[sr-dev] [kamailio/kamailio] Kamailio 5.2.2 - Segmentation fault in libcrypto.so.1.1 (#1860)
shaunjstokes
notifications at github.com
Mon Apr 15 10:26:20 CEST 2019
Not sure if this helps, each crash follows a slightly different path with-in 'modules/tls/tls_server.c' but always crashes in 'aes_ecb_cipher' at 'crypto/evp/e_aes.c:2699'.
Here's our most recent core dump.
(gdb) bt
#0 0x00007f264161d6de in aes_ecb_cipher (ctx=0x7f25f5ad4480, out=0x7f25f6afec90 "", in=0x7f25f5ad4398 "\251\333\023`a>EBi\r\035\216Z\241Z}\200\\\345/-\340{", len=0) at crypto/evp/e_aes.c:2699
#1 0x00007f264162b755 in evp_EncryptDecryptUpdate (ctx=0x7f25f5ad4480, out=0x7f25f6afec90 "", outl=0x7ffc6679a3a4, in=0x7f25f5ad4398 "\251\333\023`a>EBi\r\035\216Z\241Z}\200\\\345/-\340{", inl=16) at crypto/evp/evp_enc.c:333
#2 0x00007f264162b9a0 in EVP_EncryptUpdate (ctx=0x7f25f5ad4480, out=0x7f25f6afec90 "", outl=0x7ffc6679a3a4, in=0x7f25f5ad4398 "\251\333\023`a>EBi\r\035\216Z\241Z}\200\\\345/-\340{", inl=16) at crypto/evp/evp_enc.c:385
#3 0x00007f264162b38e in EVP_CipherUpdate (ctx=0x7f25f5ad4480, out=0x7f25f6afec90 "", outl=0x7ffc6679a3a4, in=0x7f25f5ad4398 "\251\333\023`a>EBi\r\035\216Z\241Z}\200\\\345/-\340{", inl=16) at crypto/evp/evp_enc.c:213
#4 0x00007f2641669a01 in drbg_ctr_generate (drbg=0x7f25f5ad42b0, out=0x7f25f6afec90 "", outlen=32, adin=0x0, adinlen=0) at crypto/rand/drbg_ctr.c:340
#5 0x00007f264166af15 in RAND_DRBG_generate (drbg=0x7f25f5ad42b0, out=0x7f25f6afec90 "", outlen=32, prediction_resistance=0, adin=0x0, adinlen=0) at crypto/rand/drbg_lib.c:638
#6 0x00007f264166b043 in RAND_DRBG_bytes (drbg=0x7f25f5ad42b0, out=0x7f25f6afec90 "", outlen=32) at crypto/rand/drbg_lib.c:679
#7 0x00007f264166b5bc in drbg_bytes (out=0x7f25f6afec90 "", count=32) at crypto/rand/drbg_lib.c:968
#8 0x00007f264166cb2f in RAND_bytes (buf=0x7f25f6afec90 "", num=32) at crypto/rand/rand_lib.c:836
#9 0x00007f26419f0d33 in def_generate_session_id (ssl=0x7f25f6a6c540, id=0x7f25f6afec90 "", id_len=0x7ffc6679a534) at ssl/ssl_sess.c:290
#10 0x00007f26419f0f22 in ssl_generate_session_id (s=0x7f25f6a6c540, ss=0x7f25f6afeb38) at ssl/ssl_sess.c:362
#11 0x00007f26419f113e in ssl_get_new_session (s=0x7f25f6a6c540, session=1) at ssl/ssl_sess.c:418
#12 0x00007f2641a188f0 in tls_early_post_process_client_hello (s=0x7f25f6a6c540) at ssl/statem/statem_srvr.c:1817
#13 0x00007f2641a19900 in tls_post_process_client_hello (s=0x7f25f6a6c540, wst=WORK_MORE_A) at ssl/statem/statem_srvr.c:2222
#14 0x00007f2641a173dc in ossl_statem_server_post_process_message (s=0x7f25f6a6c540, wst=WORK_MORE_A) at ssl/statem/statem_srvr.c:1220
#15 0x00007f2641a03a04 in read_state_machine (s=0x7f25f6a6c540) at ssl/statem/statem.c:664
#16 0x00007f2641a03364 in state_machine (s=0x7f25f6a6c540, server=1) at ssl/statem/statem.c:434
#17 0x00007f2641a02e89 in ossl_statem_accept (s=0x7f25f6a6c540) at ssl/statem/statem.c:255
#18 0x00007f26419e952c in SSL_do_handshake (s=0x7f25f6a6c540) at ssl/ssl_lib.c:3599
#19 0x00007f26419e55f5 in SSL_accept (s=0x7f25f6a6c540) at ssl/ssl_lib.c:1643
#20 0x00007f26360480f2 in tls_accept (c=0x7f25f6aa1010, error=0x7ffc667ba98c) at tls_server.c:422
#21 0x00007f26360515fe in tls_read_f (c=0x7f25f6aa1010, flags=0x7ffc667bacc8) at tls_server.c:1119
#22 0x000055a6ac69fc43 in tcp_read_headers (c=0x7f25f6aa1010, read_flags=0x7ffc667bacc8) at core/tcp_read.c:469
#23 0x000055a6ac6a77e9 in tcp_read_req (con=0x7f25f6aa1010, bytes_read=0x7ffc667baccc, read_flags=0x7ffc667bacc8) at core/tcp_read.c:1496
#24 0x000055a6ac6ac757 in handle_io (fm=0x7f264284c438, events=1, idx=-1) at core/tcp_read.c:1804
#25 0x000055a6ac69a2c0 in io_wait_loop_epoll (h=0x55a6acb783a0 <io_w>, t=2, repeat=0) at core/io_wait.h:1065
#26 0x000055a6ac6ae76a in tcp_receive_loop (unix_sock=86) at core/tcp_read.c:1974
#27 0x000055a6ac561f12 in tcp_init_children () at core/tcp_main.c:4853
#28 0x000055a6ac4994ac in main_loop () at main.c:1745
#29 0x000055a6ac4a046e in main (argc=13, argv=0x7ffc667bb338) at main.c:2696
Here's the disas of aes_ecb_cipher, it was doing a move from memory pointed to in the %rax register plus an offset of 0xf8, to the %rax register.
(gdb) disas aes_ecb_cipher
Dump of assembler code for function aes_ecb_cipher:
0x00007f264161d67d <+0>: push %rbp
0x00007f264161d67e <+1>: mov %rsp,%rbp
0x00007f264161d681 <+4>: sub $0x40,%rsp
0x00007f264161d685 <+8>: mov %rdi,-0x28(%rbp)
0x00007f264161d689 <+12>: mov %rsi,-0x30(%rbp)
0x00007f264161d68d <+16>: mov %rdx,-0x38(%rbp)
0x00007f264161d691 <+20>: mov %rcx,-0x40(%rbp)
0x00007f264161d695 <+24>: mov -0x28(%rbp),%rax
0x00007f264161d699 <+28>: mov %rax,%rdi
0x00007f264161d69c <+31>: callq 0x7f264162cf2a <EVP_CIPHER_CTX_block_size>
0x00007f264161d6a1 <+36>: cltq
0x00007f264161d6a3 <+38>: mov %rax,-0x10(%rbp)
0x00007f264161d6a7 <+42>: mov -0x28(%rbp),%rax
0x00007f264161d6ab <+46>: mov %rax,%rdi
0x00007f264161d6ae <+49>: callq 0x7f264162cfe5 <EVP_CIPHER_CTX_get_cipher_data>
0x00007f264161d6b3 <+54>: mov %rax,-0x18(%rbp)
0x00007f264161d6b7 <+58>: mov -0x40(%rbp),%rax
0x00007f264161d6bb <+62>: cmp -0x10(%rbp),%rax
0x00007f264161d6bf <+66>: jae 0x7f264161d6c8 <aes_ecb_cipher+75>
0x00007f264161d6c1 <+68>: mov $0x1,%eax
0x00007f264161d6c6 <+73>: jmp 0x7f264161d71b <aes_ecb_cipher+158>
0x00007f264161d6c8 <+75>: movq $0x0,-0x8(%rbp)
0x00007f264161d6d0 <+83>: mov -0x10(%rbp),%rax
0x00007f264161d6d4 <+87>: sub %rax,-0x40(%rbp)
0x00007f264161d6d8 <+91>: jmp 0x7f264161d70c <aes_ecb_cipher+143>
0x00007f264161d6da <+93>: mov -0x18(%rbp),%rax
=> 0x00007f264161d6de <+97>: mov 0xf8(%rax),%rax
0x00007f264161d6e5 <+104>: mov -0x18(%rbp),%rdx
0x00007f264161d6e9 <+108>: mov -0x30(%rbp),%rsi
0x00007f264161d6ed <+112>: mov -0x8(%rbp),%rcx
0x00007f264161d6f1 <+116>: add %rcx,%rsi
0x00007f264161d6f4 <+119>: mov -0x38(%rbp),%rdi
0x00007f264161d6f8 <+123>: mov -0x8(%rbp),%rcx
0x00007f264161d6fc <+127>: add %rdi,%rcx
0x00007f264161d6ff <+130>: mov %rcx,%rdi
0x00007f264161d702 <+133>: callq *%rax
0x00007f264161d704 <+135>: mov -0x10(%rbp),%rax
0x00007f264161d708 <+139>: add %rax,-0x8(%rbp)
0x00007f264161d70c <+143>: mov -0x8(%rbp),%rax
0x00007f264161d710 <+147>: cmp -0x40(%rbp),%rax
0x00007f264161d714 <+151>: jbe 0x7f264161d6da <aes_ecb_cipher+93>
0x00007f264161d716 <+153>: mov $0x1,%eax
0x00007f264161d71b <+158>: leaveq
0x00007f264161d71c <+159>: retq
End of assembler dump.
If we look at the register, the problem is %rax is 0.
(gdb) i r
rax 0x0 0
rbx 0x50 80
rcx 0x10 16
rdx 0x7f25f5ad4398 139801012290456
rsi 0x7f25f6afec90 139801029242000
rdi 0x7f25f5ad4480 139801012290688
rbp 0x7ffc6679a290 0x7ffc6679a290
rsp 0x7ffc6679a250 0x7ffc6679a250
r8 0x10 16
r9 0x0 0
r10 0x0 0
r11 0x202 514
r12 0x55a6ac8570b3 94174347358387
r13 0x40000000 1073741824
r14 0x10000000 268435456
r15 0x6 6
rip 0x7f264161d6de 0x7f264161d6de <aes_ecb_cipher+97>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/1860#issuecomment-483156808
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-dev/attachments/20190415/7e4a5933/attachment-0001.html>
More information about the sr-dev
mailing list