[hybrid] Segfault when DH param file missing

Michael Wobst wobst.michael at web.de
Sun Sep 1 08:13:52 EDT 2019


Holla Dom,

thanks for pointing this out. The issue should be fixed now in the latest
git. Support for GnuTLS <3.6 is planned to be dropped in the second
quarter next year.

Cheers,
Michael



Dominic Hargreaves wrote:
> The problem arises if ssl_dh_param_file is either not specified or is
> missing. This only became a problem when EDH ciphers were
> specified, as per the config file comment:
>
> "DH parameters are required when using ciphers with EDH (ephemeral
> Diffie-Hellman) key exchange."
>
> It seems a check for a valid file should be added before the call to
> gnutls_certificate_set_dh_params.
>
> Longer term, if the minimum supported version of GnuTLS can be changed to
> 3.6.0, that function could be eliminated as it's now marked as
> deprecated/unnecessary:
>
> https://manpages.debian.org/buster/gnutls-doc/gnutls_certificate_set_dh_params.3.en.html
>
> Thanks,
> Dominic.
>
> On Tue, Jul 23, 2019 at 09:55:30PM +0100, Dominic Hargreaves wrote:
>> Hello,
>>
>> Does this ring a bell with anyone? Afraid I won't be able to dig
>> into this for a few days.
>>
>> Thanks,
>> Dominic.
>>
>> ----- Forwarded message from devel at sumpfralle.de -----
>>
>> Date: Tue, 23 Jul 2019 01:16:09 +0200
>> From: devel at sumpfralle.de
>> To: submit at bugs.debian.org
>> Subject: Bug#932774: ircd-hybrid: Segfault in libgmp.so.10.3.2
>> Reply-To: devel at sumpfralle.de, 932774 at bugs.debian.org
>>
>> Source: ircd-hybrid
>> Version: 1:8.2.24+dfsg.1-1
>> Severity: normal
>>
>> Dear Maintainer,
>>
>> after upgrading a host from Stretch to Buster, ircd-hybrid fails to
>> start:
>>
>>    irc at example:~$ ircd-hybrid -foreground
>>    ircd: version hybrid-1:8.2.24+dfsg.1-1(20180404_8492)
>>    ircd: pid 32127
>>    ircd: running in foreground mode from /usr
>>    Segmentation fault
>>
>>
>> gdb shows the following output:
>>
>>    irc at example:~$ gdb --args ircd-hybrid -foreground
>>    GNU gdb (Debian 8.2.1-2) 8.2.1
>>    Copyright (C) 2018 Free Software Foundation, Inc.
>>    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>>    This is free software: you are free to change and redistribute it.
>>    There is NO WARRANTY, to the extent permitted by law.
>>    Type "show copying" and "show warranty" for details.
>>    This GDB was configured as "x86_64-linux-gnu".
>>    Type "show configuration" for configuration details.
>>    For bug reporting instructions, please see:
>>    <http://www.gnu.org/software/gdb/bugs/>.
>>    Find the GDB manual and other documentation resources online at:
>>        <http://www.gnu.org/software/gdb/documentation/>.
>>
>>    For help, type "help".
>>    Type "apropos word" to search for commands related to "word"...
>>    Reading symbols from ircd-hybrid...(no debugging symbols found)...done.
>>    (gdb) run
>>    Starting program: /usr/sbin/ircd-hybrid -foreground
>>    [Thread debugging using libthread_db enabled]
>>    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
>>    ircd: version hybrid-1:8.2.24+dfsg.1-1(20180404_8492)
>>    ircd: pid 28120
>>    ircd: running in foreground mode from /usr
>>
>>    Program received signal SIGSEGV, Segmentation fault.
>>    0x00007ffff765a5f0 in __gmpz_sizeinbase () from /usr/lib/x86_64-linux-gnu/libgmp.so.10
>>    (gdb) bt
>>    #0  0x00007ffff765a5f0 in __gmpz_sizeinbase () from /usr/lib/x86_64-linux-gnu/libgmp.so.10
>>    #1  0x00007ffff7f3acce in ?? () from /usr/lib/x86_64-linux-gnu/libgnutls.so.30
>>    #2  0x00007ffff7e6e1b4 in gnutls_certificate_set_dh_params () from /usr/lib/x86_64-linux-gnu/libgnutls.so.30
>>    #3  0x00005555555778f3 in tls_new_cred ()
>>    #4  0x0000555555566bfd in read_conf_files ()
>>    #5  0x000055555555efc4 in main ()
>>
>>
>> ltrace shows the following at the end of its run:
>>
>>    calloc(1, 32)                                                                                     = 0x558d1fc9f3a0
>>    gnutls_global_init(0, 1265, 40, 0)                                                                = 0
>>    gnutls_certificate_allocate_credentials(0x558d1fc9f3a0, 0, 0x7f3c4f66a620, 0)                     = 0
>>    gnutls_priority_init(0x558d1fc9f3a8, 0x558d1dbc7748, 0, 0x558d1fca8a00)                           = 0
>>    gnutls_certificate_set_x509_key_file(0x558d1fc9f3d0, 0x558d1fca0490, 0x558d1fca0450, 1)           = 0
>>    gnutls_dh_params_init(0x558d1fc9f3b0, 0, 0, 0)                                                    = 0
>>    gnutls_certificate_set_dh_params(0x558d1fc9f3d0, 0x558d1fc897c0, 24, 0 <no return ...>
>>    --- SIGSEGV (Segmentation fault) ---
>>    +++ killed by SIGSEGV +++
>>
>>
>> The kernel log contains the following:
>>
>>    ircd-hybrid[32122]: segfault at 4 ip 00007f5548d1b5f0 sp 00007ffc4241e6a8 error 4 in libgmp.so.10.3.2[7f5548d02000+5e000]
>>
>>
>> I took a quick look at "gnutls_certificate_set_dh_params".  Its manpage
>> [1] describes this function as deprecated for quite some time.  I do not
>> know whether this is relevant.
>>
>> Thank you for your time!
>>
>> Cheers,
>> Lars
>>
>>
>> [1] https://manpages.debian.org/buster/gnutls-doc/gnutls_certificate_set_dh_params.3.en.html
>>
>>
>> ----- End forwarded message -----
>>
>
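
The pre-flight check proposed in the quoted message, sketched as an added example; it is not code from this thread or from ircd-hybrid. The function and enum names are hypothetical, the sample PEM is constructed, and the GnuTLS calls are left out so the block builds without the library.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of the pre-flight check; names are hypothetical, not ircd-hybrid's. */
enum dh_check { DH_OK, DH_UNSET, DH_UNREADABLE, DH_NOT_PEM };

/* Constructed sample: PEM framing only, the base64 body is a placeholder. */
static const char SAMPLE_PEM[] =
    "-----BEGIN DH PARAMETERS-----\n"
    "PLACEHOLDERBASE64==\n"
    "-----END DH PARAMETERS-----\n";

/* True when text holds a BEGIN/END "DH PARAMETERS" pair in that order. */
static int dh_text_has_pem(const char *text)
{
    const char *b = strstr(text, "-----BEGIN DH PARAMETERS-----");
    return b != NULL && strstr(b, "-----END DH PARAMETERS-----") != NULL;
}

/* Classify the configured ssl_dh_param_file before any GnuTLS call uses it. */
static enum dh_check dh_param_file_check(const char *path)
{
    char buf[8192];
    size_t n;
    FILE *fp;

    if (path == NULL || *path == '\0')
        return DH_UNSET;                 /* option not specified */
    if ((fp = fopen(path, "r")) == NULL)
        return DH_UNREADABLE;            /* missing or no permission */
    n = fread(buf, 1, sizeof(buf) - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    return dh_text_has_pem(buf) ? DH_OK : DH_NOT_PEM;
}

/* Only DH_OK may lead to gnutls_certificate_set_dh_params(); every other
 * result must skip that call (and log), leaving the credentials untouched.
 * The return value of the PKCS#3 import still has to be checked as well. */
static int should_set_dh_params(const char *path)
{
    return dh_param_file_check(path) == DH_OK;
}

int main(void)
{
    printf("unset=%d missing=%d sample=%d\n", should_set_dh_params(NULL),
           should_set_dh_params("/nonexistent/dhparam.pem"),
           dh_text_has_pem(SAMPLE_PEM));
    return 0;
}
```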


