Here is a backtrace with debug symbols:

Program received signal SIGSEGV, Segmentation fault.
0xbb7376c3 in EVP_PKEY_meth_free (pmeth=0xbb1d0f94) at /openssl/crypto/evp/pmeth_lib.c:295
295             if (pmeth && (pmeth->flags & EVP_PKEY_FLAG_DYNAMIC))
(gdb) bt
#0  0xbb7376c3 in EVP_PKEY_meth_free (pmeth=0xbb1d0f94) at /openssl/crypto/evp/pmeth_lib.c:295
#1  0xbb7407c6 in engine_pkey_meths_free (e=0xbb0c8f90) at /openssl/crypto/engine/tb_pkmeth.c:163
#2  0xbb777ff8 in engine_free_util (e=0xbb0c8f90, locked=0) at /openssl/crypto/engine/eng_lib.c:129
#3  0xbb741a96 in engine_list_remove (e=0xbb0c8f90) at /openssl/crypto/engine/eng_list.c:187
#4  ENGINE_remove (e=0xbb0c8f90) at /openssl/crypto/engine/eng_list.c:306
#5  0xbb741b00 in engine_list_cleanup () at /openssl/crypto/engine/eng_list.c:88
#6  0xbb777e4d in engine_cleanup_cb_free (item=0xbb3d7ffc) at /openssl/crypto/engine/eng_lib.c:186
#7  0xbb720c44 in sk_pop_free (st=0xbb3d3fec, func=0xbb777e44 <engine_cleanup_cb_free>) at /openssl/crypto/stack/stack.c:283
#8  0xbb778122 in ENGINE_cleanup () at /openssl/crypto/engine/eng_lib.c:193
#9  0x080487e2 in main () at test.c:9

Logging EVP_PKEY_meth_new / EVP_PKEY_meth_free shows this
is a double free, and probably a malloc leak as well that goes unnoticed
if we do not crash:

EVP_PKEY_meth_new => 0xbb0dcf94
EVP_PKEY_meth_new => 0xbb0e0f94
EVP_PKEY_meth_new => 0xbb0e2f94
EVP_PKEY_meth_new => 0xbb1d0f94
EVP_PKEY_meth_new => 0xbb1d2f94
EVP_PKEY_meth_new => 0xbb1d4f94
EVP_PKEY_meth_free(0xbb1d0f94)
EVP_PKEY_meth_free(0xbb1d2f94)
EVP_PKEY_meth_free(0xbb1d4f94)
EVP_PKEY_meth_free(0xbb1d0f94)

gdb tells me this about it, in case it helps:
(gdb) print pmeth_GostR3410_94
$3 = (EVP_PKEY_METHOD *) 0xbb1d0f94


Here is the first EVP_PKEY_meth_free(0xbb1d0f94) call backtrace:
#0  EVP_PKEY_meth_free (pmeth=0xbb1d0f94) at /openssl/crypto/evp/pmeth_lib.c:294
#1  0xbb7407c6 in engine_pkey_meths_free (e=0xbb2e8f90) at /openssl/crypto/engine/tb_pkmeth.c:163
#2  0xbb778038 in engine_free_util (e=0xbb2e8f90, locked=1) at /openssl/crypto/engine/eng_lib.c:129
#3  0xbb7780c2 in ENGINE_free (e=0xbb2e8f90) at /openssl/crypto/engine/eng_lib.c:142
#4  0xbb6dc4eb in ENGINE_load_gost () at /openssl/engines/ccgost/gost_eng.c:269
#5  0xbb6d2e9a in ENGINE_load_builtin_engines () at /openssl/crypto/engine/eng_all.c:117

The patch below avoids the crash, but worsens the leak, as no
EVP_PKEY_meth_free() calls are made anymore.

--- engines/ccgost/gost_eng.c.orig      2013-02-03 18:57:18.000000000 +0100
+++ engines/ccgost/gost_eng.c   2013-02-03 18:57:34.000000000 +0100
@@ -265,9 +265,8 @@
        {
        ENGINE *toadd =engine_gost();
        if (!toadd) return;
        ENGINE_add(toadd);
-       ENGINE_free(toadd);
        ERR_clear_error();
        }
 #endif 
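Review bot: removing `ENGINE_free(toadd);` after `ENGINE_add(toadd);` leaves the reference ENGINE_load_gost holds in place once ENGINE_add has taken its own, so this ENGINE object is never released and engine_pkey_meths_free is never reached for it; that hides the double free instead of fixing it, and, as the mail itself says, the EVP_PKEY_METHOD objects now leak outright. The two traces above show two distinct ENGINE structs (e=0xbb2e8f90 freed from ENGINE_load_gost, e=0xbb0c8f90 freed from engine_list_cleanup) both handing the same pmeth_GostR3410_94 pointer (0xbb1d0f94) to EVP_PKEY_meth_free, so the defect is shared ownership of one method object between engine instances, not the ENGINE_free call. The fix should keep the add-then-free pairing visible in this hunk and instead make sure each ENGINE instance either owns a distinct EVP_PKEY_METHOD set or does not free a method it does not own; if the ENGINE_free line really has to go, the hunk at least needs a comment stating why this loader deviates from that pairing.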



-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
m...@netbsd.org


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
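The EVP_PKEY_meth_new / EVP_PKEY_meth_free log in the mail was read by hand to spot the repeated free of 0xbb1d0f94. The following is an added example, not code from the mail or from OpenSSL: a small C checker that replays such a log, pairs each address returned by a `_new` line with the `_free` lines that follow, and reports double frees (a free of an address already freed), unknown frees (an address no `_new` ever returned) and leaks (addresses still live at the end). The `sample_log` array is a constructed copy of the ten lines from the mail; the line formats and the function names `count_double_frees` and `count_leaks` are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample log: the EVP_PKEY_meth_new / EVP_PKEY_meth_free
 * sequence reported in the mail, as a NULL-terminated array of lines. */
static const char *sample_log[] = {
    "EVP_PKEY_meth_new => 0xbb0dcf94",
    "EVP_PKEY_meth_new => 0xbb0e0f94",
    "EVP_PKEY_meth_new => 0xbb0e2f94",
    "EVP_PKEY_meth_new => 0xbb1d0f94",
    "EVP_PKEY_meth_new => 0xbb1d2f94",
    "EVP_PKEY_meth_new => 0xbb1d4f94",
    "EVP_PKEY_meth_free(0xbb1d0f94)",
    "EVP_PKEY_meth_free(0xbb1d2f94)",
    "EVP_PKEY_meth_free(0xbb1d4f94)",
    "EVP_PKEY_meth_free(0xbb1d0f94)",
    NULL
};

#define MAX_TRACKED 256

struct tracker {
    unsigned long addr[MAX_TRACKED];
    int live[MAX_TRACKED];  /* 1 between a _new and its matching _free */
    int n;
    int double_frees;       /* _free on an address already freed */
    int unknown_frees;      /* _free on an address never returned by _new */
};

static int tracker_find(const struct tracker *t, unsigned long addr)
{
    int i;
    for (i = 0; i < t->n; i++)
        if (t->addr[i] == addr)
            return i;
    return -1;
}

/* Consume one log line and update ownership state; unrecognised lines are skipped. */
static void tracker_feed(struct tracker *t, const char *line)
{
    unsigned long addr;
    int i;
    if (sscanf(line, "EVP_PKEY_meth_new => 0x%lx", &addr) == 1) {
        i = tracker_find(t, addr);
        if (i >= 0)
            t->live[i] = 1;             /* allocator reused a freed address */
        else if (t->n < MAX_TRACKED) {
            t->addr[t->n] = addr;
            t->live[t->n++] = 1;
        }
    } else if (sscanf(line, "EVP_PKEY_meth_free(0x%lx)", &addr) == 1) {
        i = tracker_find(t, addr);
        if (i < 0)
            t->unknown_frees++;
        else if (!t->live[i])
            t->double_frees++;          /* the mail's bug: second free of 0xbb1d0f94 */
        else
            t->live[i] = 0;
    }
}

static void tracker_run(struct tracker *t, const char **lines)
{
    memset(t, 0, sizeof(*t));
    for (; *lines; lines++)
        tracker_feed(t, *lines);
}

/* Objects still live at end of log: the leak the mail suspects. */
static int tracker_leaks(const struct tracker *t)
{
    int i, leaks = 0;
    for (i = 0; i < t->n; i++)
        leaks += t->live[i];
    return leaks;
}

int count_double_frees(const char **lines)
{
    struct tracker t;
    tracker_run(&t, lines);
    return t.double_frees;
}

int count_leaks(const char **lines)
{
    struct tracker t;
    tracker_run(&t, lines);
    return tracker_leaks(&t);
}

int main(void)
{
    struct tracker t;
    int i;
    tracker_run(&t, sample_log);
    printf("double frees: %d, unknown frees: %d, leaked: %d\n",
           t.double_frees, t.unknown_frees, tracker_leaks(&t));
    for (i = 0; i < t.n; i++)
        if (t.live[i])
            printf("never freed: 0x%lx\n", t.addr[i]);
    return t.double_frees ? 1 : 0;
}
```

On the mail's log this reports one double free (0xbb1d0f94) and three objects never freed (0xbb0dcf94, 0xbb0e0f94, 0xbb0e2f94), which is the leak the mail suspects would go unnoticed without the crash. Because the checker tracks addresses rather than objects, a `_new` that returns a previously freed address is treated as a fresh live object, so allocator reuse does not produce a false double-free report.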
