[openssl-dev] [openssl.org #4571] SegFault when OBJ_create is called from multiple threads (despite setting up locking_function)

Tue, 14 Jun 2016 09:25:23 -0700 

Hi,

I may, or may not, stumbled upon an issue with OpenSSL multihreading when
calling OBJ_create to define a new extension.

Briefly, calling below code from several threads at once - despite setting
up of locking functions - may cause segmentation fault due to supposedly
double free/corruption.

   char CUSTOM_EXTENSION_OID_VALUE[] = "1.2.345.678901.2.3.4";
   OBJ_create(CUSTOM_EXTENSION_OID_VALUE, "customExtension", "Custom
Extension");

Though this may not be a recommended set of calls to be executed over and
over again, I'd expect proper locking_function to guard against critical
failures.

The error is output when the crash happens as:
   *** Error in `./openssl_object_add_segfault_test': double free or
corruption (fasttop): 0x00007f50ac002620 ***

gdb used to look at the dumped core reveals:
   (gdb) bt
   #0  0x00007f50feea8cc9 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
   #1  0x00007f50feeac0d8 in __GI_abort () at abort.c:89
   #2  0x00007f50feee5394 in __libc_message (do_abort=do_abort@entry=1,
fmt=fmt@entry=0x7f50feff3b28 "*** Error in `%s': %s: 0x%s ***\n") at
../sysdeps/posix/libc_fatal.c:175
   #3  0x00007f50feef166e in malloc_printerr (ptr=<optimized out>,
str=0x7f50feff3cf0 "double free or corruption (fasttop)", action=1) at
malloc.c:4996
   #4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at
malloc.c:3840
   #5  0x000000000044a12d in CRYPTO_free ()
   #6  0x000000000044d921 in OBJ_add_object ()
   #7  0x000000000044ebcd in OBJ_create ()
   #8  0x000000000040364c in run()::{lambda()#1}::operator()() const ()

OpenSSL versions tested were: openssl-1.0.1t, openssl-1.0.1s and
openssl-1.0.2h.Above or similar occurred on all the tested versions.
I've noticed the behaviour on Ubuntu 14.04, using gcc 4.8.4, compiling
C++11 code. I first noticed the issue using clang, so I suppose compiler is
irrelevant.

I do have a minimal example (just a main, initOpenSSL and runThreads
functions, 70 lines of code + a Makefile) reproducing the issue. I am not
sure if emailing them here is the right way, if it is please let me know
and I'll paste it in.

Kind regards,
Maciej

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4571
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Reply via email to