[defect]: 3.2.x: smbencrypt segfault (also affects standard package in Ubuntu 22) #4539

Closed
user-45-20 opened this issue May 26, 2022 · 1 comment
Labels
defect category: a defect or misbehaviour

Comments

@user-45-20

What type of defect/bug is this?

Crash or memory corruption (segv, abort, etc...)

How can the issue be reproduced?

This issue also affects the freeradius-utils package in upstream Ubuntu 22.04. So, to reproduce it, one can also run:
apt install -y freeradius-utils && smbencrypt test.

This problem seems to be related to OpenSSL 3.0.0. On Ubuntu 20, which ships OpenSSL 1.1.1, this doesn't happen.

I've also tried building current master (b8537d59f6fa933013a1806aea66d4292bdc6906 at the time of writing) and while the crash still happens, the stacktrace is slightly different. In 3.2.x RIP jumps to 0, while in current master it correctly goes into EVP_DigestUpdate in libcrypto.so and crashes there. I've included both stacktraces below.

Log output from the FreeRADIUS daemon

N/A, not a daemon issue

Relevant log output from client utilities

No response

Backtrace from LLDB or GDB

v3.2.x:

#0  0x0000000000000000 in ?? ()
No symbol table info available.
#1  0x00007f19c4e57568 in fr_md4_update (ctx=0x7ffd7b76c1e0, in=0x7ffd7b76c230 "t", inlen=8) at src/freeradius-devel/md4.h:114
No locals.
#2  0x00007f19c4e57604 in fr_md4_calc (out=0x7ffd7b76c470 "\001\374Zk\347\274i)\252\323\264\065\265\024\004\356\300\305v{\375\177", in=0x7ffd7b76c230 "t",
    inlen=8) at src/lib/md4.c:29
        ctx = {ctx = 0x55c8550b02a0, md = 0x7f19c4bc5700, len = 16}
#3  0x000055c854cd93ab in ntpwdhash (out=0x7ffd7b76c470 "\001\374Zk\347\274i)\252\323\264\065\265\024\004\356\300\305v{\375\177",
    password=0x7ffd7b76c4e0 "test") at src/modules/rlm_mschap/smbencrypt.c:59
        len = 8
        ucs2_password = "t\000e\000s\000t", '\000' <repeats 33 times>, "\330\"y{\375\177\000\000\000\000\000\001\000\001\001\001\000\000\000\000\000\001\000\000\001\001\000\000\000\000\001\000\001\000\001\000\001\001\001\001\000\000\000\000\000\000\000\000\001\001\001\000\001\000\000\000\000\000\000\000\000\000\000\001\000\000\001\000\000\001\001\001\001\000\000\000\000\000\001\000\000\000\001\001\001\001\001\000\001\001\001\001\001\001\000\000\000\000\000\001\001\000\001\000\001\000\000\001\000\001\001\001\001\000\000\001\001\001\000\001\001\000\000\000\000\000\000\001\001\000\000\000\000\000\001\001early_in\000\b\002\205=\310\222\230\000\304v{\375\177\000\000"...
#4  0x000055c854cd9522 in main (argc=2, argv=0x7ffd7b76ca08) at src/modules/rlm_mschap/smbencrypt.c:79
        i = 1
        l = 4
        password = "test\000\177\000\000 \307\350\304\031\177\000\000\000\000\000\000\001\000\000\000\220\312\350\304\031\177", '\000' <repeats 14 times>, "\031\177\000\000\000\000\000\000\031\177\000\000\000\000\000\000\031\177\000\000\377\377\377\377", '\000' <repeats 12 times>, "\b\351\350\304\031\177\000\000\360\212\354\304\031\177\000\000\330\350\350\304\031\177\000\000\324\261\351\304\031\177\000\000\030\002\000\000\000\000\000\000\214\v\301\304\031\177\000\000@\021\000\000\000\000\000\000 \307\350\304\031\177\000\000\n\000\000\000\000\000\000\000\r\000\000\000\000\000\000\000 \307\350\304\031\177\000\000\270\201\342\304\031\177\000\000\301\223\315T\310U\000\000P\315\315T\310U\000\000@\200\354\304\031\177\000\000"...
        hash = "\001\374Zk\347\274i)\252\323\264\065\265\024\004\356"
        ntpass = "\300\305v{\375\177\000\000z\257\302\304\031\177\000\000\220\312\350\304\031\177\000\000 \305v{\375\177\000\000\060"
        lmpass = "01FC5A6BE7BC6929AAD3B435B51404EE"



current master:

#0  0x00007f9c12e7845d in EVP_DigestUpdate () from /lib/x86_64-linux-gnu/libcrypto.so.3
No symbol table info available.
#1  0x00007f9c133c9ac3 in fr_md4_openssl_update (ctx=0x0, in=0x7fff9f76ebf0 "t", inlen=8) at src/lib/util/md4.c:103
No locals.
#2  0x00007f9c133ca8c5 in fr_md4_calc (out=0x7fff9f76ee30 "\001\374Zk\347\274i)\252\323\264\065\265\024\004\356\200\357v\237\377\177",
    in=0x7fff9f76ebf0 "t", inlen=8) at src/lib/util/md4.c:494
        ctx = 0x0
#3  0x000055d53bcf73dc in ntpwdhash (out=0x7fff9f76ee30 "\001\374Zk\347\274i)\252\323\264\065\265\024\004\356\200\357v\237\377\177",
    password=0x7fff9f76eea0 "test") at src/modules/rlm_mschap/smbencrypt.c:60
        len = 8
        ucs2_password = "t\000e\000s\000t", '\000' <repeats 33 times>, "\330\"\177\237\377\177\000\000\000\000\000\001\000\001\001\001\000\000\000\000\000\001\000\000\001\001\000\000\000\000\001\000\001\000\001\000\001\001\001\001\000\000\000\000\000\000\000\000\001\001\001\000\001\000\000\000\000\000\000\000\000\000\000\001\000\000\001\000\000\001\001\001\001\000\000\000\000\000\001\000\000\000\001\001\001\001\001\000\001\001\001\001\001\001\000\000\000\000\000\001\001\000\001\000\001\000\000\001\000\001\001\001\001\000\000\001\001\001\000\001\001\000\000\000\000\000\000\001\001\000\000\000\000\000\001\001early_in\000U\214\021\337\004\263?\300\355v\237\377\177\000\000"...
#4  0x000055d53bcf7553 in main (argc=2, argv=0x7fff9f76f3c8) at src/modules/rlm_mschap/smbencrypt.c:80
        i = 1
        l = 4
        password = "test\000\177\000\000 WF\023\234\177\000\000\000\000\000\000\001\000\000\000\220ZF\023\234\177", '\000' <repeats 14 times>, "\234\177\000\000\000\000\000\000\234\177\000\000\000\000\000\000\234\177\000\000\377\377\377\377", '\000' <repeats 12 times>, "\byF\023\234\177\000\000\360\032J\023\234\177\000\000\330xF\023\234\177\000\000\324AG\023\234\177\000\000\030\002\000\000\000\000\000\000\214\333\023\023\234\177\000\000\000C\000\000\000\000\000\000 WF\023\234\177\000\000\n\000\000\000\000\000\000\000\r\000\000\000\000\000\000\000 WF\023\234\177\000\000\270Q5\023\234\177\000\000\362s\317;\325U\000\000P\255\317;\325U\000\000@\020J\023\234\177\000\000"...
        hash = "\001\374Zk\347\274i)\252\323\264\065\265\024\004\356"
        ntpass = "\200\357v\237\377\177\000\000z\177\025\023\234\177\000\000\220ZF\023\234\177\000\000\340\356v\237\377\177\000\000\360"
        lmpass = "01FC5A6BE7BC6929AAD3B435B51404EE"
@user-45-20 user-45-20 added the defect category: a defect or misbehaviour label May 26, 2022
alandekok added a commit that referenced this issue May 26, 2022
@alandekok
Member

smbencrypt likely needs the same hacks for resolving MD4/MD5 stuff as was done for radclient.

I've pushed a fix.
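
Added example, not FreeRADIUS code and not the fix referenced above: the v3.2.x backtrace ends at address 0 directly under fr_md4_update, and the master backtrace passes ctx=0x0 into EVP_DigestUpdate, so the sketch below shows the defensive pattern of confirming that an MD4 routine resolved before calling through it, applied to the same UCS-2 + MD4 step that ntpwdhash performs. The names md4_backend, md4_builtin and nt_hash are hypothetical, and the built-in RFC 1320 fallback is an assumption of this example.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical hook for an externally resolved MD4 routine; NULL means it never resolved. */
typedef int (*md4_fn)(uint8_t out[16], const uint8_t *in, size_t inlen);
static md4_fn md4_backend = NULL;
static uint32_t rol(uint32_t v, int s) { return (v << s) | (v >> (32 - s)); }

/* Built-in MD4 (RFC 1320) for inputs up to 512 bytes; returns 0, or -1 if the input is too long. */
static int md4_builtin(uint8_t out[16], const uint8_t *in, size_t inlen)
{
    static const int S[3][4] = {{3, 7, 11, 19}, {3, 5, 9, 13}, {3, 9, 11, 15}};
    static const int K3[16] = {0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15};
    uint32_t h[4] = {0x67452301u, 0xefcdab89u, 0x98badcfeu, 0x10325476u};
    uint8_t msg[576] = {0};
    if (inlen > 512) return -1;
    size_t total = ((inlen + 8) / 64 + 1) * 64;   /* data + 0x80 + zero pad + 64-bit bit length */
    memcpy(msg, in, inlen);
    msg[inlen] = 0x80;
    for (int i = 0; i < 8; i++) msg[total - 8 + i] = (uint8_t)(((uint64_t)inlen * 8) >> (8 * i));
    for (size_t off = 0; off < total; off += 64) {
        uint32_t x[16] = {0}, v[4] = {h[0], h[1], h[2], h[3]};
        for (int i = 0; i < 64; i++) x[i / 4] |= (uint32_t)msg[off + i] << (8 * (i % 4));
        for (int i = 0; i < 48; i++) {            /* three rounds of 16 steps each */
            uint32_t a = v[0], b = v[1], c = v[2], d = v[3], f;
            int r = i / 16, j = i % 16, k;
            if (r == 0) { f = (b & c) | (~b & d); k = j; }
            else if (r == 1) { f = ((b & c) | (b & d) | (c & d)) + 0x5a827999u; k = (j % 4) * 4 + j / 4; }
            else { f = (b ^ c ^ d) + 0x6ed9eba1u; k = K3[j]; }
            v[0] = d; v[1] = rol(a + f + x[k], S[r][j % 4]); v[2] = b; v[3] = c;
        }
        for (int i = 0; i < 4; i++) h[i] += v[i];
    }
    for (int i = 0; i < 16; i++) out[i] = (uint8_t)(h[i / 4] >> (8 * (i % 4)));
    return 0;
}

/* Checked counterpart of the ntpwdhash step: widen ASCII to UCS-2LE, then hash. */
int nt_hash(uint8_t out[16], const char *password)
{
    uint8_t ucs2[512];
    size_t n = strlen(password);
    if (n > sizeof(ucs2) / 2) return -1;          /* reject instead of overflowing ucs2[] */
    for (size_t i = 0; i < n; i++) { ucs2[2 * i] = (uint8_t)password[i]; ucs2[2 * i + 1] = 0; }
    md4_fn fn = md4_backend ? md4_backend : md4_builtin;   /* never call through a NULL pointer */
    return fn(out, ucs2, 2 * n);
}
```

With md4_backend left NULL, nt_hash(out, "test") returns 0 and fills out with the NT hash instead of jumping to address 0.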
