Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1323215

Summary:

gnutls-serv --http crashes with client certificates with NSS client

Product:

Red Hat Enterprise Linux 6

Reporter:

Alicja Kario <hkario>

Component:

gnutls

Assignee:

Nikos Mavrogiannopoulos <nmavrogi>

Status:

CLOSED ERRATA

QA Contact:

Alicja Kario <hkario>

Severity:

unspecified

Docs Contact:

Priority:

unspecified

Version:

6.8

CC:

szidek

Target Milestone:

Keywords:

TestBlocker

Target Release:

---

Hardware:

Unspecified

OS:

Unspecified

Whiteboard:

Fixed In Version:

gnutls-2.12.23-1.el6

Doc Type:

If docs needed, set a value

Doc Text:

Story Points:

---

Clone Of:

Environment:

Last Closed:

2017-03-21 09:03:08 UTC

Type:

Bug

Regression:

---

Mount Type:

---

Documentation:

---

CRM:

Verified Versions:

Category:

---

oVirt Team:

---

RHEL 7.3 requirements from Atomic Host:

Cloudforms Team:

---

Target Upstream Version:

Embargoed:

Bug Depends On:

Bug Blocks:

1339222, 1343211

Attachments:

Description	Flags
Certificates	none
Nikos proposed patch	none

Description Alicja Kario 2016-04-01 14:45:39 UTC

Created attachment 1142600 [details]
Certificates

Description of problem:
When gnutls-serv is configured to request client certificates and work as an HTTP server, connections from NSS with client certificates cause the server to crash.

Version-Release number of selected component (if applicable):
gnutls-2.8.5-19.el6_7.x86_64

How reproducible:
always

Steps to Reproduce:
1. tar xzf certs.tar.gz
2. valgrind gnutls-serv --http -p 4433 --priority NORMAL:+VERS-TLS1.2 --x509keyfile rsa-server/key.pem --x509certfile <(cat 'rsa-server/cert.pem' 'rsa-ca/cert.pem') --x509cafile <(cat ca/cert.pem rsa-ca/cert.pem) --require-cert

in another terminal:
3. /usr/lib64/nss/unsupported-tools/tstclnt -h localhost -p 4433 -d sql:./nssdb/ -n rsa-client -4 -V tls1.0:
4. enter "GET / HTTP/1.0" and two newlines to tstclnt

Actual results:
    ==9241== Memcheck, a memory error detector
    ==9241== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
    ==9241== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
    ==9241== Command: gnutls-serv --http -p 4433 --priority NORMAL:+VERS-TLS1.2 --x509keyfile rsa-server/key.pem --x509certfile /dev/fd/63 --x509cafile /dev/fd/62 --require-cert
    ==9241==
    HTTP Server listening on 0.0.0.0 port 4433 family 2...done
    HTTP Server listening on :: port 4433 family 10...bind() failed: Address already in use
    ==9241== Conditional jump or move depends on uninitialised value(s)
    ==9241==    at 0x4E55817: gnutls_session_get_id (gnutls_session.c:161)
    ==9241==    by 0x40431E: peer_print_info (serv.c:501)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==
    ==9241== Invalid write of size 1
    ==9241==    at 0x4C29C8C: strcat (mc_replace_strmem.c:267)
    ==9241==    by 0x404637: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x66139f0 is 0 bytes after a block of size 5,120 alloc'd
    ==9241==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
    ==9241==    by 0x4042A8: peer_print_info (serv.c:494)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==
    ==9241== Invalid write of size 1
    ==9241==    at 0x4C29C9F: strcat (mc_replace_strmem.c:267)
    ==9241==    by 0x404637: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c64 is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid read of size 1
    ==9241==    at 0x4C29FA4: strlen (mc_replace_strmem.c:403)
    ==9241==    by 0x40463F: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x66139f0 is 0 bytes after a block of size 5,120 alloc'd
    ==9241==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
    ==9241==    by 0x4042A8: peer_print_info (serv.c:494)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==
    ==9241== Invalid write of size 8
    ==9241==    at 0x40464F: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c64 is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 1
    ==9241==    at 0x404652: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c6c is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid read of size 1
    ==9241==    at 0x4C29FA4: strlen (mc_replace_strmem.c:403)
    ==9241==    by 0x404667: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x66139f0 is 0 bytes after a block of size 5,120 alloc'd
    ==9241==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
    ==9241==    by 0x4042A8: peer_print_info (serv.c:494)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==
    ==9241== Invalid write of size 8
    ==9241==    at 0x404695: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c6c is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 8
    ==9241==    at 0x404698: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c74 is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 8
    ==9241==    at 0x40469C: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c7c is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 8
    ==9241==    at 0x4046A0: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c84 is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 2
    ==9241==    at 0x4046AA: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c8c is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid read of size 1
    ==9241==    at 0x4C29C74: strcat (mc_replace_strmem.c:267)
    ==9241==    by 0x4046B4: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x66139f0 is 0 bytes after a block of size 5,120 alloc'd
    ==9241==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
    ==9241==    by 0x4042A8: peer_print_info (serv.c:494)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==
    ==9241== Invalid write of size 1
    ==9241==    at 0x4C29C9F: strcat (mc_replace_strmem.c:267)
    ==9241==    by 0x4046B4: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c8d is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid read of size 1
    ==9241==    at 0x4C29FA4: strlen (mc_replace_strmem.c:403)
    ==9241==    by 0x4046BC: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x66139f0 is 0 bytes after a block of size 5,120 alloc'd
    ==9241==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
    ==9241==    by 0x4042A8: peer_print_info (serv.c:494)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==
    ==9241== Invalid write of size 8
    ==9241==    at 0x4046C5: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c8d is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 2
    ==9241==    at 0x4046C8: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c95 is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 1
    ==9241==    at 0x4046CE: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c97 is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid read of size 1
    ==9241==    at 0x4C29FA4: strlen (mc_replace_strmem.c:403)
    ==9241==    by 0x4046D6: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x66139f0 is 0 bytes after a block of size 5,120 alloc'd
    ==9241==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
    ==9241==    by 0x4042A8: peer_print_info (serv.c:494)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==
    ==9241== Invalid write of size 8
    ==9241==    at 0x4046F3: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c9f is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 8
    ==9241==    at 0x4046F7: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613c97 is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid write of size 2
    ==9241==    at 0x4046FA: peer_print_info (string3.h:144)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x6613ca7 is not stack'd, malloc'd or (recently) free'd
    ==9241==
    ==9241== Invalid read of size 1
    ==9241==    at 0x4C29FA4: strlen (mc_replace_strmem.c:403)
    ==9241==    by 0x404704: peer_print_info (serv.c:621)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==  Address 0x66139f0 is 0 bytes after a block of size 5,120 alloc'd
    ==9241==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
    ==9241==    by 0x4042A8: peer_print_info (serv.c:494)
    ==9241==    by 0x40638C: main (serv.c:759)
    ==9241==
    --9241-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
    --9241-- si_code=80;  Faulting address: 0x0;  sp: 0x4030bbdd0
     
    valgrind: the 'impossible' happened:
       Killed by fatal signal
    ==9241==    at 0x3803EC04: vgPlain_arena_malloc (m_mallocfree.c:291)
    ==9241==    by 0x38003C34: vgMemCheck_new_block (mc_malloc_wrappers.c:263)
    ==9241==    by 0x3800409A: vgMemCheck_malloc (mc_malloc_wrappers.c:301)
    ==9241==    by 0x3807A58A: vgPlain_scheduler (scheduler.c:1665)
    ==9241==    by 0x380A6409: run_a_thread_NORETURN (syswrap-linux.c:103)
     
    sched status:
      running_tid=1
     
    Thread 1: status = VgTs_Runnable
    ==9241==    at 0x4C28A2E: malloc (vg_replace_malloc.c:270)
    ==9241==    by 0x4E470A6: _gnutls_send_int (gnutls_record.c:404)
    ==9241==    by 0x405B8D: main (serv.c:1336)
     
     
    Note: see also the FAQ in the source distribution.
    It contains workarounds to several common problems.
    In particular, if Valgrind aborted or crashed after
    identifying problems in your program, there's a good chance
    that fixing those problems will prevent Valgrind aborting or
    crashing, especially if it happened in m_mallocfree.c.
     
    If that doesn't help, please report this bug to: www.valgrind.org
     
    In the bug report, send all the above text, the valgrind
    version, and what OS and version you are using.  Thanks.


Expected results:
HTML with description of the connection

Additional info:

Comment 1 Alicja Kario 2016-04-01 14:47:48 UTC

Created attachment 1142614 [details]
Nikos proposed patch

Patch proposed by Nikos to fix it (untested)

Comment 3 Nikos Mavrogiannopoulos 2016-08-09 12:24:37 UTC

Verified that this is addressed with the 2.12.x rebase.

Comment 7 errata-xmlrpc 2017-03-21 09:03:08 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0574.html