[sr-dev] [kamailio/kamailio] Kamailio 5.2.2 - Segmentation fault in libcrypto.so.1.1 (#1860)

shaunjstokes notifications at github.com
Mon Apr 15 10:26:20 CEST 2019

Not sure if this helps: each crash follows a slightly different path within 'modules/tls/tls_server.c', but it always crashes in 'aes_ecb_cipher' at 'crypto/evp/e_aes.c:2699'.

Here's our most recent core dump.

(gdb) bt
#0  0x00007f264161d6de in aes_ecb_cipher (ctx=0x7f25f5ad4480, out=0x7f25f6afec90 "", in=0x7f25f5ad4398 "\251\333\023`a>EBi\r\035\216Z\241Z}\200\\\345/-\340{", len=0) at crypto/evp/e_aes.c:2699
#1  0x00007f264162b755 in evp_EncryptDecryptUpdate (ctx=0x7f25f5ad4480, out=0x7f25f6afec90 "", outl=0x7ffc6679a3a4, in=0x7f25f5ad4398 "\251\333\023`a>EBi\r\035\216Z\241Z}\200\\\345/-\340{", inl=16) at crypto/evp/evp_enc.c:333
#2  0x00007f264162b9a0 in EVP_EncryptUpdate (ctx=0x7f25f5ad4480, out=0x7f25f6afec90 "", outl=0x7ffc6679a3a4, in=0x7f25f5ad4398 "\251\333\023`a>EBi\r\035\216Z\241Z}\200\\\345/-\340{", inl=16) at crypto/evp/evp_enc.c:385
#3  0x00007f264162b38e in EVP_CipherUpdate (ctx=0x7f25f5ad4480, out=0x7f25f6afec90 "", outl=0x7ffc6679a3a4, in=0x7f25f5ad4398 "\251\333\023`a>EBi\r\035\216Z\241Z}\200\\\345/-\340{", inl=16) at crypto/evp/evp_enc.c:213
#4  0x00007f2641669a01 in drbg_ctr_generate (drbg=0x7f25f5ad42b0, out=0x7f25f6afec90 "", outlen=32, adin=0x0, adinlen=0) at crypto/rand/drbg_ctr.c:340
#5  0x00007f264166af15 in RAND_DRBG_generate (drbg=0x7f25f5ad42b0, out=0x7f25f6afec90 "", outlen=32, prediction_resistance=0, adin=0x0, adinlen=0) at crypto/rand/drbg_lib.c:638
#6  0x00007f264166b043 in RAND_DRBG_bytes (drbg=0x7f25f5ad42b0, out=0x7f25f6afec90 "", outlen=32) at crypto/rand/drbg_lib.c:679
#7  0x00007f264166b5bc in drbg_bytes (out=0x7f25f6afec90 "", count=32) at crypto/rand/drbg_lib.c:968
#8  0x00007f264166cb2f in RAND_bytes (buf=0x7f25f6afec90 "", num=32) at crypto/rand/rand_lib.c:836
#9  0x00007f26419f0d33 in def_generate_session_id (ssl=0x7f25f6a6c540, id=0x7f25f6afec90 "", id_len=0x7ffc6679a534) at ssl/ssl_sess.c:290
#10 0x00007f26419f0f22 in ssl_generate_session_id (s=0x7f25f6a6c540, ss=0x7f25f6afeb38) at ssl/ssl_sess.c:362
#11 0x00007f26419f113e in ssl_get_new_session (s=0x7f25f6a6c540, session=1) at ssl/ssl_sess.c:418
#12 0x00007f2641a188f0 in tls_early_post_process_client_hello (s=0x7f25f6a6c540) at ssl/statem/statem_srvr.c:1817
#13 0x00007f2641a19900 in tls_post_process_client_hello (s=0x7f25f6a6c540, wst=WORK_MORE_A) at ssl/statem/statem_srvr.c:2222
#14 0x00007f2641a173dc in ossl_statem_server_post_process_message (s=0x7f25f6a6c540, wst=WORK_MORE_A) at ssl/statem/statem_srvr.c:1220
#15 0x00007f2641a03a04 in read_state_machine (s=0x7f25f6a6c540) at ssl/statem/statem.c:664
#16 0x00007f2641a03364 in state_machine (s=0x7f25f6a6c540, server=1) at ssl/statem/statem.c:434
#17 0x00007f2641a02e89 in ossl_statem_accept (s=0x7f25f6a6c540) at ssl/statem/statem.c:255
#18 0x00007f26419e952c in SSL_do_handshake (s=0x7f25f6a6c540) at ssl/ssl_lib.c:3599
#19 0x00007f26419e55f5 in SSL_accept (s=0x7f25f6a6c540) at ssl/ssl_lib.c:1643
#20 0x00007f26360480f2 in tls_accept (c=0x7f25f6aa1010, error=0x7ffc667ba98c) at tls_server.c:422
#21 0x00007f26360515fe in tls_read_f (c=0x7f25f6aa1010, flags=0x7ffc667bacc8) at tls_server.c:1119
#22 0x000055a6ac69fc43 in tcp_read_headers (c=0x7f25f6aa1010, read_flags=0x7ffc667bacc8) at core/tcp_read.c:469
#23 0x000055a6ac6a77e9 in tcp_read_req (con=0x7f25f6aa1010, bytes_read=0x7ffc667baccc, read_flags=0x7ffc667bacc8) at core/tcp_read.c:1496
#24 0x000055a6ac6ac757 in handle_io (fm=0x7f264284c438, events=1, idx=-1) at core/tcp_read.c:1804
#25 0x000055a6ac69a2c0 in io_wait_loop_epoll (h=0x55a6acb783a0 <io_w>, t=2, repeat=0) at core/io_wait.h:1065
#26 0x000055a6ac6ae76a in tcp_receive_loop (unix_sock=86) at core/tcp_read.c:1974
#27 0x000055a6ac561f12 in tcp_init_children () at core/tcp_main.c:4853
#28 0x000055a6ac4994ac in main_loop () at main.c:1745
#29 0x000055a6ac4a046e in main (argc=13, argv=0x7ffc667bb338) at main.c:2696

Here's the disassembly of aes_ecb_cipher. The faulting instruction at <+97> loads the 8-byte value at offset 0xf8 from the address held in %rax back into %rax; %rax had just been reloaded at <+93> from -0x18(%rbp), which is the slot where the return value of EVP_CIPHER_CTX_get_cipher_data was saved at <+54>. The loaded value is then used as the target of the indirect call at <+133>.

(gdb) disas aes_ecb_cipher
Dump of assembler code for function aes_ecb_cipher:
   0x00007f264161d67d <+0>:     push   %rbp
   0x00007f264161d67e <+1>:     mov    %rsp,%rbp
   0x00007f264161d681 <+4>:     sub    $0x40,%rsp
   0x00007f264161d685 <+8>:     mov    %rdi,-0x28(%rbp)
   0x00007f264161d689 <+12>:    mov    %rsi,-0x30(%rbp)
   0x00007f264161d68d <+16>:    mov    %rdx,-0x38(%rbp)
   0x00007f264161d691 <+20>:    mov    %rcx,-0x40(%rbp)
   0x00007f264161d695 <+24>:    mov    -0x28(%rbp),%rax
   0x00007f264161d699 <+28>:    mov    %rax,%rdi
   0x00007f264161d69c <+31>:    callq  0x7f264162cf2a <EVP_CIPHER_CTX_block_size>
   0x00007f264161d6a1 <+36>:    cltq
   0x00007f264161d6a3 <+38>:    mov    %rax,-0x10(%rbp)
   0x00007f264161d6a7 <+42>:    mov    -0x28(%rbp),%rax
   0x00007f264161d6ab <+46>:    mov    %rax,%rdi
   0x00007f264161d6ae <+49>:    callq  0x7f264162cfe5 <EVP_CIPHER_CTX_get_cipher_data>
   0x00007f264161d6b3 <+54>:    mov    %rax,-0x18(%rbp)
   0x00007f264161d6b7 <+58>:    mov    -0x40(%rbp),%rax
   0x00007f264161d6bb <+62>:    cmp    -0x10(%rbp),%rax
   0x00007f264161d6bf <+66>:    jae    0x7f264161d6c8 <aes_ecb_cipher+75>
   0x00007f264161d6c1 <+68>:    mov    $0x1,%eax
   0x00007f264161d6c6 <+73>:    jmp    0x7f264161d71b <aes_ecb_cipher+158>
   0x00007f264161d6c8 <+75>:    movq   $0x0,-0x8(%rbp)
   0x00007f264161d6d0 <+83>:    mov    -0x10(%rbp),%rax
   0x00007f264161d6d4 <+87>:    sub    %rax,-0x40(%rbp)
   0x00007f264161d6d8 <+91>:    jmp    0x7f264161d70c <aes_ecb_cipher+143>
   0x00007f264161d6da <+93>:    mov    -0x18(%rbp),%rax
=> 0x00007f264161d6de <+97>:    mov    0xf8(%rax),%rax
   0x00007f264161d6e5 <+104>:   mov    -0x18(%rbp),%rdx
   0x00007f264161d6e9 <+108>:   mov    -0x30(%rbp),%rsi
   0x00007f264161d6ed <+112>:   mov    -0x8(%rbp),%rcx
   0x00007f264161d6f1 <+116>:   add    %rcx,%rsi
   0x00007f264161d6f4 <+119>:   mov    -0x38(%rbp),%rdi
   0x00007f264161d6f8 <+123>:   mov    -0x8(%rbp),%rcx
   0x00007f264161d6fc <+127>:   add    %rdi,%rcx
   0x00007f264161d6ff <+130>:   mov    %rcx,%rdi
   0x00007f264161d702 <+133>:   callq  *%rax
   0x00007f264161d704 <+135>:   mov    -0x10(%rbp),%rax
   0x00007f264161d708 <+139>:   add    %rax,-0x8(%rbp)
   0x00007f264161d70c <+143>:   mov    -0x8(%rbp),%rax
   0x00007f264161d710 <+147>:   cmp    -0x40(%rbp),%rax
   0x00007f264161d714 <+151>:   jbe    0x7f264161d6da <aes_ecb_cipher+93>
   0x00007f264161d716 <+153>:   mov    $0x1,%eax
   0x00007f264161d71b <+158>:   leaveq
   0x00007f264161d71c <+159>:   retq
End of assembler dump.

If we look at the registers, the problem is that %rax is 0: the cipher-data pointer returned by EVP_CIPHER_CTX_get_cipher_data is NULL, so the load at <+97> dereferences address 0xf8 and faults before the indirect call at <+133> is reached.

(gdb) i r
rax            0x0      0
rbx            0x50     80
rcx            0x10     16
rdx            0x7f25f5ad4398   139801012290456
rsi            0x7f25f6afec90   139801029242000
rdi            0x7f25f5ad4480   139801012290688
rbp            0x7ffc6679a290   0x7ffc6679a290
rsp            0x7ffc6679a250   0x7ffc6679a250
r8             0x10     16
r9             0x0      0
r10            0x0      0
r11            0x202    514
r12            0x55a6ac8570b3   94174347358387
r13            0x40000000       1073741824
r14            0x10000000       268435456
r15            0x6      6
rip            0x7f264161d6de   0x7f264161d6de <aes_ecb_cipher+97>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
