[Pkg-openssl-devel] Bug#1013441: openssl crashes with "munmap_chunk(): invalid pointer"

Philippe Daouadi philippe at ud2.org
Thu Jun 23 18:28:11 BST 2022


Package: libssl3
Version: 3.0.4-1

Hello,

openssl crashes when it signs things with RSA.
I discovered the bug with sbtool and sign-file, but found out that I can reproduce it with just openssl.
My system worked fine before I ran `apt full-upgrade`; I probably hadn't run it for a month or so.

$ openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout PK.key \
         -out PK.crt -days 3650 -nodes -sha256
..+......+....+..+....+...+..+...+.+......+..............................+.....+......+...+....+...+..+...+...+.+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+..........+...........+....+.....+....+......+.....+.+.....+...............+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
....+.+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+...+......+.+......+.....+.......+......+.........+..+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+........+....+...+......+.....+.+...........+.......+...........+.........+.......+......+..+...+.........+.+............+..+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
munmap_chunk(): invalid pointer
[1]    462685 IOT instruction  openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout PK.key

I tried getting a backtrace from gdb:

Thread 1 (Thread 0x7ffff7ec5740 (LWP 468166) "openssl"):
#0  __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
#1  0x00007ffff7849546 in __GI_abort () at abort.c:79
#2  0x00007ffff78a0eb8 in __libc_message (action=action at entry=do_abort, fmt=fmt at entry=0x7ffff79bea78 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff78a891a in malloc_printerr (str=str at entry=0x7ffff79c0a20 "munmap_chunk(): invalid pointer") at malloc.c:5628
#4  0x00007ffff78a8d6c in munmap_chunk (p=<optimized out>) at malloc.c:2995
#5  0x00007ffff78ad9e3 in __GI___libc_free (mem=<optimized out>) at malloc.c:3302
#6  0x00007ffff7b2bd2c in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3
#7  0x00007ffff7b1858e in BN_mod_exp_mont_consttime_x2 () from /lib/x86_64-linux-gnu/libcrypto.so.3
#8  0x00007ffff7c77b6d in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3
#9  0x00007ffff7c79010 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3
#10 0x00007ffff7c7d0d1 in RSA_sign () from /lib/x86_64-linux-gnu/libcrypto.so.3
#11 0x00007ffff7d31aec in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3
#12 0x00007ffff7d31d7f in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3
#13 0x00007ffff7c135fc in EVP_DigestSignFinal () from /lib/x86_64-linux-gnu/libcrypto.so.3
#14 0x00007ffff7ae9d40 in ASN1_item_sign_ctx () from /lib/x86_64-linux-gnu/libcrypto.so.3
#15 0x00005555555eeb7e in ?? ()
#16 0x00005555555c5a42 in ?? ()
#17 0x00005555555ba9d2 in ?? ()
#18 0x0000555555596358 in ?? ()
#19 0x00007ffff784a7fd in __libc_start_main (main=0x555555596190, argc=16, argv=0x7fffffffdb28, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdb18) at ../csu/libc-start.c:332
#20 0x000055555559647a in ?? ()

I tried running it in valgrind but it doesn't crash in that case.

Thanks,
Philippe

-- System Information:
Debian Release: bookworm/sid
   APT prefers stable-security
   APT policy: (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.18.0-2-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libssl3 depends on:
ii  libc6  2.33-7

libssl3 recommends no packages.

libssl3 suggests no packages.
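Replaying the reporter's command is the quickest way for a packager to confirm the crash on an affected build or to verify a fixed libssl3. The script below is an added example, not code from the bug report or from the OpenSSL project: it runs the same `openssl req` invocation in a scratch directory and classifies the outcome from the exit status and stderr (a negative return code from subprocess means the process died from a signal; the "IOT instruction" the reporter's shell printed is SIGABRT from glibc's malloc abort). The classification rules and the number of repeat runs are this script's own assumptions.

```python
"""Regression check for the RSA signing crash described in the bug report.

Added example, not part of the original report. It replays the reporter's
`openssl req` command in a temporary directory and turns the result into a
short verdict, so the crash (or its absence after an upgrade) can be checked
without a gdb session. The command line is taken from the report; the
classification rules and the repeat count are assumptions of this script.
"""
import os
import shutil
import signal
import subprocess
import tempfile

# Message glibc's malloc printed in the report just before abort().
GLIBC_HEAP_MARKER = "munmap_chunk(): invalid pointer"


def classify_result(returncode, stderr):
    """Map an exit status plus captured stderr to a one-line verdict.

    subprocess reports a signal death as a negative return code, so -6 is
    SIGABRT (what the reporter's shell showed as "IOT instruction").
    """
    if returncode < 0:
        try:
            signame = signal.Signals(-returncode).name
        except ValueError:
            signame = f"signal {-returncode}"
        if GLIBC_HEAP_MARKER in stderr:
            return f"crash: {signame} after heap corruption ({GLIBC_HEAP_MARKER})"
        return f"crash: {signame}"
    if returncode == 0:
        return "ok: certificate and key generated"
    return f"error: openssl exited with status {returncode}"


def repro_command(key_path, crt_path, cn="TEST PK"):
    """The reporter's command with the output paths made explicit.

    The CN value is a constructed placeholder standing in for $NAME.
    """
    return [
        "openssl", "req", "-new", "-x509", "-newkey", "rsa:2048",
        "-subj", f"/CN={cn}/", "-keyout", key_path, "-out", crt_path,
        "-days", "3650", "-nodes", "-sha256",
    ]


def run_repro(runs=3):
    """Run the reproduction `runs` times and return one verdict per run.

    Each run generates a fresh random key, so repeating a few times gives a
    fault that depends on the key material more than one chance to appear.
    Returns a single 'skipped' verdict when openssl is not installed.
    """
    if shutil.which("openssl") is None:
        return ["skipped: openssl not installed"]
    verdicts = []
    with tempfile.TemporaryDirectory() as tmp:
        key = os.path.join(tmp, "PK.key")
        crt = os.path.join(tmp, "PK.crt")
        for _ in range(runs):
            proc = subprocess.run(
                repro_command(key, crt), capture_output=True, text=True
            )
            verdicts.append(classify_result(proc.returncode, proc.stderr))
    return verdicts


if __name__ == "__main__":
    if shutil.which("openssl") is not None:
        ver = subprocess.run(["openssl", "version"], capture_output=True, text=True)
        print("testing:", ver.stdout.strip())
    for i, verdict in enumerate(run_repro(), start=1):
        print(f"run {i}: {verdict}")
```

Run it once on the affected libssl3 and again after installing the fixed package; any "crash:" line means the signing path is still aborting in the C library's heap checks, and the marker text in the verdict ties it back to the `munmap_chunk()` message in the report.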