Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 417883 - net-firewall/ipsec-tools-0.8.0-r3: racoon segfaults on incoming connections if privsep is used
Summary: net-firewall/ipsec-tools-0.8.0-r3: racoon segfaults on incoming connections i...
Status: RESOLVED NEEDINFO
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server (show other bugs)
Hardware: All Linux
: --- normal (vote)
Assignee: Anthony Basile
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-05-27 22:48 UTC by Andrew Savchenko
Modified: 2015-03-02 12:32 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
racoon.conf (racoon.conf,853 bytes, text/plain)
2012-05-27 22:51 UTC, Andrew Savchenko
Details
emerge --info (emerge.info,7.31 KB, text/plain)
2012-05-27 22:52 UTC, Andrew Savchenko
Details
emerge --info (emerge.info,7.19 KB, text/plain)
2012-07-18 18:58 UTC, Andrew Savchenko
Details
emerge --info from another host (emerge.info,6.42 KB, text/plain)
2012-07-25 01:11 UTC, Andrew Savchenko
Details
racoon.tar.xz (racoon.tar.xz,5.55 KB, text/plain)
2012-07-31 02:44 UTC, Andrew Savchenko
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andrew Savchenko gentoo-dev 2012-05-27 22:48:48 UTC
Hello,

I have a following setup: racoon from ipsec-tools-0.8.0, privsep is enabled, on *any* new incoming connection (INITIAL-CONTACT) racoon segfaults:

May 27 16:44:13 [racoon] INFO: respond new phase 1 negotiation: 10.50.0.89[500]<=>10.51.15.126[500]_
May 27 16:44:13 [racoon] INFO: begin Identity Protection mode._
May 27 16:44:13 [racoon] INFO: received Vendor ID: DPD_
May 27 16:44:13 [racoon] WARNING: CERT validation disabled by configuration_
May 27 16:44:13 [racoon] INFO: ISAKMP-SA established 10.50.0.89[500]-10.51.15.126[500] spi:e018f61cc1ff7c11:894fe14faf0969f2_
May 27 16:44:13 [racoon] [10.51.15.126] INFO: received INITIAL-CONTACT_
May 27 16:44:13 [racoon] ERROR: privsep_socket: unauthorized domain (15)_
May 27 16:44:13 [racoon] INFO: racoon privileged process 29659 terminated_
May 27 16:44:13 [kernel] racoon[29686]: segfault at 10 ip 0000000000423ab6 sp 00007fffefd5a010 error 4 in racoon[400000+94000]

Even without chroot this crash is reproducible, with privsep completely disabled racoon works normally.

I use only AH tunelling for this connection.
Older racoon from ipsec-tools-0.7.3-r1 works fine under the same conditions.

Bug is reported upstream, I found similar report, but with no reply:
https://sourceforge.net/mailarchive/message.php?msg_id=27864382

This problem may have severe security implications:
1) This is a remote DoS.
2) Arbitrary code execution may be possible, scope is unknown.
3) Strong security measure — privsep — become unusable and useless.
Comment 1 Andrew Savchenko gentoo-dev 2012-05-27 22:51:10 UTC
Created attachment 313331 [details]
racoon.conf

Config file used.

Any option in privsep section is sufficient to reproduce problem. Of course, racoon user and chroot environment are created properly according to the racoon.conf manual.
Comment 2 Andrew Savchenko gentoo-dev 2012-05-27 22:52:33 UTC
Created attachment 313333 [details]
emerge --info
Comment 3 Andrew Savchenko gentoo-dev 2012-05-27 22:57:49 UTC
And I rebuilt it with CFLAGS="-O2" LDFLAGS="" with the same result.
Comment 4 Anthony Basile gentoo-dev 2012-07-12 18:20:47 UTC
I'm sorry for the delay in responding, but I've tried to reproduce this now several times with different permutations and I can't no matter what I do.  Under all conditions, I get the privsep working.

Can you please test again and see if you still have this problem.  Please upload your emerge --info again bececause the file you attached is corrupted.  In fact, don't upload it as an attachment, rather just run the following

     emerge --info ipsec-tools

and cut and paste directly into the text area.

Thanks.
Comment 5 Anthony Basile gentoo-dev 2012-07-18 14:45:54 UTC
Okay I'm going to close this since I can't reproduce it.  If you want me to continue pursuing this issue, please reopen and we'll work through the issue.
Comment 6 Andrew Savchenko gentoo-dev 2012-07-18 18:58:26 UTC
Created attachment 318562 [details]
emerge --info

Hmm, sorry, original emerge --info is indeed broken somehow.
I'm uploading a new file. I upload it as a file because it is rather large and I don't want to flood a discussion branch.
Comment 7 Andrew Savchenko gentoo-dev 2012-07-18 19:00:33 UTC
I'll try to reproduce this in a while.
Please understand that in order to reproduce this I need to broke setup of some host and its connectability.
Comment 8 Andrew Savchenko gentoo-dev 2012-07-19 00:04:36 UTC
I still have the same issue with racoon from ipsec-tools-0.8.0-r3:

Jul 19 04:01:43 [racoon] INFO: caught signal 15_                                                                                               
Jul 19 04:01:43 [racoon] INFO: racoon process 20687 shutdown_                                                                                  
Jul 19 04:01:44 [racoon] INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)_                                                     
Jul 19 04:01:44 [racoon] INFO: @(#)This product linked OpenSSL 1.0.0i 19 Apr 2012 (http://www.openssl.org/)_                                   
Jul 19 04:01:44 [racoon] INFO: Reading configuration from "/etc/racoon/racoon.conf"_                                                           
Jul 19 04:01:44 [racoon] INFO: 10.50.0.89[500] used for NAT-T_                                                                                 
Jul 19 04:01:44 [racoon] INFO: 10.50.0.89[500] used as isakmp port (fd=8)_                                                                     
Jul 19 04:01:44 [racoon] INFO: racoon privileged process running with PID 12236_                                                               
Jul 19 04:01:44 [racoon] INFO: racoon unprivileged process running with PID 12263_                                                             
Jul 19 04:01:59 [racoon] INFO: respond new phase 1 negotiation: 10.50.0.89[500]<=>10.51.15.126[500]_                                           
Jul 19 04:01:59 [racoon] INFO: begin Identity Protection mode._                                                                                
Jul 19 04:01:59 [racoon] INFO: received Vendor ID: DPD_                                                                                        
Jul 19 04:01:59 [racoon] WARNING: CERT validation disabled by configuration_                                                                   
Jul 19 04:01:59 [racoon] INFO: ISAKMP-SA established 10.50.0.89[500]-10.51.15.126[500] spi:1f1efbdbe607fd37:1c97fdd96fac9b3f_                  
Jul 19 04:01:59 [racoon] [10.51.15.126] INFO: received INITIAL-CONTACT_                                                                        
Jul 19 04:01:59 [racoon] ERROR: privsep_socket: unauthorized domain (15)_                                                                      
Jul 19 04:01:59 [racoon] INFO: racoon privileged process 12236 terminated_                                                                     
Jul 19 04:01:59 [kernel] racoon[12263]: segfault at 10 ip 00000000004238a8 sp 00007fff441266b0 error 4 in racoon[400000+94000]

racoon.conf is the same as in the first post.
Comment 9 Andrew Savchenko gentoo-dev 2012-07-19 00:18:50 UTC
Steps to reproduce:

0) You need either third host C with non-ipsec access to A and B hosts or direct physical/kvm/ilo access to both A and B host.
1) Stop racoon on both sides (A and B) of ipsec connection.
2) rc-config start racoon on A.
3) rc-config start racoon on B.
4) on B: ping A
5) Segfault on A!

I recompiled racoon with CFLAGS="-ggdb" FEATURES="splitdebug" and managed to get gdb backtrace on host A:

#0  0x000000000042ee8a in rec_fd (s=11) at privsep.c:1574
#1  0x000000000042df41 in privsep_socket (domain=15, type=3, protocol=2) at privsep.c:1144
#2  0x000000000042fa96 in pfkey_dump_sadb (satype=0) at pfkey.c:312
#3  0x0000000000427d63 in isakmp_info_recv_initialcontact (iph1=0x19f4f20, protectedph2=0x0) at isakmp_inf.c:1305
#4  0x0000000000425fbe in isakmp_info_recv_n (iph1=0x19f4f20, notify=0x19ebc40, msgid=2587936451, encrypted=1) at isakmp_inf.c:411
#5  0x0000000000425af2 in isakmp_info_recv (iph1=0x19f4f20, msg0=0x19f54c0) at isakmp_inf.c:294
#6  0x000000000040980c in isakmp_main (msg=0x19f54c0, remote=0x7fff56e3dc90, local=0x7fff56e3dc10) at isakmp.c:652
#7  0x0000000000408dbd in isakmp_handler (ctx=0x0, so_isakmp=8) at isakmp.c:377
#8  0x0000000000408021 in session () at session.c:325
#9  0x000000000040757b in main (ac=4, av=0x7fff56e3ef18) at main.c:345
Comment 10 Andrew Savchenko gentoo-dev 2012-07-19 00:57:02 UTC
Looks like I found why you were unable to reproduce this bug. It is essential that ipsec mode between A and B host must be tunnel — it works in transport mode, though I need (and use) tunnel in my setup.

Mine ipsec.conf on A host (which crashes): 

#!/usr/sbin/setkey -f
flush;
spdflush;

spdadd B A any -P in ipsec
    ah/transport/B-A/require;
spdadd A B any -P out ipsec
    ah/transport/A-B/require;


IPs are replaced by A and B respectively. B host has the same setup with in and out policies switched.
Comment 11 Andrew Savchenko gentoo-dev 2012-07-19 00:58:26 UTC
Uhh, sorry, that was a _working_ sample from my latest test.

The following sample leads to crash:

#!/usr/sbin/setkey -f
flush;
spdflush;

spdadd B A any -P in ipsec
    ah/tunnel/B-A/require;
spdadd A B any -P out ipsec
    ah/tunnel/A-B/require;
Comment 12 Andrew Savchenko gentoo-dev 2012-07-19 01:07:40 UTC
Sorry again, just ignore my two previous posts: during tests I forgot to reenable privsep, so racoon have not crashed. With privsep enabled racoon crashes regardles to mode set.
Comment 13 Anthony Basile gentoo-dev 2012-07-19 11:58:39 UTC
(In reply to comment #6)
> Created attachment 318562 [details]
> emerge --info
> 
> Hmm, sorry, original emerge --info is indeed broken somehow.
> I'm uploading a new file. I upload it as a file because it is rather large
> and I don't want to flood a discussion branch.

Thanks, but what I need is

    emerge --info ipsec-tools

so I can see your flags.  BTW, your stack trace is useful and shows me where the seg fault occurs, but I'm not sure why and I don't hit it.
Comment 14 Andrew Savchenko gentoo-dev 2012-07-19 18:41:13 UTC
net-firewall/ipsec-tools-0.8.0-r3 was built with the following:
USE="idea ipv6 kerberos ldap (multilib) nat pam rc5 readline -hybrid (-selinux) -stats"
Comment 15 Andrew Savchenko gentoo-dev 2012-07-25 01:05:57 UTC
Hmm, now on another host I have (after an update to 0.8.0-r3):

Jul 25 05:01:31 localhost racoon: INFO: respond new phase 1 negotiation: 10.51.15.126[500]<=>10.50.0.89[500]                                   
Jul 25 05:01:31 localhost racoon: INFO: begin Identity Protection mode.                                                                        
Jul 25 05:01:31 localhost racoon: INFO: received Vendor ID: DPD                                                                                
Jul 25 05:01:31 localhost racoon: WARNING: CERT validation disabled by configuration                                                           
Jul 25 05:01:31 localhost racoon: INFO: ISAKMP-SA established 10.51.15.126[500]-10.50.0.89[500] spi:e23d5d5f5de8e777:0a56c8a0b9188829          
Jul 25 05:01:31 localhost racoon: [10.50.0.89] INFO: received INITIAL-CONTACT                                                                  
Jul 25 05:01:31 localhost racoon: ERROR: privsep_socket: unauthorized domain (15)                                                              
Jul 25 05:01:31 localhost racoon: INFO: racoon privileged process 4985 terminated

And racoon process exits.
Comment 16 Andrew Savchenko gentoo-dev 2012-07-25 01:11:55 UTC
Created attachment 319158 [details]
emerge --info from another host

And I have a segfault here just, it just doesn't appear in the logs, but gdb confirms this.

racoon.conf is the essentially the same, the only difference is in rsa-plain keys provided.
Comment 17 Andrew Savchenko gentoo-dev 2012-07-25 01:17:33 UTC
Backtrace on the second host is the same:

#0  0x000000000042b4ac in rec_fd (s=11) at privsep.c:1574
#1  0x000000000042a563 in privsep_socket (domain=15, type=3, protocol=2) at privsep.c:1144
#2  0x000000000042c0b6 in pfkey_dump_sadb (satype=0) at pfkey.c:312
#3  0x0000000000426447 in isakmp_info_recv_initialcontact (iph1=0x82c730, protectedph2=0x0) at isakmp_inf.c:1305
#4  0x00000000004246a2 in isakmp_info_recv_n (iph1=0x82c730, notify=0x836530, msgid=845254017, encrypted=1) at isakmp_inf.c:411
#5  0x00000000004241d6 in isakmp_info_recv (iph1=0x82c730, msg0=0x82f8e0) at isakmp_inf.c:294
#6  0x0000000000408be9 in isakmp_main (msg=0x82f8e0, remote=0x7fff1e54f820, local=0x7fff1e54f7a0) at isakmp.c:652
#7  0x000000000040819a in isakmp_handler (ctx=0x0, so_isakmp=8) at isakmp.c:377
#8  0x00000000004073fe in session () at session.c:325
#9  0x000000000040697b in main (ac=4, av=0x7fff1e550aa8) at main.c:345
Comment 18 Anthony Basile gentoo-dev 2012-07-30 22:06:32 UTC
I have no idea why I can't hit this.  I set up two virtual machines, I even called them subaru and orion.  Generated keys.  Set up a user account racoon.  Got the privilege drop and it worked.  I don't want to give up, but I still can't see what we're doing differently.  Sorry :(  Nonetheless, I'm certina there's something there because you can reliably reproduce it and you've even bumped glibc during the duration of this bug.

I googled in the hopes that someone else might have hit this, but the only thing I keep finding is your upstream bug.
Comment 19 Anthony Basile gentoo-dev 2012-07-31 01:37:24 UTC
Grasping at straws here.  Can you tell me what you have at the following and how they were generated.  I want to get a precise reproduction to eliminate extra factors:

/etc/racoon/certs
/etc/racoon/script

subaru.priv
orionis.pub

and on the other host

orionis.priv
subaru.pub
Comment 20 Andrew Savchenko gentoo-dev 2012-07-31 02:42:48 UTC
Hello,

(In reply to comment #18)
> I have no idea why I can't hit this.  I set up two virtual machines, I even
> called them subaru and orion.

The second one is "orionis", but this should not matter ;-)

> Generated keys.  Set up a user account
> racoon.  Got the privilege drop and it worked.  I don't want to give up, but
> I still can't see what we're doing differently.  Sorry :(  Nonetheless, I'm
> certina there's something there because you can reliably reproduce it and
> you've even bumped glibc during the duration of this bug.

I planned to perform a full debug: not just a backtrace, but to see step-by-step what is going on, what is wrong and probably what differs from 0.7.3, where everything works for me. But ATM I'm far away from these boxes and have only a very slow and expensive ssh link to them, it is hardly possible to do debugging under such conditions. I'll be back at September, so I'll try to debug this case more thoroughly.

> I googled in the hopes that someone else might have hit this, but the only
> thing I keep finding is your upstream bug.

As I mentioned in my first post, there is another report with a similar issue, without any solution: http://sourceforge.net/mailarchive/message.php?msg_id=27864382
At the very least I'm not the only one stumbling an this.

(In reply to comment #19)
> Grasping at straws here.  Can you tell me what you have at the following and
> how they were generated.  

All keys were generated using:
plainrsa-gen -b 4096 -f outfile.priv

Sorry, I can't upload private keys now, becuase I can't change them until September. Though, I changed them in the past and this hadn't affected this issue.

> I want to get a precise reproduction to eliminate
> extra factors:
> 
> /etc/racoon/certs
> /etc/racoon/script

I have nothing in the scripts directory.

There is one change in the certs, though: in 0.7.3 it was possible to use multiple peers_certificate options per single remote statement, so I had multiple *.pub files in the certs directory on orionis, but in 0.8.0 it is possible no longer. That's why after an upgrade on orionis I use single res.pub file with all public keys for all hosts in this file.

> subaru.priv
> orionis.pub
> 
> and on the other host
> 
> orionis.priv
> subaru.pub

I'll upload shortly all content of my /etc/racoon and chroot directories for both hosts, except for *.priv files, where private records were removed.
Comment 21 Andrew Savchenko gentoo-dev 2012-07-31 02:44:59 UTC
Created attachment 319808 [details]
racoon.tar.xz

Full /etc/racoon and chroot directories for both subaru and orionis hosts, except for *.priv files.
Comment 22 Anthony Basile gentoo-dev 2013-03-18 12:13:57 UTC
(In reply to comment #21)
> Created attachment 319808 [details]
> racoon.tar.xz
> 
> Full /etc/racoon and chroot directories for both subaru and orionis hosts,
> except for *.priv files.

I still haven't forgotten about this one!

Can you test ipsec-tools-0.8.1 which I added to the tree a few days ago.  Let me know if this is still an issue.
Comment 23 Anthony Basile gentoo-dev 2015-03-02 12:32:21 UTC
(In reply to Anthony Basile from comment #22)
> (In reply to comment #21)
> > Created attachment 319808 [details]
> > racoon.tar.xz
> > 
> > Full /etc/racoon and chroot directories for both subaru and orionis hosts,
> > except for *.priv files.
> 
> I still haven't forgotten about this one!
> 
> Can you test ipsec-tools-0.8.1 which I added to the tree a few days ago. 
> Let me know if this is still an issue.

we're up to 0.8.1.  I never did hit the seg fault of comment 0.  Let's reopen if we get more information.