Bug 1139173 - backport: ip -s xfrm state crashes with segfault
Summary: backport: ip -s xfrm state crashes with segfault
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: iproute
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
: ---
Assignee: Pavel Šimerda (pavlix)
QA Contact: Jaroslav Aster
URL:
Whiteboard:
Depends On:
Blocks: 1110700 1191021
Reported: 2014-09-08 10:01 UTC by Jan Tluka
Modified: 2015-11-19 14:39 UTC (History)

Fixed In Version: iproute-3.10.0-25.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 14:39:18 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2117 normal SHIPPED_LIVE iproute bug fix and enhancement update 2015-11-19 11:35:06 UTC

Description Jan Tluka 2014-09-08 10:01:50 UTC
Description of problem:

When I query the statistics using ip xfrm state the program crashes with the following backtrace.

# gdb ip
(gdb) run -s xfrm state
Starting program: /usr/sbin/ip -s xfrm state
src 1.1.1.1 dst 1.1.1.2
	proto esp spi 0x00000001(1) reqid 0(0x00000000) mode tunnel

Program received signal SIGSEGV, Segmentation fault.
0x000000000041eda1 in xfrm_state_info_print ()
(gdb) bt
#0  0x000000000041eda1 in xfrm_state_info_print ()
#1  0x0000000000420e05 in xfrm_state_print ()
#2  0x00000000004304af in rtnl_dump_filter_l ()
#3  0x00000000004306d7 in rtnl_dump_filter ()
#4  0x0000000000405963 in xfrm_state_list_or_deleteall ()
#5  0x0000000000423adb in do_xfrm_state ()
#6  0x0000000000406604 in do_cmd ()
#7  0x00000000004061f2 in main ()


Version-Release number of selected component (if applicable):
# rpm -qa iproute
iproute-3.10.0-13.el7.x86_64
# uname -r
3.10.0-123.el7.x86_64

also tried newer kernel 3.10.0-152.el7.x86_64 and ip crashed as well

How reproducible:
every time, an entry must exist in SAD

Steps to Reproduce:
1. ip xfrm state add src 1.1.1.1 dst 1.1.1.2 proto esp spi 1 mode tunnel enc des3_ede 0x112233445566778811223344556677881122334455667788
2. ip -s xfrm state
3.

Actual results:
segfault

Expected results:
no segfault

Additional info:

Comment 1 j.vandeville 2014-10-22 07:22:47 UTC
I've the same problem

ip -s xfrm state
src 192.168.42.40 dst 192.168.42.7
        proto esp spi 0xa77f7409(2810147849) reqid 16385(0x00004001) mode tunnel
Segmentation fault

Comment 3 Pavel Šimerda (pavlix) 2015-04-07 18:09:23 UTC
Reproduced. From the source code:

__u32 extra_flags = *(__u32 *)RTA_DATA(tb[XFRMA_SA_EXTRA_FLAGS]);

The tb[XFRMA_SA_EXTRA_FLAGS] pointer is NULL which is then dereferenced. The easiest fix would be to check the pointer but I will check upstream first.
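As an added illustration of the NULL entry described in this comment (example code, not from the bug report or from iproute2): the attribute table filled by a parse_rtattr-style loop is sparse, so a state the kernel sends without XFRMA_SA_EXTRA_FLAGS leaves that slot NULL. The block builds a constructed XFRM state attribute block with and without that attribute and applies both the pre-fix and the post-fix condition; struct rtattr, the RTA_* macros and the XFRMA_* values are minimal stand-ins mirroring the kernel headers, and the attribute contents are constructed.

```c
#include <stdint.h>
#include <string.h>
/* Stand-ins for the kernel's struct rtattr and RTA_* macros (same layout as <linux/rtnetlink.h>). */
struct rtattr { uint16_t rta_len; uint16_t rta_type; };
#define RTA_ALIGN(len)   (((len) + 3) & ~3)
#define RTA_LENGTH(len)  (RTA_ALIGN(sizeof(struct rtattr)) + (len))
#define RTA_DATA(rta)    ((void *)((char *)(rta) + RTA_LENGTH(0)))
#define RTA_PAYLOAD(rta) ((int)(rta)->rta_len - (int)RTA_LENGTH(0))
#define RTA_OK(rta, len) ((len) >= (int)sizeof(struct rtattr) && (rta)->rta_len >= sizeof(struct rtattr) && (rta)->rta_len <= (unsigned)(len))
#define RTA_NEXT(rta, len) ((len) -= RTA_ALIGN((rta)->rta_len), (struct rtattr *)((char *)(rta) + RTA_ALIGN((rta)->rta_len)))
enum { XFRMA_ALG_CRYPT = 2, XFRMA_SA_EXTRA_FLAGS = 24, XFRMA_MAX = 24 }; /* values as in <linux/xfrm.h> */

/* Same shape as iproute2's parse_rtattr(): the table is sparse, so every attribute
 * type the kernel did not send stays NULL, which is the pointer the bug dereferenced. */
static void parse_rtattr(struct rtattr *tb[], int max, struct rtattr *rta, int len)
{
    memset(tb, 0, sizeof(struct rtattr *) * (max + 1));
    for (; RTA_OK(rta, len); rta = RTA_NEXT(rta, len))
        if (rta->rta_type <= max) tb[rta->rta_type] = rta;
}
/* The upstream fix's condition (show_stats AND attribute present), plus a payload-length
 * check before reading the data as a __u32: 1 with *out set, 0 nothing to print, -1 too short. */
static int get_extra_flags(struct rtattr *tb[], int show_stats, uint32_t *out)
{
    struct rtattr *rta = tb[XFRMA_SA_EXTRA_FLAGS];
    if (!(show_stats > 0 && rta)) return 0;
    if (RTA_PAYLOAD(rta) < (int)sizeof(uint32_t)) return -1;
    memcpy(out, RTA_DATA(rta), sizeof(*out));
    return 1;
}
/* Appends one attribute to a constructed attribute buffer; returns the new length. */
static int add_attr(unsigned char *buf, int off, uint16_t type, const void *data, int len)
{
    struct rtattr *rta = (struct rtattr *)(buf + off);
    rta->rta_len = (uint16_t)RTA_LENGTH(len); rta->rta_type = type;
    memcpy(RTA_DATA(rta), data, len);
    return off + RTA_ALIGN(rta->rta_len);
}

/* Constructed SA attribute block (a crypt algorithm attribute, optionally XFRMA_SA_EXTRA_FLAGS
 * = 0x1); also reports whether the pre-fix test (show_stats > 0 || attr) would deref NULL. */
static int demo(int with_extra, int show_stats, uint32_t *flags, int *buggy_deref)
{
    uint32_t words[16]; unsigned char *buf = (unsigned char *)words; /* 4-byte aligned */
    struct rtattr *tb[XFRMA_MAX + 1]; uint32_t extra = 0x1;
    int len = add_attr(buf, 0, XFRMA_ALG_CRYPT, "cbc(des3_ede)", 14);
    if (with_extra) len = add_attr(buf, len, XFRMA_SA_EXTRA_FLAGS, &extra, sizeof(extra));
    parse_rtattr(tb, XFRMA_MAX, (struct rtattr *)buf, len);
    *buggy_deref = (show_stats > 0 || tb[XFRMA_SA_EXTRA_FLAGS]) && !tb[XFRMA_SA_EXTRA_FLAGS];
    return get_extra_flags(tb, show_stats, flags);
}
```

With -s and no extra-flags attribute the pre-fix test is true on a NULL slot (the reported crash), while the fixed logic simply prints nothing.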

Comment 7 Pavel Šimerda (pavlix) 2015-04-28 11:30:35 UTC
commit 1ed509bb522225050edfa1ed7ddc7255e9a18bd5
Author: Thomas Egerer <thomas.egerer@secunet.com>
Date:   Thu Aug 29 14:00:36 2013 +0200

    ip/xfrm: Fix potential SIGSEGV when printing extra flags
    
    The git-commit dc8867d0, that added support for displaying the
    extra-flags of a state, introduced a potential segfault.
    Trying to show a state without the extra-flag attribute and show_stats
    enabled, would cause the NULL pointer in tb[XFRMA_SA_EXTRA_FLAGS] to be
    dereferenced.
    
    Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>

diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c
index 0a3a9fb..411d9d5 100644
--- a/ip/ipxfrm.c
+++ b/ip/ipxfrm.c
@@ -856,7 +856,7 @@ void xfrm_state_info_print(struct xfrm_usersa_info *xsinfo,
 		if (flags)
 			fprintf(fp, "%x", flags);
 	}
-	if (show_stats > 0 || tb[XFRMA_SA_EXTRA_FLAGS]) {
+	if (show_stats > 0 && tb[XFRMA_SA_EXTRA_FLAGS]) {
 		__u32 extra_flags = *(__u32 *)RTA_DATA(tb[XFRMA_SA_EXTRA_FLAGS]);
 
 		fprintf(fp, "extra_flag ");
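Review bot: the `+` line narrows behaviour as well as removing the NULL dereference: with `&&`, a state that does carry XFRMA_SA_EXTRA_FLAGS is no longer printed unless -s was given, whereas the `-` line's `||` printed the block whenever the attribute was present. If showing the flags without -s is still wanted, guard on the attribute alone (`if (tb[XFRMA_SA_EXTRA_FLAGS]) {`) and drop show_stats from the test. Separately, `*(__u32 *)RTA_DATA(tb[XFRMA_SA_EXTRA_FLAGS])` still trusts the attribute length; a `RTA_PAYLOAD(tb[XFRMA_SA_EXTRA_FLAGS]) >= sizeof(__u32)` check before the read would cover a short attribute.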

Comment 8 Pavel Šimerda (pavlix) 2015-04-28 14:55:52 UTC
# ip -s xfrm state
src 192.168.10.2 dst 192.168.10.1
        proto esp spi 0x00000001(1) reqid 0(0x00000000) mode transport
        replay-window 0 seq 0x00000000 flag  (0x00000000)
        enc cbc(des3_ede) 0x112233445566778811223344556677881122334455667788 (192 bits)
        sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2015-04-28 13:21:10 use -
        stats:
          replay-window 0 replay 0 failed 0

Comment 12 errata-xmlrpc 2015-11-19 14:39:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2117.html

