Core dump when using raddebug on 3.0.x #1632

Closed
louismunro opened this Issue Jun 26, 2016 · 3 comments


Issue type

  • [x] Defect - Crash or memory corruption.

Defect/Feature description

radiusd crashes when using raddebug with a condition matching on regexp.

How to reproduce issue

  1. Install Ubuntu 16.04 server (basic server install) and update all packages.
  2. Install libtalloc-dev and libssl-dev
  3. Clone FR github repo and checkout 3.0.x HEAD
  4. ./configure --enable-developer && make && make install
  5. Enable the control socket with rw permissions
  6. Enable core dumps in radiusd.conf
  7. Set panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log"
  8. Start the server with "radiusd -X"
  9. In another terminal, start a raddebug session trying to match an attribute using the regexp operator, e.g. "User-Name" with unlang (but will seemingly work for any attribute):
    raddebug -t900 -c '( User-Name =~ /bob/ )'
  10. Send a test request:
    radtest -x -t pap bob user localhost:18120 11 testing123

This will crash the server and trigger the panic action.

Output of [radiusd|freeradius] -X showing issue occurring

... new connection request on command socket
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Ready to process requests
radmin> debug condition
Ready to process requests
 ... shutting down socket command file /usr/local/var/run/radiusd/radiusd.sock
Ready to process requests
 ... new connection request on command socket
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Ready to process requests
radmin> debug file radmin.debug.14873
Ready to process requests
radmin> show debug file
Ready to process requests
 ... shutting down socket command file /usr/local/var/run/radiusd/radiusd.sock
Ready to process requests
 ... new connection request on command socket
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Ready to process requests
radmin> debug file radmin.debug.14873
Ready to process requests
radmin> show config security.group
Ready to process requests
 ... shutting down socket command file /usr/local/var/run/radiusd/radiusd.sock
Ready to process requests
 ... new connection request on command socket
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Ready to process requests
radmin> debug condition "( User-Name =~ /bob/ )"
Ready to process requests
 ... shutting down socket command file /usr/local/var/run/radiusd/radiusd.sock
Ready to process requests
ASSERT FAILED src/main/evaluate.c[606]: 0
CAUGHT SIGNAL: Aborted
Backtrace of last 16 frames:
/usr/local/lib/libfreeradius-radius.so(fr_fault+0x12c)[0x7fb0a02283ab]
/usr/local/lib/libfreeradius-server.so(rad_assert_fail+0x46)[0x7fb0a048d045]
/usr/local/lib/libfreeradius-server.so(+0x12dba)[0x7fb0a047adba]
/usr/local/lib/libfreeradius-server.so(radius_evaluate_map+0x15b)[0x7fb0a047af5e]
/usr/local/lib/libfreeradius-server.so(radius_evaluate_cond+0x96)[0x7fb0a047b191]
radiusd[0x43fc87]
radiusd[0x4406a9]
radiusd[0x43f45d]
radiusd(request_receive+0x7ee)[0x440fc4]
radiusd[0x41950e]
radiusd[0x44857e]
/usr/local/lib/libfreeradius-radius.so(fr_event_loop+0x651)[0x7fb0a0252019]
radiusd(radius_event_process+0x26)[0x44a52f]
radiusd(main+0xc90)[0x433c24]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fb09ef42830]
radiusd(_start+0x29)[0x40eb79]
Calling: gdb -silent -x /usr/local/etc/raddb/panic.gdb radiusd 14870 2>&1 | tee /usr/local/var/log/radius/gdb-radiusd-14870.log
Reading symbols from radiusd...done.
Attaching to program: /usr/local/sbin/radiusd, process 14870
Reading symbols from /usr/local/lib/libfreeradius-server.so...done.
Reading symbols from /usr/local/lib/libfreeradius-radius.so...done.
Reading symbols from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0...(no debugging symbols found)...done.
Reading symbols from /lib/x86_64-linux-gnu/libssl.so.1.0.0...(no debugging symbols found)...done.
Reading symbols from /usr/lib/x86_64-linux-gnu/libtalloc.so.2...(no debugging symbols found)...done.
Reading symbols from /lib/x86_64-linux-gnu/libdl.so.2...Reading symbols from /usr/lib/debug//lib/x86_64-linux-gnu/libdl-2.23.so...done.
done.
Reading symbols from /lib/x86_64-linux-gnu/libpthread.so.0...Reading symbols from /usr/lib/debug/.build-id/b7/7847cc9cacbca3b5753d0d25a32e5795afe75b.debug...done.
done.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Reading symbols from /lib/x86_64-linux-gnu/libcrypt.so.1...Reading symbols from /usr/lib/debug//lib/x86_64-linux-gnu/libcrypt-2.23.so...done.
done.
Reading symbols from /lib/x86_64-linux-gnu/libc.so.6...Reading symbols from /usr/lib/debug//lib/x86_64-linux-gnu/libc-2.23.so...done.
done.
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug//lib/x86_64-linux-gnu/ld-2.23.so...done.
done.
Reading symbols from /lib/x86_64-linux-gnu/libgcc_s.so.1...Reading symbols from /usr/lib/debug//lib/x86_64-linux-gnu/libgcc_s.so.1...done.
done.
Reading symbols from /usr/local/lib/rlm_always.so...done.
Reading symbols from /usr/local/lib/rlm_attr_filter.so...done.
Reading symbols from /usr/local/lib/rlm_cache.so...done.
Reading symbols from /usr/local/lib/rlm_chap.so...done.
Reading symbols from /usr/local/lib/rlm_detail.so...done.
Reading symbols from /usr/local/lib/rlm_digest.so...done.
Reading symbols from /usr/local/lib/rlm_dhcp.so...done.
Reading symbols from /usr/local/lib/libfreeradius-dhcp.so...done.
Reading symbols from /usr/local/lib/rlm_dynamic_clients.so...done.
Reading symbols from /usr/local/lib/rlm_eap.so...done.
Reading symbols from /usr/local/lib/libfreeradius-eap.so...done.
Reading symbols from /usr/local/lib/rlm_exec.so...done.
Reading symbols from /usr/local/lib/rlm_expiration.so...done.
Reading symbols from /usr/local/lib/rlm_expr.so...done.
Reading symbols from /usr/local/lib/rlm_files.so...done.
Reading symbols from /usr/local/lib/rlm_linelog.so...done.
Reading symbols from /usr/local/lib/rlm_logintime.so...done.
Reading symbols from /usr/local/lib/rlm_mschap.so...done.
Reading symbols from /usr/local/lib/rlm_pap.so...done.
Reading symbols from /usr/local/lib/rlm_passwd.so...done.
Reading symbols from /usr/local/lib/rlm_preprocess.so...done.
Reading symbols from /usr/local/lib/rlm_radutmp.so...done.
Reading symbols from /usr/local/lib/rlm_realm.so...done.
Reading symbols from /usr/local/lib/rlm_replicate.so...done.
Reading symbols from /usr/local/lib/rlm_soh.so...done.
Reading symbols from /usr/local/lib/rlm_unix.so...done.
Reading symbols from /usr/local/lib/rlm_unpack.so...done.
Reading symbols from /usr/local/lib/rlm_utf8.so...done.
Reading symbols from /usr/local/lib/rlm_cache_rbtree.so...done.
Reading symbols from /usr/local/lib/rlm_eap_md5.so...done.
Reading symbols from /usr/local/lib/rlm_eap_leap.so...done.
Reading symbols from /usr/local/lib/rlm_eap_gtc.so...done.
Reading symbols from /usr/local/lib/rlm_eap_tls.so...done.
Reading symbols from /usr/local/lib/rlm_eap_ttls.so...done.
Reading symbols from /usr/local/lib/rlm_eap_peap.so...done.
Reading symbols from /usr/local/lib/rlm_eap_mschapv2.so...done.
Reading symbols from /lib/x86_64-linux-gnu/libnss_files.so.2...Reading symbols from /usr/lib/debug//lib/x86_64-linux-gnu/libnss_files-2.23.so...done.
done.
0x00007fb09efed64a in __GI___waitpid (pid=14898, stat_loc=stat_loc@entry=0x7ffe7f4f50c0, options=options@entry=0) at ../sysdeps/unix/sysv/linux/waitpid.c:29
29  ../sysdeps/unix/sysv/linux/waitpid.c: No such file or directory.
resultvar = 18446744073709551104
pid = 14898
stat_loc = 0x7ffe7f4f50c0
options = 0

Thread 1 (Thread 0x7fb0a08be740 (LWP 14870)):
#0  0x00007fb09efed64a in __GI___waitpid (pid=14898, stat_loc=stat_loc@entry=0x7ffe7f4f50c0, options=options@entry=0) at ../sysdeps/unix/sysv/linux/waitpid.c:29
        resultvar = 18446744073709551104
#1  0x00007fb09ef66fab in do_system (line=<optimized out>) at ../sysdeps/posix/system.c:148
        __result = <optimized out>
        _buffer = {__routine = 0x7fb09ef672a0 <cancel_handler>, __arg = 0x7ffe7f4f509c, __canceltype = 0, __prev = 0x0}
        _avail = 1
        status = 2135906448
        save = <optimized out>
        pid = 14898
        sa = {__sigaction_handler = {sa_handler = 0x1, sa_sigaction = 0x1}, sa_mask = {__val = {65536, 0 <repeats 15 times>}}, sa_flags = 0, sa_restorer = 0x1}
        omask = {__val = {0, 140396563942024, 140731034325504, 140396582403359, 4774451407313060418, 4774451407313060418, 2676586395008836901, 2676586395008836901, 0, 0, 0, 0, 18446744073709551360, 0,
            18446744073709551615, 18446744073709551615}}
#2  0x00007fb0a02285bc in fr_fault (sig=6) at src/lib/debug.c:725
        disable = false
        cmd = "gdb -silent -x /usr/local/etc/raddb/panic.gdb radiusd 14870 2>&1 | tee /usr/local/var/log/radius/gdb-radiusd-14870.log", '\000' <repeats 413 times>
        out = 0x7ffe7f4f56e2 ".log"
        left = 418
        ret = 55
        p = 0x7fb0a04663ac <panic_action+108> ".log"
        q = 0x0
        code = 0
#3  0x00007fb0a048d045 in rad_assert_fail (file=0x7fb0a049a4f8 "src/main/evaluate.c", line=606, expr=0x7fb0a049a865 "0") at src/main/util.c:557
No locals.
#4  0x00007fb0a047adba in cond_normalise_and_cmp (request=0x2293160, c=0x2292a20, lhs_type=PW_TYPE_STRING, lhs_enumv=0x1fe8c70, lhs=0x2293440, lhs_len=3) at src/main/evaluate.c:606
        map = 0x2292ba0
        cast = 0x0
        cast_type = PW_TYPE_STRING
        rcode = 0
        rhs_type = PW_TYPE_INVALID
        rhs_enumv = 0x0
        rhs = 0x0
        rhs_len = 6582955728264977243
        lhs_cast = {strvalue = 0x7fb0a08be740 "@狠\260\177", octets = 0x7fb0a08be740 "@狠\260\177", integer = 2693523264, ipaddr = {s_addr = 2693523264}, date = 2693523264, filter = {140396584494912,
            4254544, 140731034327616, 140396580090556}, ifid = "@狠\260\177\000", ipv6addr = {__in6_u = {__u6_addr8 = "@狠\260\177\000\000P\353@\000\000\000\000", __u6_addr16 = {59200, 41099, 32688,
                0, 60240, 64, 0, 0}, __u6_addr32 = {2693523264, 32688, 4254544, 0}}}, ipv6prefix = "@狠\260\177\000\000P\353@\000\000\000\000\000@Z", byte = 64 '@', ushort = 59200,
          ether = "@狠\260\177", sinteger = -1601444032, integer64 = 140396584494912, ipv4prefix = "@狠\260\177", ptr = 0x7fb0a08be740}
        rhs_cast = {strvalue = 0x2292c30 "\003", octets = 0x2292c30 "\003", integer = 36252720, ipaddr = {s_addr = 36252720}, date = 36252720, filter = {36252720, 36254048, 140731034327696,
            140731034327668}, ifid = "0,)\002\000\000\000", ipv6addr = {__in6_u = {__u6_addr8 = "0,)\002\000\000\000\000`1)\002\000\000\000", __u6_addr16 = {11312, 553, 0, 0, 12640, 553, 0, 0},
              __u6_addr32 = {36252720, 0, 36254048, 0}}}, ipv6prefix = "0,)\002\000\000\000\000`1)\002\000\000\000\000\220Z", byte = 48 '0', ushort = 11312, ether = "0,)\002\000", sinteger = 36252720,
          integer64 = 36252720, ipv4prefix = "0,)\002\000", ptr = 0x2292c30}
        lhs_cast_buff = 0x0
        rhs_cast_buff = 0x0
        escape = 0x0
#5  0x00007fb0a047af5e in radius_evaluate_map (request=0x2293160, modreturn=2, depth=0, c=0x2292a20) at src/main/evaluate.c:665
        vp = 0x2293410
        cursor = {first = 0x2293028, found = 0x2293410, last = 0x0, current = 0x2293410, next = 0x2293530}
        rcode = 0
        map = 0x2292ba0
#6  0x00007fb0a047b191 in radius_evaluate_cond (request=0x2293160, modreturn=2, depth=0, c=0x2292a20) at src/main/evaluate.c:750
        rcode = -1
#7  0x000000000043fc87 in request_pre_handler (request=0x2293160, action=1) at src/main/process.c:1235
        rcode = 0
#8  0x00000000004406a9 in request_running (request=0x2293160, action=1) at src/main/process.c:1515
        __FUNCTION__ = "request_running"
#9  0x000000000043f45d in request_queue_or_run (request=0x2293160, process=0x4405d0 <request_running>) at src/main/process.c:1015
No locals.
#10 0x0000000000440fc4 in request_receive (ctx=0x2292f50, listener=0x22918f0, packet=0x2292fb0, client=0x2190690, fun=0x40fbad <rad_authenticate>) at src/main/process.c:1783
        count = 0
        packet_p = 0x0
        request = 0x2293160
        now = {tv_sec = 1466951184, tv_usec = 804322}
        sock = 0x2291a40
#11 0x000000000041950e in auth_socket_recv (listener=0x22918f0) at src/main/listen.c:1587
        rcode = 73
        code = 1
        src_port = 36236
        packet = 0x2292fb0
        fun = 0x40fbad <rad_authenticate>
        client = 0x2190690
        src_ipaddr = {af = 2, ipaddr = {ip4addr = {s_addr = 16777343}, ip6addr = {__in6_u = {__u6_addr8 = "\177\000\000\001", '\000' <repeats 11 times>, __u6_addr16 = {127, 256, 0, 0, 0, 0, 0, 0},
                __u6_addr32 = {16777343, 0, 0, 0}}}}, prefix = 32 ' ', scope = 0}
        ctx = 0x2292f50
#12 0x000000000044857e in event_socket_handler (xel=0x22194f0, fd=12, ctx=0x22918f0) at src/main/process.c:4569
        listener = 0x22918f0
#13 0x00007fb0a0252019 in fr_event_loop (el=0x22194f0) at src/lib/event.c:641
        ef = 0x22195b8
        i = 6
        rcode = 1
        when = {tv_sec = 0, tv_usec = 0}
        wake = 0x0
        maxfd = 15
        read_fds = {fds_bits = {4096, 0 <repeats 15 times>}}
        master_fds = {fds_bits = {32672, 0 <repeats 15 times>}}
#14 0x000000000044a52f in radius_event_process () at src/main/process.c:5634
No locals.
#15 0x0000000000433c24 in main (argc=2, argv=0x7ffe7f4f6148) at src/main/radiusd.c:585
        rcode = 0
        status = 0
        argval = -1
        spawn_flag = false
        display_version = false
        flag = 0
        from_child = {-1, -1}
        p = 0x0
        state = 0x683b00 <global_state>
        autofree = 0x1fbf5f0
A debugging session is active.

    Inferior 1 [process 14870] will be detached.

Quit anyway? (y or n) [answered Y; input not from terminal]
Panic action exited with 0
_EXIT(0) CALLED src/lib/debug.c[743]

Full backtrace from LLDB or GDB

See above. Will be glad to provide bt if this is not sufficient.

FWIW, also seems to affect Debian 8 (jessie) and CentOS 7.


mcnewton commented Jun 29, 2016 edited

This isn't the full solution, but it's probably in the right area. Fixing one hack with another hack...

https://github.com/mcnewton/freeradius-server/commits/30x-regex-struct

(this is the reason: https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/main/evaluate.c#L711 TMPL_TYPE_REGEX is no longer permitted.)

alandekok added a commit that referenced this issue Jun 30, 2016: f982311 "Do pass2 compilation on conditions. Fixes #1632"

alandekok added a commit that referenced this issue Jun 30, 2016: 02d04ce "Do pass2 compilation on conditions. Fixes #1632"

alandekok commented Jun 30, 2016

The simple fix is to do pass2 compilation in command.c.
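As an added illustration of the two-pass handling the comments above describe (written for this page, not FreeRADIUS code; the tmpl_* names are hypothetical stand-ins for the server's template types, and POSIX regex.h stands in for its regex engine): a condition parsed on the control socket stays an uncompiled regex until pass2 compiles it, and an evaluator handed such a template returns an error for the comparison instead of reaching an assertion.

```c
#include <regex.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical template types standing in for the server's own (not FreeRADIUS code). */
typedef enum { TMPL_LITERAL, TMPL_REGEX, TMPL_REGEX_COMPILED } tmpl_type_t;
typedef struct {
    tmpl_type_t type;
    char       *pattern;  /* "bob" for /bob/, or the literal text itself */
    regex_t     preg;     /* valid only once type == TMPL_REGEX_COMPILED */
} tmpl_t;

/* Pass 1 (parse): "/pat/" becomes an uncompiled regex template, anything else a literal. */
static int cond_parse(tmpl_t *t, const char *rhs)
{
    size_t len = strlen(rhs);
    int is_re = len >= 2 && rhs[0] == '/' && rhs[len - 1] == '/';
    size_t n = is_re ? len - 2 : len;
    if (!(t->pattern = malloc(n + 1))) return -1;
    memcpy(t->pattern, rhs + is_re, n);
    t->pattern[n] = '\0';
    t->type = is_re ? TMPL_REGEX : TMPL_LITERAL;
    return 0;
}
/* Pass 2 (compile): the step the control-socket path skipped before the fix. */
static int cond_pass2(tmpl_t *t)
{
    if (t->type != TMPL_REGEX) return 0;
    if (regcomp(&t->preg, t->pattern, REG_EXTENDED | REG_NOSUB) != 0) return -1;
    t->type = TMPL_REGEX_COMPILED;
    return 0;
}
/* Evaluate: 1 match, 0 no match, -1 refused.  An uncompiled regex reaching the
 * evaluator is the state 3.0.x turned into rad_assert(0); here it is an error return. */
static int cond_eval(const tmpl_t *t, const char *lhs)
{
    switch (t->type) {
    case TMPL_REGEX_COMPILED: return regexec(&t->preg, lhs, 0, NULL, 0) == 0;
    case TMPL_LITERAL:        return strcmp(t->pattern, lhs) == 0;
    default:                  return -1;
    }
}
/* One comparison end to end; do_pass2 == 0 reproduces the shape of the bug. */
static int cond_run(const char *rhs, const char *lhs, int do_pass2)
{
    tmpl_t t;
    if (cond_parse(&t, rhs) < 0) return -1;
    int rc = (do_pass2 && cond_pass2(&t) < 0) ? -1 : cond_eval(&t, lhs);
    if (t.type == TMPL_REGEX_COMPILED) regfree(&t.preg);
    free(t.pattern);
    return rc;
}
```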

alandekok closed this Jun 30, 2016
