[Pkg-openssl-devel] Bug#1013441: openssl crashes with "munmap_chunk(): invalid pointer"

Sébastien Noel sebastien at twolife.be
Fri Jun 24 12:07:59 BST 2022


Hi,

I had a similar crash with the same error message with openvpn.
Downgrading libssl3 to version 3.0.3-8 did fix the issue.

It seems to be related to this upstream bug:
https://github.com/openssl/openssl/issues/18625

br,

Sébastien

On Thu, 23 Jun 2022 19:28:11 +0200 Philippe Daouadi <philippe at ud2.org> wrote:
> Package: libssl3
> Version: 3.0.4-1
> 
> Hello,
> 
> openssl crashes when it signs things with RSA.
> I discovered the bug with sbtool and sign-file, but found out that I can reproduce it with just openssl.
> My system worked fine before I ran `apt full-upgrade`, I probably didn't run it for a month or so.
> 
> $ openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout PK.key \
>          -out PK.crt -days 3650 -nodes -sha256
> -----
> munmap_chunk(): invalid pointer
> [1]    462685 IOT instruction  openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout PK.key
> 
> I tried getting a backtrace from gdb:
> 
> Thread 1 (Thread 0x7ffff7ec5740 (LWP 468166) "openssl"):
> #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
> #1  0x00007ffff7849546 in __GI_abort () at abort.c:79
> #2  0x00007ffff78a0eb8 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff79bea78 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
> #3  0x00007ffff78a891a in malloc_printerr (str=str@entry=0x7ffff79c0a20 "munmap_chunk(): invalid pointer") at malloc.c:5628
> #4  0x00007ffff78a8d6c in munmap_chunk (p=<optimized out>) at malloc.c:2995
> #5  0x00007ffff78ad9e3 in __GI___libc_free (mem=<optimized out>) at malloc.c:3302
> #6  0x00007ffff7b2bd2c in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3
> #7  0x00007ffff7b1858e in BN_mod_exp_mont_consttime_x2 () from /lib/x86_64-linux-gnu/libcrypto.so.3
> #8  0x00007ffff7c77b6d in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3
> #9  0x00007ffff7c79010 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3
> #10 0x00007ffff7c7d0d1 in RSA_sign () from /lib/x86_64-linux-gnu/libcrypto.so.3
> #11 0x00007ffff7d31aec in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3
> #12 0x00007ffff7d31d7f in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3
> #13 0x00007ffff7c135fc in EVP_DigestSignFinal () from /lib/x86_64-linux-gnu/libcrypto.so.3
> #14 0x00007ffff7ae9d40 in ASN1_item_sign_ctx () from /lib/x86_64-linux-gnu/libcrypto.so.3
> #15 0x00005555555eeb7e in ?? ()
> #16 0x00005555555c5a42 in ?? ()
> #17 0x00005555555ba9d2 in ?? ()
> #18 0x0000555555596358 in ?? ()
> #19 0x00007ffff784a7fd in __libc_start_main (main=0x555555596190, argc=16, argv=0x7fffffffdb28, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdb18) at ../csu/libc-start.c:332
> #20 0x000055555559647a in ?? ()
> 
> I tried running it in valgrind but it doesn't crash in that case.
> 
> Thanks,
> Philippe
> 
> -- System Information:
> Debian Release: bookworm/sid
>    APT prefers stable-security
>    APT policy: (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 5.18.0-2-amd64 (SMP w/8 CPU threads; PREEMPT)
> Kernel taint flags: TAINT_OOT_MODULE
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled


