Debug logs kill radiusd on AlmaLinux 9.2 with SIGSEGV
Hi! I am in the process of setting up freeradius-3.0.21-37.el9.x86_64 on a new AlmaLinux 9.2 server to migrate from our old centos 7 servers. I have noticed that the server crashes with a segmentation fault if I enable debug logs (e.g. radiusd -X or with raddebug) and run a test with EAP-TLS. The test works fine and succeeds without debug logging. So it's something which only happens during debug logging. gdb backtrace from the core dump is #0 __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:74 #1 0x00007ff611284268 in __vfprintf_internal (s=s@entry=0x7ffcc44437e0, format=format@entry=0x564c843544b8 "(TLS) Creating attributes from %s certificate", ap=ap@entry=0x7ffcc44439c0, mode_flags=mode_flags@entry=2) at vfprintf-internal.c:1647 #2 0x00007ff61129487a in __vsnprintf_internal (string=0x7ffcc4443a20 "(TLS) Creating attributes from ServerHelloDone\"\n", maxlen=<optimized out>, format=0x564c843544b8 "(TLS) Creating attributes from %s certificate", args=0x7ffcc44439c0, mode_flags=2) at vsnprintf.c:114 #3 0x00007ff611bec5dc in vsnprintf (__ap=0x7ffcc44439c0, __fmt=0x564c843544b8 "(TLS) Creating attributes from %s certificate", __n=10240, __s=0x7ffcc4443a20 "(TLS) Creating attributes from ServerHelloDone\"\n") at /usr/include/bits/stdio2.h:68 #4 vradlog_request (type=L_DBG, lvl=<optimized out>, request=0x564c85de2a30, msg=0x564c843544b8 "(TLS) Creating attributes from %s certificate", ap=0x7ffcc4446270) at src/main/log.c:695 #5 0x00007ff611bec801 in radlog_request (type=<optimized out>, lvl=<optimized out>, request=<optimized out>, msg=<optimized out>) at src/main/log.c:787 #6 0x0000564c8433b992 in ?? () #7 0x0000564c85c96368 in ?? () #8 0x0000564c85bf5aa0 in ?? () #9 0x3232363000000001 in ?? () #10 0x0000564c85c962d0 in ?? () #11 0x0000000000000003 in ?? () #12 0x3461626338663361 in ?? () #13 0x0000564c85d87380 in ?? () #14 0x0000564c85c96328 in ?? () #15 0x3039363639633635 in ?? () #16 0x6566323131383235 in ?? () #17 0x3563666364323264 in ?? () #18 0x0000000000000000 in ?? () It happens during handshake: (11) Auth-Type eap { (11) eap: Expiring EAP session with state 0x923d2dbc9836205f (11) eap: Finished EAP session with state 0x923d2dbc9836205f (11) eap: Previous EAP request found for state 0x923d2dbc9836205f, released from the list (11) eap: Peer sent packet with method EAP TLS (13) (11) eap: Calling submodule eap_tls to process data (11) eap_tls: (TLS) EAP Got final fragment (24 bytes) (11) eap_tls: (TLS) EAP Done initial handshake (11) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done (11) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate Segmentation fault (core dumped) Tested with two different client certificates... Regards, Gerald
On 26/05/2023 16:23, Gerald Vogt wrote:
I am in the process of setting up freeradius-3.0.21-37.el9.x86_64 on a new AlmaLinux 9.2 server to migrate from our old centos 7 servers.
That version was released over 3 years ago. Please try with the latest release (3.0.26 or 3.2.3) and see if it still happens. Packages are available from packages.networkradius.com. -- Matthew
On 26.05.23 17:26, Matthew Newton via Freeradius-Users wrote:
On 26/05/2023 16:23, Gerald Vogt wrote:
I am in the process of setting up freeradius-3.0.21-37.el9.x86_64 on a new AlmaLinux 9.2 server to migrate from our old centos 7 servers.
That version was released over 3 years ago.
Please try with the latest release (3.0.26 or 3.2.3) and see if it still happens.
Packages are available from packages.networkradius.com.
There is no 3.0 repository for EL9... -Gerald
=On May 26, 2023, at 11:54 AM, Gerald Vogt <vogt@spamcop.net> wrote:
On 26.05.23 17:26, Matthew Newton via Freeradius-Users wrote:
On 26/05/2023 16:23, Gerald Vogt wrote:
I am in the process of setting up freeradius-3.0.21-37.el9.x86_64 on a new AlmaLinux 9.2 server to migrate from our old centos 7 servers. That version was released over 3 years ago. Please try with the latest release (3.0.26 or 3.2.3) and see if it still happens. Packages are available from packages.networkradius.com.
There is no 3.0 repository for EL9... -Gerald
Download 3.2.3. Run "make rpm" You can make your own packages. We build packages for the common distributions. We don't build packages for every possible Linux distribution. Alan DeKok.
On 26/05/2023 16:54, Gerald Vogt wrote:
On 26.05.23 17:26, Matthew Newton via Freeradius-Users wrote:
On 26/05/2023 16:23, Gerald Vogt wrote:
I am in the process of setting up freeradius-3.0.21-37.el9.x86_64 on a new AlmaLinux 9.2 server to migrate from our old centos 7 servers.
That version was released over 3 years ago.
Please try with the latest release (3.0.26 or 3.2.3) and see if it still happens.
Packages are available from packages.networkradius.com.
There is no 3.0 repository for EL9... -Gerald
Good point, I fixed that this morning. You can get latest 3.0.26 from: http://packages.networkradius.com/freeradius-devel-3.0/rocky/9/ Otherwise just use 3.2.3, there's generally not much reason to stick with 3.0. -- Matthew
On 26.05.23 17:26, Matthew Newton via Freeradius-Users wrote:
On 26/05/2023 16:23, Gerald Vogt wrote:
I am in the process of setting up freeradius-3.0.21-37.el9.x86_64 on a new AlmaLinux 9.2 server to migrate from our old centos 7 servers.
That version was released over 3 years ago.
Please try with the latest release (3.0.26 or 3.2.3) and see if it still happens.
Packages are available from packages.networkradius.com.
Well it seems the issue has been introduced with a openssl backport into freeradius. https://bugzilla.redhat.com/show_bug.cgi?id=2183447 The issue is known and is supposed to be fixed in the next version freeradius-3.0.21-38.el9, so I'll wait for the release. I am pretty happy using the rhel version because it's stable and I don't have to review and crunch through changelogs and upgrade notes for every new version. It took me long enough to go through the whole configuration to adjust it from 3.0.13 to 3.0.21... Cheers, Gerald
participants (3)
-
Alan DeKok -
Gerald Vogt -
Matthew Newton