Hi Daniel,
Thanks for your explanation.
> So secmem is left enabled. This is not an issue on most distros, since they
> allow users to mlock sufficient memory.
I could not understand the statement above. Could you please explain it a
bit more?
Please let us know where in the source code we should look for this.
We will try to provide a fix for it.
To add more info: this works fine on our board with libvirt version 0.9.4.
It does not work from libvirt 0.9.10 onwards.
Thanks and Regards,
Shree Duth Awasthi.
Full GDB backtrace (if needed):
(gdb) bt full
#0 0x00007f5adad0b005 in raise () from /lib64/libc.so.6
No symbol table info available.
#1 0x00007f5adad0de40 in abort () from /lib64/libc.so.6
No symbol table info available.
#2 0x00007f5adc4f4dc5 in _gcry_logv (level=50, fmt=0x7f5adc53b170
"operation is not possible without initialized secure memory\n",
arg_ptr=0x7fff04a2a770) at misc.c:136
No locals.
#3 0x00007f5adc4f53d5 in _gcry_log_bug (fmt=0x67d6 <Address 0x67d6 out of
bounds>) at misc.c:220
arg_ptr = {{gp_offset = 8, fp_offset = 48, overflow_arg_area =
0x7fff04a2a850, reg_save_area = 0x7fff04a2a790}}
#4 0x00007f5adc4fa697 in _gcry_secmem_malloc_internal (size=<value
optimized out>) at secmem.c:497
mb = <value optimized out>
#5 0x00007f5adc4fa79c in _gcry_secmem_malloc (size=136) at secmem.c:522
p = <value optimized out>
#6 0x00007f5adc4f5a65 in do_malloc (n=26582, flags=<value optimized out>,
mem=0x7fff04a2a8d0) at global.c:553
m = <value optimized out>
#7 0x00007f5adc4f5aa9 in _gcry_malloc_secure (n=26582) at global.c:592
---Type <return> to continue, or q <return> to quit---
mem = 0x0
#8 0x00007f5adc4f5b19 in _gcry_xmalloc_secure (n=136) at global.c:746
No locals.
#9 0x00007f5adc5385df in _gcry_mpi_alloc_limb_space (nlimbs=17,
secure=26582) at mpiutil.c:92
len = 26582
#10 0x00007f5adc53865f in _gcry_mpi_alloc_secure (nlimbs=17) at mpiutil.c:75
No locals.
#11 0x00007f5adc52525a in secret (output=0x2297d80, input=0x228ce80,
skey=0x6) at rsa.c:365
m1 = <value optimized out>
m2 = <value optimized out>
h = <value optimized out>
#12 0x00007f5adc52545a in _gcry_rsa_sign (algo=<value optimized out>,
resarr=0x228cfb0, data=0x228ce80, skey=<value optimized out>) at rsa.c:608
sk = {n = 0x231b790, e = 0x231ddc0, d = 0x23100e0, p = 0x230fb10, q
= 0x231dd50, u = 0x228c690}
#13 0x00007f5adc5011ef in pubkey_sign (r_sig=0x7fff04a2aac8, s_hash=<value
optimized out>, s_skey=<value optimized out>) at pubkey.c:692
module = <value optimized out>
i = 32767
---Type <return> to continue, or q <return> to quit---
#14 _gcry_pk_sign (r_sig=0x7fff04a2aac8, s_hash=<value optimized out>,
s_skey=<value optimized out>) at pubkey.c:1807
skey = 0x22991c0
hash = 0x228ce80
result = 0x228cfb0
pubkey = <value optimized out>
module = 0x224b890
algo_name = 0x7f5adc547967 "rsa"
algo_elems = 0x7f5adc547bd1 "s"
i = <value optimized out>
rc = <value optimized out>
__PRETTY_FUNCTION__ = "_gcry_pk_sign"
__FUNCTION__ = "_gcry_pk_sign"
#15 0x00007f5adc79ef9c in _wrap_gcry_pk_sign (algo=GNUTLS_PK_RSA,
signature=0x7fff04a2ab50, vdata=<value optimized out>,
pk_params=0x7fff04a2ab70)
at pk-libgcrypt.c:308
s_hash = 0x230f370
s_key = 0x2288680
---Type <return> to continue, or q <return> to quit---
s_sig = 0x0
list = <value optimized out>
rc = <value optimized out>
ret = <value optimized out>
hash = 0x22cfe30
res = {0x0, 0x0}
#16 0x00007f5adc78b08a in _gnutls_pkcs1_rsa_encrypt (ciphertext=<value
optimized out>, plaintext=<value optimized out>, params=<value optimized
out>,
params_len=6, btype=<value optimized out>) at gnutls_pk.c:150
i = <value optimized out>
pad = <value optimized out>
ret = <value optimized out>
edata = 0x228c980 ""
ps = 0x228c982
"\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377"
k = <value optimized out>
---Type <return> to continue, or q <return> to quit---
psize = <value optimized out>
mod_bits = <value optimized out>
pk_params = {params = {0x224f360, 0x224ef40, 0x224f3d0, 0x224f140,
0x225dba0, 0x224ffc0}, params_nr = 6, flags = 32767}
to_encrypt = {data = 0x228c980 "", size = 128}
encrypted = {data = 0x7fff04a2ad90 "!\002", size = 3671393680}
#17 0x00007f5adc792fe6 in _gnutls_sign (algo=<value optimized out>,
params=<value optimized out>, params_size=<value optimized out>,
data=0x7fff04a2acb0, signature=0x0) at gnutls_sig.c:251
ret = <value optimized out>
#18 0x00007f5adc79388f in _gnutls_handshake_sign_data (session=0x22ceb70,
cert=0x2278c20, pkey=<value optimized out>, params=<value optimized out>,
signature=0x7fff04a2ad90, sign_algo=<value optimized out>) at
gnutls_sig.c:226
dconcat = {data = 0x7fff04a2acd0
"0!0\t\006\005+\016\003\002\032\005", size = 35}
ret = 0
td_sha = {registered = 0, hd = {gc = 0x2288680, rh = {cc =
0x2288680, ctx = 0x82}}, algorithm = GNUTLS_MAC_SHA1, key = 0x7fff04a2ad00,
keysize = -623573616, active = 0}
concat =
"0!0\t\006\005+\016\003\002\032\005\000\004\024\213^q\253^G\342\062\256\263\310\060\230\030(2-d\212\300\004\377\177\000\000\020\255\242\004\377\177\000\000\200\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\200",
'\000' <repeats 15 times>"\340, \306("
---Type <return> to continue, or q <return> to quit---
ver = GNUTLS_TLS1_2
hash_algo = GNUTLS_DIG_SHA1
#19 0x00007f5adc793fbf in gen_dhe_server_kx (session=0x22ceb70,
data=0x7fff04a2ae00) at auth_dhe.c:152
g = <value optimized out>
p = <value optimized out>
mpis = <value optimized out>
ret = 263
data_size = <value optimized out>
apr_cert_list = 0x2278c20
apr_pkey = 0x2278560
apr_cert_list_length = 1
signature = {data = 0x221 <Address 0x221 out of bounds>, size = 0}
ddata = {data = 0x2280f70 "", size = 263}
dh_params = <value optimized out>
sign_algo = <value optimized out>
ver = GNUTLS_TLS1_2
---Type <return> to continue, or q <return> to quit---
#20 0x00007f5adc780195 in _gnutls_send_server_kx_message (session=0x67d6,
again=<value optimized out>) at gnutls_kx.c:207
data = 0x2280f70 ""
data_size = <value optimized out>
ret = <value optimized out>
#21 0x00007f5adc77bc55 in _gnutls_handshake_server (session=0x22ceb70) at
gnutls_handshake.c:3047
ret = 545
#22 0x00007f5adc77c481 in gnutls_handshake (session=0x22ceb70) at
gnutls_handshake.c:2709
ret = <value optimized out>
#23 0x00007f5add51e744 in virNetTLSSessionHandshake () from
/usr/lib64/libvirt.so.0
No symbol table info available.
#24 0x00007f5add513a2b in virNetServerClientInit () from
/usr/lib64/libvirt.so.0
No symbol table info available.
#25 0x00007f5add511821 in ?? () from /usr/lib64/libvirt.so.0
No symbol table info available.
#26 0x00007f5add51512a in ?? () from /usr/lib64/libvirt.so.0
No symbol table info available.
On Fri, Apr 12, 2013 at 3:24 PM, Daniel P. Berrange <berrange(a)redhat.com> wrote:
On Fri, Apr 12, 2013 at 03:14:58PM +0200, SHREE DUTH AWASTHI wrote:
> Hi Daniel,
>
> Thanks for your time.
>
> Please find the requested output.
>
> # ulimit -a
> core file size (blocks, -c) 1000000
> data seg size (kbytes, -d) unlimited
> scheduling priority (-e) 0
> file size (blocks, -f) unlimited
> pending signals (-i) 63706
> max locked memory (kbytes, -l) 64
> max memory size (kbytes, -m) unlimited
> open files (-n) 1024
> pipe size (512 bytes, -p) 8
> POSIX message queues (bytes, -q) 819200
> real-time priority (-r) 0
> stack size (kbytes, -s) 8192
> cpu time (seconds, -t) unlimited
> max user processes (-u) 1024
> virtual memory (kbytes, -v) unlimited
> file locks (-x) unlimited
Ok, so ordinarily gnutls would initialize libgcrypt disabling secmem.
Libvirt, however, needs to register thread callbacks with gcrypt. Doing
this in turn disables gnutls' setup code. So secmem is left enabled.
This is not an issue on most distros, since they allow users to mlock
sufficient memory.
Anyway, we need to fix libvirt to disable secmem, since we've blocked
gnutls' own setup from running.
Daniel
--
|:
http://berrange.com -o-
http://www.flickr.com/photos/dberrange/:|
|:
http://libvirt.org -o-
http://virt-manager.org:|
|:
http://autobuild.org -o-
http://search.cpan.org/~danberr/:|
|:
http://entangle-photo.org -o-
http://live.gnome.org/gtk-vnc:|