[Bug 1921518] Re: OpenSSL "double free" error

Eyal Itkin 1921518 at bugs.launchpad.net
Wed Oct 27 06:45:47 UTC 2021 

While trying to understand why a fix in PKA that guards against multiple
destroys (https://github.com/Mellanox/pka/pull/37/files) didn't bypass
this issue, I found the following.

bind() operation of engines is expected to populate the pmeths and
ameths of an existing engine (https://github.com/gost-
engine/engine/blob/df3ead272bd2019f98d16e6787f5df51556c0603/gost_eng.c#L375,
https://github.com/Mellanox/pka/blob/master/engine/e_bluefield.c#L1615).
This means that the engine uses EVP_PKEY_meth_new (for instance) as part
of this registration.

However, on teardown, OpenSSL's engine_free_util() is invoking
engine_pkey_meths_free() and engine_pkey_asn1_meths_free(). Both of
which iterate the list of registered methods, and invoke
EVP_PKEY_meth_free() on each on of them. Only after OpenSSL freed these
methods it calls the engine's destroy() method which allows the
registered engine to do its own cleanup.

As long as this design is used, an engine using pkey methods can't
protect itself against multiple destroy operations, because OpenSSL is
the one freeing it's methods and there isn't much the engine can do
about it. For future versions, it might be recommended to update this
API and grant the engine the ownership on clearing up the memory that it
allocated on the first place.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1921518

Title:
  OpenSSL "double free" error

Status in openssl package in Ubuntu:
  Incomplete
Status in openssl source package in Focal:
  Incomplete

Bug description:
  "double free" error is seen when using curl utility. Error is from
  libcrypto.so which is part of the OpenSSL package. This happens only
  when OpenSSL is configured to use a dynamic engine.

  OpenSSL version is 1.1.1f

  The issue is not encountered if
  http://www.openssl.org/source/openssl-1.1.1f.tar.gz is used instead.

  
  OpenSSL can be configured to use a dynamic engine by editing the default openssl config file which is located at '/etc/ssl/openssl.cnf' on Ubuntu systems.

  On Bluefield systems, config diff to enable PKA dynamic engine, is as
  below:

  +openssl_conf = conf_section
  +
   # Extra OBJECT IDENTIFIER info:
   #oid_file              = $ENV::HOME/.oid
   oid_section            = new_oids
   
  +[ conf_section ]
  +engines = engine_section
  +
  +[ engine_section ]
  +bf = bf_section
  +
  +[ bf_section ]
  +engine_id=pka
  +dynamic_path=/usr/lib/aarch64-linux-gnu/engines-1.1/pka.so
  +init=0
  +

  engine_id above refers to dynamic engine name/identifier.
  dynamic_path points to the .so file for the dynamic engine.

  # curl -O https://tpo.pe/pathogen.vim

  double free or corruption (out)

  Aborted (core dumped)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1921518/+subscriptions

More information about the foundations-bugs mailing list