Hi Thierry,

On Fri, Jul 06, 2018 at 04:28:22PM +0200, Thierry Fournier wrote:
> Hi list,
> 
> I caught a double-free when I reload haproxy-1.8:
> 
>     writev(2, [{"*** Error in `", 14}, {"/opt/o3-haproxy/sbin/haproxy", 28}, 
> {"': ", 3}, {"double free or corruption (!prev)", 33}, {": 0x", 4}, 
> {"000000001cec2ab0", 16}, {" ***\n", 5}], 7) = 103
> 
> Decoded:
> 
>     *** Error in `/opt/o3-haproxy/sbin/haproxy': double free or corruption 
> (!prev): 0x000000001cec2ab0 ***
> 
> Gdb says:
> 
>    #0  0x00007f4bac88b067 in __GI_raise (sig=sig@entry=6) at 
> ../nptl/sysdeps/unix/sysv/linux/raise.c:56
>    #1  0x00007f4bac88c448 in __GI_abort () at abort.c:89
>    #2  0x00007f4bac8c91b4 in __libc_message (do_abort=do_abort@entry=1, 
>        fmt=fmt@entry=0x7f4bac9be210 "*** Error in `%s': %s: 0x%s ***\n")
>        at ../sysdeps/posix/libc_fatal.c:175
>    #3  0x00007f4bac8ce98e in malloc_printerr (action=1, 
>        str=0x7f4bac9be318 "double free or corruption (!prev)", ptr=<optimized 
> out>) at malloc.c:4996
>    #4  0x00007f4bac8cf696 in _int_free (av=<optimized out>, p=<optimized 
> out>, have_lock=0) at malloc.c:3840
>    #5  0x000000000042af56 in ssl_sock_destroy_bind_conf 
> (bind_conf=0x1d27e810) at src/ssl_sock.c:4819
>    #6  0x00000000004b1390 in deinit () at src/haproxy.c:2240
>    #7  0x000000000041b83c in main (argc=<optimized out>, argv=0x7ffc22f6b4d8) 
> at src/haproxy.c:3094
> 
> I use the last 1.8.12 version.

This one looks a bit strange. I looked at it a little bit and it corresponds
to the line "free(bind_conf->keys_ref->tlskeys);". Unfortunately, there is no
other line in the code appearing to perform a free on this element, and when
passing through this code the key_ref is destroyed and properly nulled. I
checked if it was possible for this element not to be allocated and I don't
see how that could happen either. Thus I'm seeing only three possibilities:

  - this element was duplicated and appears at multiple places (multiple list
    elements) leading to a real double free

  - there is a memory corruption somewhere possibly resulting in this element
    being corrupted and not in fact victim of a double free

  - I can't read code and there is another free that I failed to detect.

Are you able to trigger this on a trivial config? Maybe it only happens
when certain features you have in your config are enabled?

willy
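As an added illustration of the first possibility above (one element shared by several list entries, so a teardown loop frees it twice), here is a small reference-counting pattern that makes such sharing safe. This is example code, not haproxy's code or anything from the thread; the structure and function names are hypothetical stand-ins, and the key buffer is a constructed sample.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for a TLS keys reference and a bind_conf. */
struct tls_keys_ref {
    int refcount;   /* number of bind_conf entries currently sharing this ref */
    char *tlskeys;  /* the buffer that must be freed exactly once */
};

struct bind_conf {
    struct tls_keys_ref *keys_ref;
    struct bind_conf *next;
};

static int frees_done; /* counts real free() calls on tlskeys, for checking */

static struct tls_keys_ref *keys_ref_new(const char *keys)
{
    struct tls_keys_ref *ref = calloc(1, sizeof *ref);
    ref->tlskeys = strdup(keys);
    return ref;
}

/* Every owner that stores the pointer takes a reference. */
static struct tls_keys_ref *keys_ref_share(struct tls_keys_ref *ref)
{
    ref->refcount++;
    return ref;
}

/* Drop one owner's reference; free only when the last owner lets go. */
static void keys_ref_release(struct tls_keys_ref *ref)
{
    if (!ref || --ref->refcount > 0)
        return;
    free(ref->tlskeys);
    ref->tlskeys = NULL;
    frees_done++;
    free(ref);
}

/* Simulates a deinit loop over two bind_confs that share one keys_ref. */
int destroy_shared_bind_confs(void)
{
    struct bind_conf a = {0}, b = {0};
    frees_done = 0;
    a.keys_ref = keys_ref_share(keys_ref_new("constructed sample key"));
    b.keys_ref = keys_ref_share(a.keys_ref); /* second owner of the same ref */
    a.next = &b;
    for (struct bind_conf *bc = &a; bc; bc = bc->next) {
        keys_ref_release(bc->keys_ref);
        bc->keys_ref = NULL; /* never leave a dangling pointer behind */
    }
    return frees_done; /* 1: freed once despite two owners */
}
```

Without the reference count, the same loop would call free() on the shared buffer twice, which is exactly the glibc "double free or corruption" abort shown in the backtrace.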
