kolide / fleet

A flexible control server for osquery fleets
https://kolide.com/fleet
MIT License

Improper error handling for parsing of certificate PEM in fleetctl #2338

Open zwass opened 3 years ago

zwass commented 3 years ago

In https://github.com/kolide/fleet/blob/master/server/service/client.go#L53 we use errors.Wrap inside a statement that returns only a bool error status. errors.Wrap returns nil if the provided error is nil. If execution has made it to this point, the err variable is certain to be nil.

The function returns nil, nil, leading to a segfault later when the client is used.
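The pattern described in the comment above, as an added example that is not the project's own code: a bool-reported failure wrapped around a nil err yields nil, nil, next to a corrected form that creates a fresh error. The Client type, the function names and the local wrap helper (standing in for errors.Wrap from github.com/pkg/errors, which returns nil for a nil error) are assumptions made for illustration.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
)

// Client is a hypothetical stand-in for an API client that holds a CA pool.
type Client struct{ rootCAs *x509.CertPool }

// wrap mimics the nil behaviour of errors.Wrap (github.com/pkg/errors):
// wrapping a nil error yields nil.
func wrap(err error, msg string) error {
	if err == nil {
		return nil
	}
	return fmt.Errorf("%s: %w", msg, err)
}

// newClientBuggy reproduces the pattern from the issue: the failure is
// signalled by a bool, but the returned error is built from a nil err.
func newClientBuggy(pem []byte) (*Client, error) {
	var err error // nil here: every earlier step succeeded
	pool := x509.NewCertPool()
	if ok := pool.AppendCertsFromPEM(pem); !ok {
		return nil, wrap(err, "adding root CA") // evaluates to nil, nil
	}
	return &Client{rootCAs: pool}, nil
}

// newClientFixed creates a fresh error when the bool reports failure,
// so the caller never receives a nil client with a nil error.
func newClientFixed(pem []byte) (*Client, error) {
	pool := x509.NewCertPool()
	if ok := pool.AppendCertsFromPEM(pem); !ok {
		return nil, errors.New("adding root CA: no valid PEM certificates found")
	}
	return &Client{rootCAs: pool}, nil
}

func main() {
	notPEM := []byte("constructed sample: this is not a PEM certificate")
	c, err := newClientBuggy(notPEM)
	fmt.Printf("buggy: client=%v err=%v\n", c, err)
	c, err = newClientFixed(notPEM)
	fmt.Printf("fixed: client=%v err=%v\n", c, err)
}
```

With the buggy form, a caller that checks only err proceeds with a nil client; with the fixed form the malformed CA file surfaces as an error at construction time.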

zwass commented 3 years ago

Theory is that this is the cause of Slack user @Miguel's issue in https://osquery.slack.com/archives/C1XCLA5DZ/p1603363866247800

[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0xa4d1c9]
goroutine 1 [running]:
github.com/kolide/fleet/server/service.(*Client).url(...)
        /Users/zwass/dev/fleet/server/service/client.go:128
github.com/kolide/fleet/server/service.(*Client).doWithHeaders(0x0, 0xc0c65a, 0x4, 0xc1934b, 0x14, 0xb7a320, 0xc000440000, 0xc00033c780, 0x5, 0x2000, ...)
        /Users/zwass/dev/fleet/server/service/client.go:87 +0x69
github.com/kolide/fleet/server/service.(*Client).Do(0x0, 0xc0c65a, 0x4, 0xc1934b, 0x14, 0xb7a320, 0xc000440000, 0x4824fc, 0x18205e0, 0xc0000f2280)
        /Users/zwass/dev/fleet/server/service/client.go:106 +0x19b
github.com/kolide/fleet/server/service.(*Client).Login(0x0, 0x10b6aa8, 0x1, 0x10b6aa8, 0x1, 0x0, 0x0, 0x0, 0x0)
        /Users/zwass/dev/fleet/server/service/client_sessions.go:18 +0xfe
main.loginCommand.func1(0xc0000cef20, 0x0, 0xc0000cef20)
        /Users/zwass/dev/fleet/cmd/fleetctl/login.go:70 +0xc6
github.com/urfave/cli.HandleAction(0xb1f700, 0xc0001eafa0, 0xc0000cef20, 0xc0000a9800, 0x0)
        /Users/zwass/dev/go/pkg/mod/github.com/urfave/cli@v1.20.0/app.go:490 +0x82
github.com/urfave/cli.Command.Run(0xc0d5c9, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc1a218, 0x15, 0xc3dc2d, ...)
        /Users/zwass/dev/go/pkg/mod/github.com/urfave/cli@v1.20.0/command.go:210 +0x9fb
github.com/urfave/cli.(*App).Run(0xc000204b60, 0xc00009a020, 0x2, 0x2, 0x0, 0x0)
        /Users/zwass/dev/go/pkg/mod/github.com/urfave/cli@v1.20.0/app.go:255 +0x768
github.com/urfave/cli.(*App).RunAndExitOnError(0xc000204b60)
        /Users/zwass/dev/go/pkg/mod/github.com/urfave/cli@v1.20.0/app.go:276 +0x53
main.main()
        /Users/zwass/dev/fleet/cmd/fleetctl/fleetctl.go:44 +0x828

zwass commented 3 years ago

User confirmed that changing the RootCA configuration fixed the segfault.

Fixing this error handling should prevent others from seeing segfaults under similar circumstances.

noahtalerman commented 3 years ago

Steps to reproduce. More from Miguel's issue:

I have Kolide Fleet 3.2.0 installed on CentOS 7.8.2003:

fleetctl - version 3.2.0
  branch:       master
  revision:     07534c766beb7bf9a022d29572d88493ecef8f7c
  build date:   2020-10-08T19:25:24Z
  build user:   zwass
  go version:   go1.15
fleet version
fleet version 3.2.0

From the same server run: fleetctl login