[Bug 1921518] Re: OpenSSL "double free" error
Julian Andres Klode
1921518 at bugs.launchpad.net
Fri Nov 12 17:18:49 UTC 2021
I have uploaded a fixed wget for focal, verified that it only loads the
config file once.
** Description changed:
- "double free" error is seen when using curl utility. Error is from
- libcrypto.so which is part of the OpenSSL package. This happens only
- when OpenSSL is configured to use a dynamic engine.
+ [Impact]
+ openssl config file is being loaded twice, causing engines to be loaded twice if specified therein, causing double free errors and other strange behavior.
+
+ [Test plan]
+ Run the command of the package being tested in
+
+ gdb -ex "break CONF_modules_load_file" -ex "run" --args
+
+ and make sure it only breaks one.
+
+ [Where problems could occur]
+
+ wget: This is an upstream change that changes initialization and is in
+ use in later releases. Since it mostly removes an unneeded call to the
+ load file function, a regression could be a config file being ignored,
+ but it seems unlikely given the use in later releases
+
+ [Original bug report]
+ "double free" error is seen when using curl utility. Error is from libcrypto.so which is part of the OpenSSL package. This happens only when OpenSSL is configured to use a dynamic engine.
OpenSSL version is 1.1.1f
The issue is not encountered if
http://www.openssl.org/source/openssl-1.1.1f.tar.gz is used instead.
-
- OpenSSL can be configured to use a dynamic engine by editing the default openssl config file which is located at '/etc/ssl/openssl.cnf' on Ubuntu systems.
+ OpenSSL can be configured to use a dynamic engine by editing the default
+ openssl config file which is located at '/etc/ssl/openssl.cnf' on Ubuntu
+ systems.
On Bluefield systems, config diff to enable PKA dynamic engine, is as
below:
+openssl_conf = conf_section
+
- # Extra OBJECT IDENTIFIER info:
- #oid_file = $ENV::HOME/.oid
- oid_section = new_oids
-
+ # Extra OBJECT IDENTIFIER info:
+ #oid_file = $ENV::HOME/.oid
+ oid_section = new_oids
+
+[ conf_section ]
+engines = engine_section
+
+[ engine_section ]
+bf = bf_section
+
+[ bf_section ]
+engine_id=pka
+dynamic_path=/usr/lib/aarch64-linux-gnu/engines-1.1/pka.so
+init=0
+
engine_id above refers to dynamic engine name/identifier.
dynamic_path points to the .so file for the dynamic engine.
# curl -O https://tpo.pe/pathogen.vim
double free or corruption (out)
Aborted (core dumped)
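Review bot: the added [Test plan] ends the gdb line at `--args` with no program after it and then says "make sure it only breaks one"; it should state that the command under test (such as the curl invocation from the original report) is appended after `--args`, and "one" should read "once". The new [Where problems could occur] section discusses wget only, although the same description is shared by the curl and openssl tasks listed in the status block, so the regression risk for those packages is not covered here.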
** Changed in: wget (Ubuntu Focal)
Status: Triaged => In Progress
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to curl in Ubuntu.
https://bugs.launchpad.net/bugs/1921518
Title:
  OpenSSL "double free" error

Status in curl package in Ubuntu:
  Fix Released
Status in openssl package in Ubuntu:
  Incomplete
Status in wget package in Ubuntu:
  Fix Released
Status in curl source package in Focal:
  Triaged
Status in openssl source package in Focal:
  Incomplete
Status in wget source package in Focal:
  In Progress

Bug description:
[Impact]
openssl config file is being loaded twice, causing engines to be loaded twice if specified therein, causing double free errors and other strange behavior.

[Test plan]
Run the command of the package being tested in

gdb -ex "break CONF_modules_load_file" -ex "run" --args

and make sure it only breaks once.

[Where problems could occur]
wget: This is an upstream change that changes initialization and is in
use in later releases. Since it mostly removes an unneeded call to the
load file function, a regression could be a config file being ignored,
but it seems unlikely given the use in later releases.

[Original bug report]
"double free" error is seen when using curl utility. Error is from libcrypto.so which is part of the OpenSSL package. This happens only when OpenSSL is configured to use a dynamic engine.

OpenSSL version is 1.1.1f

The issue is not encountered if
http://www.openssl.org/source/openssl-1.1.1f.tar.gz is used instead.

OpenSSL can be configured to use a dynamic engine by editing the
default openssl config file which is located at '/etc/ssl/openssl.cnf'
on Ubuntu systems.

On Bluefield systems, config diff to enable PKA dynamic engine, is as
below:
+openssl_conf = conf_section
+
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
+[ conf_section ]
+engines = engine_section
+
+[ engine_section ]
+bf = bf_section
+
+[ bf_section ]
+engine_id=pka
+dynamic_path=/usr/lib/aarch64-linux-gnu/engines-1.1/pka.so
+init=0
+
engine_id above refers to dynamic engine name/identifier.
dynamic_path points to the .so file for the dynamic engine.

# curl -O https://tpo.pe/pathogen.vim
double free or corruption (out)
Aborted (core dumped)