Bug 1139173

Summary: backport: ip -s xfrm state crashes with segfault
Product: Red Hat Enterprise Linux 7 Reporter: Jan Tluka <jtluka>
Component: iprouteAssignee: Pavel Šimerda (pavlix) <psimerda>
Status: CLOSED ERRATA QA Contact: Jaroslav Aster <jaster>
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.1CC: ebenes, jaster, j.vandeville, ksrot, psimerda, thozza, tis
Target Milestone: rcKeywords: EasyFix
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: iproute-3.10.0-25.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 14:39:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1110700, 1191021    

Description Jan Tluka 2014-09-08 10:01:50 UTC 
Description of problem:

When I query the statistics using ip xfrm state the program crashes with following backtrace.

# gdb ip
(gdb) run -s xfrm state
Starting program: /usr/sbin/ip -s xfrm state
src 1.1.1.1 dst 1.1.1.2
	proto esp spi 0x00000001(1) reqid 0(0x00000000) mode tunnel

Program received signal SIGSEGV, Segmentation fault.
0x000000000041eda1 in xfrm_state_info_print ()
(gdb) bt
#0  0x000000000041eda1 in xfrm_state_info_print ()
#1  0x0000000000420e05 in xfrm_state_print ()
#2  0x00000000004304af in rtnl_dump_filter_l ()
#3  0x00000000004306d7 in rtnl_dump_filter ()
#4  0x0000000000405963 in xfrm_state_list_or_deleteall ()
#5  0x0000000000423adb in do_xfrm_state ()
#6  0x0000000000406604 in do_cmd ()
#7  0x00000000004061f2 in main ()


Version-Release number of selected component (if applicable):
# rpm -qa iproute
iproute-3.10.0-13.el7.x86_64
# uname -r
3.10.0-123.el7.x86_64

also tried newer kernel 3.10.0-152.el7.x86_64 and ip crashed as well

How reproducible:
everytime, an entry must exist in SAD

Steps to Reproduce:
1. ip xfrm state add src 1.1.1.1 dst 1.1.1.2 proto esp spi 1 mode tunnel enc des3_ede 0x112233445566778811223344556677881122334455667788
2. ip -s xfrm state
3.

Actual results:
segfault

Expected results:
no segfault

Additional info:
Comment 1 j.vandeville 2014-10-22 07:22:47 UTC 
I've the same problem

ip -s xfrm state
src 192.168.42.40 dst 192.168.42.7
        proto esp spi 0xa77f7409(2810147849) reqid 16385(0x00004001) mode tunnel
Segmentation fault
Comment 3 Pavel Šimerda (pavlix) 2015-04-07 18:09:23 UTC 
Reproduced. From the source code:

__u32 extra_flags = *(__u32 *)RTA_DATA(tb[XFRMA_SA_EXTRA_FLAGS]);

The tb[XFRMA_SA_EXTRA_FLAGS] pointer is NULL which is then dereferenced. The easiest fix would be to check the pointer but I will check upstream first.
Comment 7 Pavel Šimerda (pavlix) 2015-04-28 11:30:35 UTC 
commit 1ed509bb522225050edfa1ed7ddc7255e9a18bd5
Author: Thomas Egerer <thomas.egerer>
Date:   Thu Aug 29 14:00:36 2013 +0200

    ip/xfrm: Fix potential SIGSEGV when printing extra flags
    
    The git-commit dc8867d0, that added support for displaying the
    extra-flags of a state, introduced a potential segfault.
    Trying to show a state without the extra-flag attribute and show_stats
    enabled, would cause the NULL pointer in tb[XFRMA_SA_EXTRA_FLAGS] to be
    dereferenced.
    
    Signed-off-by: Thomas Egerer <thomas.egerer>

diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c
index 0a3a9fb..411d9d5 100644
--- a/ip/ipxfrm.c
+++ b/ip/ipxfrm.c
@@ -856,7 +856,7 @@ void xfrm_state_info_print(struct xfrm_usersa_info *xsinfo,
 		if (flags)
 			fprintf(fp, "%x", flags);
 	}
-	if (show_stats > 0 || tb[XFRMA_SA_EXTRA_FLAGS]) {
+	if (show_stats > 0 && tb[XFRMA_SA_EXTRA_FLAGS]) {
 		__u32 extra_flags = *(__u32 *)RTA_DATA(tb[XFRMA_SA_EXTRA_FLAGS]);
 
 		fprintf(fp, "extra_flag ");
Comment 8 Pavel Šimerda (pavlix) 2015-04-28 14:55:52 UTC 
# ip -s xfrm state
src 192.168.10.2 dst 192.168.10.1
        proto esp spi 0x00000001(1) reqid 0(0x00000000) mode transport
        replay-window 0 seq 0x00000000 flag  (0x00000000)
        enc cbc(des3_ede) 0x112233445566778811223344556677881122334455667788 (192 bits)
        sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2015-04-28 13:21:10 use -
        stats:
          replay-window 0 replay 0 failed 0
Comment 12 errata-xmlrpc 2015-11-19 14:39:18 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2117.html