Bug 1436094

Summary: Segmentation fault / Invalid read of size 8 in EVP_CIPHER_CTX_cleanup
Product: [Fedora] Fedora Reporter: Remi Collet <fedora>
Component: libevent    Assignee: Steve Dickson <steved>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 26    CC: steved, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: libevent-2.0.22-3.fc26 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-04-01 17:32:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1423849    
Bug Blocks:    

Description Remi Collet 2017-03-27 07:20:11 UTC
Working on the php-pecl-event extension, which uses libevent and openssl.

openssl-devel-1.1.0e-1.fc26.x86_64
libevent-devel-2.0.22-1.fc25.x86_64
php-devel-7.1.3-1.fc26.x86_64

$ gdb php
(gdb) run  -n  -d "output_handler=" -d "open_basedir=" -d "disable_functions=" -d "output_buffering=Off" -d "error_reporting=32767" -d "display_errors=1" -d "display_startup_errors=1" -d "log_errors=0" -d "html_errors=0" -d "track_errors=1" -d "report_memleaks=1" -d "report_zend_debug=0" -d "docref_root=" -d "docref_ext=.html" -d "error_prepend_string=" -d "error_append_string=" -d "auto_prepend_file=" -d "auto_append_file=" -d "ignore_repeated_errors=0" -d "precision=14" -d "memory_limit=128M" -d "log_errors_max_len=0" -d "opcache.fast_shutdown=0" -d "opcache.file_update_protection=0" -d "extension=sockets.so" -d "extension=/home/remi/pecl-event/modules/event.so" -d "session.auto_start=0" -d "zlib.output_compression=Off" -f "/home/remi/pecl-event/tests/21-bevent-sslfilter.php"
(gdb) bt
#0  0x00007fffebfb2d61 in EVP_CIPHER_CTX_cleanup () from /lib64/libcrypto.so.10
#1  0x00007fffec32ca5d in ssl_clear_cipher_ctx () from /lib64/libssl.so.10
#2  0x00007fffec32e23a in SSL_set_accept_state () from /lib64/libssl.so.10
#3  0x00007fffec9a4ea2 in bufferevent_openssl_new_impl (base=0x555555cf6380, underlying=0x555555cd6750, fd=fd@entry=-1, ssl=0x555555ced850, state=BUFFEREVENT_SSL_ACCEPTING, 
    options=<optimized out>) at bufferevent_openssl.c:1337
#4  0x00007fffec9a5b8e in bufferevent_openssl_filter_new (base=<optimized out>, underlying=<optimized out>, ssl=<optimized out>, state=<optimized out>, options=<optimized out>)
    at bufferevent_openssl.c:1396
#5  0x00007fffecbbe9ce in _create_ssl_filter (execute_data=<optimized out>, return_value=0x7fffffffa210, deprecated=<optimized out>)
    at /home/remi/pecl-event/php7/classes/buffer_event.c:308
#6  0x0000555555853e80 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER () at /usr/src/debug/php-7.1.3/Zend/zend_vm_execute.h:970
#7  0x00005555557fb14b in execute_ex (ex=<optimized out>) at /usr/src/debug/php-7.1.3/Zend/zend_vm_execute.h:429
#8  0x0000555555855ec0 in zend_execute (op_array=op_array@entry=0x555555cf5e40, return_value=return_value@entry=0x555555cf6310)
    at /usr/src/debug/php-7.1.3/Zend/zend_vm_execute.h:474
#9  0x00005555557b1972 in zend_execute_scripts (type=type@entry=8, retval=0x555555cf6310, retval@entry=0x0, file_count=-134995904, file_count@entry=3)
    at /usr/src/debug/php-7.1.3/Zend/zend.c:1476
#10 0x000055555574e670 in php_execute_script (primary_file=0x7fffffffc830) at /usr/src/debug/php-7.1.3/main/main.c:2537
#11 0x00005555558581f8 in do_cli (argc=60, argv=0x555555bd1db0) at /usr/src/debug/php-7.1.3/sapi/cli/php_cli.c:993
#12 0x0000555555621558 in main (argc=60, argv=0x555555bd1db0) at /usr/src/debug/php-7.1.3/sapi/cli/php_cli.c:1381

Using valgrind (ensuring we are not using the PHP allocator):
$ export USE_ZEND_ALLOC=0
$ valgrind /usr/bin/php  -n  -d "output_handler=" -d "open_basedir=" -d "disable_functions=" -d "output_buffering=Off" -d "error_reporting=32767" -d "display_errors=1" -d "display_startup_errors=1" -d "log_errors=0" -d "html_errors=0" -d "track_errors=1" -d "report_memleaks=1" -d "report_zend_debug=0" -d "docref_root=" -d "docref_ext=.html" -d "error_prepend_string=" -d "error_append_string=" -d "auto_prepend_file=" -d "auto_append_file=" -d "ignore_repeated_errors=0" -d "precision=14" -d "memory_limit=128M" -d "log_errors_max_len=0" -d "opcache.fast_shutdown=0" -d "opcache.file_update_protection=0" -d "extension=sockets.so" -d "extension=/home/remi/pecl-event/modules/event.so" -d "session.auto_start=0" -d "zlib.output_compression=Off" -f "/home/remi/pecl-event/tests/21-bevent-sslfilter.php" 
==20455== Memcheck, a memory error detector
==20455== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==20455== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==20455== Command: /usr/bin/php -n -d output_handler= -d open_basedir= -d disable_functions= -d output_buffering=Off -d error_reporting=32767 -d display_errors=1 -d display_startup_errors=1 -d log_errors=0 -d html_errors=0 -d track_errors=1 -d report_memleaks=1 -d report_zend_debug=0 -d docref_root= -d docref_ext=.html -d error_prepend_string= -d error_append_string= -d auto_prepend_file= -d auto_append_file= -d ignore_repeated_errors=0 -d precision=14 -d memory_limit=128M -d log_errors_max_len=0 -d opcache.fast_shutdown=0 -d opcache.file_update_protection=0 -d extension=sockets.so -d extension=/home/remi/pecl-event/modules/event.so -d session.auto_start=0 -d zlib.output_compression=Off -f /home/remi/pecl-event/tests/21-bevent-sslfilter.php
==20455== 
==20455== Invalid read of size 8
==20455==    at 0x10E50D61: EVP_CIPHER_CTX_cleanup (in /usr/lib64/libcrypto.so.1.0.2j)
==20455==    by 0x10AFDA5C: ssl_clear_cipher_ctx (in /usr/lib64/libssl.so.1.0.2j)
==20455==    by 0x10AFF239: SSL_set_accept_state (in /usr/lib64/libssl.so.1.0.2j)
==20455==    by 0x1046BEA1: bufferevent_openssl_new_impl (bufferevent_openssl.c:1337)
==20455==    by 0x102539CD: _create_ssl_filter (buffer_event.c:308)
==20455==    by 0x407E7F: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:970)
==20455==    by 0x3AF14A: execute_ex (zend_vm_execute.h:429)
==20455==    by 0x409EBF: zend_execute (zend_vm_execute.h:474)
==20455==    by 0x365971: zend_execute_scripts (zend.c:1476)
==20455==    by 0x30266F: php_execute_script (main.c:2537)
==20455==    by 0x40C1F7: do_cli (php_cli.c:993)
==20455==    by 0x1D5557: main (php_cli.c:1381)
==20455==  Address 0xffffffff00000000 is not stack'd, malloc'd or (recently) free'd
==20455== 

I'm not sure where the bug is (php-pecl-event, libevent or openssl), but this only happens with OpenSSL 1.1; everything works as expected with OpenSSL 1.0.

Any help welcome on this issue.

Comment 1 Remi Collet 2017-03-27 07:21:38 UTC
BTW, just noticed libevent is FTBFS in rawhide... so it still uses the older openssl library... see #1423849

Comment 2 Tomas Mraz 2017-03-27 07:35:47 UTC
This is most probably a conflict between the old and new openssl being simultaneously used in a single process. In most cases this works fine, but there might be use-cases where it does not. I'll look at patching libevent to use the 1.1.0.
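A way to check for the condition described in this comment (two OpenSSL generations mapped into one process), added here as an example and not part of the bug report or of the libevent or php-pecl-event projects. The maps lines are constructed to mirror the backtrace above (libcrypto/libssl 1.0.2j next to 1.1.0); the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of /proc/<pid>/maps output (not a real capture): the
# process has both OpenSSL 1.0.2 and OpenSSL 1.1.0 mapped at the same time.
SAMPLE_MAPS='7fffebf00000-7fffec100000 r-xp 00000000 fd:01 1234 /usr/lib64/libcrypto.so.1.0.2j
7fffec100000-7fffec130000 r--p 00200000 fd:01 1234 /usr/lib64/libcrypto.so.1.0.2j
7fffec300000-7fffec380000 r-xp 00000000 fd:01 1235 /usr/lib64/libssl.so.1.0.2j
7fffed000000-7fffed200000 r-xp 00000000 fd:01 2345 /usr/lib64/libcrypto.so.1.1.0e
7fffed300000-7fffed380000 r-xp 00000000 fd:01 2346 /usr/lib64/libssl.so.1.1.0e
7fffec900000-7fffec950000 r-xp 00000000 fd:01 3456 /usr/lib64/libevent_openssl-2.0.so.5.1.9
7ffff7a00000-7ffff7b00000 r-xp 00000000 fd:01 4567 /usr/lib64/libc-2.25.so'

# Print every OpenSSL library family (libcrypto, libssl) that is mapped from
# more than one distinct file. Prints nothing when the process is consistent.
# $1: the text of a /proc/<pid>/maps file.
dup_openssl_libs() {
    printf '%s\n' "$1" |
        awk '$6 ~ /\/lib(crypto|ssl)\.so/ {
                 n = split($6, p, "/"); f = p[n]
                 sub(/\.so.*/, "", f)            # family name: libcrypto or libssl
                 # several segments of one file count once; distinct files count
                 if (!((f, $6) in seen)) { seen[f, $6] = 1; count[f]++ }
             }
             END { for (f in count) if (count[f] > 1) print f }' | sort
}

# Live check of a running process: check_pid <pid>
check_pid() {
    dup_openssl_libs "$(cat /proc/"$1"/maps)"
}

# On the constructed sample this reports both families as duplicated.
dup_openssl_libs "$SAMPLE_MAPS"
```

A non-empty result means the process links two incompatible OpenSSL ABIs, which is exactly the situation that leads to the invalid read in EVP_CIPHER_CTX_cleanup shown in the report.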

Comment 3 Remi Collet 2017-03-27 07:49:02 UTC
Notice: from a quick test

- latest libevent 2.1.8 just builds fine in F26 (but introduces a soname bump from 5 to 6)

- the pecl/event test suite passes without any segfault


> This is most probably a conflict between the old and new openssl being simultaneously used in a single process.

Indeed.

Comment 4 Remi Collet 2017-03-27 16:37:45 UTC
php-pecl-event rebuilt in rawhide, "full" test suite passes without any segfault.

Thanks for the quick fix.

Comment 5 Fedora Update System 2017-03-27 19:22:18 UTC
libevent-2.0.22-3.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-f1d16808df

Comment 6 Tomas Mraz 2017-03-28 07:41:42 UTC
Of course, at least in Rawhide it would be much better if libevent was updated to the current upstream version. But I suppose doing a soname bump in the F26 branch is not a good idea.

Comment 7 Remi Collet 2017-03-28 07:44:04 UTC
(In reply to Tomas Mraz from comment #6)
> Of course, at least in Rawhide it would be much better if libevent was
> updated to the current upstream version. But I suppose doing a soname bump in
> the F26 branch is not a good idea.

+1

Comment 8 Fedora Update System 2017-04-01 17:32:31 UTC
libevent-2.0.22-3.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.