[Swan] Libreswan 3.29 segfault in ikev2.c ikev2_process_packet()

Andrew Cagney andrew.cagney at gmail.com
Wed Nov 6 16:31:53 UTC 2019


I'd start by going through the logs looking for messages that pertain
to the IKE SA '#533497'.  Presumably it was deleted, but its child
#533502 was somehow missed.

On Wed, 6 Nov 2019 at 10:40, Alan Szlosek <alan at redoxengine.com> wrote:
>
> Hi libreswan,
>
> We're running libreswan 3.29 on Ubuntu with Linux kernel 4.15 and had a segfault due to a null pointer dereference in the ikev2.c code. Can you work with me to determine what caused it?
>
> We saw this in the logs just before the crash:
>
>     EXPECTATION FAILED: child state #533502 missing parent state #533497 (in get_ike_sa() at state.c:461)
>
> I ran gdb against the crash dump, here's the output:
>
> GNU gdb (Ubuntu 8.1-0ubuntu3.1) 8.1.0.20180409-git
> Copyright (C) 2018 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu".
> Type "show configuration" for configuration details.
> For bug reporting instructions, please see:
> <http://www.gnu.org/software/gdb/bugs/>.
> Find the GDB manual and other documentation resources online at:
> <http://www.gnu.org/software/gdb/documentation/>.
> For help, type "help".
> Type "apropos word" to search for commands related to "word"...
> Reading symbols from /usr/lib/ipsec/pluto...Reading symbols from /usr/lib/debug/.build-id/07/90d482ffd48ee4a7e01a43395d54c7df1747e1.debug...done.
> done.
> [New LWP 4703]
> [New LWP 4713]
> [New LWP 4708]
> [New LWP 4714]
> [New LWP 4707]
> [New LWP 4712]
> [New LWP 4711]
> [New LWP 4715]
> [New LWP 4709]
> [New LWP 4716]
> [New LWP 4710]
> [New LWP 4720]
> [New LWP 4717]
> [New LWP 4718]
> [New LWP 4719]
> [New LWP 4721]
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> Core was generated by `/usr/lib/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  0x000055b4c756dfe5 in ikev2_process_packet (mdp=mdp at entry=0x7fffa7286f00) at ./programs/pluto/ikev2.c:1736
>
> warning: Source file is more recent than executable.
> 1736 if (md->hdr.isa_msgid > ike->sa.st_v2_msgids.initiator.sent) {
> [Current thread is 1 (Thread 0x7f4ad6e80900 (LWP 4703))]
> (gdb) where
> #0  0x000055b4c756dfe5 in ikev2_process_packet (mdp=mdp at entry=0x7fffa7286f00) at ./programs/pluto/ikev2.c:1736
> #1  0x000055b4c7592428 in process_packet (mdp=mdp at entry=0x7fffa7286f00) at ./programs/pluto/demux.c:387
> #2  0x000055b4c759263f in process_md (mdp=mdp at entry=0x7fffa7286f00) at ./programs/pluto/demux.c:442
> #3  0x000055b4c7592ba6 in comm_handle (ifp=<optimized out>) at ./programs/pluto/demux.c:483
> #4  comm_handle_cb (fd=<optimized out>, event=<optimized out>, arg=<optimized out>) at ./programs/pluto/demux.c:492
> #5  0x00007f4ad49d88f8 in ?? () from /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6
> #6  0x00007f4ad49d933f in event_base_loop () from /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6
> #7  0x000055b4c754ece4 in call_server () at ./programs/pluto/server.c:1378
> #8  0x000055b4c750c973 in main (argc=<optimized out>, argv=<optimized out>) at ./programs/pluto/plutomain.c:1789
>
> # I BELIEVE THE FOLLOWING SHOWS THAT THE ike VAR CONTAINS A NULL POINTER.
> # And as you know, dereferencing a null pointer is one of the possible causes of segfaults.
> (gdb) p md
> $1 = (struct msg_digest *) 0x55b4c8390758
> (gdb) p ike
> $2 = (struct ike_sa *) 0x0
> (gdb) p st->st_serialno
> $6 = 533502
>
> I verified that st->st_serialno contains the expected value of 533502 (which was mentioned in the log output).
>
> What else should I check?
>
> Thanks in advance.
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
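The failure mode above, as an added example that is not libreswan's code: a constructed state table in which child #533502 still refers to an already-deleted parent #533497, a lookup that returns NULL for such an orphan (the `EXPECTATION FAILED` condition from the log), and the unchecked versus checked message-id comparison. Structure and function names (`ike_sa`, `child_sa`, `get_ike_sa`, `process_msgid_*`) are simplified stand-ins, not pluto's real types.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdbool.h>

/* Constructed model of pluto-style state objects (not libreswan's real
 * structures): an IKE SA owns the message-id window, a child SA refers
 * to its parent only by serial number. */
typedef unsigned long so_serial_t;

struct ike_sa   { so_serial_t serialno; unsigned msgid_sent; bool alive; };
struct child_sa { so_serial_t serialno; so_serial_t parent_serialno; };

/* Constructed state table; serial numbers match the report's log line. */
static struct ike_sa ike_table[] = {
    { 533497, 7, false },  /* parent of #533502: already deleted */
    { 533599, 5, true  },  /* a live IKE SA for the normal path */
};

/* Constructed child SAs: one orphaned, one with a live parent. */
static const struct child_sa orphan_child  = { 533502, 533497 };
static const struct child_sa healthy_child = { 533600, 533599 };

/* Resolve a child's parent IKE SA; NULL when the parent is gone, which is
 * exactly the "child state missing parent state" expectation failure. */
static struct ike_sa *get_ike_sa(const struct child_sa *child)
{
    for (size_t i = 0; i < sizeof ike_table / sizeof ike_table[0]; i++) {
        if (ike_table[i].alive && ike_table[i].serialno == child->parent_serialno)
            return &ike_table[i];
    }
    fprintf(stderr, "EXPECTATION FAILED: child state #%lu missing parent state #%lu\n",
            child->serialno, child->parent_serialno);
    return NULL;
}

/* Unchecked: mirrors the crashing line, dereferencing ike after a failed
 * lookup. Calling it with orphan_child reproduces the NULL dereference. */
int process_msgid_unchecked(unsigned msgid, const struct child_sa *child)
{
    struct ike_sa *ike = get_ike_sa(child);
    return msgid > ike->msgid_sent;  /* SIGSEGV when ike == NULL */
}

/* Checked: an orphaned child is a per-packet error, so the packet is
 * dropped (-1) instead of dereferencing NULL. */
int process_msgid_checked(unsigned msgid, const struct child_sa *child)
{
    struct ike_sa *ike = get_ike_sa(child);
    if (ike == NULL)
        return -1;  /* drop; the expectation failure is already logged */
    return msgid > ike->msgid_sent;
}
```

The checked variant only prevents the crash; the orphaned child state itself still needs to be found and cleaned up, which is why the reply suggests tracing what happened to the parent SA in the logs.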