Bug 1159429

Summary: Memory leak in PKCS11 trustdb
Product: [Fedora] Fedora
Reporter: David Woodhouse <dwmw2>
Component: gnutls
Assignee: Nikos Mavrogiannopoulos <nmavrogi>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 21
CC: nmavrogi, tmraz
Fixed In Version: gnutls-3.3.10-1.fc21
Doc Type: Bug Fix
Last Closed: 2014-11-16 14:40:48 UTC
Type: Bug

Description David Woodhouse 2014-11-01 00:21:59 UTC
gnutls-3.3.9-2.fc21.x86_64

$ valgrind --leak-check=full gnutls-cli www.facebook.com 443 < /dev/null
==27098== Memcheck, a memory error detector
==27098== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==27098== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==27098== Command: gnutls-cli www.facebook.com 443
==27098== 
Processed 236 CA certificate(s).
Resolving 'www.facebook.com'...
Connecting to '2a03:2880:2110:cf07:face:b00c:0:1:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `C=US,ST=CA,L=Menlo Park,O=Facebook\, Inc.,CN=*.facebook.com', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3', EC key 256 bits, signed using RSA-SHA1, activated `2014-08-28 00:00:00 UTC', expires `2015-10-28 12:00:00 UTC', SHA-1 fingerprint `45bfee628eec0ba06dfb860c865ffdb71502a541'
	Public Key ID:
		b686761919d18c2f4fe55554742a4eac51fc95f4
	Public key's random art:
		+--[  EC  256]----+
		|        .+ .. .=O|
		|        ..ooo .o+|
		|        ...o+o..E|
		|        .oo=...  |
		|        S+. .    |
		|       o +.      |
		|      o =        |
		|     . o         |
		|                 |
		+-----------------+

- Certificate[1] info:
 - subject `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2008-04-02 12:00:00 UTC', expires `2022-04-03 00:00:00 UTC', SHA-1 fingerprint `42857855fb0ea43f54c9911e30e7791d8ce82705'
==27098== Conditional jump or move depends on uninitialised value(s)
==27098==    at 0x31C086C9B3: _gnutls_copy_data (common.c:1898)
==27098==    by 0x31C0890722: gnutls_x509_crt_get_subject_key_id (x509.c:838)
==27098==    by 0x31C086CCAB: _gnutls_check_valid_key_id (common.c:1982)
==27098==    by 0x31C085C109: check_found_cert (pkcs11.c:3124)
==27098==    by 0x31C085C109: find_cert_cb (pkcs11.c:3308)
==27098==    by 0x31C08602BD: _pkcs11_traverse_tokens (pkcs11.c:1162)
==27098==    by 0x31C0861180: gnutls_pkcs11_get_raw_issuer (pkcs11.c:3435)
==27098==    by 0x31C088ED24: _gnutls_pkcs11_verify_crt_status (verify.c:1128)
==27098==    by 0x31C08998FB: gnutls_x509_trust_list_verify_crt2 (verify-high.c:952)
==27098==    by 0x31C084CB6B: _gnutls_x509_cert_verify_peers (gnutls_x509.c:296)
==27098==    by 0x409808: cert_verify (common.c:325)
==27098==    by 0x4085E3: cert_verify_callback (cli.c:400)
==27098==    by 0x31C082E67B: run_verify_callback (gnutls_handshake.c:2649)
==27098== 
- Status: The certificate is trusted. 
- Description: (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-128-CBC)-(SHA1)
- Session ID: E5:53:2A:10:36:CD:BE:FC:B0:F2:82:12:0A:FC:7A:A2:C4:83:37:D7:BA:14:5B:62:36:6E:E5:56:AF:BA:F1:54
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-ECDSA
- Server Signature: ECDSA-SHA256
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

==27098== 
==27098== HEAP SUMMARY:
==27098==     in use at exit: 3,923,965 bytes in 38,440 blocks
==27098==   total heap usage: 261,486 allocs, 223,046 frees, 34,018,442 bytes allocated
==27098== 
==27098== 294 bytes in 1 blocks are definitely lost in loss record 150 of 277
==27098==    at 0x4A06BCF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27098==    by 0x31C0865D10: pkcs11_get_attribute_avalue (pkcs11_int.c:134)
==27098==    by 0x31C085BFDE: find_cert_cb (pkcs11.c:3316)
==27098==    by 0x31C08602BD: _pkcs11_traverse_tokens (pkcs11.c:1162)
==27098==    by 0x31C0861180: gnutls_pkcs11_get_raw_issuer (pkcs11.c:3435)
==27098==    by 0x31C088ED24: _gnutls_pkcs11_verify_crt_status (verify.c:1128)
==27098==    by 0x31C08998FB: gnutls_x509_trust_list_verify_crt2 (verify-high.c:952)
==27098==    by 0x31C084CB6B: _gnutls_x509_cert_verify_peers (gnutls_x509.c:296)
==27098==    by 0x409808: cert_verify (common.c:325)
==27098==    by 0x4085E3: cert_verify_callback (cli.c:400)
==27098==    by 0x31C082E67B: run_verify_callback (gnutls_handshake.c:2649)
==27098==    by 0x31C0832D83: handshake_client (gnutls_handshake.c:2743)
==27098==    by 0x31C0832D83: gnutls_handshake (gnutls_handshake.c:2553)
==27098== 
==27098== LEAK SUMMARY:
==27098==    definitely lost: 294 bytes in 1 blocks
==27098==    indirectly lost: 0 bytes in 0 blocks
==27098==      possibly lost: 0 bytes in 0 blocks
==27098==    still reachable: 3,923,671 bytes in 38,439 blocks
==27098==         suppressed: 0 bytes in 0 blocks
==27098== Reachable blocks (those to which a pointer was found) are not shown.
==27098== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==27098== 
==27098== For counts of detected and suppressed errors, rerun with: -v
==27098== Use --track-origins=yes to see where uninitialised values come from
==27098== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
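
Added example (not part of the original report and not GnuTLS code): a small Python triage script for Memcheck output like the log above. It extracts each loss record and reports the first non-allocator frame, which is the function that requested the leaked buffer and the usual starting point for finding the missing free. The sample log is an abridged copy of the record in this report; the names `parse_leaks` and `owner` are made up for this example.

```python
import re

# Constructed sample: abridged copy of the "definitely lost" record from this report.
SAMPLE = """\
==27098== 294 bytes in 1 blocks are definitely lost in loss record 150 of 277
==27098==    at 0x4A06BCF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27098==    by 0x31C0865D10: pkcs11_get_attribute_avalue (pkcs11_int.c:134)
==27098==    by 0x31C085BFDE: find_cert_cb (pkcs11.c:3316)
==27098==    by 0x31C08602BD: _pkcs11_traverse_tokens (pkcs11.c:1162)
==27098== 
==27098== LEAK SUMMARY:
==27098==    definitely lost: 294 bytes in 1 blocks
"""

# Loss-record header and stack-frame lines as Memcheck prints them.
HEADER = re.compile(r"^==\d+== ([\d,]+) (?:\([^)]*\) )?bytes in ([\d,]+) blocks are (definitely|indirectly|possibly) lost")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((?:in )?([^)]+)\)")
ALLOCATORS = {"malloc", "calloc", "realloc", "strdup", "memalign", "posix_memalign"}

def parse_leaks(text):
    """Return one dict per Memcheck loss record: kind, bytes, blocks, frames."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"bytes": int(m.group(1).replace(",", "")),
                       "blocks": int(m.group(2).replace(",", "")),
                       "kind": m.group(3), "frames": []}
            records.append(current)
            continue
        m = FRAME.match(line)
        if m and current is not None:
            current["frames"].append((m.group(1), m.group(2)))
        elif current is not None:
            current = None  # any non-frame line (e.g. bare "==pid==") ends the record
    return records

def owner(record):
    """First frame that is not the allocator itself: the code that requested the buffer."""
    for func, where in record["frames"]:
        if func not in ALLOCATORS:
            return func, where
    return None

if __name__ == "__main__":
    for rec in parse_leaks(SAMPLE):
        print(rec["kind"], rec["bytes"], "bytes, allocated via", owner(rec))
```

Frames that appear before any loss-record header, such as the uninitialised-value trace earlier in the log, are ignored, so the script can be fed the full `valgrind --leak-check=full` output.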

Comment 1 Nikos Mavrogiannopoulos 2014-11-02 07:45:05 UTC
Upstream patch solving the issue:
https://gitorious.org/gnutls/gnutls/commit/02bea708d26266c0b8526badcb86bf207741ade7

Comment 2 Fedora Update System 2014-11-10 09:03:55 UTC
gnutls-3.3.10-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/gnutls-3.3.10-1.fc21

Comment 3 Fedora Update System 2014-11-10 09:06:10 UTC
gnutls-3.3.10-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/gnutls-3.3.10-1.fc21

Comment 4 Fedora Update System 2014-11-12 02:37:12 UTC
Package gnutls-3.3.10-1.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gnutls-3.3.10-1.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-14734/gnutls-3.3.10-1.fc21
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2014-11-16 14:40:48 UTC
gnutls-3.3.10-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.