexFactory*, false>::_M_head(std::_Head_base<0u, MutexFactory*, false> const&)+8> "\005\064\362\a", part_len=0x46505845) at p11-kit/proxy.c:1452
        state = 0x1
        map = {wrap_slot = 2175480616, real_slot = 3059002268, funcs = 0xbfa94608}
        rv = 3058481387
#1  0xb64cb4cc in Mutex::~Mutex (this=0x81aa0338, __in_chrg=<optimized out>) at MutexFactory.cpp:53
No locals.
#2  0xb64cb4f3 in Mutex::~Mutex (this=0x81aa0338, __in_chrg=<optimized out>) at MutexFactory.cpp:55
No locals.
#3  0xb64cb7e2 in MutexFactory::recycleMutex (this=0x81aaa330, mutex=0x81aa0338) at MutexFactory.cpp:130
No locals.
#4  0xb64eaea2 in HandleManager::~HandleManager (this=0x81ab32e8, __in_chrg=<optimized out>) at HandleManager.cpp:60
No locals.
#5  0xb64eaeef in HandleManager::~HandleManager (this=0x81ab32e8, __in_chrg=<optimized out>) at HandleManager.cpp:61
No locals.
#6  0xb649a4da in SoftHSM::~SoftHSM (this=0x81aaa310, __in_chrg=<optimized out>) at SoftHSM.cpp:335
No locals.
#7  0xb649a5bd in SoftHSM::~SoftHSM (this=0x81aaa310, __in_chrg=<optimized out>) at SoftHSM.cpp:340
No locals.
#8  0xb64c21b2 in std::default_delete<SoftHSM>::operator() (this=0xb654b1b0 <SoftHSM::instance>, __ptr=0x81aaa310) at /usr/include/c++/6/bits/unique_ptr.h:76
No locals.
#9  0xb64c1a61 in std::unique_ptr<SoftHSM, std::default_delete<SoftHSM> >::~unique_ptr (this=0xb654b1b0 <SoftHSM::instance>, __in_chrg=<optimized out>) at /usr/include/c++/6/bits/unique_ptr.h:239
        __ptr = @0xb654b1b0: 0x81aaa310
#10 0xb74daaab in __run_exit_handlers (status=0, listp=0xb76623dc <__exit_funcs>, run_list_atexit=true, run_dtors=true) at exit.c:83
        atfct = <optimized out>
        onfct = <optimized out>
        cxafct = <optimized out>
        f = <optimized out>
#11 0xb74dab11 in __GI_exit (status=0) at exit.c:105
No locals.
#12 0xb76a765f in apr_proc_detach (daemonize=1) at ./threadproc/unix/procsup.c:32
        x = <optimized out>
#13 0xb7409d3f in worker_pre_config (pconf=0xb775d018, plog=0xb741b018, ptemp=0xb7417018) at worker.c:2151
        no_detach = 0
        debug = <optimized out>
        foreground = <optimized out>
        rv = <optimized out>
        userdata_key = 0xb740cf26 "mpm_worker_module"
#14 0x80131f9f in ap_run_pre_config (pconf=0xb775d018, plog=0xb741b018, ptemp=0xb7417018) at config.c:89
        pHook = <optimized out>
        n = 3
        rv = 0
#15 0x8010fd70 in main (argc=<optimized out>, argv=<optimized out>) at main.c:739
        c = 102 'f'
        showcompile = <optimized out>
        showdirectives = <optimized out>
        confname = <optimized out>
        def_server_root = <optimized out>
        temp_error_log = <optimized out>
        error = <optimized out>
        pconf = <optimized out>
        plog = 0xb741b018
        ptemp = 0xb7417018
        pcommands = 0xb7421018
        opt = 0xb74210b8
        rv = <optimized out>
        mod = <optimized out>
        opt_arg = 0xbfa95ac2 "/home/bmorton/mod-gnutls-0.8.0/test/tests/24_pkcs11_cert/apache.conf"
        signal_server = <optimized out>
        rc = <optimized out>
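A small triage helper for a `bt full` dump like the one above, added here as an example and not part of the thread or of mod_gnutls: it parses the frames and flags arguments whose values look like text or code addresses instead of the handles, buffers and lengths the callee expects, which is the first thing to check when a frame's arguments look implausible. The sample input is constructed from the frames quoted in the backtrace (argument strings abbreviated); the 64 KiB "near a frame PC" window is an assumed heuristic.

```python
import re

# Constructed sample, abbreviated from the `bt full` output quoted in this thread;
# frame #0 is wrapped over three lines as gdb printed it, followed by one local.
SAMPLE_BT = """\
#0  0xb7136747 in proxy_C_DecryptVerifyUpdate (self=0xb64cb9f0 <std::unique_ptr<MutexFactory>::get() const+28>, handle=2175480616,
    enc_part=0xbfa945e8 "\\bF\\251\\277", enc_part_len=3058480322,
    part=0xb64cb968 <std::_Head_base<0u, MutexFactory*, false>::_M_head+8> "\\005\\064", part_len=0x46505845) at p11-kit/proxy.c:1452
        rv = 3058481387
#1  0xb64cb4cc in Mutex::~Mutex (this=0x81aa0338, __in_chrg=<optimized out>) at MutexFactory.cpp:53
No locals.
#3  0xb64cb7e2 in MutexFactory::recycleMutex (this=0x81aaa330, mutex=0x81aa0338) at MutexFactory.cpp:130
No locals.
"""

FRAME_RE = re.compile(r"^#(\d+)\s+(0x[0-9a-f]+) in (\S+) \((.*)\) at ", re.M)
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-f]+|\d+)(\s+<)?")  # name=value, optional gdb <symbol> annotation
NEAR_CODE = 0x10000  # assumed heuristic: a value within 64 KiB of a frame's PC is treated as a code address


def join_wrapped_frames(text: str) -> list[str]:
    """Re-join gdb's wrapped argument lines; locals ('x = v') and 'No locals.' are dropped."""
    frames: list[str] = []
    for line in text.splitlines():
        if line.startswith("#"):
            frames.append(line)
        elif frames and " = " not in line and line.strip() != "No locals.":
            frames[-1] += " " + line.strip()
    return frames


def ascii_view(value: int) -> str:
    """The little-endian (i386) bytes of a 32-bit value if all four are printable ASCII, else ''."""
    raw = (value & 0xFFFFFFFF).to_bytes(4, "little")
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else ""


def triage(text: str) -> list[tuple[int, str, str]]:
    """(frame, argument, reason) for every argument whose value looks like the wrong kind of data."""
    matches = [FRAME_RE.match(f) for f in join_wrapped_frames(text)]
    pcs = [int(m.group(2), 16) for m in matches if m]
    findings: list[tuple[int, str, str]] = []
    for m in filter(None, matches):
        frame_no, args = int(m.group(1)), m.group(4)
        for name, raw, symbol in ARG_RE.findall(args):
            value = int(raw, 16) if raw.startswith("0x") else int(raw)
            if symbol:
                findings.append((frame_no, name, "gdb resolved the value to a code symbol"))
            if ascii_view(value):
                findings.append((frame_no, name, f"value is printable ASCII {ascii_view(value)!r}"))
            if any(abs(value - pc) < NEAR_CODE for pc in pcs):
                findings.append((frame_no, name, "value lies next to a frame PC (looks like a return address)"))
    return findings
```

On the quoted frame #0, part_len decodes to the ASCII text 'EXPF', enc_part_len (0xb64cb4c2) sits a few bytes below the return address of frame #1 (0xb64cb4cc), and self and part resolve to code symbols, while the handles in frames #1 and #3 raise nothing. That is the pattern of a call through corrupted or stale state rather than a genuine PKCS#11 call, which is consistent with the overflow suspicion in the report.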

