Hi, I use irssi to connect to oftc.net channels, using SSL and a personal certificate to authenticate myself. From time to time (once every 2 weeks or so, but it's not a regular frequency) it segfaults because of a NULL pointer dereference, somewhere in the SSL code.
I somehow trust OpenBSD's defense mechanisms to make this harder to exploit, but still it doesn't feel too good. Backtrace below. Note that it's not an action on my side that triggers this. It generally happens during the night while I'm away from the keyboard.

Loaded symbols for /usr/libexec/ld.so
#0 strncpy (dst=0x7f7ffffc92e0 "Ð\234üÿ\177\177", src=0x0, n=1024) at /local/OpenBSD/src/lib/libc/string/strncpy.c:53
53              if ((*d++ = *s++) == 0) {
(gdb) bt
#0 strncpy (dst=0x7f7ffffc92e0 "Ð\234üÿ\177\177", src=0x0, n=1024) at /local/OpenBSD/src/lib/libc/string/strncpy.c:53
#1 0x000000000048b607 in net_connect_ip_ssl ()
#2 0x0000000205601f31 in PEM_do_header (cipher=0x7f7ffffc9870, data=0x20d14f000 "ËkóV¿pÛ-l", plen=0x7f7ffffc9850, callback=Variable "callback" is not available.
) at /local/OpenBSD/src/lib/libssl/crypto/../src/crypto/pem/pem_lib.c:451
#3 0x000000020560243d in PEM_bytes_read_bio (pdata=0x7f7ffffc98e8, plen=0x7f7ffffc98e0, pnm=0x7f7ffffc98f8, name=0x20573a2c5 "ANY PRIVATE KEY", bp=0x2068ba080, cb=0x48b5b0 <net_connect_ip_ssl+1008>, u=0x2081908a0) at /local/OpenBSD/src/lib/libssl/crypto/../src/crypto/pem/pem_lib.c:296
#4 0x0000000205595997 in PEM_read_bio_PrivateKey (bp=Variable "bp" is not available.
) at /local/OpenBSD/src/lib/libssl/crypto/../src/crypto/pem/pem_pkey.c:84
#5 0x000000020e0e76ef in SSL_CTX_use_PrivateKey_file (ctx=0x20922fc00, file=0x200ecbe40 "/home/matthieu/.irssi/certs/mherrb.pem", type=1) at /local/OpenBSD/src/lib/libssl/ssl/../src/ssl/ssl_rsa.c:654
#6 0x000000000048b2d5 in net_connect_ip_ssl ()
#7 0x0000000000481f23 in server_connect_finished ()
#8 0x00000000004823b9 in server_start_connect ()
#9 0x000000000047a5aa in mask_match ()
#10 0x00000002029a9125 in g_main_context_dispatch () from /usr/local/lib/libglib-2.0.so.2992.0
#11 0x00000002029ac9cc in g_main_context_check () from /usr/local/lib/libglib-2.0.so.2992.0
#12 0x00000002029aceee in g_main_context_iteration () from /usr/local/lib/libglib-2.0.so.2992.0
#13 0x0000000000428733 in main ()
(gdb) p d
$1 = 0x7f7ffffc92e0 "Ð\234üÿ\177\177"
(gdb) p s
$2 = 0x0
(gdb)

% irssi --version
irssi 0.8.15 (20100403 1617)

OpenBSD 5.0-current (GENERIC.MP) #0: Sat Dec 3 09:43:45 CET 2011
    matth...@cortez.herrb.net:/usr/obj/GENERIC.MP
real mem = 4025024512 (3838MB)
avail mem = 3903729664 (3722MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xfbdd0 (54 entries)
bios0: vendor American Megatrends Inc. version "V1.0" date 02/20/2009
bios0: MICRO-STAR INTERNATIONAL CO.,LTD MS-7576
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC MCFG OEMB HPET
acpi0: wakeup devices PCE2(S4) PCE3(S4) PCE4(S4) PCE5(S4) PCE6(S4) PCE7(S4) PCE9(S4) PCEA(S4) PCEB(S4) PCEC(S4) SBAZ(S4) PS2K(S1) PS2M(S1) P0PC(S4) UHC1(S4) UHC2(S4) UHC3(S4) USB4(S4) UHC5(S4) UHC6(S4) UHC7(S4) PWRB(S1)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Athlon(tm) X2 250 Processor, 3000.65 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative
cpu0: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative
cpu0: apic clock running at 200MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Athlon(tm) X2 250 Processor, 3000.15 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu1: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative
cpu1: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative
ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 21, 24 pins
acpimcfg0 at acpi0 addr 0xe0000000, bus 0-255
acpihpet0 at acpi0: 14318180 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (P0P1)
acpiprt2 at acpi0: bus -1 (PCE2)
acpiprt3 at acpi0: bus -1 (PCE3)
acpiprt4 at acpi0: bus -1 (PCE4)
acpiprt5 at acpi0: bus 2 (PCE5)
acpiprt6 at acpi0: bus 0 (PCE6)
acpiprt7 at acpi0: bus -1 (PCE7)
acpiprt8 at acpi0: bus -1 (PCE9)
acpiprt9 at acpi0: bus -1 (PCEA)
acpiprt10 at acpi0: bus -1 (PCEB)
acpiprt11 at acpi0: bus -1 (PCEC)
acpiprt12 at acpi0: bus 3 (P0PC)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpibtn0 at acpi0: PWRB
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "AMD RS780 Host" rev 0x00
ppb0 at pci0 dev 1 function 0 "AMD RS780 PCIE" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 5 function 0 "ATI Radeon HD 3300" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
radeondrm0 at vga1: apic 2 int 18
drm0 at radeondrm0
azalia0 at pci1 dev 5 function 1 "ATI RS780 HD Audio" rev 0x00: msi
azalia0: no supported codecs
ppb1 at pci0 dev 5 function 0 "AMD RS780 PCIE" rev 0x00: msi
pci2 at ppb1 bus 2
re0 at pci2 dev 0 function 0 "Realtek 8168" rev 0x03: RTL8168D/8111D (0x2800), apic 2 int 17, address 00:24:21:20:da:c2
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 2
ppb2 at pci0 dev 6 function 0 "AMD RS780 PCIE" rev 0x00: not configured by system firmware
ahci0 at pci0 dev 17 function 0 "ATI SBx00 SATA" rev 0x00: apic 2 int 22, AHCI 1.1
scsibus0 at ahci0: 32 targets
cd0 at scsibus0 targ 2 lun 0: <Optiarc, DVD RW AD-7200S, 1.0A> ATAPI 5/cdrom removable
sd0 at scsibus0 targ 3 lun 0: <ATA, ST3320613AS, CC2H> SCSI3 0/direct fixed naa.5000c50013fa5682
sd0: 305245MB, 512 bytes/sector, 625142448 sectors
ohci0 at pci0 dev 18 function 0 "ATI SB700 USB" rev 0x00: apic 2 int 16, version 1.0, legacy support
ohci1 at pci0 dev 18 function 1 "ATI SB700 USB" rev 0x00: apic 2 int 16, version 1.0, legacy support
ehci0 at pci0 dev 18 function 2 "ATI SB700 USB2" rev 0x00: apic 2 int 17
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "ATI EHCI root hub" rev 2.00/1.00 addr 1
ohci2 at pci0 dev 19 function 0 "ATI SB700 USB" rev 0x00: apic 2 int 18, version 1.0, legacy support
ohci3 at pci0 dev 19 function 1 "ATI SB700 USB" rev 0x00: apic 2 int 18, version 1.0, legacy support
ehci1 at pci0 dev 19 function 2 "ATI SB700 USB2" rev 0x00: apic 2 int 19
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 "ATI EHCI root hub" rev 2.00/1.00 addr 1
piixpm0 at pci0 dev 20 function 0 "ATI SBx00 SMBus" rev 0x3c: SMI
iic0 at piixpm0
iic0: addr 0x28 01=20 02=00 03=00 04=20 05=00 06=00 07=83 3e=03 41=20 42=00 43=00 44=20 45=00 46=00 47=83 81=20 82=00 83=00 84=20 85=00 86=00 87=83 c1=20 c2=00 c3=00 c4=20 c5=00 c6=00 c7=83 words 00=ff20 01=2000 02=0000 03=00ff 04=20ff 05=00ff 06=00ff 07=ffff
spdmem0 at iic0 addr 0x50: 2GB DDR3 SDRAM PC3-10600
spdmem1 at iic0 addr 0x51: 2GB DDR3 SDRAM PC3-10600
pciide0 at pci0 dev 20 function 1 "ATI SB700 IDE" rev 0x00: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 1 drive 0: <ST3320613AS>
wd0: 16-sector PIO, LBA48, 305245MB, 625142448 sectors
wd0(pciide0:1:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 6
azalia1 at pci0 dev 20 function 2 "ATI SBx00 HD Audio" rev 0x00: apic 2 int 16
azalia1: codecs: Realtek/0x0889
audio0 at azalia1
pcib0 at pci0 dev 20 function 3 "ATI SB700 ISA" rev 0x00
ppb3 at pci0 dev 20 function 4 "ATI SB600 PCI" rev 0x00
pci3 at ppb3 bus 3
ohci4 at pci0 dev 20 function 5 "ATI SB700 USB" rev 0x00: apic 2 int 18, version 1.0, legacy support
pchb1 at pci0 dev 24 function 0 "AMD AMD64 10h HyperTransport" rev 0x00
pchb2 at pci0 dev 24 function 1 "AMD AMD64 10h Address Map" rev 0x00
pchb3 at pci0 dev 24 function 2 "AMD AMD64 10h DRAM Cfg" rev 0x00
km0 at pci0 dev 24 function 3 "AMD AMD64 10h Misc Cfg" rev 0x00
pchb4 at pci0 dev 24 function 4 "AMD AMD64 10h Link Cfg" rev 0x00
usb2 at ohci0: USB revision 1.0
uhub2 at usb2 "ATI OHCI root hub" rev 1.00/1.00 addr 1
usb3 at ohci1: USB revision 1.0
uhub3 at usb3 "ATI OHCI root hub" rev 1.00/1.00 addr 1
usb4 at ohci2: USB revision 1.0
uhub4 at usb4 "ATI OHCI root hub" rev 1.00/1.00 addr 1
usb5 at ohci3: USB revision 1.0
uhub5 at usb5 "ATI OHCI root hub" rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: probed fifo depth: 15 bytes
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
usb6 at ohci4: USB revision 1.0
uhub6 at usb6 "ATI OHCI root hub" rev 1.00/1.00 addr 1
mtrr: Pentium Pro MTRR support
uhidev0 at uhub4 port 3 configuration 1 interface 0 "vendor 0x04f3 USB+PS/2 Optical Mouse" rev 1.10/24.58 addr 2
uhidev0: iclass 3/1
ums0 at uhidev0: 3 buttons, Z dir
wsmouse0 at ums0 mux 0
uplcom0 at uhub5 port 1 "Prolific Technology PL2303 Serial" rev 1.10/2.02 addr 2
ucom0 at uplcom0
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on wd0a swap on wd0b dump on wd0b
usb_insert_transfer: xfer=0xffff8000003a0d00 not busy 0x4f4e5155
ucomstart: err=INVAL
usb_insert_transfer: xfer=0xffff800000939600 not busy 0x4f4e5155
ucomstart: err=INVAL
ucom0 detached
uplcom0 detached
uplcom0 at uhub5 port 1 "Prolific Technology PL2303 Serial" rev 1.10/2.02 addr 2
ucom0 at uplcom0
ucom0 detached
uplcom0 detached
uplcom0 at uhub5 port 1 "Prolific Technology PL2303 Serial" rev 1.10/2.02 addr 2
ucom0 at uplcom0

-- 
Matthieu Herrb
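Reading the backtrace: strncpy is reached from net_connect_ip_ssl while OpenSSL's PEM_do_header is asking the application's passphrase callback (cb=<net_connect_ip_ssl+1008>) for the key passphrase, and the copy source is src=0x0. The defender's fix on the application side is a callback that declines when it has no passphrase instead of dereferencing NULL. The code below is an added example, not irssi's or OpenSSL's own code: safe_passphrase_cb has the same prototype as OpenSSL's pem_password_cb, and request_passphrase is a constructed stand-in for the PEM_do_header call so the file builds without OpenSSL headers. That the crashing frame is the passphrase callback copying a NULL passphrase pointer is an assumption inferred from the trace, not something the report states.

```c
/* Added example, not irssi's or OpenSSL's code: a NULL-safe PEM passphrase
 * callback plus a constructed stand-in for OpenSSL's PEM_do_header handoff.
 * Assumption: the frame above strncpy in the backtrace is the passphrase
 * callback copying a NULL passphrase pointer into a 1024-byte PEM buffer. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same prototype as OpenSSL's pem_password_cb: fill buf with at most size
 * bytes and return the passphrase length, or <= 0 for "no passphrase". */
typedef int (*passphrase_cb)(char *buf, int size, int rwflag, void *userdata);

/* Hardened callback: declines (returns 0) instead of dereferencing NULL or
 * silently truncating, and always leaves buf NUL-terminated. */
static int safe_passphrase_cb(char *buf, int size, int rwflag, void *userdata)
{
    const char *password = userdata;
    size_t len;

    (void)rwflag;                        /* read-only use here; flag unused */
    if (buf == NULL || size <= 0)
        return 0;
    buf[0] = '\0';
    if (password == NULL)                /* the src=0x0 case from the trace */
        return 0;
    len = strlen(password);
    if (len == 0 || len >= (size_t)size) /* keep room for the terminator;  */
        return 0;                        /* a truncated passphrase is wrong */
    memcpy(buf, password, len + 1);
    return (int)len;
}

/* Constructed stand-in for how PEM_do_header consumes the callback result:
 * returns the supplied length, or -1 when the callback declined (OpenSSL
 * reports a bad passphrase read in that case and the key load fails). */
static int request_passphrase(passphrase_cb cb, void *userdata,
                              char *out, int outsize)
{
    int n = cb(out, outsize, 0, userdata);
    if (n <= 0) {
        if (out != NULL && outsize > 0)
            out[0] = '\0';
        return -1;
    }
    return n;
}

/* Scenario helpers with fixed, checkable results. */
int demo_null_passphrase(void)
{
    char buf[1024];                      /* PEM_BUFSIZE-sized, as in the trace */
    return request_passphrase(safe_passphrase_cb, NULL, buf, (int)sizeof buf);
}

int demo_good_passphrase(void)
{
    static char pw[] = "constructed-sample-passphrase"; /* constructed value */
    char buf[1024];
    int n = request_passphrase(safe_passphrase_cb, pw, buf, (int)sizeof buf);
    return (n > 0 && strcmp(buf, pw) == 0) ? n : -1;
}

int demo_oversized_passphrase(void)
{
    static char pw[] = "0123456789";     /* constructed: longer than buf */
    char buf[8];
    return request_passphrase(safe_passphrase_cb, pw, buf, (int)sizeof buf);
}

int main(void)
{
    printf("NULL passphrase:      %d\n", demo_null_passphrase());
    printf("good passphrase:      %d\n", demo_good_passphrase());
    printf("oversized passphrase: %d\n", demo_oversized_passphrase());
    return 0;
}
```

With a real OpenSSL build the same callback would be installed with SSL_CTX_set_default_passwd_cb and the userdata pointer with SSL_CTX_set_default_passwd_cb_userdata before SSL_CTX_use_PrivateKey_file; a NULL or missing passphrase then surfaces as a failed key load that the client can log and report, rather than a crash in the middle of a reconnect.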