Is there any way to enable some logs to further debug this issue?
2013/6/24 2234822 jeff <[email protected]> > Did anyone ever encounter the same issue before? > > > 2013/6/20 2234822 jeff via RT <[email protected]> > >> I am using openssl-1.0.1 in my 32bit app on 64bit Windows, I got a crash >> in >> ssleay32!freelist_extract(See "Call Stack" in the "OTHER INFO" section as >> follow), it is not easy to recreate it and we cannot find a stable way to >> recreate it, but it happened several times. After looking into the dump >> file and analyzing the heap, now I suspect it is a potential bug in >> OpenSSL, here is my analysis: >> >> 1. I check the local variables in frame >> "ssleay32!freelist_extract+0x3c" >> and found the structure of free list rbuf_freelist was corrupted, The >> length of the list is 10 (the value of len is 0xa), but there is only one >> valid node in the list -- the head, the next pointer of head is pointing >> to >> some invalid memory. The free list for write, wbuf_freelist, got the same >> problem (length is 10, but only one valid node, next pointer of head >> points >> to invalid memory). so we can reach the conclusion that the heap memory >> which the head pointer points to was corrupted.(See "Call Stack" and >> "Local >> variables for frame: ssleay32!freelist_extract+0x3c" below) >> 2. From the corrupt pattern -- the "next" pointer (the first 4 bytes of >> the user accessible part of the heap block) was corrupted, but the 8 bytes >> metadata of the heap block was not. It looks like the pointer points to >> the >> user accessible part of the heap block was still in use after the buffer >> had been released (e.g. by calling ssl3_release_read_buffer(...)), or >> caused by some other similar mistakes. >> 3. From the corrupt pattern, I think the possibility that it is caused >> by memory overrun/underrun is very low. AND given that there are 2 lists >> (rbuf_freelist & wbuf_freelist) experiencing the same issue, the >> possibility become much lower. >> 4. I think it is unlikely that the root cause of this issue is in my >> own >> code, since the rbuf_freelist and wbuf_freelist are internal structures in >> OpenSSL, my own code does not access these internal structures directly. >> >> >> OTHER INFO: >> >> -------------------------------------------------------------------------------------------------------------- >> OpenSSL version, extracted from the README file >> >> -------------------------------------------------------------------------------------------------------------- >> OpenSSL 1.0.1 14 Mar 2012 >> >> >> -------------------------------------------------------------------------------------------------------------- >> OS version and platform: >> >> -------------------------------------------------------------------------------------------------------------- >> Windows Server 2008 R2 Enterprise Edition 6.1 SP 1. >> VMware Virtual Platform. >> >> >> -------------------------------------------------------------------------------------------------------------- >> Compiler: >> >> -------------------------------------------------------------------------------------------------------------- >> VC8.0 (VS2005) >> >> >> -------------------------------------------------------------------------------------------------------------- >> Local variables for frame: ssleay32!freelist_extract+0x3c >> >> -------------------------------------------------------------------------------------------------------------- >> ctx >> |- method >> >> .... >> >> |- wbuf_freelist >> |- chucklen (0x44b0) >> |- len (0xa) >> |- head (0x00dd1098) >> |- next (0x17dd1098) >> |- next (Memory access error) >> |- next (Memory access error) >> |- next (Memory access error) >> ... >> |- rbuf_freelist >> |- chucklen (0x4548) >> |- len (0xa) >> |- head (0x00d84a20) >> |- next (0x17000316) >> |- next (Memory access error) >> |- next (Memory access error) >> |- next (Memory access error) >> ... >> >> for_read (0n1) >> sz (0n17736) >> >> >> -------------------------------------------------------------------------------------------------------------- >> Call Stack: >> >> -------------------------------------------------------------------------------------------------------------- >> ntdll!NtWaitForMultipleObjects+0x15 >> KERNELBASE!WaitForMultipleObjectsEx+0x100 >> kernel32!WaitForMultipleObjectsExImplementation+0xe0 >> kernel32!WaitForMultipleObjects+0x18 >> kernel32!WerpReportFaultInternal+0x186 >> kernel32!WerpReportFault+0x70 >> kernel32!BasepReportFault+0x20 >> kernel32!UnhandledExceptionFilter+0x1af >> ntdll!__RtlUserThreadStart+0x62 >> ntdll!_EH4_CallFilterFunc+0x12 >> ntdll!_except_handler4+0x8e >> ntdll!ExecuteHandler2+0x26 >> ntdll!ExecuteHandler+0x24 >> ntdll!RtlDispatchException+0x127 >> ntdll!KiUserExceptionDispatcher+0xf >> ssleay32!freelist_extract+0x3c [...\openssl\ssl\s3_both.c @ 691] >> ssleay32!ssl3_setup_read_buffer+0x7b [...\openssl\ssl\s3_both.c @ 760] >> ssleay32!ssl3_setup_buffers+0xb [...\openssl\ssl\s3_both.c @ 817] >> ssleay32!ssl23_get_client_hello+0x34 [...\openssl\ssl\s23_srvr.c @ 266] >> ssleay32!ssl23_accept+0x16e [...\openssl\ssl\s23_srvr.c @ 210] >> ssleay32!SSL_accept+0x1d [...\openssl\ssl\ssl_lib.c @ 938] >> (stacks in my code have been removed) >> >> >> -------------------------------------------------------------------------------------------------------------- >> Source code for freelist_extract in s3_both.c >> >> -------------------------------------------------------------------------------------------------------------- >> static void * >> freelist_extract(SSL_CTX *ctx, int for_read, int sz) >> { >> SSL3_BUF_FREELIST *list; >> SSL3_BUF_FREELIST_ENTRY *ent = NULL; >> void *result = NULL; >> >> CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); >> list = for_read ? ctx->rbuf_freelist : ctx->wbuf_freelist; >> if (list != NULL && sz == (int)list->chunklen) >> ent = list->head; >> if (ent != NULL) >> { >> list->head = ent->next; //Crash here, line 691 >> result = ent; >> if (--list->len == 0) >> list->chunklen = 0; >> } >> CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); >> if (!result) >> result = OPENSSL_malloc(sz); >> return result; >> } >> >> ______________________________________________________________________ >> OpenSSL Project http://www.openssl.org >> Development Mailing List [email protected] >> Automated List Manager [email protected] >> > >
