Debian
ipsec-tools package

racoon segfaults when flusing SPD

Bug #913935 reported by Simon Déziel
16
This bug affects 3 people
Affects Status Importance Assigned to Milestone
ipsec-tools (Debian)
Fix Released
Unknown
ipsec-tools (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

My IPsec tunnel is forming and working properly but when I flush the SPD information manually racoon segfaults :

service racoon start
setkey -f /etc/racoon/scripts/setkey

# test tunnel: OK

# Remove SPD
cat << EOF | setkey -c
flush;
spdflush;
EOF

The last command gives this in /var/log/syslog:

Jan 9 14:04:06 simon-laptop racoon: ERROR: privsep_socket: unauthorized domain (15)
Jan 9 14:04:06 simon-laptop kernel: [91971.982694] racoon[27776]: segfault at 10 ip 00007f0908153029 sp 00007fff8b154dc0 error 4 in racoon[7f090812a000+92000]

$ lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10

$ apt-cache policy racoon
racoon:
  Installed: 1:0.8.0-3ubuntu1.1
  Candidate: 1:0.8.0-3ubuntu1.1
  Version table:
 *** 1:0.8.0-3ubuntu1.1 0
        500 http://archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1:0.8.0-3ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages

$ apt-cache policy ipsec-tools
ipsec-tools:
  Installed: 1:0.8.0-3ubuntu1.1
  Candidate: 1:0.8.0-3ubuntu1.1
  Version table:
 *** 1:0.8.0-3ubuntu1.1 0
        500 http://archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1:0.8.0-3ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: racoon 1:0.8.0-3ubuntu1.1
ProcVersionSignature: Ubuntu 3.0.0-15.25-generic 3.0.13
Uname: Linux 3.0.0-15-generic x86_64
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Mon Jan 9 14:06:25 2012
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111011)
ProcEnviron:
 LANGUAGE=en_CA:en
 PATH=(custom, no user)
 LANG=en_CA.UTF-8
 SHELL=/bin/bash
SourcePackage: ipsec-tools
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Simon Déziel (sdeziel) wrote :
Revision history for this message
Simon Déziel (sdeziel) wrote :

Here is my racoon configuration (remote IP obfuscated) :

$ cat /etc/racoon/racoon.conf
privsep
{
  user "racoon";
  group "racoon";
}

log notify;
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

remote 1.2.3.4 {
        exchange_mode main;
 nat_traversal on;
 certificate_type plain_rsa "/etc/racoon/local-key/sdeziel-laptop";
 peers_certfile plain_rsa "/etc/racoon/remote-key/sdeziel-fw.pub";
 peers_identifier fqdn "sdeziel-fw";
 my_identifier fqdn "sdeziel-laptop";
 verify_cert off;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group modp2048;
        }
}
sainfo anonymous {
        pfs_group modp2048;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

Note that the remote peer receives the SA deletion message even if racoon crashes.

Revision history for this message
Daniel Letzeisen (dtl131) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. Please try to obtain a backtrace following the instructions at http://wiki.ubuntu.com/DebuggingProgramCrash and upload the backtrace (as an attachment) to the bug report. This will greatly help us in tracking down your problem.

Changed in ipsec-tools (Ubuntu):
status: New → Incomplete
Revision history for this message
Simon Déziel (sdeziel) wrote :

@Dave, here is the backtrace. FYI, the crash only happens in the separated unprivileged process. The crash does not occur when running with root.

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for ipsec-tools (Ubuntu) because there has been no activity for 60 days.]

Changed in ipsec-tools (Ubuntu):
status: Incomplete → Expired
Revision history for this message
Simon Déziel (sdeziel) wrote :

Please, let me know if the backtrace is not enough.

Changed in ipsec-tools (Ubuntu):
status: Expired → Confirmed
Revision history for this message
imagine (imagine-de) wrote :

I can confirm this. racoon is running as an unprivileged user and dying with the following error messages after a while (I do not have to run spdflush for this to happen):

Sep 11 15:28:23 racoon: ERROR: failed to get sainfo.
Sep 11 15:28:23 racoon: ERROR: failed to get sainfo.
Sep 11 15:28:23 racoon: [xx.xx.xx.xx] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
Sep 11 15:28:23 racoon: ERROR: privsep_socket: unauthorized domain (15)
Sep 11 15:28:23 kernel: [59417.050147] show_signal_msg: 57 callbacks suppressed
Sep 11 15:28:23 kernel: [59417.050158] racoon[2166]: segfault at 10 ip 00007fd415fa0018 sp 00007ffff4ba3eb0 error 4 in racoon[7fd415f77000+92000]

Note that this happened after racoon was successfully running for a few hours. This never happened with racoon version 0.7.3.

Bug Watch Updater (bug-watch-updater)
Changed in ipsec-tools (Debian):
status: Unknown → Confirmed
Bug Watch Updater (bug-watch-updater)
Changed in ipsec-tools (Debian):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.