[Pkg-openssl-devel] Bug#895035: osc: crashes with memory corruption when using new libssl1.1

Simon McVittie smcv at collabora.com
Fri Apr 6 13:58:03 BST 2018


Package: osc
Version: 0.162.1-1
Severity: grave
Justification: osc tool becomes mostly unusable

This is probably a bug in libssl1.1 or in python-m2crypto, but I'm
reporting it against osc for now, because that's the only place I know
how to reproduce it at the moment. X-Debbugs-Cc'd to the lower-level
packages' maintainers.

Steps to reproduce:

* have an account on any OBS instance (I used <https://build.opensuse.org/>:
  anyone can register there, but an account is required to use the API)
* be in a temporary directory
* rm -fr binaries
* osc -A https://api.opensuse.org getbinaries openSUSE:Leap:15.0 \
  hello standard x86_64
  (or some project/package combination that exists on your OBS)

Expected result: osc downloads hello into ./binaries

Actual result: osc usually segfaults in glibc malloc-related functions,
probably due to memory corruption; sometimes glibc detects the memory
corruption itself and aborts instead.

Workaround: Downgrading libssl1.1 to 1.1.0f-3+deb9u2 from stable-security
makes osc work correctly, so presumably this is a behaviour change
between 1.1.0f and 1.1.0h, either a regression or something that triggers
a pre-existing bug in python-m2crypto (or possibly osc).

Other file-downloading operations like `osc co` have a similar crash.
Perhaps notably, `osc ls` does not.

Backtrace for memory corruption detected by glibc (with MALLOC_CHECK_=2):

#0  0x00007fa978092e7b in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007fa978094231 in __GI_abort () at abort.c:79
#2  0x00007fa9780d57b7 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7fa9781de0f3 "%s\n")
    at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007fa9780dbd5a in malloc_printerr (str=str@entry=0x7fa9781dc2fe "free(): invalid pointer")
    at malloc.c:5350
#4  0x00007fa9780dfc0e in free_check (mem=<optimized out>, caller=<optimized out>) at hooks.c:274
#5  0x00007fa9774999a9 in SSL_SESSION_free (ss=0x5561d9428070) at ../ssl/ssl_sess.c:780
#6  0x00007fa977499daf in ssl_get_new_session (s=s@entry=0x5561d9430d60, session=session@entry=0)
    at ../ssl/ssl_sess.c:315
#7  0x00007fa97749e05a in tls_construct_client_hello (s=0x5561d9430d60) at ../ssl/statem/statem_clnt.c:705
#8  0x00007fa97749c556 in write_state_machine (s=0x5561d9430d60) at ../ssl/statem/statem.c:773
#9  0x00007fa97749c556 in state_machine (s=0x5561d9430d60, server=0) at ../ssl/statem/statem.c:404
#10 0x00007fa977494c91 in SSL_do_handshake (s=0x5561d9430d60) at ../ssl/ssl_lib.c:3220
#11 0x00007fa96e0cb0f2 in ssl_connect (ssl=ssl@entry=0x5561d9430d60, timeout=-1) at SWIG/_m2crypto_wrap.c:8255
#12 0x00007fa96e0cb20b in _wrap_ssl_connect (self=<optimized out>, args=<optimized out>)
    at SWIG/_m2crypto_wrap.c:21441
#13 0x00005561d73e4e5a in call_function (oparg=<optimized out>, pp_stack=0x7ffcd796bcd0)
    at ../Python/ceval.c:4372
#14 0x00005561d73e4e5a in PyEval_EvalFrameEx (f=<optimized out>, throwflag=<optimized out>)
    at ../Python/ceval.c:3009
#15 0x00005561d73e241a in PyEval_EvalCodeEx (co=<optimized out>, globals=<optimized out>, locals=<optimized out>, args=<optimized out>, argcount=<optimized out>, kws=<optimized out>, kwcount=0, defs=0x0, defcount=0, closure=0x0) at ../Python/ceval.c:3604
#16 0x00005561d73ea661 in fast_function (nk=0, na=<optimized out>, n=<optimized out>, pp_stack=0x7ffcd796beb0, func=<optimized out>) at ../Python/ceval.c:4467

Backtrace for a segfault:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f34e77351c8 in _int_malloc (av=av@entry=0x7f34e7a68c40 <main_arena>, bytes=bytes@entry=32)
    at malloc.c:4028
#1  0x00007f34e773659c in __GI___libc_malloc (bytes=32) at malloc.c:3057
#2  0x00007f34e6795469 in CRYPTO_zalloc (num=32, file=file@entry=0x7f34e6816be0 "../crypto/asn1/tasn_new.c", line=line@entry=122) at ../crypto/mem.c:107
#3  0x00007f34e66ce817 in asn1_item_embed_new (pval=pval@entry=0x7ffc4a4b75e0, it=it@entry=0x7f34e6a9ef40 <DIST_POINT_it>, embed=embed@entry=0) at ../crypto/asn1/tasn_new.c:122
#4  0x00007f34e66cea97 in ASN1_item_ex_new (pval=pval@entry=0x7ffc4a4b75e0, it=it@entry=0x7f34e6a9ef40 <DIST_POINT_it>) at ../crypto/asn1/tasn_new.c:39
#5  0x00007f34e66cc291 in asn1_item_embed_d2i (pval=pval@entry=0x7ffc4a4b75e0, in=in@entry=0x7ffc4a4b75d8, len=<optimized out>, it=0x7f34e6a9ef40 <DIST_POINT_it>, tag=<optimized out>, tag@entry=-1, aclass=<optimized out>,
    aclass@entry=0, opt=0 '\000', ctx=0x7ffc4a4b77e0, depth=2) at ../crypto/asn1/tasn_dec.c:305
#6  0x00007f34e66cc9a8 in asn1_template_noexp_d2i (val=0x7ffc4a4b77d8, in=0x7ffc4a4b7820, len=<optimized out>, tt=tt@entry=0x7f34e6aa71e0 <CRL_DIST_POINTS_item_tt>, opt=<optimized out>, ctx=0x7ffc4a4b77e0, depth=1)
    at ../crypto/asn1/tasn_dec.c:591
#7  0x00007f34e66cccc9 in asn1_template_ex_d2i (val=val@entry=0x7ffc4a4b77d8, in=in@entry=0x7ffc4a4b7820, inlen=<optimized out>, tt=0x7f34e6aa71e0 <CRL_DIST_POINTS_item_tt>, opt=opt@entry=0 '\000', ctx=ctx@entry=0x7ffc4a4b77e0, depth=1) at ../crypto/asn1/tasn_dec.c:498
#8  0x00007f34e66cc251 in asn1_item_embed_d2i (pval=pval@entry=0x7ffc4a4b77d8, in=0x7ffc4a4b7820, len=<optimized out>, it=it@entry=0x7f34e6a9ef00 <CRL_DIST_POINTS_it>, tag=tag@entry=-1, aclass=aclass@entry=0, opt=0 '\000', ctx=0x7ffc4a4b77e0, depth=1) at ../crypto/asn1/tasn_dec.c:177
#9  0x00007f34e66cce0d in ASN1_item_ex_d2i (pval=pval@entry=0x7ffc4a4b77d8, in=<optimized out>, len=<optimized out>, it=0x7f34e6a9ef00 <CRL_DIST_POINTS_it>, tag=tag@entry=-1, aclass=aclass@entry=0, opt=0 '\000', ctx=0x7ffc4a4b77e0) at ../crypto/asn1/tasn_dec.c:123
#10 0x00007f34e66cce8b in ASN1_item_d2i (pval=0x7ffc4a4b77d8, in=<optimized out>, len=<optimized out>, it=<optimized out>) at ../crypto/asn1/tasn_dec.c:113
#11 0x00007f34e680d885 in X509V3_EXT_d2i (ext=<optimized out>) at ../crypto/x509v3/v3_lib.c:210
#12 0x00007f34e680d94f in X509V3_get_d2i (x=<optimized out>, nid=nid@entry=103, crit=0x385372041cc40d00,
    crit@entry=0x0, idx=idx@entry=0x0) at ../crypto/x509v3/v3_lib.c:269
#13 0x00007f34e67f52c9 in X509_get_ext_d2i (x=x@entry=0x55e18e619390, nid=nid@entry=103, crit=crit@entry=0x0, idx=idx@entry=0x0) at ../crypto/x509/x509_ext.c:105
#14 0x00007f34e6810c12 in setup_crldp (x=0x55e18e619390) at ../crypto/x509v3/v3_purp.c:334
#15 0x00007f34e6810c12 in x509v3_cache_extensions (x=x@entry=0x55e18e619390) at ../crypto/x509v3/v3_purp.c:472
#16 0x00007f34e6811188 in x509v3_cache_extensions (x=0x55e18e619390) at ../crypto/x509v3/v3_purp.c:765
#17 0x00007f34e6811188 in X509_check_issued (issuer=issuer@entry=0x55e18e619390, subject=subject@entry=0x55e18de7c030) at ../crypto/x509v3/v3_purp.c:762
#18 0x00007f34e67f89a4 in check_issued (ctx=0x55e18dc82960, x=0x55e18de7c030, issuer=0x55e18e619390)
    at ../crypto/x509/x509_vfy.c:333
#19 0x00007f34e67f994a in find_issuer (ctx=ctx@entry=0x55e18dc82960, sk=sk@entry=0x55e18e6282b0, x=0x55e18de7c030) at ../crypto/x509/x509_vfy.c:317
#20 0x00007f34e67fac6e in build_chain (ctx=0x55e18dc82960) at ../crypto/x509/x509_vfy.c:3145
#21 0x00007f34e67fac6e in verify_chain (ctx=0x55e18dc82960) at ../crypto/x509/x509_vfy.c:218
#22 0x00007f34e67fbe56 in X509_verify_cert (ctx=ctx@entry=0x55e18dc82960) at ../crypto/x509/x509_vfy.c:295
#23 0x00007f34e6ae2297 in ssl_verify_cert_chain (s=s@entry=0x55e18e636360, sk=sk@entry=0x55e18e62fa90)
    at ../ssl/ssl_cert.c:436
#24 0x00007f34e6af4d13 in tls_process_server_certificate (s=0x55e18e636360, pkt=0x7ffc4a4b7aa0)
    at ../ssl/statem/statem_clnt.c:1212
#25 0x00007f34e6af28ed in read_state_machine (s=0x55e18e636360) at ../ssl/statem/statem.c:599
#26 0x00007f34e6af28ed in state_machine (s=0x55e18e636360, server=0) at ../ssl/statem/statem.c:395
#27 0x00007f34e6aeac91 in SSL_do_handshake (s=0x55e18e636360) at ../ssl/ssl_lib.c:3220
#28 0x00007f34dd7210f2 in ssl_connect (ssl=ssl@entry=0x55e18e636360, timeout=-1) at SWIG/_m2crypto_wrap.c:8255
#29 0x00007f34dd72120b in _wrap_ssl_connect (self=<optimized out>, args=<optimized out>)
    at SWIG/_m2crypto_wrap.c:21441
#30 0x000055e18c298e5a in call_function (oparg=<optimized out>, pp_stack=0x7ffc4a4b7c70)
    at ../Python/ceval.c:4372
#31 0x000055e18c298e5a in PyEval_EvalFrameEx (f=<optimized out>, throwflag=<optimized out>)
    at ../Python/ceval.c:3009
#32 0x000055e18c29641a in PyEval_EvalCodeEx (co=<optimized out>, globals=<optimized out>, locals=<optimized out>, args=<optimized out>, argcount=<optimized out>, kws=<optimized out>, kwcount=0, defs=0x0, defcount=0, closure=0x0) at ../Python/ceval.c:3604
#33 0x000055e18c29e661 in fast_function (nk=0, na=<optimized out>, n=<optimized out>, pp_stack=0x7ffc4a4b7e50, func=<optimized out>) at ../Python/ceval.c:4467

(In both cases I've omitted a large number of probably-uninteresting
Python stack frames below the end of the backtrace I quoted, since this
is a C-level crash.)

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'experimental-debug'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8), LANGUAGE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages osc depends on:
ii  ca-certificates    20170717
ii  python             2.7.14-4
ii  python-m2crypto    0.27.0-5
ii  python-urlgrabber  3.10.2-1

Versions of packages osc recommends:
ii  bash-completion  1:2.8-1
ii  cpio             2.12+dfsg-6
ii  obs-build        20180302-2
ii  python-keyring   10.6.0-1
ii  python-rpm       4.14.1+dfsg1-2
ii  rpm2cpio         4.14.1+dfsg1-2
ii  sensible-utils   0.0.12

osc suggests no packages.

-- no debconf information
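
Added example, not part of the original report: a small triage script that compares the two backtraces above, reporting the first frame outside the glibc allocator in each and the outermost frames they share. The frame lists are abbreviated from the report (arguments elided), and the helper names `parse`, `fault_site` and `common_callers` are hypothetical.

```python
import re

# Frames abbreviated from the two backtraces in the report (arguments elided).
ABORT_BT = """\
#3  malloc_printerr (...) at malloc.c:5350
#4  free_check (...) at hooks.c:274
#5  SSL_SESSION_free (...) at ../ssl/ssl_sess.c:780
#6  ssl_get_new_session (...) at ../ssl/ssl_sess.c:315
#7  tls_construct_client_hello (...) at ../ssl/statem/statem_clnt.c:705
#9  state_machine (...) at ../ssl/statem/statem.c:404
#10 SSL_do_handshake (...) at ../ssl/ssl_lib.c:3220
#11 ssl_connect (...) at SWIG/_m2crypto_wrap.c:8255
"""
SEGV_BT = """\
#0  _int_malloc (...) at malloc.c:4028
#1  __GI___libc_malloc (...) at malloc.c:3057
#2  CRYPTO_zalloc (...) at ../crypto/mem.c:107
#22 X509_verify_cert (...) at ../crypto/x509/x509_vfy.c:295
#24 tls_process_server_certificate (...) at ../ssl/statem/statem_clnt.c:1212
#26 state_machine (...) at ../ssl/statem/statem.c:395
#27 SSL_do_handshake (...) at ../ssl/ssl_lib.c:3220
#28 ssl_connect (...) at SWIG/_m2crypto_wrap.c:8255
"""

FRAME = re.compile(r"^#\d+\s+(?:0x[0-9a-f]+ in )?(\S+) \(.*\) at (\S+):(\d+)$")
ALLOCATOR_FILES = {"malloc.c", "hooks.c"}  # glibc allocator sources seen in the traces

def parse(bt):
    """Return [(function, file, line)], innermost frame first."""
    return [(m[1], m[2], int(m[3])) for m in map(FRAME.match, bt.splitlines()) if m]

def fault_site(frames):
    """First frame outside the glibc allocator: the caller that tripped over the heap."""
    return next(f for f in frames if f[1].split("/")[-1] not in ALLOCATOR_FILES)

def common_callers(a, b):
    """Longest shared run of outermost frames (same function, file and line)."""
    shared = []
    for fa, fb in zip(reversed(a), reversed(b)):
        if fa != fb:
            break
        shared.append(fa)
    return shared[::-1]

if __name__ == "__main__":
    abort, segv = parse(ABORT_BT), parse(SEGV_BT)
    print("abort fault site:", fault_site(abort))
    print("segv fault site: ", fault_site(segv))
    print("shared callers:  ", [f[0] for f in common_callers(abort, segv)])
```

The two crashes surface in unrelated callers (a free in `SSL_SESSION_free`, an allocation in `CRYPTO_zalloc`) but share the `ssl_connect` → `SSL_do_handshake` entry path, which fits the report's reading that the heap was already corrupted before either frame ran.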
