Segfault on all TLS connections (mbedtls problem?)

I just upgraded libmbedtls 2.14.1-1 today. Now everything that tries to use TLS (such as uclient-fetch) fails with a segfault. I get this in dmesg when I try to do something as simple as wget -s https://google.com.

[   33.663602] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[   33.670508] br-lan: port 2(wlan0) entered blocking state
[   33.675962] br-lan: port 2(wlan0) entered forwarding state
[   33.820448] do_page_fault(): sending SIGSEGV to uclient-fetch for invalid write access to 777ec8b4
[   33.829589] epc = 77856cc0 in libc.so[7782e000+92000]
[   33.834820] ra  = 77856cac in libc.so[7782e000+92000]
[   37.001684] __do_page_fault: 5 callbacks suppressed
[   37.001695] do_page_fault(): sending SIGSEGV to uclient-fetch for invalid write access to 77d928b4
[   37.015882] epc = 77dfccc0 in libc.so[77dd4000+92000]
[   37.021142] ra  = 77dfccac in libc.so[77dd4000+92000]
[   52.608974] do_page_fault(): sending SIGSEGV to wget for invalid read access from 00000010
[   52.617421] epc = 774abeb4 in libmbedtls.so.2.12.0[774a6000+24000]
[   52.623752] ra  = 774ab330 in libmbedtls.so.2.12.0[774a6000+24000]
[   53.106129] do_page_fault(): sending SIGSEGV to wget for invalid read access from 00000010
[   53.114586] epc = 77a71eb4 in libmbedtls.so.2.12.0[77a6c000+24000]
[   53.120908] ra  = 77a71330 in libmbedtls.so.2.12.0[77a6c000+24000]
[   53.403069] do_page_fault(): sending SIGSEGV to wget for invalid write access to 00000000
[   53.411500] epc = 7754433c in libc.so[7751c000+92000]
[   53.416882] ra  = 774b59e7 in libustream-ssl.so[774b4000+11000]
[   64.630633] random: crng init done
[   86.647179] do_page_fault(): sending SIGSEGV to uclient-fetch for invalid read access from 000000bc
[   86.657141] epc = 77417a0c in libmbedcrypto.so.2.12.0[773f6000+45000]
[   86.665377] ra  = 7745257c in libmbedtls.so.2.12.0[77440000+24000]
[  554.607241] do_page_fault(): sending SIGSEGV to uclient-fetch for invalid write access to 777ae074
[  554.616410] epc = 77806cc0 in libc.so[777de000+92000]
[  554.621568] ra  = 77806cac in libc.so[777de000+92000]
[  818.743450] do_page_fault(): sending SIGSEGV to wget for invalid write access to 77b80074
[  818.751828] epc = 77bd8cc0 in libc.so[77bb0000+92000]
[  818.756990] ra  = 77bd8cac in libc.so[77bb0000+92000]

I cannot downgrade because only the latest versions are available in the opkg repo according to Google. I am using OpenWrt 18.06.1, r7258-5eb055306f on a TP-LINK TL-WDR3600 router, maintained over SSH and not the web interface. I tried rebooting and I tried updating. I really don't want to have to reinstall the entire thing if I can help it.

I know what a page fault is and I know how segfaults work, but I have never attempted debugging OpenWrt before (I have only ever done debugging on a Linux system with a full toolchain and gdb installed).

Is this a known problem that is going to be fixed in a future update of mbedtls?

What was the original reason to want to upgrade libmbedtls in the first place?

18.06.2 is now available. If you havent upgraded already , it would be worth doing and that might sort out tls

1 Like

Reinstall the packages using libmbedtls....
Uclient-fetch, libustream-mbedtls etc.

1 Like

I wanted to upgrade libmbedtls because it had an available update. I prefer to update when an update is out (especially when there are security fixes), not waiting until enough security bugs pile up that the next major version must be made available.

I didn't know 18.06.2 was available. I will try upgrading and see if that fixes things. Do you know if there's a way to check if a major upgrade is available, or some API I can use so I can write a script to display its availability in the SSH login banner?

What would that accomplish for me? OpenWrt doesn't build packages locally so there isn't any need to reinstall packages dependent on a library (unless the library ABI changes but then I would expect a corresponding update for all those programs as well, not just libmbedtls). The checksums of those packages now and after a reinstall of them would be identical.

If you look at the source code changes, you will notice that a better library ABI evaluation for dependencies has been implemented a few days ago in master, so the issue is being fixed, but not yet in 18.06 branch.

Relevant commits are here.

https://github.com/openwrt/openwrt/commits/790bce92adce6fc52a5fe68ac05b1018e171af28