[Pkg-openssl-devel] Bug#844715: openssl: segfault in shlibloadtest (observed on x32) due to dlopen/dlclose/OPENSSL_atexit/OPENSSL_cleanup ordering
Thorsten Glaser
tg at mirbsd.de
Fri Nov 18 11:59:57 UTC 2016
Source: openssl
Version: 1.1.0c-1
Severity: important
[…]
ok 1 - running secmemtest
ok
../util/shlib_wrap.sh ./shlibloadtest -crypto_first libcrypto.so libssl.so => 139
# Failed test 'running shlibloadtest -crypto_first'
# at ../test/recipes/90-test_shlibload.t line 30.
../util/shlib_wrap.sh ./shlibloadtest -ssl_first libcrypto.so libssl.so => 0
../util/shlib_wrap.sh ./shlibloadtest -just_crypto libcrypto.so libssl.so => 0
# Looks like you failed 1 test of 3.
../test/recipes/90-test_shlibload.t ........
1..3
not ok 1 - running shlibloadtest -crypto_first
Success
ok 2 - running shlibloadtest -ssl_first
Success
ok 3 - running shlibloadtest -just_crypto
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/3 subtests
[…]
The cause here seems to be:
(pbuild24392)root at tglase:/tmp/buildd/openssl-1.1.0c # export SHELL=/bin/sh LD_LIBRARY_PATH=/tmp/buildd/openssl-1.1.0c:/usr/lib/libeatmydata:/usr/lib/libeatmydata
(pbuild24392)root at tglase:/tmp/buildd/openssl-1.1.0c # gdb --args test/shlibloadtest -crypto_first libcrypto.so libssl.so
GNU gdb (Debian 7.10-1.1) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnux32".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from test/shlibloadtest...done.
(gdb) r
Starting program: /tmp/buildd/openssl-1.1.0c/test/shlibloadtest -crypto_first libcrypto.so libssl.so
warning: linux_ptrace_test_ret_to_nx: Cannot PTRACE_PEEKUSER: Input/output error
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnux32/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0xf6745c50 in ?? ()
(gdb) bt
#0 0xf6745c50 in ?? ()
#1 0xf6ac51c5 in OPENSSL_cleanup () at crypto/init.c:395
#2 0xf724fece in __cxa_finalize () from /lib/x86_64-linux-gnux32/libc.so.6
#3 0xf69d80d1 in __do_global_dtors_aux () from /tmp/buildd/openssl-1.1.0c/libcrypto.so
#4 0xffffce90 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) frame 1
#1 0xf6ac51c5 in OPENSSL_cleanup () at crypto/init.c:395
395 currhandler->handler();
(gdb) list
390 */
391 ossl_init_thread_stop(ossl_init_get_thread_local(0));
392
393 currhandler = stop_handlers;
394 while (currhandler != NULL) {
395 currhandler->handler();
396 lasthandler = currhandler;
397 currhandler = currhandler->next;
398 OPENSSL_free(lasthandler);
399 }
(gdb) print *currhandler
$1 = {handler = 0xf6745c50, next = 0x0}
(gdb) x/i currhandler->handler
0xf6745c50: Cannot access memory at address 0xf6745c50
So, when does that value get written?
(gdb) x/4xc currhandler
0x5675b170: 80 'P' 92 '\\' 116 't' -10 '\366'
This looks only vaguely ASCII-ish, so that’s not like it.
The memory map of the process is:
tglase at tglase:~ $ sudo cat /proc/13583/maps
56555000-56556000 r-xp 00000000 fd:00 4511408 /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/test/shlibloadtest
56755000-56756000 r--p 00000000 fd:00 4511408 /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/test/shlibloadtest
56756000-56757000 rw-p 00001000 fd:00 4511408 /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/test/shlibloadtest
56757000-56779000 rw-p 00000000 00:00 0 [heap]
f6982000-f6bbf000 r-xp 00000000 fd:00 4511417 /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/libcrypto.so.1.1
f6bbf000-f6dbf000 ---p 0023d000 fd:00 4511417 /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/libcrypto.so.1.1
f6dbf000-f6dd1000 r--p 0023d000 fd:00 4511417 /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/libcrypto.so.1.1
f6dd1000-f6dda000 rw-p 0024f000 fd:00 4511417 /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/libcrypto.so.1.1
f6dda000-f6dde000 rw-p 00000000 00:00 0
f6dde000-f6dfe000 r-xp 00000000 fd:00 2304977 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libtinfo.so.5.9
f6dfe000-f6ffe000 ---p 00020000 fd:00 2304977 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libtinfo.so.5.9
f6ffe000-f7000000 r--p 00020000 fd:00 2304977 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libtinfo.so.5.9
f7000000-f7001000 rw-p 00022000 fd:00 2304977 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libtinfo.so.5.9
f7001000-f7021000 r-xp 00000000 fd:00 2304975 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libncurses.so.5.9
f7021000-f7220000 ---p 00020000 fd:00 2304975 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libncurses.so.5.9
f7220000-f7221000 r--p 0001f000 fd:00 2304975 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libncurses.so.5.9
f7221000-f7222000 rw-p 00020000 fd:00 2304975 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libncurses.so.5.9
f7222000-f73b1000 r-xp 00000000 fd:00 4386086 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libc-2.24.so
f73b1000-f75b1000 ---p 0018f000 fd:00 4386086 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libc-2.24.so
f75b1000-f75b3000 r--p 0018f000 fd:00 4386086 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libc-2.24.so
f75b3000-f75b4000 rw-p 00191000 fd:00 4386086 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libc-2.24.so
f75b4000-f75b7000 rw-p 00000000 00:00 0
f75b7000-f75cd000 r-xp 00000000 fd:00 4386116 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libpthread-2.24.so
f75cd000-f77cc000 ---p 00016000 fd:00 4386116 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libpthread-2.24.so
f77cc000-f77cd000 r--p 00015000 fd:00 4386116 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libpthread-2.24.so
f77cd000-f77ce000 rw-p 00016000 fd:00 4386116 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libpthread-2.24.so
f77ce000-f77d0000 rw-p 00000000 00:00 0
f77d0000-f77d2000 r-xp 00000000 fd:00 4386092 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libdl-2.24.so
f77d2000-f79d1000 ---p 00002000 fd:00 4386092 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libdl-2.24.so
f79d1000-f79d2000 r--p 00001000 fd:00 4386092 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libdl-2.24.so
f79d2000-f79d3000 rw-p 00002000 fd:00 4386092 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libdl-2.24.so
f79d3000-f79d7000 r-xp 00000000 fd:00 4464900 /var/cache/pbuilder/build/cow.24367/usr/lib/cowdancer/libcowdancer.so
f79d7000-f7bd6000 ---p 00004000 fd:00 4464900 /var/cache/pbuilder/build/cow.24367/usr/lib/cowdancer/libcowdancer.so
f7bd6000-f7bd7000 r--p 00003000 fd:00 4464900 /var/cache/pbuilder/build/cow.24367/usr/lib/cowdancer/libcowdancer.so
f7bd7000-f7bd8000 rw-p 00004000 fd:00 4464900 /var/cache/pbuilder/build/cow.24367/usr/lib/cowdancer/libcowdancer.so
f7bd8000-f7bd9000 r-xp 00000000 fd:00 4487785 /var/cache/pbuilder/build/cow.24367/usr/lib/x86_64-linux-gnux32/libeatmydata.so.1.1.2
f7bd9000-f7dd8000 ---p 00001000 fd:00 4487785 /var/cache/pbuilder/build/cow.24367/usr/lib/x86_64-linux-gnux32/libeatmydata.so.1.1.2
f7dd8000-f7dd9000 r--p 00000000 fd:00 4487785 /var/cache/pbuilder/build/cow.24367/usr/lib/x86_64-linux-gnux32/libeatmydata.so.1.1.2
f7dd9000-f7dda000 rw-p 00001000 fd:00 4487785 /var/cache/pbuilder/build/cow.24367/usr/lib/x86_64-linux-gnux32/libeatmydata.so.1.1.2
f7dda000-f7dfc000 r-xp 00000000 fd:00 4386078 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/ld-2.24.so
f7fc2000-f7ff1000 r--p 00000000 fd:00 2230949 /var/cache/pbuilder/build/cow.24367/.ilist
f7ff1000-f7ff3000 rw-p 00000000 00:00 0
f7ff7000-f7ff9000 rw-p 00000000 00:00 0
f7ff9000-f7ffb000 r--p 00000000 00:00 0 [vvar]
f7ffb000-f7ffc000 r-xp 00000000 00:00 0 [vdso]
f7ffc000-f7ffd000 r--p 00022000 fd:00 4386078 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/ld-2.24.so
f7ffd000-f7ffe000 rw-p 00023000 fd:00 4386078 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/ld-2.24.so
fffdd000-ffffe000 rw-p 00000000 00:00 0 [stack]
So this seems to be an address *below* libcrypto.so.1.1’s .text in
memory but also not on the heap, so no dynamically generated code.
Next debugging session:
(gdb) b OPENSSL_atexit
Function "OPENSSL_atexit" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (OPENSSL_atexit) pending.
(gdb) r
Starting program: /tmp/buildd/openssl-1.1.0c/test/shlibloadtest -crypto_first libcrypto.so libssl.so
warning: linux_ptrace_test_ret_to_nx: Cannot PTRACE_PEEKUSER: Input/output error
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnux32/libthread_db.so.1".
Breakpoint 1, OPENSSL_atexit (handler=handler at entry=0xf6745c50 <ssl_library_stop>) at crypto/init.c:604
604 {
There is our 0xf6745c50, which is ssl_library_stop… huh?
Memory map at this time:
tglase at tglase:~ $ sudo cat /proc/13924/maps
56555000-56556000 r-xp 00000000 fd:00 4511408 /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/test/shlibloadtest
56755000-56756000 r--p 00000000 fd:00 4511408 /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/test/shlibloadtest
56756000-56757000 rw-p 00001000 fd:00 4511408 /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/test/shlibloadtest
56757000-56779000 rw-p 00000000 00:00 0 [heap]
f6721000-f677a000 r-xp 00000000 fd:00 4511445 /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/libssl.so.1.1
f677a000-f697a000 ---p 00059000 fd:00 4511445 /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/libssl.so.1.1
f697a000-f697d000 r--p 00059000 fd:00 4511445 /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/libssl.so.1.1
f697d000-f6982000 rw-p 0005c000 fd:00 4511445 /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/libssl.so.1.1
f6982000-f6bbf000 r-xp 00000000 fd:00 4511417 /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/libcrypto.so.1.1
f6bbf000-f6dbf000 ---p 0023d000 fd:00 4511417 /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/libcrypto.so.1.1
f6dbf000-f6dd1000 r--p 0023d000 fd:00 4511417 /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/libcrypto.so.1.1
f6dd1000-f6dda000 rw-p 0024f000 fd:00 4511417 /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/libcrypto.so.1.1
f6dda000-f6dde000 rw-p 00000000 00:00 0
f6dde000-f6dfe000 r-xp 00000000 fd:00 2304977 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libtinfo.so.5.9
f6dfe000-f6ffe000 ---p 00020000 fd:00 2304977 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libtinfo.so.5.9
f6ffe000-f7000000 r--p 00020000 fd:00 2304977 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libtinfo.so.5.9
f7000000-f7001000 rw-p 00022000 fd:00 2304977 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libtinfo.so.5.9
f7001000-f7021000 r-xp 00000000 fd:00 2304975 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libncurses.so.5.9
f7021000-f7220000 ---p 00020000 fd:00 2304975 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libncurses.so.5.9
f7220000-f7221000 r--p 0001f000 fd:00 2304975 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libncurses.so.5.9
f7221000-f7222000 rw-p 00020000 fd:00 2304975 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libncurses.so.5.9
f7222000-f73b1000 r-xp 00000000 fd:00 4386086 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libc-2.24.so
f73b1000-f75b1000 ---p 0018f000 fd:00 4386086 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libc-2.24.so
f75b1000-f75b3000 r--p 0018f000 fd:00 4386086 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libc-2.24.so
f75b3000-f75b4000 rw-p 00191000 fd:00 4386086 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libc-2.24.so
f75b4000-f75b7000 rw-p 00000000 00:00 0
f75b7000-f75cd000 r-xp 00000000 fd:00 4386116 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libpthread-2.24.so
f75cd000-f77cc000 ---p 00016000 fd:00 4386116 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libpthread-2.24.so
f77cc000-f77cd000 r--p 00015000 fd:00 4386116 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libpthread-2.24.so
f77cd000-f77ce000 rw-p 00016000 fd:00 4386116 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libpthread-2.24.so
f77ce000-f77d0000 rw-p 00000000 00:00 0
f77d0000-f77d2000 r-xp 00000000 fd:00 4386092 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libdl-2.24.so
f77d2000-f79d1000 ---p 00002000 fd:00 4386092 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libdl-2.24.so
f79d1000-f79d2000 r--p 00001000 fd:00 4386092 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libdl-2.24.so
f79d2000-f79d3000 rw-p 00002000 fd:00 4386092 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libdl-2.24.so
f79d3000-f79d7000 r-xp 00000000 fd:00 4464900 /var/cache/pbuilder/build/cow.24367/usr/lib/cowdancer/libcowdancer.so
f79d7000-f7bd6000 ---p 00004000 fd:00 4464900 /var/cache/pbuilder/build/cow.24367/usr/lib/cowdancer/libcowdancer.so
f7bd6000-f7bd7000 r--p 00003000 fd:00 4464900 /var/cache/pbuilder/build/cow.24367/usr/lib/cowdancer/libcowdancer.so
f7bd7000-f7bd8000 rw-p 00004000 fd:00 4464900 /var/cache/pbuilder/build/cow.24367/usr/lib/cowdancer/libcowdancer.so
f7bd8000-f7bd9000 r-xp 00000000 fd:00 4487785 /var/cache/pbuilder/build/cow.24367/usr/lib/x86_64-linux-gnux32/libeatmydata.so.1.1.2
f7bd9000-f7dd8000 ---p 00001000 fd:00 4487785 /var/cache/pbuilder/build/cow.24367/usr/lib/x86_64-linux-gnux32/libeatmydata.so.1.1.2
f7dd8000-f7dd9000 r--p 00000000 fd:00 4487785 /var/cache/pbuilder/build/cow.24367/usr/lib/x86_64-linux-gnux32/libeatmydata.so.1.1.2
f7dd9000-f7dda000 rw-p 00001000 fd:00 4487785 /var/cache/pbuilder/build/cow.24367/usr/lib/x86_64-linux-gnux32/libeatmydata.so.1.1.2
f7dda000-f7dfc000 r-xp 00000000 fd:00 4386078 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/ld-2.24.so
f7fc2000-f7ff1000 r--p 00000000 fd:00 2230949 /var/cache/pbuilder/build/cow.24367/.ilist
f7ff1000-f7ff3000 rw-p 00000000 00:00 0
f7ff7000-f7ff9000 rw-p 00000000 00:00 0
f7ff9000-f7ffb000 r--p 00000000 00:00 0 [vvar]
f7ffb000-f7ffc000 r-xp 00000000 00:00 0 [vdso]
f7ffc000-f7ffd000 r--p 00022000 fd:00 4386078 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/ld-2.24.so
f7ffd000-f7ffe000 rw-p 00023000 fd:00 4386078 /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/ld-2.24.so
fffdd000-ffffe000 rw-p 00000000 00:00 0 [stack]
That’s .text of libssl.so.1.1!
So it appears that dynamically loaded libraries are dismantled,
and OPENSSL_cleanup() is called too late. This might even be a
bug on other architectures; I’m changing the bug title before
submitting.
-- System Information:
Debian Release: stretch/sid
APT prefers unreleased
APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: i386, amd64
Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)
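
The address check done by hand in the report, as an added example (not part of the original message and not OpenSSL code): it resolves the stored handler 0xf6745c50 against excerpts of the two memory maps quoted above, with paths shortened to file names. The helper names find_mapping and handler_is_callable are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Excerpts of the report's two /proc/<pid>/maps listings (paths shortened). */
static const char MAPS_AT_CRASH[] =
    "56757000-56779000 rw-p 00000000 00:00 0 [heap]\n"
    "f6982000-f6bbf000 r-xp 00000000 fd:00 4511417 libcrypto.so.1.1\n"
    "f6bbf000-f6dbf000 ---p 0023d000 fd:00 4511417 libcrypto.so.1.1\n";
static const char MAPS_AT_ATEXIT[] =
    "f6721000-f677a000 r-xp 00000000 fd:00 4511445 libssl.so.1.1\n"
    "f677a000-f697a000 ---p 00059000 fd:00 4511445 libssl.so.1.1\n"
    "f6982000-f6bbf000 r-xp 00000000 fd:00 4511417 libcrypto.so.1.1\n";

/* Return 1 and fill perms/name if addr lies in a mapping, else 0. */
int find_mapping(const char *maps, unsigned long long addr,
                 char perms[5], char *name, size_t namelen)
{
    while (*maps) {
        char line[512], p[5] = "", path[256] = "";
        unsigned long long start, end;
        size_t len = strcspn(maps, "\n");
        snprintf(line, sizeof line, "%.*s", (int)len, maps);
        maps += len + (maps[len] == '\n');
        if (sscanf(line, "%llx-%llx %4s %*s %*s %*s %255[^\n]",
                   &start, &end, p, path) >= 3
            && addr >= start && addr < end) {
            memcpy(perms, p, sizeof p);
            snprintf(name, namelen, "%s", path);
            return 1;
        }
    }
    return 0;
}

/* A stored handler is only callable while it points into an executable mapping. */
int handler_is_callable(const char *maps, unsigned long long handler)
{
    char perms[5], name[256];
    return find_mapping(maps, handler, perms, name, sizeof name)
           && perms[2] == 'x';
}

int main(void)
{
    unsigned long long h = 0xf6745c50ULL; /* currhandler->handler from gdb */
    printf("at OPENSSL_atexit:  callable=%d\n", handler_is_callable(MAPS_AT_ATEXIT, h));
    printf("at OPENSSL_cleanup: callable=%d\n", handler_is_callable(MAPS_AT_CRASH, h));
    return 0;
}
```

The same pointer value resolves to libssl.so.1.1's r-xp segment when it is registered and to no mapping at all when OPENSSL_cleanup() dereferences it.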