Bug 1697915

Summary: Race/segmentation fault on process shutdown in OpenSSL
Product: Red Hat Enterprise Linux 8
Component: openssl
Version: 8.0
Status: CLOSED ERRATA
Severity: high
Priority: medium
Reporter: Alicja Kario <hkario>
Assignee: Tomas Mraz <tmraz>
QA Contact: Daiki Ueno <dueno>
CC: dueno
Keywords: Triaged
Target Milestone: rc
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openssl-1.1.1b-3.el8
Doc Type: If docs needed, set a value
Last Closed: 2019-11-05 22:40:19 UTC
Type: Bug
Bug Depends On: 1643026

Description Alicja Kario 2019-04-09 10:01:24 UTC
Description of problem:
When the process is shutting down, openssl sometimes crashes with a segmentation fault.

Version-Release number of selected component (if applicable):
openssl-1.1.1-8.el8.x86_64

How reproducible:
common

Steps to Reproduce:
1. Run an application that reads a lot of data from openssl random
2. Kill it with SIGTERM

Actual results:
==29110== Memcheck, a memory error detector
==29110== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==29110== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==29110== Command: ./reproducer 40 32 0
==29110==
==29110==
==29110== Process terminating with default action of signal 15 (SIGTERM)
==29110==    at 0x4F9C115: aesni_init_key (e_aes.c:273)
==29110==    by 0x4FAC123: EVP_CipherInit_ex (evp_enc.c:233)
==29110==    by 0x4FE73AE: ctr_update (drbg_ctr.c:274)
==29110==    by 0x4FE75A4: drbg_ctr_generate (drbg_ctr.c:316)
==29110==    by 0x4FE8418: RAND_DRBG_generate (drbg_lib.c:626)
==29110==    by 0x4FE86AD: RAND_DRBG_bytes (drbg_lib.c:658)
==29110==    by 0x4009AD: runner (in /tmp/tmp.xCWicnu6ig/reproducer)
==29110==    by 0x531D2DD: start_thread (pthread_create.c:486)
==29110==    by 0x5631A62: clone (clone.S:95)
==29110== Thread 3:
==29110== Invalid read of size 8
==29110==    at 0x5B11539: check_free (dlerror.c:188)
==29110==    by 0x5B11A65: free_key_mem (dlerror.c:221)
==29110==    by 0x5B11A65: __dlerror_main_freeres (dlerror.c:239)
==29110==    by 0x56A2829: __libc_freeres (in /usr/lib64/libc-2.28.so)
==29110==    by 0x4A2B71E: _vgnU_freeres (vg_preloaded.c:77)
==29110==    by 0x730E62F: ???
==29110==  Address 0x72adfc8 is 12 bytes after a block of size 12 alloc'd
==29110==    at 0x4C30E8B: malloc (vg_replace_malloc.c:309)
==29110==    by 0x4FC2C3C: CRYPTO_zalloc (mem.c:232)
==29110==    by 0x4FBE9F5: ossl_init_get_thread_local (init.c:66)
==29110==    by 0x4FBE9F5: ossl_init_thread_start (init.c:426)
==29110==    by 0x4FE8EE9: RAND_DRBG_get0_public (drbg_lib.c:1029)
==29110==    by 0x4FE8F23: drbg_bytes (drbg_lib.c:941)
==29110==    by 0x4009AD: runner (in /tmp/tmp.xCWicnu6ig/reproducer)
==29110==    by 0x531D2DD: start_thread (pthread_create.c:486)
==29110==    by 0x5631A62: clone (clone.S:95)
==29110==
==29110== Invalid read of size 1
==29110==    at 0x5B11561: check_free (dlerror.c:189)
==29110==    by 0x5B11A65: free_key_mem (dlerror.c:221)
==29110==    by 0x5B11A65: __dlerror_main_freeres (dlerror.c:239)
==29110==    by 0x56A2829: __libc_freeres (in /usr/lib64/libc-2.28.so)
==29110==    by 0x4A2B71E: _vgnU_freeres (vg_preloaded.c:77)
==29110==    by 0x730E62F: ???
==29110==  Address 0x1000 is not stack'd, malloc'd or (recently) free'd
==29110==
==29110==
==29110== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==29110==  Access not within mapped region at address 0x1000
==29110==    at 0x5B11561: check_free (dlerror.c:189)
==29110==    by 0x5B11A65: free_key_mem (dlerror.c:221)
==29110==    by 0x5B11A65: __dlerror_main_freeres (dlerror.c:239)
==29110==    by 0x56A2829: __libc_freeres (in /usr/lib64/libc-2.28.so)
==29110==    by 0x4A2B71E: _vgnU_freeres (vg_preloaded.c:77)
==29110==    by 0x730E62F: ???
==29110==  If you believe this happened as a result of a stack
==29110==  overflow in your program's main thread (unlikely but
==29110==  possible), you can try to increase the size of the
==29110==  main thread stack using the --main-stacksize= flag.
==29110==
==29110== HEAP SUMMARY:
==29110==     in use at exit: 12,528 bytes in 28 blocks
==29110==   total heap usage: 3,550,390 allocs, 3,550,362 frees, 3,504,944,528 bytes allocated
==29110==
==29110== LEAK SUMMARY:
==29110==    definitely lost: 0 bytes in 0 blocks
==29110==    indirectly lost: 0 bytes in 0 blocks
==29110==      possibly lost: 544 bytes in 2 blocks
==29110==    still reachable: 11,984 bytes in 26 blocks
==29110==         suppressed: 0 bytes in 0 blocks
==29110== Rerun with --leak-check=full to see details of leaked memory
==29110==
==29110== For counts of detected and suppressed errors, rerun with: -v
==29110== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)

Expected results:
Orderly shutdown

Additional info:
The issue should be fixed in the upstream openssl-1.1.1b release.

Comment 1 Tomas Mraz 2019-04-09 11:10:12 UTC
My testing of openssl-1.1.1b does not produce any SIGSEGVs with this test.

Comment 9 errata-xmlrpc 2019-11-05 22:40:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3700