1323215 – gnutls-serv --http crashes with client certificates with NSS client

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1323215 - gnutls-serv --http crashes with client certificates with NSS client

Summary: gnutls-serv --http crashes with client certificates with NSS client

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	gnutls
Sub Component:
Version:	6.8
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Nikos Mavrogiannopoulos
QA Contact:	Alicja Kario
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1339222 1343211
TreeView+	depends on / blocked

Reported:	2016-04-01 14:45 UTC by Alicja Kario
Modified:	2017-03-21 09:03 UTC (History)
CC List:	1 user (show)
Fixed In Version:	gnutls-2.12.23-1.el6
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-03-21 09:03:08 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Certificates (30.11 KB, application/x-gzip) 2016-04-01 14:45 UTC, Alicja Kario	no flags	Details
Nikos proposed patch (9.46 KB, patch) 2016-04-01 14:47 UTC, Alicja Kario	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:0574	0	normal	SHIPPED_LIVE	Moderate: gnutls security, bug fix, and enhancement update	2017-03-21 12:23:04 UTC

Description Alicja Kario 2016-04-01 14:45:39 UTC

Created attachment 1142600 [details]
Certificates

Description of problem:
When gnutls-serv is configured to request client certificates and work as an HTTP server, connections from NSS with client certificates cause the server to crash.

Version-Release number of selected component (if applicable):
gnutls-2.8.5-19.el6_7.x86_64

How reproducible:
always

Steps to Reproduce:
1. tar xzf certs.tar.gz
2. valgrind gnutls-serv --http -p 4433 --priority NORMAL:+VERS-TLS1.2 --x509keyfile rsa-server/key.pem --x509certfile <(cat 'rsa-server/cert.pem' 'rsa-ca/cert.pem') --x509cafile <(cat ca/cert.pem rsa-ca/cert.pem) --require-cert

in another terminal:
3. /usr/lib64/nss/unsupported-tools/tstclnt -h localhost -p 4433 -d sql:./nssdb/ -n rsa-client -4 -V tls1.0:
4. enter "GET / HTTP/1.0" and two newlines to tstclnt

Actual results:
    ==9241== Memcheck, a memory error detector
    ==9241== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
    ==9241== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
    ==9241== Command: gnutls-serv --http -p 4433 --priority NORMAL:+VERS-TLS1.2 --x509keyfile rsa-server/key.pem --x509certfile /dev/fd/63 --x509cafile /dev/fd/62 --require-cert
    ==9241==
    HTTP Server listening on 0.0.0.0 port 4433 family 2...done
    HTTP Server listening on :: port 4433 family 10...bind() failed: Address already in use
    ==9241== Conditional jump or move depends on uninitialised value(s)
    ==9241==    at 0x4E55817: gnutls_session_get_id (gnutls_session.c:161)
    ==9241==    by 0x40431E: peer_print_info (serv.c:501)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==
    ==9241== Invalid write of size 1
    ==9241==    at 0x4C29C8C: strcat (mc_replace_strmem.c:267)
    ==9241==    by 0x404637: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x66139f0 is 0 bytes after a block of size 5,120 alloc'd
    ==9241==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
    ==9241==    by 0x4042A8: peer_print_info (serv.c:494)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==
    ==9241== Invalid write of size 1
    ==9241==    at 0x4C29C9F: strcat (mc_replace_strmem.c:267)
    ==9241==    by 0x404637: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c64 is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid read of size 1
    ==9241==    at 0x4C29FA4: strlen (mc_replace_strmem.c:403)
    ==9241==    by 0x40463F: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x66139f0 is 0 bytes after a block of size 5,120 alloc'd
    ==9241==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
    ==9241==    by 0x4042A8: peer_print_info (serv.c:494)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==
    ==9241== Invalid write of size 8
    ==9241==    at 0x40464F: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c64 is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 1
    ==9241==    at 0x404652: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c6c is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid read of size 1
    ==9241==    at 0x4C29FA4: strlen (mc_replace_strmem.c:403)
    ==9241==    by 0x404667: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x66139f0 is 0 bytes after a block of size 5,120 alloc'd
    ==9241==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
    ==9241==    by 0x4042A8: peer_print_info (serv.c:494)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==
    ==9241== Invalid write of size 8
    ==9241==    at 0x404695: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c6c is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 8
    ==9241==    at 0x404698: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c74 is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 8
    ==9241==    at 0x40469C: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c7c is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 8
    ==9241==    at 0x4046A0: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c84 is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 2
    ==9241==    at 0x4046AA: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c8c is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid read of size 1
    ==9241==    at 0x4C29C74: strcat (mc_replace_strmem.c:267)
    ==9241==    by 0x4046B4: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x66139f0 is 0 bytes after a block of size 5,120 alloc'd
    ==9241==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
    ==9241==    by 0x4042A8: peer_print_info (serv.c:494)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==
    ==9241== Invalid write of size 1
    ==9241==    at 0x4C29C9F: strcat (mc_replace_strmem.c:267)
    ==9241==    by 0x4046B4: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c8d is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid read of size 1
    ==9241==    at 0x4C29FA4: strlen (mc_replace_strmem.c:403)
    ==9241==    by 0x4046BC: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x66139f0 is 0 bytes after a block of size 5,120 alloc'd
    ==9241==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
    ==9241==    by 0x4042A8: peer_print_info (serv.c:494)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==
    ==9241== Invalid write of size 8
    ==9241==    at 0x4046C5: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c8d is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 2
    ==9241==    at 0x4046C8: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c95 is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 1
    ==9241==    at 0x4046CE: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c97 is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid read of size 1
    ==9241==    at 0x4C29FA4: strlen (mc_replace_strmem.c:403)
    ==9241==    by 0x4046D6: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x66139f0 is 0 bytes after a block of size 5,120 alloc'd
    ==9241==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
    ==9241==    by 0x4042A8: peer_print_info (serv.c:494)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==
    ==9241== Invalid write of size 8
    ==9241==    at 0x4046F3: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c9f is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 8
    ==9241==    at 0x4046F7: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c97 is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 2
    ==9241==    at 0x4046FA: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613ca7 is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid read of size 1
    ==9241==    at 0x4C29FA4: strlen (mc_replace_strmem.c:403)
    ==9241==    by 0x404704: peer_print_info (serv.c:621)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x66139f0 is 0 bytes after a block of size 5,120 alloc'd
    ==9241==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
    ==9241==    by 0x4042A8: peer_print_info (serv.c:494)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==
    --9241-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
    --9241-- si_code=80;  Faulting address: 0x0;  sp: 0x4030bbdd0
     
    valgrind: the 'impossible' happened:
       Killed by fatal signal
    ==9241==    at 0x3803EC04: vgPlain_arena_malloc (m_mallocfree.c:291)
    ==9241==    by 0x38003C34: vgMemCheck_new_block (mc_malloc_wrappers.c:263)
    ==9241==    by 0x3800409A: vgMemCheck_malloc (mc_malloc_wrappers.c:301)
    ==9241==    by 0x3807A58A: vgPlain_scheduler (scheduler.c:1665)
    ==9241==    by 0x380A6409: run_a_thread_NORETURN (syswrap-linux.c:103)
     
    sched status:
      running_tid=1
     
    Thread 1: status = VgTs_Runnable
    ==9241==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
    ==9241==    by 0x4E470A6: _gnutls_send_int (gnutls_record.c:404)
    ==9241==    by 0x405B8D: main (serv.c:1336)
     
     
    Note: see also the FAQ in the source distribution.
    It contains workarounds to several common problems.
    In particular, if Valgrind aborted or crashed after
    identifying problems in your program, there's a good chance
    that fixing those problems will prevent Valgrind aborting or
    crashing, especially if it happened in m_mallocfree.c.
     
    If that doesn't help, please report this bug to: www.valgrind.org
     
    In the bug report, send all the above text, the valgrind
    version, and what OS and version you are using.  Thanks.


Expected results:
HTML with description of the connection

Additional info:

Comment 1 Alicja Kario 2016-04-01 14:47:48 UTC

Created attachment 1142614 [details]
Nikos proposed patch

Patch proposed by Nikos to fix it (untested)

Comment 3 Nikos Mavrogiannopoulos 2016-08-09 12:24:37 UTC

Verified that this is addressed with the 2.12.x rebase.

Comment 7 errata-xmlrpc 2017-03-21 09:03:08 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0574.html

Note You need to log in before you can comment on or make changes to this bug.