Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#714 closed Bug / Defect (notabug)

segfault in openvpn-polarssl (2.3.11) on openwrt (DD, 49831)

Reported by: krzee king Owned by:
Priority: minor Milestone:
Component: Generic / unclassified Version: OpenVPN 2.3.11 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc:

Description (last modified by krzee king)

root@OpenWrt:/etc/openvpn# openvpn server.conf

Mon Jul 25 09:15:04 2016 us=463243 OpenVPN 2.3.11 mips-openwrt-linux-gnu [SSL (PolarSSL)] [LZO] [EPOLL] [MH] [IPv6]
Mon Jul 25 09:15:04 2016 us=464103 library versions: PolarSSL 1.3.16, LZO 2.09
Mon Jul 25 09:15:04 2016 us=465734 WARNING: --keepalive option is missing from server config
Mon Jul 25 09:15:04 2016 us=467722 Diffie-Hellman initialized with 4096 bit key
Segmentation fault

but i dont have a crash if i do:

/usr/sbin/openvpn --secret /etc/openvpn/failover.key --float --dev tun41  --port 1197 --ifconfig 10.0.21.1 10.0.21.2 --keepalive 5 45 --comp-lzo no

root@OpenWrt:/etc/openvpn# cat server.conf

port 1194
proto udp
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh4096.pem
server 10.8.10.0 255.255.255.0
verb 9

strace:

open("ca.crt", O_RDONLY|O_LARGEFILE)    = 3
_llseek(3, 0, [2269], SEEK_END)         = 0
_llseek(3, 0, [2269], SEEK_CUR)         = 0
_llseek(3, 0, [0], SEEK_SET)            = 0
readv(3, [{"-----BEGIN CERTIFICATE-----\nMIIG"..., 2268}, {"\n", 1024}], 2) = 2269
close(3)                                = 0
clock_gettime(CLOCK_REALTIME, {1469436902, 619553104}) = 0
clock_gettime(CLOCK_REALTIME, {1469436902, 620658045}) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0} ---
+++ killed by SIGSEGV +++
Segmentation faul

Note, I'm using 4096 bit keys but i tested the following keys as well:
ca.crt + client.crt + client.key
from https://sourceforge.net/p/openvpn-gui/openvpn/ci/master/tree/sample/sample-keys/

Change History (10)

comment:1 Changed 8 years ago by krzee king

Description: modified (diff)

comment:2 Changed 8 years ago by krzee king

Description: modified (diff)

comment:3 Changed 8 years ago by Steffan Karger

Would it be possible to extract the config.h of polarssl as built on the box? Maybe this is reproducible with a similarly configured polarssl.

comment:4 Changed 8 years ago by krzee king

unfortunately no.
openwrt uses opkg which uses .ipk files which are binaries

all i can really say is where it came from:

root@OpenWrt:/etc/vpn# opkg install openvpn-polarssl
Installing openvpn-polarssl (2.3.11-1) to root...
Downloading http://downloads.openwrt.org/snapshots/trunk/ar71xx/generic/packages/base/openvpn-polarssl_2.3.11-1_ar71xx.ipk.
Installing kmod-tun (4.4.14-1) to root...
Downloading http://downloads.openwrt.org/snapshots/trunk/ar71xx/generic/packages/kernel/kmod-tun_4.4.14-1_ar71xx.ipk.
Installing liblzo (2.09-1) to root...
Downloading http://downloads.openwrt.org/snapshots/trunk/ar71xx/generic/packages/base/liblzo_2.09-1_ar71xx.ipk.
Installing libpolarssl (1.3.17-1) to root...
Downloading http://downloads.openwrt.org/snapshots/trunk/ar71xx/generic/packages/base/libpolarssl_1.3.17-1_ar71xx.ipk.

I would be happy to test an ipk from you and take the problem to them if yours works... would that work?

comment:5 Changed 8 years ago by Steffan Karger

I dove into the openwrt git, and it seems they disable polarssl's version reporting:

@@ -2160,8 +2160,8 @@
  * Module:  library/version.c
  *
  * This module provides run-time version information.
- */
 #define POLARSSL_VERSION_C
+ */

(See https://github.com/openwrt/openwrt/blob/master/package/libs/polarssl/patches/200-reduce_config.patch)

However, OpenVPN calls mbedtls_version_get_number(), which is now no longer available. I think run time version checking is very useful, so don't like the idea of making that optional in the OpenVPN code. So openwrt should either path their openvpn package to deal with their polarssl config, or just enable POLARSSL_VERSION_C. (How many bytes can three tiny functions possibly cost?)

Version 0, edited 8 years ago by Steffan Karger (next)

comment:6 Changed 8 years ago by Gert Döring

Why is it SIGSEGV'ing, instead of being killed by ld.so with "symbol not found"??

comment:7 Changed 8 years ago by krzee king

nice, want to test it?
i have a different version of the router as well (841 v11) that has a bug in trunk where it mounts the ramdisk instead of the overlay, so while it forgets everything on reboot i do get a lot more storage to work with :D
that means that now I can install gdb, but unfortunately I do not have debug symbols.
If you could provide an ipk to test, i can test if it still crashes, and if it does i can use gdb now (assuming the test ipk comes with debug symbols)

comment:8 Changed 8 years ago by Steffan Karger

Gert is right, this does not have to do with the runtime version checking. They made the required changes for that in OpenVPN too.

Unfortunately I'm not able to build ipkg packages. Maybe the openwrt maintainer can build one with debug symbols for you?

As soon as someone provides me with a stack strace, I'll look into it.

comment:9 Changed 8 years ago by krzee king

Resolution: notabug
Status: newclosed

sounds like this problem has nothing to do with us, and lives completely in openwrt. If I figure out anything more I will update this for completeness sake. Thank you for the offer to help if we can get a stack trace, I will let you know if I find a way.

comment:10 Changed 8 years ago by krzee king

from their dev chan (thank you dangole):

<dangole> https://bugs.lede-project.org/index.php?do=details&task_id=33
<dangole> ah, it's the cipher-suite which needs to be specified explicitely when using polarssl
<dangole> see
<dangole> https://git.lede-project.org/?p=source.git;a=commit;h=f98f4601de762251c4644047786affd34d5fb10c
<dangole> krzee: probably mirko should back-port the fix above for OpenWrt's Chaos Calmer release

So it seems that they have a bug in openvpn-polarssl that is only triggered when not manually specifying --tls-cipher
I will test this and report back.

Note: See TracTickets for help on using tickets.