OpenVPN openvpn-2.5.2_1 dumps core with signal 11 on 12.2-STABLE and 13.0-STABLE, core file available.

12.2-STABLE version is stable/12-n1-11417329c.
13.0 very recent but do not have exact version available right now.

How to reproduce:
Update to recent 12- or 13-STABLE
Update or install openvpn-2.5.2_1
Use /dev/tap

Works with /dev/tun

Config:

client
dev tap0
proto udp
remote 1.2.3.4
nobind
pull
# cipher AES-256-CBC
persist-key
persist-tun
ca ca.crt
cert cerificate
key key
tls-auth /usr/local/etc/openvpn/tls-auth.key 1
remote-cert-tls server
comp-lzo
log /var/log/openvpn
verb 4
status status.log 20
status-version 2
mute 5
@peo, I cannot reproduce this. We need more information
- what is the server-side configuration?
- can you reproduce this with demo keys that you could share?
- what is the logging you get?
- what is the symbolic backtrace --- you may need to rebuild openvpn from port with make -C /usr/ports/security/openvpn WITH_DEBUG=yes reinstall --- and then use gdb or lldb to obtain a backtrace with variables
Thanks, give me a little time and I'll try to get the info, cannot fiddle with a production environment. We got as far as the problem looked like a string comparison with null. BTW, I solved the problem by reverting ovpn to 2.5.0.

Per
oh and please confirm the build options of OpenVPN when you report back (or if you used the default package from the servers)
Solved. Problem was "push" statements in the server configuration, remains from some ancient config:

# Print your own welcome message
push "echo "
push "echo Welcome"
push "echo "

Versions up to and including 2.5.0 apparently just ignore this while 2.5.2 crashes. Removing the configuration junk fixed it. So the idea that it crashes at a string comparison seems relevant but it would be better of course that the error is caught.

Per
Per, understood, but it's much easier to fix if we know where exactly it breaks down, a backtrace from a DEBUG build would be most useful. ;-)
OK, got it. Server side option push "echo " without further arguments is sufficient to crash my client. I'll admit this is a Linux-client AddressSanitizer backtrace, not FreeBSD, from a Git v2.5.2 build, but why would that matter...

2021-06-03 12:26:20 us=474848 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2021-06-03 12:26:20 us=474951 [whatever] Peer Connection Initiated with [AF_INET6]whatever
2021-06-03 12:26:20 us=493994 PUSH: Received control message: 'PUSH_REPLY,route-ipv6 2000::/3,echo,dhcp-option DNS 172.27.0.1,dhcp-option DNS fc00:da::1,tun-ipv6,route-gateway 172.27.0.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 fc00:da::1000/64 fc00:da::1,ifconfig 172.27.0.2 255.255.0.0,peer-id 0,cipher AES-256-GCM'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==390317==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f68168b8860 bp 0x7ffc261201b0 sp 0x7ffc2611f930 T0)
==390317==The signal is caused by a READ memory access.
==390317==Hint: address points to the zero page.
    #0 0x7f68168b8860 (/lib64/libasan.so.6+0x8a860)
    #1 0x4c1eac in add_option ../../../src/openvpn/options.c:5322
    #2 0x4d6f2d in apply_push_options ../../../src/openvpn/options.c:5009
    #3 0x4f1efc in process_incoming_push_reply ../../../src/openvpn/push.c:819
    #4 0x4f69f6 in process_incoming_push_msg ../../../src/openvpn/push.c:871
    #5 0x4f6c81 in incoming_push_message ../../../src/openvpn/push.c:336
    #6 0x436c41 in check_incoming_control_channel ../../../src/openvpn/forward.c:214
    #7 0x440ce4 in pre_select ../../../src/openvpn/forward.c:1849
    #8 0x4a40ef in tunnel_point_to_point ../../../src/openvpn/openvpn.c:79
    #9 0x4a4603 in openvpn_main ../../../src/openvpn/openvpn.c:283
    #10 0x4a4b93 in main ../../../src/openvpn/openvpn.c:364
    #11 0x7f68162821e1 in __libc_start_main (/lib64/libc.so.6+0x281e1)
    #12 0x409a6d in _start (/home/mandree/VCS-other/openvpn-master.git/_build-asan/src/openvpn/openvpn+0x409a6d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib64/libasan.so.6+0x8a860)
==390317==ABORTING

Git bisect, failure inducing change

4008ce020526f950cb2055ba7effff8f7ceb13e4 is the first bad commit
...
    Document common uses of 'echo' directive, re-enable logging for 'echo'.

I'll commit a band-aid fix to 2.5.2_2, but will need to talk to upstream to fully resolve this since it's not fully understood.
In case this does not appear automatically from Git, PORTREVISION 2 (openvpn v2.5.2) fixes things. commit 6c20c4906a3b0f805c932f4e74ef7f62086e704d (HEAD -> main, origin/main, origin/HEAD) Author: Matthias Andree <mandree@FreeBSD.org> Date: Thu Jun 3 12:47:16 2021 +0200 security/openvpn: band-aid fix for SIGSEGV on push echo PR: 256331 Reported by: peo@nethead.se diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile index 4a82851e65f1..9119e2dfa9ab 100644 --- a/security/openvpn/Makefile +++ b/security/openvpn/Makefile @@ -2,7 +2,7 @@ PORTNAME= openvpn DISTVERSION= 2.5.2 -PORTREVISION?= 1 +PORTREVISION?= 2 CATEGORIES= security net net-vpn MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \ https://build.openvpn.net/downloads/releases/ \ diff --git a/security/openvpn/files/patch-src_openvpn_options.c b/security/openvpn/files/patch-src_openvpn_options.c new file mode 100644 index 000000000000..e46faee8efd0 --- /dev/null +++ b/security/openvpn/files/patch-src_openvpn_options.c @@ -0,0 +1,11 @@ +--- src/openvpn/options.c.orig 2021-04-21 04:02:50 UTC ++++ src/openvpn/options.c +@@ -5319,7 +5319,7 @@ add_option(struct options *options, + { + /* only message-related ECHO are logged, since other ECHOs + * can potentially include security-sensitive strings */ +- if (strncmp(p[1], "msg", 3) == 0) ++ if (p[1] && strncmp(p[1], "msg", 3) == 0) + { + msg(M_INFO, "%s:%s", + pull_mode ? "ECHO-PULL" : "ECHO",
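Review bot: in the options.c hunk, `if (p[1] && strncmp(p[1], "msg", 3) == 0)` stops the NULL read, but an echo option that arrives with no argument now passes through with no diagnostic at all; a separate warning for the missing argument would make the malformed push visible without logging any echo content, which the comment above the check wants to avoid. The new patch-src_openvpn_options.c also carries no header comment, so nothing in the file says why it exists or when it can be dropped; since the commit calls it a band-aid, a short note naming PR 256331 and the upstream status would help the next port update. The PORTREVISION change from 1 to 2 in the Makefile hunk matches the fact that the built package changes.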
A commit in branch 2021Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c306c212d40f2112cd0713e53add1e7851393dc3

commit c306c212d40f2112cd0713e53add1e7851393dc3
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2021-06-03 10:47:16 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2021-06-03 12:34:57 +0000

    security/openvpn: band-aid fix for SIGSEGV on push echo

    PR:             256331
    Reported by:    peo@nethead.se

    (cherry picked from commit 6c20c4906a3b0f805c932f4e74ef7f62086e704d)

 security/openvpn/Makefile                                | 2 +-
 security/openvpn/files/patch-src_openvpn_options.c (new) | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6c20c4906a3b0f805c932f4e74ef7f62086e704d

commit 6c20c4906a3b0f805c932f4e74ef7f62086e704d
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2021-06-03 10:47:16 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2021-06-03 10:47:25 +0000

    security/openvpn: band-aid fix for SIGSEGV on push echo

    PR:             256331
    Reported by:    peo@nethead.se

 security/openvpn/Makefile                                | 2 +-
 security/openvpn/files/patch-src_openvpn_options.c (new) | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
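
The failure mode discussed in this thread, as an added example that is not OpenVPN's code and not part of any comment above: a pushed option list is split on commas, each option becomes a NULL-terminated argument vector, and a bare "echo" leaves p[1] as NULL, so the handler must test it before comparing. The helpers split_option, echo_is_msg and count_msg_echoes are hypothetical names, and the reply string is constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PARMS 16

/* Split one option ("echo msg hello") into a NULL-terminated argv-style
 * vector, modifying buf in place. Returns the number of tokens.
 * Hypothetical helper, far simpler than OpenVPN's own parser. */
static int split_option(char *buf, char *p[MAX_PARMS])
{
    int n = 0;
    for (char *tok = strtok(buf, " "); tok && n < MAX_PARMS - 1;
         tok = strtok(NULL, " "))
        p[n++] = tok;
    p[n] = NULL;            /* a bare "echo" leaves p[1] == NULL */
    return n;
}

/* Guarded form of the check from the port patch: 1 if the option is an
 * echo whose first argument starts with "msg", otherwise 0. */
static int echo_is_msg(char *p[])
{
    if (!p[0] || strcmp(p[0], "echo") != 0)
        return 0;
    return p[1] && strncmp(p[1], "msg", 3) == 0;
}

/* Walk a comma-separated push reply and count loggable echo options. */
static int count_msg_echoes(const char *reply)
{
    char copy[512], *p[MAX_PARMS];
    int hits = 0;
    snprintf(copy, sizeof copy, "%s", reply);
    for (char *opt = copy; opt; ) {
        char *next = strchr(opt, ',');
        if (next)
            *next++ = '\0';     /* terminate this option, step past ',' */
        split_option(opt, p);
        hits += echo_is_msg(p);
        opt = next;
    }
    return hits;
}

int main(void)
{
    /* Constructed sample, modelled on the log line in the thread. */
    const char *reply = "PUSH_REPLY,route-ipv6 2000::/3,echo,"
                        "echo msg hello,echo Welcome,peer-id 0";
    printf("loggable echo options: %d\n", count_msg_echoes(reply));
    return 0;
}
```

Dropping the `p[1] &&` term from echo_is_msg reproduces the class of fault in the AddressSanitizer report: strncmp is handed a NULL pointer for the argument-less echo.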