Bug 1139173 - backport: ip -s xfrm state crashes with segfault
Summary: backport: ip -s xfrm state crashes with segfault
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: iproute
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Pavel Šimerda (pavlix)
QA Contact: Jaroslav Aster
URL:
Whiteboard:
Depends On:
Blocks: 1110700 1191021
Reported: 2014-09-08 10:01 UTC by Jan Tluka
Modified: 2015-11-19 14:39 UTC (History)
CC: 7 users

Fixed In Version: iproute-3.10.0-25.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 14:39:18 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Product Errata RHBA-2015:2117 (priority normal, status SHIPPED_LIVE): iproute bug fix and enhancement update, last updated 2015-11-19 11:35:06 UTC

Description Jan Tluka 2014-09-08 10:01:50 UTC
Description of problem:

When I query the statistics using ip xfrm state the program crashes with the following backtrace.

# gdb ip
(gdb) run -s xfrm state
Starting program: /usr/sbin/ip -s xfrm state
src 1.1.1.1 dst 1.1.1.2
	proto esp spi 0x00000001(1) reqid 0(0x00000000) mode tunnel

Program received signal SIGSEGV, Segmentation fault.
0x000000000041eda1 in xfrm_state_info_print ()
(gdb) bt
#0  0x000000000041eda1 in xfrm_state_info_print ()
#1  0x0000000000420e05 in xfrm_state_print ()
#2  0x00000000004304af in rtnl_dump_filter_l ()
#3  0x00000000004306d7 in rtnl_dump_filter ()
#4  0x0000000000405963 in xfrm_state_list_or_deleteall ()
#5  0x0000000000423adb in do_xfrm_state ()
#6  0x0000000000406604 in do_cmd ()
#7  0x00000000004061f2 in main ()


Version-Release number of selected component (if applicable):
# rpm -qa iproute
iproute-3.10.0-13.el7.x86_64
# uname -r
3.10.0-123.el7.x86_64

also tried newer kernel 3.10.0-152.el7.x86_64 and ip crashed as well

How reproducible:
every time, an entry must exist in SAD

Steps to Reproduce:
1. ip xfrm state add src 1.1.1.1 dst 1.1.1.2 proto esp spi 1 mode tunnel enc des3_ede 0x112233445566778811223344556677881122334455667788
2. ip -s xfrm state

Actual results:
segfault

Expected results:
no segfault

Additional info:

Comment 1 j.vandeville 2014-10-22 07:22:47 UTC
I've the same problem

ip -s xfrm state
src 192.168.42.40 dst 192.168.42.7
        proto esp spi 0xa77f7409(2810147849) reqid 16385(0x00004001) mode tunnel
Segmentation fault

Comment 3 Pavel Šimerda (pavlix) 2015-04-07 18:09:23 UTC
Reproduced. From the source code:

__u32 extra_flags = *(__u32 *)RTA_DATA(tb[XFRMA_SA_EXTRA_FLAGS]);

The tb[XFRMA_SA_EXTRA_FLAGS] pointer is NULL which is then dereferenced. The easiest fix would be to check the pointer but I will check upstream first.
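The NULL dereference described in this comment, modelled as a self-contained C example. This is an added illustration, not iproute2's own code: struct rtattr and the RTA_* macros are local stand-ins for the ones in <linux/rtnetlink.h> (same 4-byte-aligned TLV layout), the attribute numbers are placeholders rather than the real XFRMA_* values from <linux/xfrm.h>, and parse_rtattr/put_attr are small hypothetical helpers. It runs the pre-fix condition (`||`) and the post-fix condition (`&&`, as in the upstream commit quoted later in this bug) over a constructed attribute set with and without XFRMA_SA_EXTRA_FLAGS, and additionally checks the attribute's payload length, which the upstream patch does not do.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for struct rtattr and the RTA_* macros of
 * <linux/rtnetlink.h>; 4-byte header, 4-byte aligned TLVs, as in the kernel. */
struct rtattr {
    uint16_t rta_len;   /* header + payload, before alignment padding */
    uint16_t rta_type;
};
#define RTA_ALIGNTO      4
#define RTA_ALIGN(len)   (((len) + RTA_ALIGNTO - 1) & ~(RTA_ALIGNTO - 1))
#define RTA_LENGTH(len)  (RTA_ALIGN(sizeof(struct rtattr)) + (len))
#define RTA_DATA(rta)    ((void *)((char *)(rta) + RTA_LENGTH(0)))
#define RTA_PAYLOAD(rta) ((int)(rta)->rta_len - (int)RTA_LENGTH(0))
#define RTA_OK(rta, len) ((len) >= (int)sizeof(struct rtattr) && \
                          (rta)->rta_len >= sizeof(struct rtattr) && \
                          (int)(rta)->rta_len <= (len))
#define RTA_NEXT(rta, len) ((len) -= RTA_ALIGN((rta)->rta_len), \
                            (struct rtattr *)((char *)(rta) + RTA_ALIGN((rta)->rta_len)))

/* Placeholder attribute numbers for this model only (real values: <linux/xfrm.h>). */
enum { ATTR_OTHER = 1, XFRMA_SA_EXTRA_FLAGS = 2, XFRMA_MAX = 2 };

/* What the extra-flags block would do, reported instead of printed. */
enum ef_result { EF_SKIPPED = 0, EF_PRINTED = 1, EF_WOULD_CRASH = -1, EF_BAD_LEN = -2 };

/* Index the TLVs of one message by type, in the spirit of iproute2's parse_rtattr(). */
static void parse_rtattr(struct rtattr *tb[], int max, struct rtattr *rta, int len)
{
    memset(tb, 0, sizeof(struct rtattr *) * (max + 1));
    while (RTA_OK(rta, len)) {
        if (rta->rta_type <= max && !tb[rta->rta_type])
            tb[rta->rta_type] = rta;
        rta = RTA_NEXT(rta, len);
    }
}

/* iproute-3.10.0-13 logic: `||` enters the block on -s even when the SA has
 * no extra-flags attribute; the real code then dereferences the NULL entry. */
static enum ef_result extra_flags_before_fix(struct rtattr *tb[], int show_stats, uint32_t *out)
{
    if (show_stats > 0 || tb[XFRMA_SA_EXTRA_FLAGS]) {
        if (!tb[XFRMA_SA_EXTRA_FLAGS])
            return EF_WOULD_CRASH;  /* stands in for the SIGSEGV */
        *out = *(uint32_t *)RTA_DATA(tb[XFRMA_SA_EXTRA_FLAGS]);
        return EF_PRINTED;
    }
    return EF_SKIPPED;
}

/* The fixed condition (`&&`), plus a payload-length check that the upstream
 * patch does not add, so a truncated attribute is rejected, not over-read. */
static enum ef_result extra_flags_after_fix(struct rtattr *tb[], int show_stats, uint32_t *out)
{
    struct rtattr *rta = tb[XFRMA_SA_EXTRA_FLAGS];
    if (show_stats > 0 && rta) {
        if (RTA_PAYLOAD(rta) < (int)sizeof(uint32_t))
            return EF_BAD_LEN;
        memcpy(out, RTA_DATA(rta), sizeof(uint32_t));  /* alignment-safe read */
        return EF_PRINTED;
    }
    return EF_SKIPPED;
}

/* Append one TLV at offset off; returns the next aligned offset. */
static int put_attr(unsigned char *buf, int off, uint16_t type, const void *data, uint16_t len)
{
    struct rtattr *rta = (struct rtattr *)(buf + off);
    rta->rta_type = type;
    rta->rta_len = (uint16_t)RTA_LENGTH(len);
    memcpy(RTA_DATA(rta), data, len);
    return off + (int)RTA_ALIGN(rta->rta_len);
}

/* Build a constructed attribute set and run one version of the check.
 * with_attr: include XFRMA_SA_EXTRA_FLAGS; attr_len: its payload length. */
int run_case(int fixed, int show_stats, int with_attr, int attr_len, uint32_t *out)
{
    uint32_t raw[16];                       /* 4-byte aligned backing store */
    unsigned char *buf = (unsigned char *)raw;
    uint32_t other = 0, flags = 0x00000001; /* constructed sample values */
    uint32_t tmp;
    int len = put_attr(buf, 0, ATTR_OTHER, &other, sizeof other);
    if (with_attr)
        len = put_attr(buf, len, XFRMA_SA_EXTRA_FLAGS, &flags, (uint16_t)attr_len);

    struct rtattr *tb[XFRMA_MAX + 1];
    parse_rtattr(tb, XFRMA_MAX, (struct rtattr *)buf, len);
    if (!out)
        out = &tmp;
    *out = 0;
    return fixed ? extra_flags_after_fix(tb, show_stats, out)
                 : extra_flags_before_fix(tb, show_stats, out);
}

int main(void)
{
    uint32_t v;
    printf("before, -s, no attr : %d (-1 = would crash)\n", run_case(0, 1, 0, 4, NULL));
    printf("after,  -s, no attr : %d (0 = skipped)\n", run_case(1, 1, 0, 4, NULL));
    int r = run_case(1, 1, 1, 4, &v);
    printf("after,  -s, attr    : %d flags=0x%08x\n", r, v);
    printf("after,  -s, 2-byte  : %d (-2 = bad length)\n", run_case(1, 1, 1, 2, NULL));
    printf("no -s, attr: before %d / after %d\n", run_case(0, 0, 1, 4, NULL), run_case(1, 0, 1, 4, NULL));
    return 0;
}
```

The last case shows a side effect of the `||` to `&&` change: an SA that does carry the attribute used to have its extra flags shown without -s and no longer does, so the fix is also a small output change, not only a NULL check.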

Comment 7 Pavel Šimerda (pavlix) 2015-04-28 11:30:35 UTC
commit 1ed509bb522225050edfa1ed7ddc7255e9a18bd5
Author: Thomas Egerer <thomas.egerer>
Date:   Thu Aug 29 14:00:36 2013 +0200

    ip/xfrm: Fix potential SIGSEGV when printing extra flags
    
    The git-commit dc8867d0, that added support for displaying the
    extra-flags of a state, introduced a potential segfault.
    Trying to show a state without the extra-flag attribute and show_stats
    enabled, would cause the NULL pointer in tb[XFRMA_SA_EXTRA_FLAGS] to be
    dereferenced.
    
    Signed-off-by: Thomas Egerer <thomas.egerer>

diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c
index 0a3a9fb..411d9d5 100644
--- a/ip/ipxfrm.c
+++ b/ip/ipxfrm.c
@@ -856,7 +856,7 @@ void xfrm_state_info_print(struct xfrm_usersa_info *xsinfo,
 		if (flags)
 			fprintf(fp, "%x", flags);
 	}
-	if (show_stats > 0 || tb[XFRMA_SA_EXTRA_FLAGS]) {
+	if (show_stats > 0 && tb[XFRMA_SA_EXTRA_FLAGS]) {
 		__u32 extra_flags = *(__u32 *)RTA_DATA(tb[XFRMA_SA_EXTRA_FLAGS]);
 
 		fprintf(fp, "extra_flag ");
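Review bot: Changing `||` to `&&` in `if (show_stats > 0 && tb[XFRMA_SA_EXTRA_FLAGS])` removes the NULL dereference but also changes what is displayed: under the old condition an SA that carried the extra-flags attribute printed `extra_flag` even without `-s`, whereas now it is printed only when stats are requested and the attribute is present. If the previous display was intended, `if (tb[XFRMA_SA_EXTRA_FLAGS])` alone would fix the crash without dropping it; either way the commit message should state the visible change. Separately, `*(__u32 *)RTA_DATA(tb[XFRMA_SA_EXTRA_FLAGS])` still trusts the attribute length; checking `RTA_PAYLOAD(tb[XFRMA_SA_EXTRA_FLAGS]) >= sizeof(__u32)` before the read would reject a truncated attribute instead of reading past it.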

Comment 8 Pavel Šimerda (pavlix) 2015-04-28 14:55:52 UTC
# ip -s xfrm state
src 192.168.10.2 dst 192.168.10.1
        proto esp spi 0x00000001(1) reqid 0(0x00000000) mode transport
        replay-window 0 seq 0x00000000 flag  (0x00000000)
        enc cbc(des3_ede) 0x112233445566778811223344556677881122334455667788 (192 bits)
        sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2015-04-28 13:21:10 use -
        stats:
          replay-window 0 replay 0 failed 0

Comment 12 errata-xmlrpc 2015-11-19 14:39:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2117.html

