Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1018890

Summary: pluto leaks file descriptors
Product: Red Hat Enterprise Linux 6 Reporter: Philipp Reisner <philipp.reisner>
Component: openswanAssignee: Paul Wouters <pwouters>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.4CC: eparis, lars.ellenberg
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-17 20:07:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Philipp Reisner 2013-10-14 15:42:13 UTC 
Description of problem:


Version-Release number of selected component (if applicable):

2.6.32-20.el6_4.x86_64

How reproducible:

Always


Steps to Reproduce:
1. Establish an IPSec tunnel on a kernel that does not have fips enabled
2. Use lsof or /proc/pid to watch as pluto opens more and more FDs of 
   /proc/sys/crypto/fips_enabled

Actual results:

when pluto hits 1024 FDs, it start to bahave "strange". Sometimes
it crashes with SIGSEGV.

Expected results:

Pluto should close /proc/sys/crypto/fips_enabled after reading the 0 out
of it.

Additional info:

In /var/log/messages you will find lines like these:
Oct 14 11:51:37 xxx kernel: pluto[31031]: segfault at 288 ip 00007f314cd196e3 sp 00007fff34fb9c80 error 4 in pluto[7f314ccc9000+fc000]
Oct 14 12:14:33 xxx kernel: pluto[21862]: segfault at 288 ip 00007fba0a4106e3 sp 00007fff7218b590 error 4 in pluto[7fba0a3c0000+fc000]
Oct 14 12:56:10 xxx kernel: pluto[7841]: segfault at 288 ip 00007f6ffdf956e3 sp 00007fff2d08a4b0 error 4 in pluto[7f6ffdf45000+fc000]
Comment 1 Philipp Reisner 2013-10-14 15:44:27 UTC 
The issue was fixed in pluto upstream. See commit:

commit ef4d0f4a921afe1977a02d97a9bf1b48b8aad85e
Author: Paul Wouters <paul>
Date:   Tue Aug 9 13:26:14 2011 -0400
* Fix closing fd in lib/libopenswan/oswconf.c [Avesh]
Comment 3 Eric Paris 2013-10-15 21:14:33 UTC 
Thank you for filing this report.  I am going to propose this bug for 6.6.  We are way past the time frame where this could be addressed in 6.5.
Comment 4 Lars Ellenberg 2013-10-16 08:27:29 UTC 
(In reply to Eric Paris from comment #3)
> Thank you for filing this report.  I am going to propose this bug for 6.6.
> We are way past the time frame where this could be addressed in 6.5.

Honestly?
That's an "obviously correct oneline patch"...

 ;)

See:
> https://github.com/xelerance/Openswan/commit/ef4d0f4a921afe1977a02d97a9bf1b48b8aad85e
>
> letoams authored 2 years ago 
>
> Author: Paul Wouters <paul>
> Date:   Tue Aug 9 13:26:14 2011 -0400
> 
>     * Fix closing fd in lib/libopenswan/oswconf.c [Avesh]
> 
> diff --git a/lib/libopenswan/oswconf.c b/lib/libopenswan/oswconf.c
> index 38ed558..63a748f 100644
> --- a/lib/libopenswan/oswconf.c
> +++ b/lib/libopenswan/oswconf.c
> @@ -199,42 +199,42 @@ secuPWData *osw_return_nss_password_file_info(void)
>  bool Pluto_IsFIPS(void)
>  {
>       char fips_flag[1];
>       int n;
>       FILE *fd=fopen("/proc/sys/crypto/fips_enabled","r");
>       
>       if(fd!=NULL) {
>  	    n = fread ((void *)fips_flag, 1, 1, fd);
>  		if(n==1) {
>  		    if(fips_flag[0]=='1') {
>  		    fclose(fd);
>  		    return TRUE;
>  		    }
>  		    else {
>  		    openswan_log("Non-fips mode set in /proc/sys/crypto/fips_enabled");
>  		    }
>  		} else {
>  			openswan_log("error in reading /proc/sys/crypto/fips_enabled, returning non-fips mode");
>  		} 
> +     fclose(fd);
>       }
>       else {
>  	openswan_log("Not able to open /proc/sys/crypto/fips_enabled, returning non-fips mode"); 
> -	fclose(fd);
>       }
>  return FALSE;
>  }
...
Comment 5 Eric Paris 2013-10-16 14:39:47 UTC 
I agree it doesn't seem to make sense.  But at this point in the RHEL development cycle the only code changes we can make are to fix regressions between 6.4 and 6.5.  This does not meet that requirement and so must be queued for 6.6.  I apologize for the delay and appreciate the report.
Comment 6 Paul Wouters 2013-10-17 20:07:29 UTC 

*** This bug has been marked as a duplicate of bug 1020322 ***