Bug 1092840 - Glusterd crashes and core-dumps when starting a volume in FIPS mode.
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: GlusterFS
Classification: Community
Component: core
Version: mainline
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Kaushal
QA Contact:
URL: http://supercolony.gluster.org/piperm...
Whiteboard:
Depends On:
Blocks: 1459708 1459709
Reported: 2014-04-30 05:30 UTC by Kaushal
Modified: 2021-06-10 10:44 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1459708 1459709
Environment:
Last Closed: 2018-10-08 03:26:02 UTC
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Embargoed:



Links
System ID: Github gluster/glusterfs/issues/230 (https://github.com/gluster/glusterfs/issues/230)
Private: 0, Priority: None, Status: None, Summary: None, Last Updated: 2017-06-08 10:23:42 UTC

Description Kaushal 2014-04-30 05:30:45 UTC
Description of problem:
When a system is running in FIPS mode, attempting to start a volume will cause glusterd to crash and coredump. This is the backtrace that was obtained when I tried this on a FIPS-enabled rhel-6.5 machine.

(gdb) bt
#0  0x00007f8741f2a925 in raise () from /lib64/libc.so.6
#1  0x00007f8741f2c105 in abort () from /lib64/libc.so.6
#2  0x00007f87422f3ebf in OpenSSLDie () from /usr/lib64/libcrypto.so.10
#3  0x00007f87422fa619 in MD5_Init () from /usr/lib64/libcrypto.so.10
#4  0x00007f87422fa9ea in MD5 () from /usr/lib64/libcrypto.so.10
#5  0x00007f874391c91c in md5_wrapper (data=<value optimized out>, len=<value optimized out>, md5=0x23057d0 "") at common-utils.c:68
#6  0x00007f873e8beb72 in glusterd_set_socket_filepath (sock_filepath=0x2306860 "/var/lib/glusterd/vols/test/run/10.70.42.171-export-test", sockpath=0x230c9d0 "", len=4096) at glusterd-utils.c:1222
#7  0x00007f873e8bedf8 in glusterd_set_brick_socket_filepath (volinfo=0xfffffffffdcf87a1, brickinfo=0x7f8728003400, sockpath=0x230c9d0 "", len=4096) at glusterd-utils.c:1251
#8  0x00007f873e8c54a9 in glusterd_volume_start_glusterfs (volinfo=0x7f8728000f70, brickinfo=0x7f870000c000, wait=_gf_true) at glusterd-utils.c:1417
#9  0x00007f873e8c6f29 in glusterd_brick_start (volinfo=0x7f8728000f70, brickinfo=0x7f8728003400, wait=_gf_true) at glusterd-utils.c:4698
#10 0x00007f873e901a8d in glusterd_op_start_volume (dict=<value optimized out>, op_errstr=<value optimized out>) at glusterd-volume-ops.c:1746
#11 0x00007f873e8b071b in glusterd_op_commit_perform (op=GD_OP_START_VOLUME, dict=0x7f8740b3025c, op_errstr=0x2311868, rsp_dict=0x7f8740b3048c) at glusterd-op-sm.c:4170
#12 0x00007f873e90d93e in gd_commit_op_phase (peers=0x210e6e0, op=GD_OP_START_VOLUME, op_ctx=0x7f8740b301d0, req_dict=0x7f8740b3025c, op_errstr=0x2311868, npeers=0) at glusterd-syncop.c:980
#13 0x00007f873e90f632 in gd_sync_task_begin (op_ctx=0x7f8740b301d0, req=0x2101c6c) at glusterd-syncop.c:1260
#14 0x00007f873e90f76b in glusterd_op_begin_synctask (req=0x2101c6c, op=<value optimized out>, dict=0x7f8740b301d0) at glusterd-syncop.c:1294
#15 0x00007f873e902cc6 in __glusterd_handle_cli_start_volume (req=0x2101c6c) at glusterd-volume-ops.c:255
#16 0x00007f873e896f7f in glusterd_big_locked_handler (req=0x2101c6c, actor_fn=0x7f873e902b10 <__glusterd_handle_cli_start_volume>) at glusterd-handler.c:77
#17 0x00007f874393d8e2 in synctask_wrap (old_task=<value optimized out>) at syncop.c:293
#18 0x00007f8741f3bbf0 in ?? () from /lib64/libc.so.6
#19 0x0000000000000000 in ?? ()


Version-Release number of selected component (if applicable):
glusterfs-v3.5.0

How reproducible:
Always.

Steps to Reproduce:
1. Start up the system in FIPS mode
2. Create and try to start a volume.

Actual results:
Glusterd crashes with the above backtrace.

Expected results:
Glusterd shouldn't be crashing.

Additional info:
This is happening because glusterd is using MD5 to calculate a hash when building brick socket file path. MD5 is not a FIPS compliant hash algorithm, and openssl will die when an attempt to use MD5 is made in FIPS mode.

This was originally observed and reported on the gluster-users mailing list. The mail thread can be viewed at http://supercolony.gluster.org/pipermail/gluster-users/2014-April/040060.html.

Comment 1 Yaniv Kaul 2018-07-23 12:19:23 UTC
That code should have been removed by:
commit 5aca4cf569f19d235662c4fbaa04df21e5fd46c2
Author: Kotresh HR <khiremat>
Date:   Tue Dec 19 00:05:05 2017 -0500

    fips: Replace md5sum usage to enable fips support
    
    md5sum is not fips compliant. Using xxhash64 instead of
    md5sum for socket file generation in glusterd and
    changelog to enable fips support.
    
    NOTE: md5sum is 128 bit hash. xxhash used is 64 bit.
    
    Updates: #230
    Change-Id: I1bf2ea05905b9151cd29fa951f903685ab0dc84c
    Signed-off-by: Kotresh HR <khiremat>


Is it still an issue?

Comment 2 Nigel Babu 2018-10-08 03:26:02 UTC
I believe Glusterd no longer crashes with FIPS mode turned on; however, there are a couple of bugs with the implementation we're working through to solve.

I am going to close this bug in the belief that all is well now. This was tracked as a Github issue and the patches are all in this issue: https://github.com/gluster/glusterfs/issues/230
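
The failure mode discussed in this bug, as an added example that is not code from GlusterFS or from anyone in this thread: a brick socket path is derived from a non-cryptographic hash, so nothing in the path calls into libcrypto and FIPS mode has nothing to abort. FNV-1a 64 stands in for xxhash64 to keep the block self-contained; the function names, `/var/run/gluster` and the `.socket` suffix are assumptions.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/un.h>

/* FNV-1a 64-bit: non-cryptographic, used here as a stand-in for xxhash64.
 * It never touches libcrypto, so a FIPS self-check cannot abort it. */
static uint64_t fnv1a64(const char *data, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;          /* FNV offset basis */
    for (size_t i = 0; i < len; i++) {
        h ^= (unsigned char)data[i];
        h *= 0x100000001b3ULL;                   /* FNV prime */
    }
    return h;
}

/* 1 if the kernel flag file starts with '1', else 0 (also when absent). */
static int fips_enabled(const char *path)
{
    int c = 0;
    FILE *f = fopen(path, "r");
    if (f) { c = fgetc(f); fclose(f); }
    return c == '1';
}

/* Map an arbitrarily long brick identifier to a fixed-length socket path.
 * run_dir is an assumed directory. Returns 0 on success, -1 when the
 * result would not fit in out or in sockaddr_un.sun_path. */
static int brick_socket_path(const char *run_dir, const char *brick_id,
                             char *out, size_t out_len)
{
    size_t max = sizeof(((struct sockaddr_un *)0)->sun_path);
    uint64_t h = fnv1a64(brick_id, strlen(brick_id));
    int n = snprintf(out, out_len, "%s/%016" PRIx64 ".socket", run_dir, h);
    return (n < 0 || (size_t)n >= out_len || (size_t)n >= max) ? -1 : 0;
}

int main(void)
{
    char path[4096];
    /* Constructed input, shaped like sock_filepath in the backtrace. */
    const char *id = "/var/lib/glusterd/vols/test/run/10.70.42.171-export-test";
    int fips = fips_enabled("/proc/sys/crypto/fips_enabled");
    if (brick_socket_path("/var/run/gluster", id, path, sizeof(path)) == 0)
        printf("fips=%d socket=%s\n", fips, path);
    return 0;
}
```

The hashed name is only an identifier, not a security control, which is why a 64-bit non-cryptographic digest is acceptable here. Anything that needs collision resistance against an adversary still needs an approved digest such as SHA-256.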

