Public bug reported:

[Impact]

 * curl 7.68 does not correctly use the OpenSSL 1.1.0+ API to initialise
OpenSSL's global state before executing any other OpenSSL APIs. This can
cause an engine to be initialised twice; when the engine is then unloaded,
any methods the engine installed may be freed twice or used after being
freed. This has been fixed in curl 7.74 by calling the OpenSSL init API
before any other OpenSSL call.

[Test Plan]

 * This should be reproducible with any engine that allocates and registers
methods and frees them when the engine is unloaded. Then use curl built
with the OpenSSL backend and check for a corrupted stack (a crash on exit).

 * For example, on arm64, compile and configure the pka engine from
https://github.com/Mellanox/pka/commit/b0f32fa05298bf9e3997ea43fc1c11b90e0d662f
(i.e. without the double-free protections proposed in
https://github.com/Mellanox/pka/pull/37 ) on any arm64 hardware. There
is no need for the engine to actually work or have access to anything:
the issue is reproducible when the engine is enabled but cannot be
used effectively.

 * curl any https website

...
PKA_DEV: pka_dev_open_ring_vfio: error: failed to get ring 50 device name
PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
100   338  100   338    0     0   3520      0 --:--:-- --:--:-- --:--:--  3520
(exit status 0)

is good output from fixed curl.

Whereas:

PKA_ENGINE: PKA instance is invalid
PKA_ENGINE: failed to retrieve valid instance
100   338  100   338    0     0   1169      0 --:--:-- --:--:-- --:--:--  1169
Segmentation fault (core dumped)
(exit status non-zero)

is bad output from currently broken curl.
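The "curl any https website" step above can be scripted so the two outcomes are told apart by exit status rather than by eye. The script below is an added example, not part of the bug report or of the curl or Ubuntu projects. It assumes the engine has already been built as described and is referenced from the openssl.cnf passed as the first argument; the config path and URL are placeholders. It classifies exit status 139 (128 + SIGSEGV) as the "Segmentation fault (core dumped)" case shown in the bad output, 134 (SIGABRT) as the status glibc's heap checks produce when they detect a double free, and 0 as the good output.

```shell
#!/bin/sh
# Added example: run the Test Plan's "curl any https website" step with an
# engine-enabled OpenSSL config and classify the result.
# Assumed inputs: $1 = openssl.cnf that loads the engine, $2 = an https URL.
# CURL_BIN can override the binary (used for testing the script offline).

# Map a shell exit status to a verdict.
#   0   = request completed, no crash on engine unload ("good output")
#   139 = 128 + SIGSEGV, the "Segmentation fault (core dumped)" case
#   134 = 128 + SIGABRT, e.g. glibc aborting on a detected double free
# Anything else is an ordinary curl error (TLS, DNS, HTTP), not a crash.
classify_exit_status() {
    case "$1" in
        0)   echo "ok" ;;
        139) echo "crash:SIGSEGV" ;;
        134) echo "crash:SIGABRT" ;;
        *)   echo "curl-error:$1" ;;
    esac
}

# Run curl once under the given OpenSSL config and print the verdict.
# The if/else form captures a non-zero status without tripping `set -e`.
run_engine_check() {
    conf="$1"
    url="$2"
    if OPENSSL_CONF="$conf" ${CURL_BIN:-curl} -sS -o /dev/null "$url" 2>/dev/null; then
        status=0
    else
        status=$?
    fi
    classify_exit_status "$status"
}

# Usage: sh check_engine.sh /etc/ssl/openssl-pka.cnf https://example.com
# (both arguments are placeholders; exit 1 signals a crash so the script
# can gate an SRU verification run)
if [ "$#" -eq 2 ]; then
    verdict=$(run_engine_check "$1" "$2")
    echo "$verdict"
    case "$verdict" in
        crash:*) exit 1 ;;
    esac
fi
```

Running it against the broken and the fixed curl packages should yield `crash:SIGSEGV` and `ok` respectively; a `curl-error:` verdict means the request itself failed before the engine-unload path was reached and the test should be repeated with a reachable URL.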

[Where problems could occur]

 * Correctly calling the OpenSSL init function before any other OpenSSL
APIs changes the behaviour of the library slightly: the OpenSSL
configuration file and engines are now initialised and loaded earlier,
so site-local customisations are applied correctly whenever the curl CLI
utility or libcurl4 (the OpenSSL build of curl) is used. This makes engine
support work correctly across the board. However, if one has a
misconfigured openssl.cnf or misconfigured engines, these are now actually
attempted to be used, and one may see unexpected behaviour changes (since
the existing configuration was previously not taking effect).

[Other Info]
 * References:
https://github.com/curl/curl/commit/1835cb916e0d40eb8bc1165d5627a0b64f911bac
https://github.com/openssl/openssl/issues/13548
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1921518

** Affects: curl (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: curl (Ubuntu Bionic)
     Importance: Undecided
         Status: New

** Affects: curl (Ubuntu Focal)
     Importance: Undecided
         Status: Confirmed

** Also affects: curl (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: curl (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Changed in: curl (Ubuntu Focal)
       Status: New => Confirmed

** Changed in: curl (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940528

Title:
  curl 7.68 does not init OpenSSL correctly

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
