mech_eap 0.9 corrupts memory in gss_init_sec_context leading to later segfault
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Project Moonshot |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
I *think* this is caused by creating a card with no issuer using moonshot-ui, but I am not 100% sure.
I can't find any debug symbols, but it's reproducible on the VM I have running, so I can get a new backtrace if someone points me to the symbols.
root@debian:~# gdb ssh
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://
Reading symbols from /usr/bin/ssh...(no debugging symbols found)...done.
(gdb) run -vv localhost
Starting program: /usr/bin/ssh -vv localhost
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-
OpenSSH_5.9p1 Debian-5+moonshot5, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [::1] port 22.
debug1: Connection established.
debug1: permanently_
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5+moonshot5
debug1: match: OpenSSH_5.9p1 Debian-5+moonshot5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-
debug2: kex_parse_kexinit: <email address hidden>,<email address hidden>,<email address hidden>
debug2: kex_parse_kexinit: aes128-
debug2: kex_parse_kexinit: aes128-
debug2: kex_parse_kexinit: hmac-md5,
debug2: kex_parse_kexinit: hmac-md5,
debug2: kex_parse_kexinit: none,<email address hidden>,zlib
debug2: kex_parse_kexinit: none,<email address hidden>,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: ecdh-sha2-
debug2: kex_parse_kexinit: ssh-rsa,
debug2: kex_parse_kexinit: aes128-
debug2: kex_parse_kexinit: aes128-
debug2: kex_parse_kexinit: hmac-md5,
debug2: kex_parse_kexinit: hmac-md5,
debug2: kex_parse_kexinit: none,<email address hidden>
debug2: kex_parse_kexinit: none,<email address hidden>
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_
debug1: expecting SSH2_MSG_
debug1: Server host key: ECDSA 4b:83:16:
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /root/.
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug2: key: /root/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey,
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug2: we sent a gssapi-with-mic packet, wait for reply
Program received signal SIGSEGV, Segmentation fault.
0xb7c8e21a in ?? () from /lib/i386-
(gdb) bt full
#0 0xb7c8e21a in ?? () from /lib/i386-
No symbol table info available.
#1 0xb7c90475 in ?? () from /lib/i386-
No symbol table info available.
#2 0xb7c933bc in ?? () from /lib/i386-
No symbol table info available.
#3 0xb7c938ed in realloc () from /lib/i386-
No symbol table info available.
#4 0xb7e24df4 in ?? () from /usr/lib/
No symbol table info available.
#5 0xb7e255b2 in CRYPTO_realloc () from /usr/lib/
No symbol table info available.
#6 0xb7ea0329 in lh_insert () from /usr/lib/
No symbol table info available.
#7 0xb7ea2dba in ?? () from /usr/lib/
No symbol table info available.
#8 0xb7ea25ef in ?? () from /usr/lib/
No symbol table info available.
#9 0xb7e60624 in ERR_load_BN_strings () from /usr/lib/
No symbol table info available.
#10 0xb7ea4149 in ERR_load_
No symbol table info available.
#11 0xb6a4add4 in SSL_load_
No symbol table info available.
#12 0xb7a9f668 in tls_init () from /usr/lib/
No symbol table info available.
#13 0xb7a94388 in eap_peer_sm_init () from /usr/lib/
No symbol table info available.
#14 0xb7a69ccf in ?? () from /usr/lib/
No symbol table info available.
#15 0xb7a75f8d in gssEapSmStep () from /usr/lib/
No symbol table info available.
#16 0xb7a6a858 in gssEapInitSecCo
No symbol table info available.
#17 0xb7a6ac52 in gss_init_
No symbol table info available.
#18 0xb7d915a6 in gss_init_
No symbol table info available.
#19 0x80045804 in ?? ()
No symbol table info available.
#20 0x80017ba4 in ?? ()
No symbol table info available.
#21 0x80019d46 in ?? ()
No symbol table info available.
#22 0x8003c919 in ?? ()
No symbol table info available.
#23 0x800196e9 in ?? ()
No symbol table info available.
#24 0x800151a9 in ?? ()
No symbol table info available.
#25 0x800091cb in main ()
No symbol table info available.
summary: |
- Segfault on LiveCD + mech_eap 0.9 corrupts memory in gss_init_sec_context leading to later + segfault |
Changed in moonshot: | |
status: | New → Fix Released |
Better Backtrace:
#0 malloc_consolidate (av=<optimized out>) at malloc.c:5153
unsorted_ bin = 0xb7d7d3f0
first_ unsorted = 0x80074258 consolidate"
victim_ index = <optimized out>
remainder_ size = <optimized out>
remainder_ size = <optimized out> _libc_realloc (oldmem=0x80072688, bytes=1024) at malloc.c:3821 entry=0xb7f3d6c 9 "lhash.c", line=line@ entry=347) at mem.c:346 entry=0x8007416 0, data=data@ entry=0xb7f902a 8) at lhash.c:187 0xb7f90240) at err.c:676 entry=0xb7f9024 0) at err.c:684 crypto_ strings () at err_all.c:115 error_strings () at ssl_err2.c:66 i386-linux- gnu/gss/ mech_eap. so
fb = 0xb7d7d3cc
maxfb = 0xb7d7d3ec
p = 0x74736f68
nextp = 0x74736f68
nextchunk = 0x800a38b0
size = 24
nextsize = 48
prevsize = <optimized out>
bck = <optimized out>
fwd = 0x800772b0
__func__ = "malloc_
#1 0xb7c90475 in _int_malloc (av=<optimized out>, bytes=<optimized out>) at malloc.c:4373
nb = 1032
idx = <optimized out>
bin = <optimized out>
victim = <optimized out>
size = <optimized out>
remainder = <optimized out>
block = <optimized out>
bit = <optimized out>
map = <optimized out>
fwd = <optimized out>
bck = <optimized out>
errstr = <optimized out>
__func__ = "_int_malloc"
#2 0xb7c933bc in _int_realloc (av=<optimized out>, oldp=0x80072680, oldsize=520, nb=1032) at malloc.c:5290
nextsize = <optimized out>
newp = <optimized out>
newsize = <optimized out>
newmem = 0x208
next = 0x80072888
remainder = <optimized out>
bck = <optimized out>
fwd = 0x10
copysize = <optimized out>
ncopies = 16
s = <optimized out>
errstr = <optimized out>
__func__ = "_int_realloc"
#3 0xb7c938ed in *__GI__
ar_ptr = 0xb7d7d3c0
nb = 1032
newp = <optimized out>
oldp = 0x80072680
oldsize = 520
__func__ = "__libc_realloc"
#4 0xb7e24df4 in default_realloc_ex (str=0x80072688, num=1024, file=0xb7f3d6c9 "lhash.c", line=347) at mem.c:86
No locals.
#5 0xb7e255b2 in CRYPTO_realloc (str=0x80072688, num=num@entry=1024, file=file@
ret = 0x0
#6 0xb7ea0329 in expand (lh=0x80074160) at lhash.c:346
n2 = 0x80072884
np = <optimized out>
i = <optimized out>
hash = <optimized out>
nni = 128
n = <optimized out>
n1 = <optimized out>
p = 63
j = 256
#7 lh_insert (lh=lh@
hash = <optimized out>
nn = <optimized out>
rn = <optimized out>
ret = <optimized out>
#8 0xb7ea2dba in int_err_set_item (d=0xb7f902a8) at err.c:407
p = <optimized out>
hash = 0x80074160
#9 0xb7ea25ef in err_load_strings (lib=lib@entry=0, str=0xb7f902a8, str@entry=
No locals.
#10 0xb7ea324d in ERR_load_strings (lib=lib@entry=0, str=str@
No locals.
#11 0xb7e60624 in ERR_load_BN_strings () at bn_err.c:147
No locals.
#12 0xb7ea4149 in ERR_load_
No locals.
#13 0xb6a4add4 in SSL_load_
No locals.
#14 0xb7a9f668 in tls_init () from /usr/lib/
No symbol table ...