core dump

Bug #1160585 reported by SW
This bug affects 1 person
Affects: xmlsec1 (Ubuntu)
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned

Bug Description

root # lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.2 LTS
Release: 12.04
Codename: precise

root# uname -a
Linux server 3.2.0-39-generic #62-Ubuntu SMP Thu Feb 28 00:28:53 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

root# xmlsec1 --version
xmlsec1 1.2.14 (openssl)

Package: openssl
Version: 1.0.1-4ubuntu5.8

Package: xmlsec1
Version: 1.2.14-1.2build1

Package: libxmlsec1
Version: 1.2.14-1.2build1

The same command with the same files works on 32-bit Ubuntu (xmlsec1 on that working machine is version 1.2.9).

root# xmlsec1 --decrypt --trusted certs/ca.pem --trusted certs/RootCert.pem --privkey-pem certs/privkey.pem /tmp/crypted.EWKqgO
Segmentation fault (core dumped)

And the backtrace from gdb:
(gdb) bt
#0 0x00007ffff6ce6139 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
#1 0x00007ffff7bbf815 in ?? () from /usr/lib/libxmlsec1-openssl.so.1
#2 0x00007ffff797aa42 in xmlSecTransformDefaultPushBin () from /usr/lib/libxmlsec1.so.1
#3 0x00007ffff797aad1 in xmlSecTransformDefaultPushBin () from /usr/lib/libxmlsec1.so.1
#4 0x00007ffff797a39a in xmlSecTransformCtxBinaryExecute () from /usr/lib/libxmlsec1.so.1
#5 0x00007ffff79840a3 in xmlSecEncCtxDecryptToBuffer () from /usr/lib/libxmlsec1.so.1
#6 0x00007ffff7962d4d in ?? () from /usr/lib/libxmlsec1.so.1
#7 0x00007ffff795fa72 in xmlSecKeyInfoNodeRead () from /usr/lib/libxmlsec1.so.1
#8 0x00007ffff7965f46 in xmlSecKeysMngrGetKey () from /usr/lib/libxmlsec1.so.1
#9 0x00007ffff79821d2 in ?? () from /usr/lib/libxmlsec1.so.1
#10 0x00007ffff7984061 in xmlSecEncCtxDecryptToBuffer () from /usr/lib/libxmlsec1.so.1
#11 0x00007ffff7984345 in xmlSecEncCtxDecrypt () from /usr/lib/libxmlsec1.so.1
#12 0x00000000004061ea in ?? ()
#13 0x0000000000403b0a in ?? ()
#14 0x00007ffff701376d in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#15 0x0000000000403ed1 in ?? ()
#16 0x00007fffffffe678 in ?? ()
#17 0x000000000000001c in ?? ()
#18 0x0000000000000009 in ?? ()
#19 0x00007fffffffe8dc in ?? ()
#20 0x00007fffffffe8ed in ?? ()
#21 0x00007fffffffe8f7 in ?? ()
#22 0x00007fffffffe901 in ?? ()
#23 0x00007fffffffe90e in ?? ()
#24 0x00007fffffffe918 in ?? ()
#25 0x00007fffffffe92f in ?? ()
#26 0x00007fffffffe93d in ?? ()
#27 0x00007fffffffe94f in ?? ()
#28 0x0000000000000000 in ?? ()

I won't give the full core dump file; it contains my privkey.

SW (launchpad-mailinator) wrote :

I debugged this more. The 32-bit version of xmlsec1 works fine.

The crash happens during the function call xmlSecEncCtxDecrypt(&encCtx, data->startNode). The call is made from apps/xmlsec.c:1710:

      start_time = clock();
>     if(xmlSecEncCtxDecrypt(&encCtx, data->startNode) < 0) {
          fprintf(stderr, "Error: failed to decrypt file\n");
          goto done;
      }
      total_time += clock() - start_time;

encCtx, data and data->startNode all have some content, but my knowledge about SSL libraries is too small, so I cannot verify if that content is correct.

SW (launchpad-mailinator) wrote :

And a little deeper trace... (I censored the content of those buffers just in case they contain key information.)

Hope this helps track this bug down.

322 ret = RSA_private_decrypt(inSize, xmlSecBufferGetData(in),
(gdb) s
xmlSecBufferGetData (buf=0x62f960) at buffer.c:168
168 xmlSecBufferGetData(xmlSecBufferPtr buf) {
(gdb) n
169 xmlSecAssert2(buf != NULL, NULL);
(gdb)
171 return(buf->data);
(gdb) p buf
$8 = (xmlSecBufferPtr) 0x62f960
(gdb) p buf->data
$9 = (unsigned char *) 0x635060 ""
(gdb) bt
#0 xmlSecBufferGetData (buf=0x62f960) at buffer.c:171
#1 0x00007ffff7bbf7f4 in xmlSecOpenSSLRsaPkcs1Process (
    transformCtx=<optimized out>, transform=0x62f920) at kt_rsa.c:322
#2 xmlSecOpenSSLRsaPkcs1Execute (transform=0x62f920, last=<optimized out>,
    transformCtx=<optimized out>) at kt_rsa.c:226
#3 0x00007ffff797aa42 in xmlSecTransformDefaultPushBin (transform=0x62f920,
    data=0x634850 "", dataSize=0, final=1, transformCtx=0x62f348)
    at transforms.c:2195
#4 0x00007ffff797aad1 in xmlSecTransformDefaultPushBin (transform=0x62f880,
    data=0x6332c8 "", dataSize=0, final=1, transformCtx=0x62f348)
    at transforms.c:2218
#5 0x00007ffff797a39a in xmlSecTransformCtxBinaryExecute (ctx=0x62f348,
    data=0x633170 "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"..., dataSize=344)
    at transforms.c:1106
#6 0x00007ffff79840a3 in xmlSecEncCtxDecryptToBuffer (encCtx=0x62f080,
    node=<optimized out>) at xmlenc.c:739
#7 0x00007ffff7962d4d in xmlSecKeyDataEncryptedKeyXmlRead (id=0x7ffff7ba1400,
    key=0x638230, node=0x638930, keyInfoCtx=0x7fffffffe088) at keyinfo.c:1441
#8 0x00007ffff795fa72 in xmlSecKeyInfoNodeRead (keyInfoNode=<optimized out>,
    key=0x638230, keyInfoCtx=0x7fffffffe088) at keyinfo.c:112
#9 0x00007ffff7965f46 in xmlSecKeysMngrGetKey (keyInfoNode=0x638840,
    keyInfoCtx=0x7fffffffe088) at keys.c:1347
#10 0x00007ffff79821d2 in xmlSecEncCtxEncDataNodeRead (encCtx=0x7fffffffe070,
    node=<optimized out>) at xmlenc.c:949
#11 0x00007ffff7984061 in xmlSecEncCtxDecryptToBuffer (encCtx=0x7fffffffe070,
    node=0x638350) at xmlenc.c:713
#12 0x00007ffff7984345 in xmlSecEncCtxDecrypt (encCtx=0x7fffffffe070,
    node=0x638350) at xmlenc.c:621
#13 0x00000000004061ea in xmlSecAppDecryptFile (filename=<optimized out>)
    at xmlsec.c:1710
#14 0x0000000000403b0a in main (argc=9, argv=<optimized out>) at xmlsec.c:1168
(gdb) s
172 }
(gdb)
xmlSecBufferGetData (buf=0x62f948) at buffer.c:168
168 xmlSecBufferGetData(xmlSecBufferPtr buf) {
(gdb)
169 xmlSecAssert2(buf != NULL, NULL);
(gdb)
171 return(buf->data);
(gdb)
172 }
(gdb)
(gdb)
RSA_private_decrypt (flen=256,
    from=0x634c50 "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", <incomplete sequence \350>..., to=0x635060 "", rsa=0x632f70, padding=1) at rsa_crpt.c:114
114 rsa_crpt.c: No such file or directory.
(gdb)
RSA_eay_private_decrypt (flen=256,
    from=0x634c50 "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", <incomplete sequence \350>..., to=0x635060 "", rsa=0x632f70, padding=1) at rsa_eay.c:494
494 rsa_eay.c: No such file or directory.
(gdb)
500 in rsa_eay.c
(gdb)
507 in r...


SW (launchpad-mailinator) wrote :

Forgot to print these too.

322 ret = RSA_private_decrypt(inSize, xmlSecBufferGetData(in),
(gdb) p out
$1 = (xmlSecBufferPtr) 0x62f960
(gdb) p *transform
$2 = {id = 0x7ffff7dd7100, operation = xmlSecTransformOperationDecrypt,
  status = xmlSecTransformStatusWorking, hereNode = 0x6389b0, next = 0x634390,
  prev = 0x62f880, inBuf = {
    data = 0x634c50 "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", <incomplete sequence \350>..., size = 256, maxSize = 1024, allocMode = xmlSecAllocModeDouble},
  outBuf = {data = 0x635060 "", size = 0, maxSize = 1024,
    allocMode = xmlSecAllocModeDouble}, inNodes = 0x0, outNodes = 0x0,
  reserved0 = 0x0, reserved1 = 0x0}
(gdb) p *ctx
$10 = {pKey = 0x630380}
(gdb) p *ctx->pKey
$11 = {type = 6, save_type = 6, references = 3, ameth = 0x7ffff6fd2ec0,
  engine = 0x0, pkey = {ptr = 0x632f70 "", rsa = 0x632f70, dsa = 0x632f70,
    dh = 0x632f70, ec = 0x632f70}, save_parameters = 1, attributes = 0x0}

James Page (james-page) wrote :

@SW

First, apologies for the lag in response.

As this is a bug reported on a version of Ubuntu that is no longer supported, I'm going to close this bug out as a Won't Fix; if you're able to reproduce on Ubuntu 14.04 or later please feel free to re-open it with new information/stacktraces.

Thanks

Changed in xmlsec1 (Ubuntu):
status: New → Won't Fix