some crashes on using DSA keys

Miroslav Kratochvil exa.exa at gmail.com
Mon Apr 20 12:54:59 CEST 2009


Hi there,

today i wanted to experiment with some weird key combinations (I dont
realize why now..). I was trying to use DSA keys in combination with
some RSA, and came to a crash in GnuTLS library core. I'm posting some
logs and a backtrace below.
As the error was "glibc detected double free or stack corruption", my
research led me to a strange method of handling sexp's in
lib/pk-libgcrpt.c, see code here:

(around line 510:)

  gcry_sexp_release (s_sig);    //1 - well lets release those things
  gcry_sexp_release (s_hash);
  gcry_sexp_release (s_pkey);

  if (rc != 0)
    {
      gnutls_assert ();   //2 - assert in log sais that we failed
      ret = GNUTLS_E_PK_SIG_VERIFY_FAILED;
      goto cleanup;   //3- and go to cleanup
    }

  return 0;

cleanup:   //4 - here
  _gnutls_mpi_release (&hash);
  _gnutls_mpi_release (&tmp[0]);
  _gnutls_mpi_release (&tmp[1]);   //5 - those 3 are released ok
  if (s_sig)
    gcry_sexp_release (s_sig); // 6 - releasing s_sig again
                                          // becuse s_sig still != 0
  if (s_hash)  //7 - (same here)
    gcry_sexp_release (s_hash);
  if (s_pkey)
    gcry_sexp_release (s_pkey);

  return ret;
}

In my opinion, this seems as a simple but hard-to-see bug. Kick me if
I'm wrong (and explain why, please.)

Solution is simple, you add a line just below the 3
gcry_sexp_releases, something like this:
s_sig=s_hash=s_pkey=0;

I'm sorry if this is already fixed in gnutls above 2.6.5, but I didn't
have much time to investigate yet. The same for complete debugging
backtrace; I will probably generate both of them later this day.

Thanks for any comment on this,
Mirek Kratochvil


----------
As I promised above, output of my program with loglevel 10 and the
glibc backtrace follows. Sorry for be big post.

.... stuff that leads to invocation of gnutls_handshake is not here here....

Mon Apr 20 12:52:06 2009: (info) in
`/home/exa/work/cloudvpn/src/comm.cpp' line 145:	gnutls (7): 0010 - c6
ea a9 6b 96 be d7 44 e6 f9 45 00 0a 30 08 02

Mon Apr 20 12:52:06 2009: (info) in
`/home/exa/work/cloudvpn/src/comm.cpp' line 145:	gnutls (7): 0011 - 02
2c 96 02 02 34 53

Mon Apr 20 12:52:06 2009: (info) in
`/home/exa/work/cloudvpn/src/comm.cpp' line 145:	gnutls (7): RB: Have
5 bytes into buffer. Adding 279 bytes.

Mon Apr 20 12:52:06 2009: (info) in
`/home/exa/work/cloudvpn/src/comm.cpp' line 145:	gnutls (7): RB:
Requested 284 bytes

Mon Apr 20 12:52:06 2009: (info) in
`/home/exa/work/cloudvpn/src/comm.cpp' line 145:	gnutls (2): ASSERT:
gnutls_cipher.c:204

Mon Apr 20 12:52:06 2009: (info) in
`/home/exa/work/cloudvpn/src/comm.cpp' line 145:	gnutls (4):
REC[6943b0]: Decrypted Packet[2] Handshake(22) with length: 279

Mon Apr 20 12:52:06 2009: (info) in
`/home/exa/work/cloudvpn/src/comm.cpp' line 145:	gnutls (6): BUF[HSK]:
Inserted 279 bytes of Data(22)

Mon Apr 20 12:52:06 2009: (info) in
`/home/exa/work/cloudvpn/src/comm.cpp' line 145:	gnutls (6):
BUF[REC][HD]: Read 1 bytes of Data(22)

Mon Apr 20 12:52:06 2009: (info) in
`/home/exa/work/cloudvpn/src/comm.cpp' line 145:	gnutls (6):
BUF[REC][HD]: Read 3 bytes of Data(22)

Mon Apr 20 12:52:06 2009: (info) in
`/home/exa/work/cloudvpn/src/comm.cpp' line 145:	gnutls (3):
HSK[6943b0]: SERVER KEY EXCHANGE was received [279 bytes]

Mon Apr 20 12:52:06 2009: (info) in
`/home/exa/work/cloudvpn/src/comm.cpp' line 145:	gnutls (6):
BUF[REC][HD]: Read 275 bytes of Data(22)

Mon Apr 20 12:52:06 2009: (info) in
`/home/exa/work/cloudvpn/src/comm.cpp' line 145:	gnutls (6): BUF[HSK]:
Peeked 1338 bytes of Data

Mon Apr 20 12:52:06 2009: (info) in
`/home/exa/work/cloudvpn/src/comm.cpp' line 145:	gnutls (6): BUF[HSK]:
Emptied buffer

Mon Apr 20 12:52:06 2009: (info) in
`/home/exa/work/cloudvpn/src/comm.cpp' line 145:	gnutls (6): BUF[HSK]:
Inserted 4 bytes of Data

Mon Apr 20 12:52:06 2009: (info) in
`/home/exa/work/cloudvpn/src/comm.cpp' line 145:	gnutls (6): BUF[HSK]:
Inserted 275 bytes of Data

Mon Apr 20 12:52:06 2009: (info) in
`/home/exa/work/cloudvpn/src/comm.cpp' line 145:	gnutls (2): ASSERT:
pk-libgcrypt.c:517

*** glibc detected *** ./cloudvpn: double free or corruption (!prev):
0x00000000006a5c20 ***
======= Backtrace: =========
/lib/libc.so.6[0x7ffc17c4319d]
/lib/libc.so.6(cfree+0x76)[0x7ffc17c44be6]
/usr/lib/libgcrypt.so.11[0x7ffc17965a46]
/usr/lib/libgcrypt.so.11[0x7ffc17967861]
/usr/lib/libgnutls.so.26[0x7ffc186f9175]
/usr/lib/libgnutls.so.26(_gnutls_dsa_verify+0x47)[0x7ffc186e92e7]
/usr/lib/libgnutls.so.26[0x7ffc186efaf1]
/usr/lib/libgnutls.so.26(_gnutls_verify_sig_params+0x138)[0x7ffc186efcd8]
/usr/lib/libgnutls.so.26[0x7ffc186f089d]
/usr/lib/libgnutls.so.26(_gnutls_recv_server_kx_message+0x75)[0x7ffc186e0e45]
/usr/lib/libgnutls.so.26(_gnutls_handshake_client+0x376)[0x7ffc186de086]
/usr/lib/libgnutls.so.26(gnutls_handshake+0xdb)[0x7ffc186de6fb]
./cloudvpn(_ZN10connection15try_ssl_connectEv+0x1c)[0x439cb8]
./cloudvpn(_ZN10connection11poll_simpleEv+0x48)[0x43aaaa]
./cloudvpn(_ZN10connection10poll_writeEv+0x15)[0x43ab01]
./cloudvpn[0x435385]
./cloudvpn(_Z19poll_wait_for_eventi+0x1f2)[0x4355e6]
./cloudvpn(_Z12run_cloudvpniPPc+0x2fe)[0x434c12]
./cloudvpn(main+0x1b)[0x437403]
/lib/libc.so.6(__libc_start_main+0xf4)[0x7ffc17bf04a4]
./cloudvpn(__gxx_personality_v0+0x179)[0x426309]
======= Memory map: ========
00400000-00459000 r-xp 00000000 16:03 5078611
  /home/exa/work/cloudvpn/cloudvpn
00658000-00659000 r--p 00058000 16:03 5078611
  /home/exa/work/cloudvpn/cloudvpn
00659000-0065a000 rw-p 00059000 16:03 5078611
  /home/exa/work/cloudvpn/cloudvpn
0065a000-006bf000 rw-p 0065a000 00:00 0                                  [heap]
7ffc10000000-7ffc10021000 rw-p 7ffc10000000 00:00 0
7ffc10021000-7ffc14000000 ---p 7ffc10021000 00:00 0
7ffc17648000-7ffc1764b000 r-xp 00000000 16:03 5078044
  /usr/lib64/libgpg-error.so.0.4.0
7ffc1764b000-7ffc1774a000 ---p 00003000 16:03 5078044
  /usr/lib64/libgpg-error.so.0.4.0
7ffc1774a000-7ffc1774b000 rw-p 00002000 16:03 5078044
  /usr/lib64/libgpg-error.so.0.4.0
7ffc1774b000-7ffc1775a000 r-xp 00000000 16:03 5391683
  /usr/lib64/libtasn1.so.3.0.14
7ffc1775a000-7ffc17959000 ---p 0000f000 16:03 5391683
  /usr/lib64/libtasn1.so.3.0.14
7ffc17959000-7ffc1795a000 r--p 0000e000 16:03 5391683
  /usr/lib64/libtasn1.so.3.0.14
7ffc1795a000-7ffc1795b000 rw-p 0000f000 16:03 5391683
  /usr/lib64/libtasn1.so.3.0.14
7ffc1795b000-7ffc179ce000 r-xp 00000000 16:03 7503463
  /usr/lib64/libgcrypt.so.11.5.2
7ffc179ce000-7ffc17bce000 ---p 00073000 16:03 7503463
  /usr/lib64/libgcrypt.so.11.5.2
7ffc17bce000-7ffc17bcf000 r--p 00073000 16:03 7503463
  /usr/lib64/libgcrypt.so.11.5.2
7ffc17bcf000-7ffc17bd2000 rw-p 00074000 16:03 7503463
  /usr/lib64/libgcrypt.so.11.5.2
7ffc17bd2000-7ffc17d11000 r-xp 00000000 16:03 5910771
  /lib64/libc-2.8.so
7ffc17d11000-7ffc17f10000 ---p 0013f000 16:03 5910771
  /lib64/libc-2.8.so
7ffc17f10000-7ffc17f14000 r--p 0013e000 16:03 5910771
  /lib64/libc-2.8.so
7ffc17f14000-7ffc17f15000 rw-p 00142000 16:03 5910771
  /lib64/libc-2.8.so
7ffc17f15000-7ffc17f1a000 rw-p 7ffc17f15000 00:00 0
7ffc17f1a000-7ffc17f27000 r-xp 00000000 16:03 5908018
  /lib64/libgcc_s.so.1
7ffc17f27000-7ffc18126000 ---p 0000d000 16:03 5908018
  /lib64/libgcc_s.so.1
7ffc18126000-7ffc18127000 r--p 0000c000 16:03 5908018
  /lib64/libgcc_s.so.1
7ffc18127000-7ffc18128000 rw-p 0000d000 16:03 5908018
  /lib64/libgcc_s.so.1
7ffc18128000-7ffc181a8000 r-xp 00000000 16:03 5910826
  /lib64/libm-2.8.so
7ffc181a8000-7ffc183a7000 ---p 00080000 16:03 5910826
  /lib64/libm-2.8.so
7ffc183a7000-7ffc183a8000 r--p 0007f000 16:03 5910826           Aborted





More information about the Gnutls-devel mailing list