[Bug 1921518] Re: OpenSSL "double free" error
Dmitrii Shcherbakov
1921518 at bugs.launchpad.net
Fri Oct 1 11:53:06 UTC 2021
Vladimir,
stracing reveals that si_code is set to BUS_ADRALN so there is a problem
with address alignment.
strace curl https://example.com
--- SIGBUS {si_signo=SIGBUS, si_code=BUS_ADRALN, si_addr=0x3efd151115865b} ---
+++ killed by SIGBUS (core dumped) +++
Bus error (core dumped)
The fault is raised by the CPU in response to a misaligned address and
the respective handler in the kernel is being invoked to assert a signal
to the process:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=52d7523d84d534c241ebac5ac89f5c0a6cb51e41
https://paste.ubuntu.com/p/yHJrJW2gSF/ (package & distro details)
----
By the looks of it the alignment fault is caused by just trying to call
the public key method init function in the PKA engine.
Below we have:
1) pmeth->init is at 0xc82028bf65604647
When the call to it is attempted, si_addr holds the same value:
2) _sigfault = {si_addr = 0x2028bf65604647}
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/bin/curl https://example.com
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/aarch64-linux-gnu/libthread_db.so.1".
[New Thread 0xfffff6372f90 (LWP 2486506)]
[Thread 0xfffff6372f90 (LWP 2486506) exited]
Thread 1 "curl" hit Breakpoint 1, int_ctx_new (pkey=pkey at entry=0x0, e=e at entry=0x0, id=1034) at ../crypto/evp/pmeth_lib.c:113
113 if (id == -1) {
(gdb) n
119 if (e == NULL && pkey != NULL)
(gdb)
122 if (e) {
(gdb)
128 e = ENGINE_get_pkey_meth_engine(id);
(gdb)
135 if (e)
(gdb)
136 pmeth = ENGINE_get_pkey_meth(e, id);
(gdb)
141 if (pmeth == NULL) {
(gdb)
149 ret = OPENSSL_zalloc(sizeof(*ret));
(gdb)
150 if (ret == NULL) {
(gdb)
157 ret->engine = e;
(gdb)
159 ret->operation = EVP_PKEY_OP_UNDEFINED;
(gdb)
161 if (pkey != NULL)
(gdb)
164 if (pmeth->init) {
(gdb)
165 if (pmeth->init(ret) <= 0) {
(gdb) print *pmeth
$10 = {pkey_id = -1784943492, flags = -364887078, init = 0xc82028bf65604647, copy = 0x9c17b192eb068c0b, cleanup = 0xedbe7dcdf413f1c0, paramgen_init = 0xc28e015828ce4282, paramgen = 0x6fce6fa0a7ee471f,
keygen_init = 0xdf9a9579438d24eb, keygen = 0xc63719742b8964b9, sign_init = 0x78f4d90cba7ad854, sign = 0xb0d4f1b3df1a9e13, verify_init = 0x7b5f10ffa4c58586, verify = 0x96e16d3250d67446,
verify_recover_init = 0xe11ef96099ea206c, verify_recover = 0x8ed096c03e046773, signctx_init = 0xc6ea05c3bdb5153c, signctx = 0xdd1cb7963c7185, verifyctx_init = 0xd19718983089e1f8,
verifyctx = 0x6143e92bef937feb, encrypt_init = 0x94450e0e52af0bcd, encrypt = 0x2a4633c02797f8b, decrypt_init = 0xa69b08bdbfea813, decrypt = 0x84b9264be5facf60, derive_init = 0x99bcf2700df9fc7e,
derive = 0x9961eec79bc58dfb, ctrl = 0x1779f7901d10471b, ctrl_str = 0x763a1ebbf28338f0, digestsign = 0xacc57ce435798e94, digestverify = 0xae611fd83700f11f, check = 0x6b8d5f0b7cf4a89b,
public_check = 0xef347940990e67fb, param_check = 0xe, digest_custom = 0xfffff797ec60 <aes_v8_encrypt>}
(gdb) print pmeth->init
$11 = (int (*)(EVP_PKEY_CTX *)) 0xc82028bf65604647
(gdb) n
Thread 1 "curl" received signal SIGBUS, Bus error.
0x002028bf65604647 in ?? ()
(gdb) p $_siginfo
$12 = {si_signo = 7, si_errno = 0, si_code = 1, _sifields = {_pad = {1700808263, 2107583, 0 <repeats 26 times>}, _kill = {si_pid = 1700808263, si_uid = 2107583}, _timer = {si_tid = 1700808263,
si_overrun = 2107583, si_sigval = {sival_int = 0, sival_ptr = 0x0}}, _rt = {si_pid = 1700808263, si_uid = 2107583, si_sigval = {sival_int = 0, sival_ptr = 0x0}}, _sigchld = {si_pid = 1700808263,
si_uid = 2107583, si_status = 0, si_utime = 0, si_stime = 0}, _sigfault = {si_addr = 0x2028bf65604647}, _sigpoll = {si_band = 9052001759413831, si_fd = 0}}}
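As an added example (not code from this thread or from OpenSSL), the check a defender would want around the trace above: a SIGBUS handler that reports the same si_code/si_addr fields strace printed, and a helper that flags function-table entries (such as the pmeth values shown above) that cannot be valid AArch64 branch targets because they are not 4-byte aligned. The table values fed to it below are copied from the gdb output; the function names are assumptions.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Map the si_code values seen with SIGBUS to their symbolic names. */
const char *sigbus_code_name(int code) {
    switch (code) {
    case BUS_ADRALN: return "BUS_ADRALN";   /* invalid address alignment */
    case BUS_ADRERR: return "BUS_ADRERR";   /* nonexistent physical address */
    case BUS_OBJERR: return "BUS_OBJERR";   /* object-specific hardware error */
    default:         return "unknown";
    }
}

/* AArch64 instructions are 4-byte aligned, so a branch to an address with the
 * low two bits set (like init = 0xc82028bf65604647 in the trace) raises a PC
 * alignment fault that the kernel reports as SIGBUS/BUS_ADRALN. */
int plausible_code_ptr(uint64_t p, unsigned insn_align) {
    return p != 0 && (p % insn_align) == 0;
}

/* Count entries of a method table that fail the check; a table with several
 * such entries is garbage or freed memory, not a real EVP_PKEY_METHOD. */
size_t count_bad_entries(const uint64_t *fns, size_t n, unsigned insn_align) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!plausible_code_ptr(fns[i], insn_align)) bad++;
    return bad;
}

/* Crash reporter: prints the fields strace showed, then exits with the usual
 * 128+signal status. write(2) is async-signal-safe; snprintf is tolerated here
 * because the process is about to die anyway. */
static void on_sigbus(int sig, siginfo_t *si, void *uctx) {
    (void)uctx;
    char buf[96];
    int n = snprintf(buf, sizeof buf, "SIGBUS si_code=%s si_addr=%p\n",
                     sigbus_code_name(si->si_code), si->si_addr);
    if (n > 0) write(STDERR_FILENO, buf, (size_t)n);
    _exit(128 + sig);
}

/* Install the reporter; returns 0 on success like sigaction(2). */
int install_sigbus_reporter(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigbus;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGBUS, &sa, NULL);
}
```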
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1921518
Title:
OpenSSL "double free" error
Status in openssl package in Ubuntu:
Incomplete
Status in openssl source package in Focal:
Incomplete
Bug description:
"double free" error is seen when using curl utility. Error is from
libcrypto.so which is part of the OpenSSL package. This happens only
when OpenSSL is configured to use a dynamic engine.
OpenSSL version is 1.1.1f
The issue is not encountered if
http://www.openssl.org/source/openssl-1.1.1f.tar.gz is used instead.
OpenSSL can be configured to use a dynamic engine by editing the default openssl config file which is located at '/etc/ssl/openssl.cnf' on Ubuntu systems.
On BlueField systems, the config diff to enable the PKA dynamic engine is as
below:
+openssl_conf = conf_section
+
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
+[ conf_section ]
+engines = engine_section
+
+[ engine_section ]
+bf = bf_section
+
+[ bf_section ]
+engine_id=pka
+dynamic_path=/usr/lib/aarch64-linux-gnu/engines-1.1/pka.so
+init=0
+
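Review bot: `init=0` in `[ bf_section ]`, together with the absence of a `default_algorithms` line, means this fragment only loads pka.so from `dynamic_path`; it neither initialises the engine nor registers it as the default for any algorithm at config-load time, so which EVP_PKEY methods it ends up serving depends on what the engine's own bind routine registers. Since the gdb session above shows ENGINE_get_pkey_meth(e, id) handing back a method table whose pointers are garbage, it would help to state whether the crash also reproduces with `init=1`, which separates a load-order problem from a freed or never-initialised method table.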
engine_id above refers to dynamic engine name/identifier.
dynamic_path points to the .so file for the dynamic engine.
# curl -O https://tpo.pe/pathogen.vim
double free or corruption (out)
Aborted (core dumped)