[Pkg-openssl-devel] Bug#844715: openssl: segfault in shlibloadtest (observed on x32) due to dlopen/dlclose/OPENSSL_atexit/OPENSSL_cleanup ordering

Thorsten Glaser tg at mirbsd.de
Fri Nov 18 11:59:57 UTC 2016


Source: openssl
Version: 1.1.0c-1
Severity: important

[…]
ok 1 - running secmemtest
ok
../util/shlib_wrap.sh ./shlibloadtest -crypto_first libcrypto.so libssl.so => 139

#   Failed test 'running shlibloadtest -crypto_first'
#   at ../test/recipes/90-test_shlibload.t line 30.
../util/shlib_wrap.sh ./shlibloadtest -ssl_first libcrypto.so libssl.so => 0
../util/shlib_wrap.sh ./shlibloadtest -just_crypto libcrypto.so libssl.so => 0
# Looks like you failed 1 test of 3.
../test/recipes/90-test_shlibload.t ........
1..3
not ok 1 - running shlibloadtest -crypto_first
Success
ok 2 - running shlibloadtest -ssl_first
Success
ok 3 - running shlibloadtest -just_crypto
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/3 subtests 
[…]

The cause here seems to be:

(pbuild24392)root at tglase:/tmp/buildd/openssl-1.1.0c # export SHELL=/bin/sh LD_LIBRARY_PATH=/tmp/buildd/openssl-1.1.0c:/usr/lib/libeatmydata:/usr/lib/libeatmydata
(pbuild24392)root at tglase:/tmp/buildd/openssl-1.1.0c # gdb --args test/shlibloadtest -crypto_first libcrypto.so libssl.so
GNU gdb (Debian 7.10-1.1) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnux32".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from test/shlibloadtest...done.
(gdb) r
Starting program: /tmp/buildd/openssl-1.1.0c/test/shlibloadtest -crypto_first libcrypto.so libssl.so
warning: linux_ptrace_test_ret_to_nx: Cannot PTRACE_PEEKUSER: Input/output error
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnux32/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0xf6745c50 in ?? ()
(gdb) bt
#0  0xf6745c50 in ?? ()
#1  0xf6ac51c5 in OPENSSL_cleanup () at crypto/init.c:395
#2  0xf724fece in __cxa_finalize () from /lib/x86_64-linux-gnux32/libc.so.6
#3  0xf69d80d1 in __do_global_dtors_aux () from /tmp/buildd/openssl-1.1.0c/libcrypto.so
#4  0xffffce90 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) frame 1
#1  0xf6ac51c5 in OPENSSL_cleanup () at crypto/init.c:395
395             currhandler->handler();
(gdb) list
390          */
391         ossl_init_thread_stop(ossl_init_get_thread_local(0));
392
393         currhandler = stop_handlers;
394         while (currhandler != NULL) {
395             currhandler->handler();
396             lasthandler = currhandler;
397             currhandler = currhandler->next;
398             OPENSSL_free(lasthandler);
399         }
(gdb) print *currhandler
$1 = {handler = 0xf6745c50, next = 0x0}
(gdb) x/i currhandler->handler
   0xf6745c50:  Cannot access memory at address 0xf6745c50

So, when does that value get written?

(gdb) x/4xc currhandler
0x5675b170:     80 'P'  92 '\\' 116 't' -10 '\366'

This looks only vaguely ASCII-ish, so that’s not it.

The memory map of the process is:

tglase at tglase:~ $ sudo cat /proc/13583/maps
56555000-56556000 r-xp 00000000 fd:00 4511408                            /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/test/shlibloadtest
56755000-56756000 r--p 00000000 fd:00 4511408                            /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/test/shlibloadtest
56756000-56757000 rw-p 00001000 fd:00 4511408                            /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/test/shlibloadtest
56757000-56779000 rw-p 00000000 00:00 0                                  [heap]
f6982000-f6bbf000 r-xp 00000000 fd:00 4511417                            /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/libcrypto.so.1.1
f6bbf000-f6dbf000 ---p 0023d000 fd:00 4511417                            /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/libcrypto.so.1.1
f6dbf000-f6dd1000 r--p 0023d000 fd:00 4511417                            /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/libcrypto.so.1.1
f6dd1000-f6dda000 rw-p 0024f000 fd:00 4511417                            /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/libcrypto.so.1.1
f6dda000-f6dde000 rw-p 00000000 00:00 0 
f6dde000-f6dfe000 r-xp 00000000 fd:00 2304977                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libtinfo.so.5.9
f6dfe000-f6ffe000 ---p 00020000 fd:00 2304977                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libtinfo.so.5.9
f6ffe000-f7000000 r--p 00020000 fd:00 2304977                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libtinfo.so.5.9
f7000000-f7001000 rw-p 00022000 fd:00 2304977                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libtinfo.so.5.9
f7001000-f7021000 r-xp 00000000 fd:00 2304975                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libncurses.so.5.9
f7021000-f7220000 ---p 00020000 fd:00 2304975                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libncurses.so.5.9
f7220000-f7221000 r--p 0001f000 fd:00 2304975                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libncurses.so.5.9
f7221000-f7222000 rw-p 00020000 fd:00 2304975                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libncurses.so.5.9
f7222000-f73b1000 r-xp 00000000 fd:00 4386086                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libc-2.24.so
f73b1000-f75b1000 ---p 0018f000 fd:00 4386086                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libc-2.24.so
f75b1000-f75b3000 r--p 0018f000 fd:00 4386086                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libc-2.24.so
f75b3000-f75b4000 rw-p 00191000 fd:00 4386086                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libc-2.24.so
f75b4000-f75b7000 rw-p 00000000 00:00 0 
f75b7000-f75cd000 r-xp 00000000 fd:00 4386116                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libpthread-2.24.so
f75cd000-f77cc000 ---p 00016000 fd:00 4386116                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libpthread-2.24.so
f77cc000-f77cd000 r--p 00015000 fd:00 4386116                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libpthread-2.24.so
f77cd000-f77ce000 rw-p 00016000 fd:00 4386116                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libpthread-2.24.so
f77ce000-f77d0000 rw-p 00000000 00:00 0 
f77d0000-f77d2000 r-xp 00000000 fd:00 4386092                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libdl-2.24.so
f77d2000-f79d1000 ---p 00002000 fd:00 4386092                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libdl-2.24.so
f79d1000-f79d2000 r--p 00001000 fd:00 4386092                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libdl-2.24.so
f79d2000-f79d3000 rw-p 00002000 fd:00 4386092                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libdl-2.24.so
f79d3000-f79d7000 r-xp 00000000 fd:00 4464900                            /var/cache/pbuilder/build/cow.24367/usr/lib/cowdancer/libcowdancer.so
f79d7000-f7bd6000 ---p 00004000 fd:00 4464900                            /var/cache/pbuilder/build/cow.24367/usr/lib/cowdancer/libcowdancer.so
f7bd6000-f7bd7000 r--p 00003000 fd:00 4464900                            /var/cache/pbuilder/build/cow.24367/usr/lib/cowdancer/libcowdancer.so
f7bd7000-f7bd8000 rw-p 00004000 fd:00 4464900                            /var/cache/pbuilder/build/cow.24367/usr/lib/cowdancer/libcowdancer.so
f7bd8000-f7bd9000 r-xp 00000000 fd:00 4487785                            /var/cache/pbuilder/build/cow.24367/usr/lib/x86_64-linux-gnux32/libeatmydata.so.1.1.2
f7bd9000-f7dd8000 ---p 00001000 fd:00 4487785                            /var/cache/pbuilder/build/cow.24367/usr/lib/x86_64-linux-gnux32/libeatmydata.so.1.1.2
f7dd8000-f7dd9000 r--p 00000000 fd:00 4487785                            /var/cache/pbuilder/build/cow.24367/usr/lib/x86_64-linux-gnux32/libeatmydata.so.1.1.2
f7dd9000-f7dda000 rw-p 00001000 fd:00 4487785                            /var/cache/pbuilder/build/cow.24367/usr/lib/x86_64-linux-gnux32/libeatmydata.so.1.1.2
f7dda000-f7dfc000 r-xp 00000000 fd:00 4386078                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/ld-2.24.so
f7fc2000-f7ff1000 r--p 00000000 fd:00 2230949                            /var/cache/pbuilder/build/cow.24367/.ilist
f7ff1000-f7ff3000 rw-p 00000000 00:00 0 
f7ff7000-f7ff9000 rw-p 00000000 00:00 0 
f7ff9000-f7ffb000 r--p 00000000 00:00 0                                  [vvar]
f7ffb000-f7ffc000 r-xp 00000000 00:00 0                                  [vdso]
f7ffc000-f7ffd000 r--p 00022000 fd:00 4386078                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/ld-2.24.so
f7ffd000-f7ffe000 rw-p 00023000 fd:00 4386078                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/ld-2.24.so
fffdd000-ffffe000 rw-p 00000000 00:00 0                                  [stack]

So this seems to be an address *below* libcrypto.so.1.1’s .text in
memory but also not on the heap, so no dynamically generated code.

Next debugging session:

(gdb) b OPENSSL_atexit
Function "OPENSSL_atexit" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (OPENSSL_atexit) pending.
(gdb) r
Starting program: /tmp/buildd/openssl-1.1.0c/test/shlibloadtest -crypto_first libcrypto.so libssl.so
warning: linux_ptrace_test_ret_to_nx: Cannot PTRACE_PEEKUSER: Input/output error
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnux32/libthread_db.so.1".

Breakpoint 1, OPENSSL_atexit (handler=handler at entry=0xf6745c50 <ssl_library_stop>) at crypto/init.c:604
604     {

There is our 0xf6745c50, which is ssl_library_stop… huh?

Memory map at this time:

tglase at tglase:~ $ sudo cat /proc/13924/maps
56555000-56556000 r-xp 00000000 fd:00 4511408                            /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/test/shlibloadtest
56755000-56756000 r--p 00000000 fd:00 4511408                            /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/test/shlibloadtest
56756000-56757000 rw-p 00001000 fd:00 4511408                            /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/test/shlibloadtest
56757000-56779000 rw-p 00000000 00:00 0                                  [heap]
f6721000-f677a000 r-xp 00000000 fd:00 4511445                            /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/libssl.so.1.1
f677a000-f697a000 ---p 00059000 fd:00 4511445                            /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/libssl.so.1.1
f697a000-f697d000 r--p 00059000 fd:00 4511445                            /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/libssl.so.1.1
f697d000-f6982000 rw-p 0005c000 fd:00 4511445                            /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/libssl.so.1.1
f6982000-f6bbf000 r-xp 00000000 fd:00 4511417                            /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/libcrypto.so.1.1
f6bbf000-f6dbf000 ---p 0023d000 fd:00 4511417                            /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/libcrypto.so.1.1
f6dbf000-f6dd1000 r--p 0023d000 fd:00 4511417                            /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/libcrypto.so.1.1
f6dd1000-f6dda000 rw-p 0024f000 fd:00 4511417                            /var/cache/pbuilder/build/cow.24367/tmp/buildd/openssl-1.1.0c/libcrypto.so.1.1
f6dda000-f6dde000 rw-p 00000000 00:00 0 
f6dde000-f6dfe000 r-xp 00000000 fd:00 2304977                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libtinfo.so.5.9
f6dfe000-f6ffe000 ---p 00020000 fd:00 2304977                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libtinfo.so.5.9
f6ffe000-f7000000 r--p 00020000 fd:00 2304977                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libtinfo.so.5.9
f7000000-f7001000 rw-p 00022000 fd:00 2304977                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libtinfo.so.5.9
f7001000-f7021000 r-xp 00000000 fd:00 2304975                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libncurses.so.5.9
f7021000-f7220000 ---p 00020000 fd:00 2304975                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libncurses.so.5.9
f7220000-f7221000 r--p 0001f000 fd:00 2304975                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libncurses.so.5.9
f7221000-f7222000 rw-p 00020000 fd:00 2304975                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libncurses.so.5.9
f7222000-f73b1000 r-xp 00000000 fd:00 4386086                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libc-2.24.so
f73b1000-f75b1000 ---p 0018f000 fd:00 4386086                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libc-2.24.so
f75b1000-f75b3000 r--p 0018f000 fd:00 4386086                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libc-2.24.so
f75b3000-f75b4000 rw-p 00191000 fd:00 4386086                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libc-2.24.so
f75b4000-f75b7000 rw-p 00000000 00:00 0 
f75b7000-f75cd000 r-xp 00000000 fd:00 4386116                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libpthread-2.24.so
f75cd000-f77cc000 ---p 00016000 fd:00 4386116                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libpthread-2.24.so
f77cc000-f77cd000 r--p 00015000 fd:00 4386116                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libpthread-2.24.so
f77cd000-f77ce000 rw-p 00016000 fd:00 4386116                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libpthread-2.24.so
f77ce000-f77d0000 rw-p 00000000 00:00 0 
f77d0000-f77d2000 r-xp 00000000 fd:00 4386092                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libdl-2.24.so
f77d2000-f79d1000 ---p 00002000 fd:00 4386092                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libdl-2.24.so
f79d1000-f79d2000 r--p 00001000 fd:00 4386092                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libdl-2.24.so
f79d2000-f79d3000 rw-p 00002000 fd:00 4386092                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/libdl-2.24.so
f79d3000-f79d7000 r-xp 00000000 fd:00 4464900                            /var/cache/pbuilder/build/cow.24367/usr/lib/cowdancer/libcowdancer.so
f79d7000-f7bd6000 ---p 00004000 fd:00 4464900                            /var/cache/pbuilder/build/cow.24367/usr/lib/cowdancer/libcowdancer.so
f7bd6000-f7bd7000 r--p 00003000 fd:00 4464900                            /var/cache/pbuilder/build/cow.24367/usr/lib/cowdancer/libcowdancer.so
f7bd7000-f7bd8000 rw-p 00004000 fd:00 4464900                            /var/cache/pbuilder/build/cow.24367/usr/lib/cowdancer/libcowdancer.so
f7bd8000-f7bd9000 r-xp 00000000 fd:00 4487785                            /var/cache/pbuilder/build/cow.24367/usr/lib/x86_64-linux-gnux32/libeatmydata.so.1.1.2
f7bd9000-f7dd8000 ---p 00001000 fd:00 4487785                            /var/cache/pbuilder/build/cow.24367/usr/lib/x86_64-linux-gnux32/libeatmydata.so.1.1.2
f7dd8000-f7dd9000 r--p 00000000 fd:00 4487785                            /var/cache/pbuilder/build/cow.24367/usr/lib/x86_64-linux-gnux32/libeatmydata.so.1.1.2
f7dd9000-f7dda000 rw-p 00001000 fd:00 4487785                            /var/cache/pbuilder/build/cow.24367/usr/lib/x86_64-linux-gnux32/libeatmydata.so.1.1.2
f7dda000-f7dfc000 r-xp 00000000 fd:00 4386078                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/ld-2.24.so
f7fc2000-f7ff1000 r--p 00000000 fd:00 2230949                            /var/cache/pbuilder/build/cow.24367/.ilist
f7ff1000-f7ff3000 rw-p 00000000 00:00 0 
f7ff7000-f7ff9000 rw-p 00000000 00:00 0 
f7ff9000-f7ffb000 r--p 00000000 00:00 0                                  [vvar]
f7ffb000-f7ffc000 r-xp 00000000 00:00 0                                  [vdso]
f7ffc000-f7ffd000 r--p 00022000 fd:00 4386078                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/ld-2.24.so
f7ffd000-f7ffe000 rw-p 00023000 fd:00 4386078                            /var/cache/pbuilder/build/cow.24367/lib/x86_64-linux-gnux32/ld-2.24.so
fffdd000-ffffe000 rw-p 00000000 00:00 0                                  [stack]

That’s .text of libssl.so.1.1!

So it appears that dynamically loaded libraries are dismantled,
and OPENSSL_cleanup() is called too late. This might even be a
bug on other architectures; I’m changing the bug title before
submitting.

-- System Information:
Debian Release: stretch/sid
  APT prefers unreleased
  APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: i386, amd64

Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

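The failure mode in the report is a handler pointer that outlives the code it points to: libssl registers ssl_library_stop through OPENSSL_atexit(), the test dlclose()s libssl, and libcrypto's destructor later runs OPENSSL_cleanup() and jumps to an address that is no longer mapped. The following is an added example written for this page; it is not code from the bug report or from OpenSSL. It models the stop-handler list from crypto/init.c with made-up names (cleanup_register, cleanup_deregister, cleanup_run, plugin_load, plugin_unload_fixed, stale_handler are all hypothetical) and shows the two practitioner-level defences: the unloading library must take its handler back out before its text is unmapped, and the registry can refuse to call an address that dladdr() no longer attributes to any loaded object. The stale address is produced by unmapping an anonymous page rather than by a real dlclose(), so the program is self-contained and does not crash.

```c
/* Added example for the Debian bug 844715 discussion; not part of OpenSSL.
 * Models an OPENSSL_atexit()-style handler list and why a handler that lives
 * in a dlclose()able library must be deregistered (or the library pinned)
 * before the list is walked at process exit. Names are hypothetical. */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>

typedef void (*stop_handler_fn)(void);

struct stop_handler {
    stop_handler_fn handler;
    struct stop_handler *next;
};

static struct stop_handler *stop_handlers;

/* Same shape as OPENSSL_atexit(): push a handler onto a singly linked list. */
int cleanup_register(stop_handler_fn fn)
{
    struct stop_handler *h = malloc(sizeof(*h));
    if (h == NULL)
        return 0;
    h->handler = fn;
    h->next = stop_handlers;
    stop_handlers = h;
    return 1;
}

/* The piece missing in the reported scenario: a library about to be unloaded
 * removes its handler before its code is unmapped. Returns 1 if found. */
int cleanup_deregister(stop_handler_fn fn)
{
    struct stop_handler **pp = &stop_handlers;
    for (; *pp != NULL; pp = &(*pp)->next) {
        if ((*pp)->handler == fn) {
            struct stop_handler *dead = *pp;
            *pp = dead->next;
            free(dead);
            return 1;
        }
    }
    return 0;
}

/* dladdr() never dereferences the address; it only asks the dynamic loader
 * whether the address lies inside a currently mapped object. A handler that
 * was registered from a library that has since been dlclose()d is not found. */
int handler_is_mapped(stop_handler_fn fn)
{
    Dl_info info;
    return dladdr((void *)(uintptr_t)fn, &info) != 0;
}

/* Walk and free the list like OPENSSL_cleanup() does, but skip handlers whose
 * code is no longer mapped instead of jumping into them. Returns the number
 * skipped so a caller (or test) observes the bug instead of a SIGSEGV. */
int cleanup_run(void)
{
    int skipped = 0;
    struct stop_handler *cur = stop_handlers, *last;
    while (cur != NULL) {
        if (handler_is_mapped(cur->handler))
            cur->handler();
        else
            skipped++;
        last = cur;
        cur = cur->next;
        free(last);
    }
    stop_handlers = NULL;
    return skipped;
}

/* Stand-in for libssl: registers a stop handler when "loaded". */
static int plugin_stop_calls;
void plugin_stop(void) { plugin_stop_calls++; }
int plugin_stop_count(void) { return plugin_stop_calls; }
void plugin_load(void) { cleanup_register(plugin_stop); }
/* Fixed unload path: deregister before the library's text goes away. */
void plugin_unload_fixed(void) { cleanup_deregister(plugin_stop); }

/* A code address guaranteed to be outside every loaded object: an anonymous
 * page that has already been unmapped. It stands in for the 0xf6745c50 left
 * behind after libssl.so.1.1 was dlclose()d in the report. */
stop_handler_fn stale_handler(void)
{
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        abort();
    munmap(p, 4096);
    return (stop_handler_fn)(uintptr_t)p;
}

int main(void)
{
    /* Buggy lifecycle: unload without deregistering, then run cleanup. */
    cleanup_register(stale_handler());
    printf("buggy: %d stale handler(s) skipped instead of crashing\n", cleanup_run());

    /* Fixed lifecycle: handler removed on unload, nothing left to call. */
    plugin_load();
    plugin_unload_fixed();
    printf("fixed: %d skipped, handler called %d times\n", cleanup_run(), plugin_stop_count());
    return 0;
}
```

The dladdr() guard is a last line of defence, not a substitute for correct ordering: the real fix is that whoever registers a callback from a library that can be unloaded either deregisters it on unload or pins the library (for example by linking it with -z nodelete or dlopen()ing it with RTLD_NODELETE) so its text cannot disappear before the atexit-style list runs.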