On Sun, Feb 19, 2012 at 08:50:40AM +0100, Matthieu Herrb wrote:
> Hi,
> 
> I use irssi to connect to oftc.net channels, using SSL and a
> personal certificate to authenticate myself. From time to time (once
> every 2 weeks or so, but it's not a regular frequency) it segfaults
> because of a NULL pointer dereference, somewhere in the SSL code.
> 
> I somehow trust OpenBSD's defense mechanisms to make this harder to
> exploit, but still it doesn't feel too good.
> 
> Backtrace below. Note that it's not an action on my side that triggers
> this. It generally happens during the night while I'm away from the
> keyboard.
It seems the trace shows there's an irssi callback function involved:
net_connect_ip_ssl(). That would be my first suspect. Compiling irssi
with debug might reveal more.

	-Otto

> 
> Loaded symbols for /usr/libexec/ld.so
> #0  strncpy (dst=0x7f7ffffc92e0 "?\234??\177\177", src=0x0, n=1024)
>     at /local/OpenBSD/src/lib/libc/string/strncpy.c:53
> 53              if ((*d++ = *s++) == 0) {
> (gdb) bt
> #0  strncpy (dst=0x7f7ffffc92e0 "?\234??\177\177", src=0x0, n=1024)
>     at /local/OpenBSD/src/lib/libc/string/strncpy.c:53
> #1  0x000000000048b607 in net_connect_ip_ssl ()
> #2  0x0000000205601f31 in PEM_do_header (cipher=0x7f7ffffc9870,
>     data=0x20d14f000 "?k?V?p?-l", plen=0x7f7ffffc9850, callback=Variable "callback" is not available.
> )
>     at /local/OpenBSD/src/lib/libssl/crypto/../src/crypto/pem/pem_lib.c:451
> #3  0x000000020560243d in PEM_bytes_read_bio (pdata=0x7f7ffffc98e8,
>     plen=0x7f7ffffc98e0, pnm=0x7f7ffffc98f8,
>     name=0x20573a2c5 "ANY PRIVATE KEY", bp=0x2068ba080,
>     cb=0x48b5b0 <net_connect_ip_ssl+1008>, u=0x2081908a0)
>     at /local/OpenBSD/src/lib/libssl/crypto/../src/crypto/pem/pem_lib.c:296
> #4  0x0000000205595997 in PEM_read_bio_PrivateKey (bp=Variable "bp" is not available.
> )
>     at /local/OpenBSD/src/lib/libssl/crypto/../src/crypto/pem/pem_pkey.c:84
> #5  0x000000020e0e76ef in SSL_CTX_use_PrivateKey_file (ctx=0x20922fc00,
>     file=0x200ecbe40 "/home/matthieu/.irssi/certs/mherrb.pem", type=1)
>     at /local/OpenBSD/src/lib/libssl/ssl/../src/ssl/ssl_rsa.c:654
> #6  0x000000000048b2d5 in net_connect_ip_ssl ()
> #7  0x0000000000481f23 in server_connect_finished ()
> #8  0x00000000004823b9 in server_start_connect ()
> #9  0x000000000047a5aa in mask_match ()
> #10 0x00000002029a9125 in g_main_context_dispatch ()
>    from /usr/local/lib/libglib-2.0.so.2992.0
> #11 0x00000002029ac9cc in g_main_context_check ()
>    from /usr/local/lib/libglib-2.0.so.2992.0
> #12 0x00000002029aceee in g_main_context_iteration ()
>    from /usr/local/lib/libglib-2.0.so.2992.0
> #13 0x0000000000428733 in main ()
> (gdb) p d
> $1 = 0x7f7ffffc92e0 "?\234??\177\177"
> (gdb) p s
> $2 = 0x0
> (gdb)
> 
> % irssi --version
> irssi 0.8.15 (20100403 1617)
> 
> OpenBSD 5.0-current (GENERIC.MP) #0: Sat Dec  3 09:43:45 CET 2011
>     matth...@cortez.herrb.net:/usr/obj/GENERIC.MP
> real mem = 4025024512 (3838MB)
> avail mem = 3903729664 (3722MB)
> 
> -- 
> Matthieu Herrb
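As an added illustration of the callback Otto points at (example code written for this note, not irssi's or OpenSSL's own): a PEM passphrase callback in the shape OpenSSL's pem_password_cb expects, first written the way frame #0 of the trace suggests (strncpy from a user-data pointer that can be NULL), then hardened so a missing passphrase makes the key load fail with an error instead of a segfault. The function names, the global buffer and the simulated PEM_do_header decision are assumptions; PEM_BUFSIZE (1024) and the "klen <= 0 is an error" rule are OpenSSL's.

```c
/* Hypothetical PEM passphrase callback (not irssi's code). Its shape is
 * OpenSSL's pem_password_cb: int cb(char *buf, int size, int rwflag, void *u).
 * PEM_do_header() calls it with size == PEM_BUFSIZE (1024, the n=1024 in
 * the backtrace) and treats a return value <= 0 as "bad password read",
 * failing the key load cleanly instead of crashing. */
#include <stddef.h>
#include <string.h>

#define PEM_BUFSIZE 1024            /* same value OpenSSL uses */

static char g_keybuf[PEM_BUFSIZE];  /* stands in for PEM_do_header's buffer */

/* The pattern the backtrace shows: strncpy() from a user-data pointer that
 * is NULL when no passphrase was configured, so frame #0 faults on *s. */
static int pem_cb_unsafe(char *buf, int size, int rwflag, void *u)
{
    (void)rwflag;
    strncpy(buf, (const char *)u, (size_t)size);   /* u == NULL -> SIGSEGV */
    buf[size - 1] = '\0';
    return (int)strlen(buf);
}

/* Hardened form: a missing or empty passphrase is reported as "none",
 * so OpenSSL fails the load with an error rather than dereferencing NULL;
 * a passphrase that would not fit is refused instead of silently truncated. */
static int pem_cb_safe(char *buf, int size, int rwflag, void *u)
{
    const char *password = (const char *)u;
    size_t len;
    (void)rwflag;                    /* 0 = reading a key, 1 = writing one */
    if (buf == NULL || size <= 0)
        return -1;
    if (password == NULL || password[0] == '\0')
        return 0;                    /* klen <= 0: PEM_do_header reports error */
    len = strlen(password);
    if (len >= (size_t)size)
        return -1;
    memcpy(buf, password, len + 1);  /* includes the terminating NUL */
    return (int)len;
}

/* Mirrors the decision PEM_do_header() makes after the callback returns:
 * 1 means a usable passphrase is in g_keybuf, 0 means the key load fails. */
static int pem_do_header_outcome(int (*cb)(char *, int, int, void *), void *u)
{
    int klen = cb(g_keybuf, PEM_BUFSIZE, 0, u);
    return klen > 0 ? 1 : 0;
}
```

With the hardened callback, an unset passphrase surfaces as an OpenSSL error from SSL_CTX_use_PrivateKey_file() that the caller can log, which is also the condition to check for when the crash only happens on reconnects made while nobody is at the keyboard to supply one.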