Hi libcurl folks,

In my journey to send emails in a multi-threaded C program, I encountered a use-of-uninitialized-value memory issue. MemorySanitizer detects use of uninitialized memory during the SSL initialization phase.

Importantly, this issue was discovered using the official multi-threading example code from the libcurl documentation (https://curl.se/libcurl/c/multithread.html), suggesting this could affect many implementations that follow the official guidance.

Steps to Reproduce:

1. Save the code from https://curl.se/libcurl/c/multithread.html to main.c
2. clang -fsanitize=memory main.c -lcurl -g
3. ./a.out
4. MemorySanitizer reports use of uninitialized memory in the following call stack

---
Uninitialized bytes in __interceptor_fopen64 at offset 0 inside [0x70200000f820, 25)
==186400==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x7f8423d11a12 in BIO_new_file (/lib/x86_64-linux-gnu/libcrypto.so.3+0x111a12) (BuildId: 72c05a16f686d285265b1e1a135706b21e0fdf98)
    #1 0x7f8423d58748 (/lib/x86_64-linux-gnu/libcrypto.so.3+0x158748) (BuildId: 72c05a16f686d285265b1e1a135706b21e0fdf98)
    #2 0x7f8423d5a24d in CONF_modules_load_file_ex (/lib/x86_64-linux-gnu/libcrypto.so.3+0x15a24d) (BuildId: 72c05a16f686d285265b1e1a135706b21e0fdf98)
    #3 0x7f8423d5a613 (/lib/x86_64-linux-gnu/libcrypto.so.3+0x15a613) (BuildId: 72c05a16f686d285265b1e1a135706b21e0fdf98)
    #4 0x7f8423e31eca (/lib/x86_64-linux-gnu/libcrypto.so.3+0x231eca) (BuildId: 72c05a16f686d285265b1e1a135706b21e0fdf98)
    #5 0x7f84242d8fa6 in __pthread_once_slow nptl/./nptl/pthread_once.c:116:7
    #6 0x7f8423e3f698 in CRYPTO_THREAD_run_once (/lib/x86_64-linux-gnu/libcrypto.so.3+0x23f698) (BuildId: 72c05a16f686d285265b1e1a135706b21e0fdf98)
    #7 0x7f8423e326e9 in OPENSSL_init_crypto (/lib/x86_64-linux-gnu/libcrypto.so.3+0x2326e9) (BuildId: 72c05a16f686d285265b1e1a135706b21e0fdf98)
    #8 0x7f84240fe6e0 in OPENSSL_init_ssl (/lib/x86_64-linux-gnu/libssl.so.3+0x326e0) (BuildId: 4f08077a451931c4c457240529eff5865919a63b)
    #9 0x7f84245a3c9f (/lib/x86_64-linux-gnu/libcurl.so.4+0x78c9f) (BuildId: d9749b46807207df0c2b0aaccd4179e04f587b75)
    #10 0x7f842454fa62 (/lib/x86_64-linux-gnu/libcurl.so.4+0x24a62) (BuildId: d9749b46807207df0c2b0aaccd4179e04f587b75)
    #11 0x7f842454fc59 in curl_global_init (/lib/x86_64-linux-gnu/libcurl.so.4+0x24c59) (BuildId: d9749b46807207df0c2b0aaccd4179e04f587b75)
    #12 0x564107c3439c in main /home/charmitro/main.c:48:3
    #13 0x7f8424272249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #14 0x7f8424272304 in __libc_start_main csu/../csu/libc-start.c:360:3
    #15 0x564107bae300 in _start (/home/charmitro/a.out+0x21300) (BuildId: 8a2a934a01087da0adfef87f136c489d537e3b1e)

SUMMARY: MemorySanitizer: use-of-uninitialized-value (/lib/x86_64-linux-gnu/libcrypto.so.3+0x111a12) (BuildId: 72c05a16f686d285265b1e1a135706b21e0fdf98) in BIO_new_file

Thank you all for your effort developing such a great library.

C. Mitrodimas
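
A small triage helper for the report in the post above, as an added example that is not part of the original message or of libcurl: it parses the sanitizer frames, names the function and library in which MemorySanitizer raised the warning, and finds the call through which the program's own source reached it. The names `parse_frames` and `triage` and the `project_root` argument are assumptions of this example; the sample frames are an excerpt of the trace in the post with the BuildId suffixes left out.

```python
import re
from collections import Counter

# Excerpt of the trace in the post above (frames 0, 1, 5, 7, 8, 11, 12),
# with the "(BuildId: ...)" suffixes left out.
REPORT = """\
==186400==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x7f8423d11a12 in BIO_new_file (/lib/x86_64-linux-gnu/libcrypto.so.3+0x111a12)
    #1 0x7f8423d58748 (/lib/x86_64-linux-gnu/libcrypto.so.3+0x158748)
    #5 0x7f84242d8fa6 in __pthread_once_slow nptl/./nptl/pthread_once.c:116:7
    #7 0x7f8423e326e9 in OPENSSL_init_crypto (/lib/x86_64-linux-gnu/libcrypto.so.3+0x2326e9)
    #8 0x7f84240fe6e0 in OPENSSL_init_ssl (/lib/x86_64-linux-gnu/libssl.so.3+0x326e0)
    #11 0x7f842454fc59 in curl_global_init (/lib/x86_64-linux-gnu/libcurl.so.4+0x24c59)
    #12 0x564107c3439c in main /home/charmitro/main.c:48:3
"""

# A frame is "#N 0xADDR [in FUNC]" followed by "(MODULE+0xOFFSET)" when only the
# module is known, or by "FILE:LINE[:COL]" when debug info is available.
FRAME = re.compile(
    r"#(?P<n>\d+) 0x[0-9a-f]+(?: in (?P<func>\S+))?"
    r"(?: \((?P<module>[^()+]+)\+0x[0-9a-f]+\)| (?P<src>\S+?):(?P<line>\d+)(?::\d+)?)"
)

def parse_frames(report):
    """Return one dict per frame; works on wrapped or single-line reports."""
    return [m.groupdict() for m in FRAME.finditer(report)]

def triage(report, project_root):
    """Summarise where the warning fired and how the program's own code got there.

    project_root (an assumption of this example) is the absolute source prefix
    that marks a frame as the program's own code rather than a library's.
    """
    frames = parse_frames(report)
    if not frames:
        raise ValueError("no sanitizer frames found")
    own_idx = next((i for i, f in enumerate(frames)
                    if f["src"] and f["src"].startswith(project_root)), None)
    own = frames[own_idx] if own_idx is not None else None
    return {
        "reported_in": frames[0]["func"],
        "reporting_module": frames[0]["module"],
        "own_frame": (own["func"], own["src"], int(own["line"])) if own else None,
        # The frame just above the program's own frame is the call it made.
        "called_api": frames[own_idx - 1]["func"] if own_idx else None,
        "modules": Counter(f["module"].rsplit("/", 1)[-1] for f in frames if f["module"]),
    }

if __name__ == "__main__":
    print(triage(REPORT, "/home/charmitro/"))
```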