While trying to understand why a fix in PKA that guards against multiple
destroys (https://github.com/Mellanox/pka/pull/37/files) didn't bypass
this issue, I found the following.

bind() operation of engines is expected to populate the pmeths and
ameths of an existing engine (https://github.com/gost-
engine/engine/blob/df3ead272bd2019f98d16e6787f5df51556c0603/gost_eng.c#L375,
https://github.com/Mellanox/pka/blob/master/engine/e_bluefield.c#L1615).
This means that the engine uses EVP_PKEY_meth_new (for instance) as part
of this registration.

However, on teardown, OpenSSL's engine_free_util() is invoking
engine_pkey_meths_free() and engine_pkey_asn1_meths_free(). Both of
which iterate the list of registered methods, and invoke
EVP_PKEY_meth_free() on each on of them. Only after OpenSSL freed these
methods it calls the engine's destroy() method which allows the
registered engine to do its own cleanup.

As long as this design is used, an engine using pkey methods can't
protect itself against multiple destroy operations, because OpenSSL is
the one freeing it's methods and there isn't much the engine can do
about it. For future versions, it might be recommended to update this
API and grant the engine the ownership on clearing up the memory that it
allocated on the first place.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921518

Title:
  OpenSSL "double free" error

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1921518/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to