tempesta-tech / tempesta

All-in-one solution for high performance web content delivery and advanced protection against DDoS and web attacks
https://tempesta-tech.com/
GNU General Public License v2.0

bug in `ttls_ctx_init` #2203

Closed EvgeniiMekhanik closed 2 months ago

EvgeniiMekhanik commented 3 months ago

general protection fault, probably for non-canonical address 0xd5e70b8f4c41b70d: 0000 [#1] SMP PTI
[  579.897797] CPU: 20 PID: 0 Comm: swapper/20 Tainted: G        W  OE     5.10.35+ #5
[  579.899096] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
[  579.900447] [tempesta fw] 192.169.100.1 "-" "POST  HTTP/2.0" 400 0 "-" "-"
[  579.900496] RIP: 0010:kmem_cache_alloc+0x8b/0x200
[  579.900499] Code: 04 8d 68 49 8b 00 49 83 78 10 00 48 89 45 c0 0f 84 4b 01 00 00 48 85 c0 0f 84 42 01 00 00 41 8b 4c 24 28 49 8b 3c 24 48 01 c1 <48> 8b 19 48 89 ce 49 33 9c 24 b8 00 00 00 48 8d 4a 01 48 0f ce 48
[  579.902545] RSP: 0018:ffffa93b4055cb00 EFLAGS: 00010282
[  579.902547] RAX: d5e70b8f4c41b3f5 RBX: ffff959879e404b8 RCX: d5e70b8f4c41b70d
[  579.902549] RDX: 0000000000000025 RSI: 0000000000000a20 RDI: 000033a0100124f0
[  579.912331] RBP: ffffa93b4055cb40 R08: ffffc93b3fb124f0 R09: ffff959879e40000
[  579.913407] R10: ffff9597c6233010 R11: 0000000000000278 R12: ffff9597e0d21000
[  579.914472] R13: ffffffffc0a6c9c8 R14: 0000000000000a20 R15: ffff9597e0d21000
[  579.915686] FS:  0000000000000000(0000) GS:ffff959b2fb00000(0000) knlGS:0000000000000000
[  579.916943] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  579.917854] CR2: 000055f35c8af028 CR3: 00000001b95b6006 CR4: 0000000000770ee0
[  579.919049] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  579.920271] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  579.921430] PKRU: 55555554
[  579.929568] Call Trace:
[  579.929956]  <IRQ>
[  579.930286]  ttls_ctx_init+0x38/0x70 [tempesta_tls]
[  579.931093]  tfw_tls_conn_init+0x2d/0xb0 [tempesta_fw]
[  579.931963]  tfw_connection_new+0x24/0x30 [tempesta_fw]
[  579.932807]  tfw_sock_clnt_new+0x10c/0x290 [tempesta_fw]
[  579.933634]  ss_tcp_state_change+0xf2/0x250 [tempesta_fw]
[  579.934478]  tcp_rcv_state_process+0xd87/0x1200
[  579.935251]  ? tcp_check_req+0x1ae/0x610
[  579.935954]  tcp_child_process+0xa4/0x1a0
[  579.936740]  tcp_v4_rcv+0xa63/0xe20
[  579.937387]  ip_protocol_deliver_rcu+0x44/0x230
[  579.942247]  ip_local_deliver_finish+0x48/0x60
[  579.951599]  ip_local_deliver+0x70/0x110
[  579.953300]  ? ip_rcv_finish_core.constprop.0+0x61/0x470
[  579.969442]  ip_rcv_finish+0x87/0xa0
[  579.983141]  ip_rcv+0xce/0xe0
[  579.993165]  ? ip_rcv_finish_core.constprop.0+0x470/0x470
[  580.011598]  __netif_receive_skb_one_core+0x86/0xa0
[  580.029536]  __netif_receive_skb+0x18/0x60
[  580.052792]  process_backlog+0x9e/0x170
[  580.063697]  net_rx_action+0x13b/0x430
[  580.074327]  __do_softirq+0xe3/0x340
[  580.091658]  asm_call_irq_on_stack+0x12/0x20
[  580.102289]  </IRQ>
[  580.114322]  do_softirq_own_stack+0x3d/0x50
[  580.125104]  irq_exit_rcu+0xa2/0xe0
[  580.136147]  sysvec_call_function_single+0x3d/0x90
[  580.146398]  asm_sysvec_call_function_single+0x12/0x20
[  580.164128] RIP: 0010:native_safe_halt+0xe/0x10
[  580.174370] Code: 39 ff ff ff 4c 89 ee 48 c7 c7 a0 ba 05 99 e8 89 64 91 ff e9 01 ff ff ff cc cc cc cc e9 07 00 00 00 0f 00 2d 96 55 47 00 fb f4 <c3> 90 e9 07 00 00 00 0f 00 2d 86 55 47 00 f4 c3 cc cc 0f 1f 44 00
[  580.190545] RSP: 0018:ffffa93b40123e88 EFLAGS: 00000206
[  580.207192] RAX: ffffffff98196750 RBX: 0000000000000014 RCX: ffff959b2fb2cdc0
[  580.207193] RDX: 000000000004d0d2 RSI: 0000000000000083 RDI: 0000000000000083
[  580.207193] RBP: ffffa93b40123e90 R08: ffff959b2fb1f180 R09: 0000000000000114
[  580.207194] R10: 00000086fc2dba58 R11: 000000000000b8d7 R12: ffff9597e03bdc40
[  580.207195] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  580.207201]  ? __sched_text_end+0x4/0x4
[  580.207204]  ? default_idle+0xe/0x20
[  580.207206]  arch_cpu_idle+0x15/0x20
[  580.207208]  default_idle_call+0x3d/0xc0
[  580.207210]  do_idle+0x215/0x2a0
[  580.207212]  ? complete+0x3f/0x50
[  580.207214]  cpu_startup_entry+0x20/0x30
[  580.207217]  start_secondary+0x145/0x1b0
[  580.207219]  secondary_startup_64_no_verify+0xc2/0xcb
[  580.207221] Modules linked in: tempesta_fw(OE) tempesta_db(OE) tempesta_tls(OE) tempesta_lib(OE) nft_counter xt_mark xt_tcpudp nft_compat nf_tables nfnetlink sha256_ssse3 sha512_ssse3 intel_rapl_msr intel_rapl_common isst_if_common nfit kvm_intel snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg snd_hda_codec kvm snd_hda_core binfmt_misc snd_hwdep rapl joydev snd_pcm input_leds snd_timer serio_raw snd soundcore qemu_fw_cfg mac_hid dm_multipath scsi_dh_rdac scsi_dh_emc sch_fq_codel scsi_dh_alua msr efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid qxl drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec rc_core crct10dif_pclmul crc32_pclmul psmouse ghash_clmulni_intel aesni_intel crypto_simd drm virtio_net ahci cryptd glue_helper i2c_i801 libahci net_failover xhci_pci lpc_ich i2c_smbus
[  580.207276]  virtio_blk virtio_rng failover xhci_pci_renesas [last unloaded: tempesta_lib]
[  580.207320] ---[ end trace 8b4892202d5481c4 ]---
[  580.207325] RIP: 0010:kmem_cache_alloc+0x8b/0x200
[  580.207328] Code: 04 8d 68 49 8b 00 49 83 78 10 00 48 89 45 c0 0f 84 4b 01 00 00 48 85 c0 0f 84 42 01 00 00 41 8b 4c 24 28 49 8b 3c 24 48 01 c1 <48> 8b 19 48 89 ce 49 33 9c 24 b8 00 00 00 48 8d 4a 01 48 0f ce 48
[  580.207332] RSP: 0018:ffffa93b4055cb00 EFLAGS: 00010282
[  580.207336] RAX: d5e70b8f4c41b3f5 RBX: ffff959879e404b8 RCX: d5e70b8f4c41b70d
[  580.207338] RDX: 0000000000000025 RSI: 0000000000000a20 RDI: 000033a0100124f0
[  580.207340] RBP: ffffa93b4055cb40 R08: ffffc93b3fb124f0 R09: ffff959879e40000
[  580.207343] R10: ffff9597c6233010 R11: 0000000000000278 R12: ffff9597e0d21000
[  580.207345] R13: ffffffffc0a6c9c8 R14: 0000000000000a20 R15: ffff9597e0d21000
[  580.207347] FS:  0000000000000000(0000) GS:ffff959b2fb00000(0000) knlGS:0000000000000000
[  580.207349] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  580.207353] CR2: 000055f35c8af028 CR3: 00000001b95b6006 CR4: 0000000000770ee0
[  580.207357] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  580.207359] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  580.207362] PKRU: 55555554
[  580.207364] Kernel panic - not syncing: Fatal exception in interrupt
[  580.214838] Kernel Offset: 0x16400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)

Tempesta hash b3175a7465bcc8439105f4e583fd3e5b68d5d571

EvgeniiMekhanik commented 2 months ago

The problem was memory corruption in hpack, which corrupts memory in a random place.
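As an added example (not Tempesta code), the C below shows how to read this crash signature: why a non-canonical pointer produces a #GP rather than a page fault, and what the register dump says about the SLUB freelist at the faulting `mov`. The decoding of the `Code:` bytes and the SLUB freelist interpretation are my assumptions, stated in the comments.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 with 4-level paging uses 48-bit virtual addresses: bits 63..47 must
 * all equal bit 47. A load through a pointer violating this raises #GP, not
 * #PF, hence "general protection fault, probably for non-canonical address". */
bool x86_64_is_canonical(uint64_t va)
{
	uint64_t top17 = va >> 47;	/* bits 63..47 */
	return top17 == 0 || top17 == 0x1ffff;
}

/* The faulting bytes in the "Code:" line, <48> 8b 19, decode to
 * mov (%rcx),%rbx and the preceding 48 01 c1 to add %rax,%rcx, so RCX is
 * RAX plus a fixed offset. Assumption: as in the 5.10 SLUB fast path, RAX is
 * the object taken from the per-CPU freelist and the load fetches the
 * next-free pointer stored at object + s->offset. */
uint64_t freelist_offset(uint64_t rax, uint64_t rcx)
{
	return rcx - rax;
}

struct reg { const char *name; uint64_t val; };
/* Register values copied from the oops above. */
static const struct reg oops_regs[] = {
	{ "RAX", 0xd5e70b8f4c41b3f5ULL }, { "RBX", 0xffff959879e404b8ULL },
	{ "RCX", 0xd5e70b8f4c41b70dULL }, { "RDX", 0x0000000000000025ULL },
	{ "R09", 0xffff959879e40000ULL }, { "R12", 0xffff9597e0d21000ULL },
};

/* A non-canonical value can never be a live kernel pointer; finding one in
 * the freelist head (RAX) is the signature of an earlier out-of-bounds write
 * or use-after-free that overwrote a freed object's next-free pointer. */
int count_noncanonical(void)
{
	int n = 0;
	for (size_t i = 0; i < sizeof oops_regs / sizeof oops_regs[0]; i++)
		if (!x86_64_is_canonical(oops_regs[i].val))
			n++;
	return n;
}

int main(void)
{
	for (size_t i = 0; i < sizeof oops_regs / sizeof oops_regs[0]; i++)
		printf("%s %016llx %s\n", oops_regs[i].name, (unsigned long long)oops_regs[i].val,
		       x86_64_is_canonical(oops_regs[i].val) ? "canonical" : "NON-CANONICAL");
	printf("RCX - RAX = 0x%llx\n", (unsigned long long)freelist_offset(oops_regs[0].val, oops_regs[2].val));
	return 0;
}
```

Garbage in the freelist head explains why the crash surfaces in an unrelated allocation (`ttls_ctx_init`) far from the hpack code that did the corrupting, which is why tools like KASAN or SLUB debugging (`slub_debug=FZP`) are the practical way to catch the original write.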