On Thu, Oct 13, 2022 at 03:02:51PM -0600, Jim Fehlig wrote:
Hi Daniel,
Thanks for the detailed report!
> What's interesting here is that this shows the real error
> message about TLS session priority.
>
> If you set MALLOC_CHECK=1, however, then we lose the useful
> error message:
>
> # MALLOC_CHECK_=1 MALLOC_PERTURB_=146 ./connect-tls-psk
> requires nbdkit --tls-verify-peer -U - null --run 'exit 0'
> free(): invalid pointer
> nbd_connect_command: gnutls_handshake: Error in the pull function. (-1/1)
>
> which was unfortunate for debuggability.
>
> I confirmed it is nbdkit that is crashing and it appears to be
> in gnutls code.
>
> Looking at the image there is no /etc/crypto-policies directory,
> and nor is there any 'crypto-policies' package available in the
> distro.
Indeed. Leap 15.4 and newer include the crypto-policies package. Should the
container move to a 15.4 base?
Looking further, in addition to the nbdkit bug depending on a priority
string that is not possible in the base 15.3 distro, there is a
definite bug in gnutls 3.6.7 shipped in the distro that was later
fixed by gnutls commit 90142f2d "Use inih to parse configuration
file". Look at the gnutls code base of lib/priority.c prior to that
patch:

  static char *system_priority_buf = NULL;
  ...
  char *_gnutls_resolve_priorities(const char* priorities)
  ...
  #ifdef HAVE_FMEMOPEN
          /* Always try to refresh the cached data, to
           * allow it to be updated without restarting
           * all applications
           */
          _gnutls_update_system_priorities();
          fp = fmemopen(system_priority_buf, system_priority_buf_size,
                        "r");
  #else
          fp = fopen(system_priority_file, "r");
  #endif
  ...
          fclose(fp);
          fp = NULL;

This is very much a case of older gnutls mis-using fmemopen(), such
that an fclose() on a second or third attempt to use
system_priority_buf is indeed freeing an invalid pointer.
> So they have mis-built nbdkit in leap 15.3 with TLS priority
> string of @NBDKIT,SYSTEM, despite not having support for that
> in their distro.
I'll fix this in our downstream packages. Thanks a lot for bringing it to my
attention.
You may also want to point the gnutls maintainers to the need to
backport that patch (or otherwise fix that nastiness).
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org