[gnutls-devel] gnutls 3.2.3 segfault in _gnutls_epoch_set_keys

Stefan Bühler stbuehler at lighttpd.net
Fri Aug 2 00:53:26 CEST 2013


I get segfaults with libgnutls28-3.2.3-1:i386 from debian unstable, client is firefox (iceweasel) 22,
TLS1.0, ciphersuite TLS_RSA_WITH_RC4_128_SHA (0x0005).
Usually this happens when I start a second request when another one is already running,
but pausing and resuming a download can trigger it too.

Thread 1 (Thread 0xb73346c0 (LWP 21681)):
#0  0xb5125add in _gnutls_epoch_set_keys () from /usr/lib/i386-linux-gnu/libgnutls.so.28
No symbol table info available.
#1  0xb5125f4b in _gnutls_write_connection_state_init () from /usr/lib/i386-linux-gnu/libgnutls.so.28
No symbol table info available.
#2  0xb5111149 in _gnutls_send_handshake_final () from /usr/lib/i386-linux-gnu/libgnutls.so.28
No symbol table info available.
#3  0xb5114cc7 in gnutls_handshake () from /usr/lib/i386-linux-gnu/libgnutls.so.28
No symbol table info available.

(dbg package is installed, but it somehow didn't contain more source information)

From the disassemble output I gathered that in gnutls_constate.c:327 
params->cipher == NULL, and dereferencing it triggers the segfault:

  if (_gnutls_cipher_priority (session, params->cipher->id) < 0)

(gdb) disassemble
Dump of assembler code for function _gnutls_epoch_set_keys:
   0xb5025a70 <+0>:     push   %ebp
   0xb5025a71 <+1>:     push   %edi
   0xb5025a72 <+2>:     push   %esi
   0xb5025a73 <+3>:     push   %ebx
   0xb5025a74 <+4>:     sub    $0x3c,%esp
   0xb5025a77 <+7>:     mov    0x50(%esp),%esi
   0xb5025a7b <+11>:    call   0xb5005ed0 <__x86.get_pc_thunk.bx>
   0xb5025a80 <+16>:    add    $0xd8580,%ebx
   0xb5025a86 <+22>:    mov    0x54(%esp),%eax
   0xb5025a8a <+26>:    mov    0xd0(%esi),%edi
   0xb5025a90 <+32>:    test   %edi,%edi
   0xb5025a92 <+34>:    je     0xb5025d86 <_gnutls_epoch_set_keys+790>
   0xb5025a98 <+40>:    lea    0x2c(%esp),%edx
   0xb5025a9c <+44>:    movzwl %ax,%eax
   0xb5025a9f <+47>:    mov    %edx,0x8(%esp)
   0xb5025aa3 <+51>:    mov    %eax,0x4(%esp)
   0xb5025aa7 <+55>:    mov    %esi,(%esp)
   0xb5025aaa <+58>:    call   0xb50255b0 <_gnutls_epoch_get>
   0xb5025aaf <+63>:    test   %eax,%eax
   0xb5025ab1 <+65>:    js     0xb5025b78 <_gnutls_epoch_set_keys+264>
   0xb5025ab7 <+71>:    mov    0x2c(%esp),%eax
   0xb5025abb <+75>:    xor    %ebp,%ebp
   0xb5025abd <+77>:    mov    0x4(%eax),%edx
   0xb5025ac0 <+80>:    test   %edx,%edx
   0xb5025ac2 <+82>:    jne    0xb5025b68 <_gnutls_epoch_set_keys+248>
   0xb5025ac8 <+88>:    mov    -0x14(%ebx),%ecx
   0xb5025ace <+94>:    cmpl   $0x3,(%ecx)
   0xb5025ad1 <+97>:    jg     0xb5025da4 <_gnutls_epoch_set_keys+820>
   0xb5025ad7 <+103>:   mov    0x8(%eax),%ebp
   0xb5025ada <+106>:   mov    0xc(%eax),%eax
=> 0xb5025add <+109>:   mov    0x4(%eax),%eax
   0xb5025ae0 <+112>:   mov    %esi,(%esp)
   0xb5025ae3 <+115>:   mov    %eax,0x4(%esp)
   0xb5025ae7 <+119>:   call   0xb50a7e00 <_gnutls_cipher_priority>

(%eax is 0)

I could of course be doing something wrong in lighttpd2 mod_gnutls, but imho it doesn't look like it.


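As an added illustration of the pattern the report pins down (a NULL cipher pointer in the epoch's record parameters being dereferenced as params->cipher->id), here is a constructed C model of that step in both its unchecked and its hardened form. This is not GnuTLS code: the struct names, field names, error codes and the epoch_get()/epoch_set_keys() helpers are hypothetical stand-ins, and the scenario in reproduce_report() only mimics the described situation (a second handshake's epoch whose cipher was never assigned).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for GnuTLS's per-epoch record parameters; the field
 * names and error codes are hypothetical and the layout is not the library's. */
#define MAX_EPOCHS   4
#define E_OK         0
#define E_BAD_EPOCH -1   /* hypothetical: epoch does not exist */
#define E_NO_CIPHER -2   /* hypothetical: epoch has no cipher selected yet */

typedef struct {
    int id;              /* what the crashing load params->cipher->id reads */
    const char *name;
} cipher_entry_t;

typedef struct {
    int in_use;          /* epoch slot allocated by a handshake */
    int initialized;     /* keys already derived; the flag tested before the crash */
    const cipher_entry_t *cipher;   /* NULL until the handshake selects a suite */
} record_params_t;

typedef struct {
    record_params_t epochs[MAX_EPOCHS];
} session_t;

/* Constructed entry; id 5 simply echoes suite 0x0005 from the report. */
static const cipher_entry_t rc4_128_sha = { 5, "RC4-128-SHA" };

/* Stand-in for the epoch lookup: resolve an epoch number to its params. */
static int epoch_get(session_t *s, unsigned epoch, record_params_t **out)
{
    if (epoch >= MAX_EPOCHS || !s->epochs[epoch].in_use)
        return E_BAD_EPOCH;
    *out = &s->epochs[epoch];
    return E_OK;
}

/* Unchecked variant: the dereference pattern the report describes. With a
 * NULL cipher this faults exactly like the reported instruction. */
int epoch_cipher_id_unchecked(const record_params_t *params)
{
    return params->cipher->id;
}

/* Hardened variant: every pointer loaded on the way to cipher->id is
 * validated, so an epoch whose cipher was never set yields an error code
 * to the caller (the handshake-final step) instead of a segfault. */
int epoch_set_keys(session_t *s, unsigned epoch, int *cipher_id_out)
{
    record_params_t *params;
    int rc = epoch_get(s, epoch, &params);
    if (rc < 0)
        return rc;
    if (params->cipher == NULL)
        return E_NO_CIPHER;
    if (!params->initialized)
        params->initialized = 1;   /* key derivation would happen here */
    *cipher_id_out = params->cipher->id;
    return E_OK;
}

/* Constructed scenario mirroring the report: the first handshake's epoch is
 * fully set up, then a second handshake allocates a new epoch but key setup
 * runs before any cipher was assigned to it. */
int reproduce_report(void)
{
    session_t s;
    int id = 0, rc;

    memset(&s, 0, sizeof s);
    s.epochs[0].in_use = 1;
    s.epochs[0].cipher = &rc4_128_sha;
    rc = epoch_set_keys(&s, 0, &id);    /* first handshake: E_OK, id == 5 */
    if (rc != E_OK || id != 5)
        return -100;

    s.epochs[1].in_use = 1;             /* second handshake, cipher still NULL */
    return epoch_set_keys(&s, 1, &id);  /* E_NO_CIPHER rather than a crash */
}

int main(void)
{
    printf("reproduce_report() -> %d (expected %d)\n",
           reproduce_report(), E_NO_CIPHER);
    return 0;
}
```

The point of the hardened variant is that the NULL check happens at the same place the disassembly shows the load from `0xc(%eax)` followed by `0x4(%eax)`: after the epoch lookup succeeds and before the cipher entry is touched. Whether the right fix in the real library is such a check or ensuring the second handshake never reaches key setup with an unset cipher is a question the report leaves open.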