New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue with 8k keys and RSA while testing MariaDB #2904
Comments
@grooverdan, can you make sure the following build option |
yes. user_settings.h file: Occurs both clang-8.0.0/gcc-9.3.1. I verified the same app->sigData memory address that is allocated is the same address that being freed. Also tested against wolfSSL master branch today with same error. Adding a stop point on munmap_chunk, _int_free, after SendTls13CertificateVerify was reached, showed a free in RsaUnPad_PSS however at a different address. Better stacktrace (against wolfssl master branch) Thread 7 "mysqld" received signal SIGABRT, Aborted. 0x00007ffff7861e35 in raise () from /lib64/libc.so.6 (gdb) bt #0 0x00007ffff7861e35 in raise () from /lib64/libc.so.6 #1 0x00007ffff784c895 in abort () from /lib64/libc.so.6 #2 0x00007ffff78a508f in __libc_message () from /lib64/libc.so.6 #3 0x00007ffff78ac40c in malloc_printerr () from /lib64/libc.so.6 #4 0x00007ffff78add6c in _int_free () from /lib64/libc.so.6 #5 0x0000000000d680bb in FreeScv13Args () at /home/dan/repos/mariadb-server-10.4/extra/wolfssl/wolfssl/src/tls13.c:5455 #6 SendTls13CertificateVerify () at /home/dan/repos/mariadb-server-10.4/extra/wolfssl/wolfssl/src/tls13.c:5782 #7 0x0000000000d69a1c in wolfSSL_accept_TLSv13 () at /home/dan/repos/mariadb-server-10.4/extra/wolfssl/wolfssl/src/tls13.c:8605 #8 0x0000000000e448d6 in ssl_handshake_loop (vio=0x20c02a8, ssl=0x7fffd400fd30, func=0xd183b0 ) at /home/dan/repos/mariadb-server-10.4/vio/viossl.c:264 #9 ssl_do (ptr=, vio=0x20c02a8, timeout=, func=0xd183b0 , errptr=0x7ffff16bea58) at /home/dan/repos/mariadb-server-10.4/vio/viossl.c:315 #10 0x000000000064f8ae in parse_client_handshake_packet (mpvio=, buff=, pkt_len=) at /home/dan/repos/mariadb-server-10.4/sql/sql_acl.cc:13019 #11 server_mpvio_read_packet (param=0x7ffff16bf218, buf=0x7ffff16beed0) at /home/dan/repos/mariadb-server-10.4/sql/sql_acl.cc:13365 #12 0x0000000000653ed0 in native_password_authenticate (vio=0x7ffff16bf218, info=0x7ffff16bf230) at /home/dan/repos/mariadb-server-10.4/sql/sql_acl.cc:14048 #13 0x00000000006501f8 in do_auth_once (thd=0x7fffd4000c48, auth_plugin_name=, mpvio=0x7ffff16bf218) at /home/dan/repos/mariadb-server-10.4/sql/sql_acl.cc:13529 #14 0x000000000064dc72 in acl_authenticate (thd=0x7fffd4000c48, com_change_user_pkt_len=0) at /home/dan/repos/mariadb-server-10.4/sql/sql_acl.cc:13672 #15 0x000000000079ca1a in check_connection (thd=0x7fffd4000c48) at /home/dan/repos/mariadb-server-10.4/sql/sql_connect.cc:1080 #16 login_connection (thd=0x7fffd4000c48) at /home/dan/repos/mariadb-server-10.4/sql/sql_connect.cc:1149 #17 0x000000000079d534 in thd_prepare_connection (thd=0x7fffd4000c48) at /home/dan/repos/mariadb-server-10.4/sql/sql_connect.cc:1324 #18 0x000000000079d412 in do_handle_one_connection (connect=) at /home/dan/repos/mariadb-server-10.4/sql/sql_connect.cc:1402 #19 0x000000000079d263 in handle_one_connection (arg=0x216e428) at /home/dan/repos/mariadb-server-10.4/sql/sql_connect.cc:1316 #20 0x0000000000cf6d61 in pfs_spawn_thread (arg=0x20c04a8) at /home/dan/repos/mariadb-server-10.4/storage/perfschema/pfs.cc:1869 #21 0x00007ffff7f774c0 in start_thread () from /lib64/libpthread.so.0 #22 0x00007ffff7926133 in clone () from /lib64/libc.so.6 |
Hi @grooverdan, The problem is one of the following:
Thanks, |
Thanks to #2924 I can produce this with just wolfSSL:
Start client gnutls: gnutls-cli --no-ca-verification --x509keyfile=client-certkey.pem --x509certfile=client-cert.pem -p 11111 localhost -d 5 or openssl: openssl s_client -tls1_3 -connect localhost:11111 -cert client-cert.pem -key client-certkey.pem -debug Resulting server backtrace: munmap_chunk(): invalid pointer Program received signal SIGABRT, Aborted. 0x00007ffff7c27e35 in raise () from /lib64/libc.so.6 (gdb) bt full #0 0x00007ffff7c27e35 in raise () from /lib64/libc.so.6 No symbol table info available. #1 0x00007ffff7c12895 in abort () from /lib64/libc.so.6 No symbol table info available. #2 0x00007ffff7c6b08f in __libc_message () from /lib64/libc.so.6 No symbol table info available. #3 0x00007ffff7c7240c in malloc_printerr () from /lib64/libc.so.6 No symbol table info available. #4 0x00007ffff7c726bc in munmap_chunk () from /lib64/libc.so.6 No symbol table info available. #5 0x00007ffff7facff7 in FreeScv13Args (ssl=0x40a6b0, pArgs=0x7fffffffd760) at src/tls13.c:5556 xp = args = 0x7fffffffd760 args = xp = #6 SendTls13CertificateVerify (ssl=ssl@entry=0x40a6b0) at src/tls13.c:5910 ret = -132 sig = 0x40a858 args = {{output = 0x40b6b0 "\026\003\003\004\b\017", verify = 0x40b6b9 "\b\004\004", idx = 9, sigLen = 1024, sendSz = 1037, length = 1024, sigAlgo = 8 '\b', sigData = 0x40b990 "Z\311\020=+$\030v\354\305\350\307\b}0k\276\060vo7v\321\367\304*2\357W\252\201\353\242U\235-\356", , sigDataSz = 130}} #7 0x00007ffff7fb0036 in wolfSSL_accept_TLSv13 (ssl=ssl@entry=0x40a6b0) at src/tls13.c:8788 No locals. #8 0x00007ffff7fa3bb6 in wolfSSL_accept (ssl=ssl@entry=0x40a6b0) at src/ssl.c:11971 No locals. #9 0x0000000000403cb3 in server_test (args=args@entry=0x7fffffffdae0) at examples/server/server.c:2236 sockfd = 3 clientfd = 4 method = ctx = 0x40a4b0 ssl = 0x40a6b0 msg = "I hear you fa shizzle!" useWebServerMsg = input = "\240\v\333\367\377\177\000\000\220\002", '\000' , "M\204\307\367\377\177\000\000\000\000\000\000\000\000\000\000RJ\307\367\377\177", '\000' , "\002\000\000\000\000\000\000\000\016\000\000\000\000\000\000\200" ch = version = doCliCertCheck = useAnyAddr = port = 11111 usePsk = --Type for more, q to quit, c to continue without paging-- usePskPlus = doDTLS = dtlsUDP = useNtruKey = nonBlocking = fewerPackets = wc_shutdown = resume = resumeCount = loops = cnt = echoData = block = throughput = minDhKeyBits = doListen = 0 ret = err = 0 serverReadyFile = cipherList = useDefCipherList = overrideDateErrors = verifyCert = ourCert = ourKey = ourDhParam = readySignal = argc = argv = buffer = '\000' , "'\000\000\000\000\000\000\000)\000\000\000\000\000\000\000\200\002\000\000\000\000\000\000\240\v\333\367\377\177\000" noPskDheKe = updateKeysIVs = mutualAuth = doDhKeyCheck = onlyKeyShare = useX25519 = exitWithRet = loadCertKeyIntoSSLObj = disallowETM = client = client_len = #10 0x0000000000402586 in main (argc=, argv=) at examples/server/server.c:2555 --Type for more, q to quit, c to continue without paging-- args = {argc = 11, argv = 0x7fffffffdc68, return_code = -1, signal = 0x7fffffffdb10, callbacks = 0x0} ready = {ready = 0, port = 0, srfName = 0x0, mutex = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __elision = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = '\000' , __align = 0}, cond = {__data = {{__wseq = 0, __wseq32 = {__low = 0, __high = 0}}, {__g1_start = 0, __g1_start32 = {__low = 0, __high = 0}}, __g_refs = {0, 0}, __g_size = {0, 0}, __g1_orig_size = 0, __wrefs = 0, __g_signals = {0, 0}}, __size = '\000' , __align = 0}} I haven't looked at the stack size yet. |
Hi @grooverdan, I believe I have a fix for the issue: #2933 Please test the patch and let us know. Thanks, |
fixed. Thanks. |
Thanks @grooverdan and @SparkiDev . Marking this closed. |
Reported by @grooverdan:
Replaces PR #2901.
Discovered while resolving https://jira.mariadb.org/browse/MDEV-22221 / MariaDB/server#1501
Seems to be 8k certificates on the client/server side that doesn't occur on smaller sizes.
the server/client uses data from: https://github.com/MariaDB/server/tree/10.5/mysql-test/std_data
server:
client side is a gnutls based.
I tried reproducing this with
examples/server/server -c /home/dan/repos/mariadb-server-10.4/mysql-test/std_data/server8k-cert.pem -k /home/dan/repos/mariadb-server-10.4/mysql-test/std_data/server8k-key.pem -A /home/dan/repos/mariadb-server-10.4/mysql-test/std_data/cacert.pem -i -d -v 4
however I was unable to generate the same results:
(from https://github.com/MariaDB/server/blob/10.4/mysql-test/main/ssl_8k_key.test)
Appears to be RSA:
This is wolfssl from the v4.3.0-stable tag.
https://gist.github.com/grooverdan/cadb9499c2e3adc0bfbb0d22663155ff
failing that:
Stack Trace:
The text was updated successfully, but these errors were encountered: