[libvirt-users] Libvirtd dead, pid still exists. ( Problem might be with TLS interface of libvirtd )

SHREE DUTH AWASTHI shreeduth.awasthi at gmail.com
Fri Apr 12 13:47:07 UTC 2013


Hi Daniel,

Thanks for your explanation.

>> So secmem is left enabled. This is not an issue on most distros, since
>> they allow users to mlock sufficient memory.

I could not understand your above statement. Can you please explain it a
bit more?

Please let us know where we need to look in the corresponding source
code. We will try to provide a fix for it.

To add more info, this works fine on our board with libvirt version 0.9.4.
It is not working from libvirt 0.9.10.

Thanks and Regards,
Shree Duth Awasthi.

GDB FULL ( if needed )

(gdb) bt full
#0  0x00007f5adad0b005 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f5adad0de40 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007f5adc4f4dc5 in _gcry_logv (level=50, fmt=0x7f5adc53b170
"operation is not possible without initialized secure memory\n",
    arg_ptr=0x7fff04a2a770) at misc.c:136
No locals.
#3  0x00007f5adc4f53d5 in _gcry_log_bug (fmt=0x67d6 <Address 0x67d6 out of
bounds>) at misc.c:220
        arg_ptr = {{gp_offset = 8, fp_offset = 48, overflow_arg_area =
0x7fff04a2a850, reg_save_area = 0x7fff04a2a790}}
#4  0x00007f5adc4fa697 in _gcry_secmem_malloc_internal (size=<value
optimized out>) at secmem.c:497
        mb = <value optimized out>
#5  0x00007f5adc4fa79c in _gcry_secmem_malloc (size=136) at secmem.c:522
        p = <value optimized out>
#6  0x00007f5adc4f5a65 in do_malloc (n=26582, flags=<value optimized out>,
mem=0x7fff04a2a8d0) at global.c:553
        m = <value optimized out>
#7  0x00007f5adc4f5aa9 in _gcry_malloc_secure (n=26582) at global.c:592
        mem = 0x0
#8  0x00007f5adc4f5b19 in _gcry_xmalloc_secure (n=136) at global.c:746
No locals.
#9  0x00007f5adc5385df in _gcry_mpi_alloc_limb_space (nlimbs=17,
secure=26582) at mpiutil.c:92
        len = 26582
#10 0x00007f5adc53865f in _gcry_mpi_alloc_secure (nlimbs=17) at mpiutil.c:75
No locals.
#11 0x00007f5adc52525a in secret (output=0x2297d80, input=0x228ce80,
skey=0x6) at rsa.c:365
        m1 = <value optimized out>
        m2 = <value optimized out>
        h = <value optimized out>
#12 0x00007f5adc52545a in _gcry_rsa_sign (algo=<value optimized out>,
resarr=0x228cfb0, data=0x228ce80, skey=<value optimized out>) at rsa.c:608
        sk = {n = 0x231b790, e = 0x231ddc0, d = 0x23100e0, p = 0x230fb10, q
= 0x231dd50, u = 0x228c690}
#13 0x00007f5adc5011ef in pubkey_sign (r_sig=0x7fff04a2aac8, s_hash=<value
optimized out>, s_skey=<value optimized out>) at pubkey.c:692
        module = <value optimized out>
        i = 32767
#14 _gcry_pk_sign (r_sig=0x7fff04a2aac8, s_hash=<value optimized out>,
s_skey=<value optimized out>) at pubkey.c:1807
        skey = 0x22991c0
        hash = 0x228ce80
        result = 0x228cfb0
        pubkey = <value optimized out>
        module = 0x224b890
        algo_name = 0x7f5adc547967 "rsa"
        algo_elems = 0x7f5adc547bd1 "s"
        i = <value optimized out>
        rc = <value optimized out>
        __PRETTY_FUNCTION__ = "_gcry_pk_sign"
        __FUNCTION__ = "_gcry_pk_sign"
#15 0x00007f5adc79ef9c in _wrap_gcry_pk_sign (algo=GNUTLS_PK_RSA,
signature=0x7fff04a2ab50, vdata=<value optimized out>,
pk_params=0x7fff04a2ab70)
    at pk-libgcrypt.c:308
        s_hash = 0x230f370
        s_key = 0x2288680
        s_sig = 0x0
        list = <value optimized out>
        rc = <value optimized out>
        ret = <value optimized out>
        hash = 0x22cfe30
        res = {0x0, 0x0}
#16 0x00007f5adc78b08a in _gnutls_pkcs1_rsa_encrypt (ciphertext=<value
optimized out>, plaintext=<value optimized out>, params=<value optimized
out>,
    params_len=6, btype=<value optimized out>) at gnutls_pk.c:150
        i = <value optimized out>
        pad = <value optimized out>
        ret = <value optimized out>
        edata = 0x228c980 ""
        ps = 0x228c982
"\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377"
        k = <value optimized out>
        psize = <value optimized out>
        mod_bits = <value optimized out>
        pk_params = {params = {0x224f360, 0x224ef40, 0x224f3d0, 0x224f140,
0x225dba0, 0x224ffc0}, params_nr = 6, flags = 32767}
        to_encrypt = {data = 0x228c980 "", size = 128}
        encrypted = {data = 0x7fff04a2ad90 "!\002", size = 3671393680}
#17 0x00007f5adc792fe6 in _gnutls_sign (algo=<value optimized out>,
params=<value optimized out>, params_size=<value optimized out>,
    data=0x7fff04a2acb0, signature=0x0) at gnutls_sig.c:251
        ret = <value optimized out>
#18 0x00007f5adc79388f in _gnutls_handshake_sign_data (session=0x22ceb70,
cert=0x2278c20, pkey=<value optimized out>, params=<value optimized out>,
    signature=0x7fff04a2ad90, sign_algo=<value optimized out>) at
gnutls_sig.c:226
        dconcat = {data = 0x7fff04a2acd0
"0!0\t\006\005+\016\003\002\032\005", size = 35}
        ret = 0
        td_sha = {registered = 0, hd = {gc = 0x2288680, rh = {cc =
0x2288680, ctx = 0x82}}, algorithm = GNUTLS_MAC_SHA1, key = 0x7fff04a2ad00,
          keysize = -623573616, active = 0}
        concat =
"0!0\t\006\005+\016\003\002\032\005\000\004\024\213^q\253^G\342\062\256\263\310\060\230\030(2-d\212\300\004\377\177\000\000\020\255\242\004\377\177\000\000\200\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\200",
'\000' <repeats 15 times>"\340, \306("
        ver = GNUTLS_TLS1_2
        hash_algo = GNUTLS_DIG_SHA1
#19 0x00007f5adc793fbf in gen_dhe_server_kx (session=0x22ceb70,
data=0x7fff04a2ae00) at auth_dhe.c:152
        g = <value optimized out>
        p = <value optimized out>
        mpis = <value optimized out>
        ret = 263
        data_size = <value optimized out>
        apr_cert_list = 0x2278c20
        apr_pkey = 0x2278560
        apr_cert_list_length = 1
        signature = {data = 0x221 <Address 0x221 out of bounds>, size = 0}
        ddata = {data = 0x2280f70 "", size = 263}
        dh_params = <value optimized out>
        sign_algo = <value optimized out>
        ver = GNUTLS_TLS1_2
#20 0x00007f5adc780195 in _gnutls_send_server_kx_message (session=0x67d6,
again=<value optimized out>) at gnutls_kx.c:207
        data = 0x2280f70 ""
        data_size = <value optimized out>
        ret = <value optimized out>
#21 0x00007f5adc77bc55 in _gnutls_handshake_server (session=0x22ceb70) at
gnutls_handshake.c:3047
        ret = 545
#22 0x00007f5adc77c481 in gnutls_handshake (session=0x22ceb70) at
gnutls_handshake.c:2709
        ret = <value optimized out>
#23 0x00007f5add51e744 in virNetTLSSessionHandshake () from
/usr/lib64/libvirt.so.0
No symbol table info available.
#24 0x00007f5add513a2b in virNetServerClientInit () from
/usr/lib64/libvirt.so.0
No symbol table info available.
#25 0x00007f5add511821 in ?? () from /usr/lib64/libvirt.so.0
No symbol table info available.
#26 0x00007f5add51512a in ?? () from /usr/lib64/libvirt.so.0
No symbol table info available.



On Fri, Apr 12, 2013 at 3:24 PM, Daniel P. Berrange <berrange at redhat.com> wrote:

> On Fri, Apr 12, 2013 at 03:14:58PM +0200, SHREE DUTH AWASTHI wrote:
> > Hi Daniel,
> >
> > Thanks for your time.
> >
> > Please find the requested output.
> >
> > # ulimit -a
> > core file size          (blocks, -c) 1000000
> > data seg size           (kbytes, -d) unlimited
> > scheduling priority             (-e) 0
> > file size               (blocks, -f) unlimited
> > pending signals                 (-i) 63706
> > max locked memory       (kbytes, -l) 64
> > max memory size         (kbytes, -m) unlimited
> > open files                      (-n) 1024
> > pipe size            (512 bytes, -p) 8
> > POSIX message queues     (bytes, -q) 819200
> > real-time priority              (-r) 0
> > stack size              (kbytes, -s) 8192
> > cpu time               (seconds, -t) unlimited
> > max user processes              (-u) 1024
> > virtual memory          (kbytes, -v) unlimited
> > file locks                      (-x) unlimited
>
> Ok, so ordinarily gnutls would initialize libgcrypt disabling secmem.
> Libvirt, however, needs to register thread callbacks with gcrypt. Doing
> this in turn disables gnutls' setup code. So secmem is left enabled.
> This is not an issue on most distros, since they allow users to mlock
> sufficient memory.
>
> Anyway we need to fix libvirt to disable secmem, since we've blocked
> gnutls' own setup from running
>
> Daniel
> --
> |: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/:|
> |: http://libvirt.org              -o-             http://virt-manager.org:|
> |: http://autobuild.org       -o-         http://search.cpan.org/~danberr/:|
> |: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc:|
>
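
Added example (not part of the original thread, and not libvirt, gnutls or libgcrypt code): a small C probe for the condition discussed above, checking whether a process's RLIMIT_MEMLOCK (the "max locked memory" line of ulimit -a) lets it mlock a secure-memory pool. The 32 KiB pool size and the function names are assumptions for illustration.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>

/* Assumed pool size, for illustration only; the real value depends on the
 * crypto library build and on what the application requests. */
#define ASSUMED_POOL_BYTES (32u * 1024u)

/* Pure check: does a soft RLIMIT_MEMLOCK of `soft` bytes leave room to lock
 * `need` more bytes when `already` bytes are locked? Returns 1 if so.
 * A process with CAP_IPC_LOCK is not bound by the limit, so a 0 here can
 * still be followed by a successful probe_mlock() for a privileged daemon. */
int memlock_limit_allows(rlim_t soft, size_t already, size_t need)
{
    if (soft == RLIM_INFINITY)
        return 1;
    if (already > soft)
        return 0;
    return need <= soft - already;
}

/* Live probe: map `need` bytes, try to mlock them, then release them.
 * Returns 0 on success, otherwise the errno reported by mmap/mlock. */
int probe_mlock(size_t need)
{
    void *p = mmap(NULL, need, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    int err = (mlock(p, need) == 0) ? 0 : errno;
    munmap(p, need); /* unmapping also drops the lock */
    return err;
}

int main(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0) {
        perror("getrlimit");
        return 2;
    }
    int ok = memlock_limit_allows(rl.rlim_cur, 0, ASSUMED_POOL_BYTES);
    int err = probe_mlock(ASSUMED_POOL_BYTES);
    printf("soft limit permits %u bytes: %s\n", ASSUMED_POOL_BYTES, ok ? "yes" : "no");
    printf("mlock probe: %s\n", err ? strerror(err) : "ok");
    return err ? 1 : 0;
}
```

Run it under the same user and service environment as the daemon, since the limits of an interactive shell can differ from those the daemon was started with.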