From hyc@symas.com Thu Oct 29 02:07:53 2015
From: hyc@symas.com
To: openldap-bugs@openldap.org
Subject: Re: (ITS#8294) slappasswd can use SHA256 for hash but not SHA384 or
 SHA512...segfault
Date: Thu, 29 Oct 2015 02:07:51 +0000
Message-ID: <E1Zrcd5-0004iR-Ff@gauss.openldap.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7793415915602964943=="

--===============7793415915602964943==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

ktmdms(a)gmail.com wrote:
> --001a11c39c4eeea62d05232d4fc9
> Content-Type: text/plain; charset=3DUTF-8
>
> adding the -fstack-protector-all option to the compile of the pw-sha2 on
> the 3.18 machine and recompiling just the pw-sha2 appears to have fixed the
> issue.

Using -fstack-protector-all wasn't intended to fix the issue, it was intended=
=20
to make the cause more visible. Instead it has hidden it. Needless to say,=20
that's not an acceptable resolution for us.
>
> Regards,
>
> Kevin Martin
>
>
>
> ---
>
>
> Regards,
>
> Kevin Martin
>
> On Wed, Oct 28, 2015 at 9:58 AM, Howard Chu <hyc(a)symas.com> wrote:
>
>> Howard Chu wrote:
>>
>>> ktmdms(a)gmail.com wrote:
>>>
>>>> --089e0115ec1091312605232ac99f
>>>> Content-Type: text/plain; charset=3DUTF-8
>>>>
>>>> To add fuel to the fire, if I use pw-sha2 libraries that were built on a
>>>> 2.6 kernel (specifically 2.6.32-358.el6.x86_64) on the 3.18 machine I can
>>>> generate SHA512/384 hashed passwords with no issues.  What should I be
>>>> looking for between the two platforms that might cause the core?
>>>>
>>>
>>> Strange that the kernel would make any difference - more likely it's your
>>> C
>>> compiler making the difference.
>>>
>>
>> I may have misread your message. If the same binary works on a newer
>> system, that tends to imply something weird in the runtime environment.
>> Perhaps a problem with ASLR.
>>
>>
>> I ran a test on one machine and got an abort in glibc saying there was a
>>> stack
>>> overrun. On a different machine I got no such error, and running on the
>>> problem system under valgrind produced no errors.
>>>
>>> On the machine that aborted, when I compiled with gcc
>>> -fstack-protector-all,
>>> the glibc abort disappeared as well. So, this hasn't helped me identify
>>> the
>>> problem yet. (gcc 4.8.4-2ubuntu1~14.04)
>>>
>>>
>>
>> --
>>    -- Howard Chu
>>    CTO, Symas Corp.           http://www.symas.com
>>    Director, Highland Sun     http://highlandsun.com/hyc/
>>    Chief Architect, OpenLDAP  http://www.openldap.org/project/
>>
>
> --001a11c39c4eeea62d05232d4fc9
> Content-Type: text/html; charset=3DUTF-8
> Content-Transfer-Encoding: quoted-printable
>
> <div dir=3D3D"ltr">adding the -fstack-protector-all option to the compile o=
f =3D
> the pw-sha2 on the 3.18 machine and recompiling just the pw-sha2 appears to=
=3D
>   have fixed the issue.<div><br></div><div>Regards,</div><div><br></div><di=
v=3D
>> Kevin Martin<br><div><br></div><div><br></div></div></div><div class=3D3D"=
gm=3D
> ail_extra"><br clear=3D3D"all"><div><div class=3D3D"gmail_signature"><div d=
ir=3D
> =3D3D"ltr">---<div><span style=3D3D"font-size:12.8px"><br></span></div><div=
><sp=3D
> an style=3D3D"font-size:12.8px"><br></span></div><div><span style=3D3D"font=
-siz=3D
> e:12.8px">Regards,</span></div><div><div><br></div><div>Kevin Martin</div><=
=3D
> /div></div></div></div>
> <br><div class=3D3D"gmail_quote">On Wed, Oct 28, 2015 at 9:58 AM, Howard Ch=
u =3D
> <span dir=3D3D"ltr">&lt;<a href=3D3D"mailto:hyc(a)symas.com" target=3D3D"_b=
lank">hy=3D
> c(a)symas.com</a>&gt;</span> wrote:<br><blockquote class=3D3D"gmail_quote" =
styl=3D
> e=3D3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span=
 c=3D
> lass=3D3D"">Howard Chu wrote:<br>
> <blockquote class=3D3D"gmail_quote" style=3D3D"margin:0 0 0 .8ex;border-lef=
t:1p=3D
> x #ccc solid;padding-left:1ex">
> <a href=3D3D"mailto:ktmdms(a)gmail.com" target=3D3D"_blank">ktmdms(a)gmail.=
com</a> =3D
> wrote:<br>
> <blockquote class=3D3D"gmail_quote" style=3D3D"margin:0 0 0 .8ex;border-lef=
t:1p=3D
> x #ccc solid;padding-left:1ex">
> --089e0115ec1091312605232ac99f<br>
> Content-Type: text/plain; charset=3D3DUTF-8<br>
> <br>
> To add fuel to the fire, if I use pw-sha2 libraries that were built on a<br=
=3D
>>
> 2.6 kernel (specifically 2.6.32-358.el6.x86_64) on the 3.18 machine I can<b=
=3D
> r>
> generate SHA512/384 hashed passwords with no issues.=3DC2=3DA0 What should =
I be=3D
> <br>
> looking for between the two platforms that might cause the core?<br>
> </blockquote>
> <br>
> Strange that the kernel would make any difference - more likely it&#39;s yo=
=3D
> ur C<br>
> compiler making the difference.<br>
> </blockquote>
> <br></span>
> I may have misread your message. If the same binary works on a newer system=
=3D
> , that tends to imply something weird in the runtime environment. Perhaps a=
=3D
>   problem with ASLR.<div class=3D3D"HOEnZb"><div class=3D3D"h5"><br>
> <br>
> <blockquote class=3D3D"gmail_quote" style=3D3D"margin:0 0 0 .8ex;border-lef=
t:1p=3D
> x #ccc solid;padding-left:1ex">
> I ran a test on one machine and got an abort in glibc saying there was a st=
=3D
> ack<br>
> overrun. On a different machine I got no such error, and running on the<br>
> problem system under valgrind produced no errors.<br>
> <br>
> On the machine that aborted, when I compiled with gcc -fstack-protector-all=
=3D
> ,<br>
> the glibc abort disappeared as well. So, this hasn&#39;t helped me identify=
=3D
>   the<br>
> problem yet. (gcc 4.8.4-2ubuntu1~14.04)<br>
> <br>
> </blockquote>
> <br>
> <br>
> -- <br>
> =3DC2=3DA0 -- Howard Chu<br>
> =3DC2=3DA0 CTO, Symas Corp.=3DC2=3DA0 =3DC2=3DA0 =3DC2=3DA0 =3DC2=3DA0 =3DC=
2=3DA0 =3DC2=3DA0<a href=3D3D"=3D
> http://www.symas.com" rel=3D3D"noreferrer" target=3D3D"_blank">http://www.s=
ymas=3D
> .com</a><br>
> =3DC2=3DA0 Director, Highland Sun=3DC2=3DA0 =3DC2=3DA0 =3DC2=3DA0<a href=3D=
3D"http://highland=3D
> sun.com/hyc/" rel=3D3D"noreferrer" target=3D3D"_blank">http://highlandsun.c=
om/h=3D
> yc/</a><br>
> =3DC2=3DA0 Chief Architect, OpenLDAP=3DC2=3DA0 <a href=3D3D"http://www.open=
ldap.org/p=3D
> roject/" rel=3D3D"noreferrer" target=3D3D"_blank">http://www.openldap.org/p=
roje=3D
> ct/</a><br>
> </div></div></blockquote></div><br></div>
>
> --001a11c39c4eeea62d05232d4fc9--
>
>
>
>


--=20
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/




--===============7793415915602964943==--