Bug 2039993
Summary: httpd fails to start with double free after updating to openssl-1.0.2k-23.el7_9
Product: Red Hat Enterprise Linux 7
Reporter: Aaron Ogburn <aogburn>
Component: openssl
Assignee: Sahana Prasad <sahana>
Status: CLOSED ERRATA
QA Contact: Stanislav Zidek <szidek>
Severity: urgent
Priority: urgent
Version: 7.9
CC: aakhtar, aferreir, aivaraslaimikis, dbelyavs, deriamis, dries.verachtert, hajek, hkario, iversen, jorton, jrd-rhbz, jreznik, kahara, lkonno, mark, michael.buchfink, michael.sessions, mihai.petracovici, nico.van.roijen, nwildner, orion, pasik, pdwyer, pmendezh, pskhedekar, redhat-bugzilla, redhat-license, riehecky, robert.scheck, sahana, sara.golemon, sbroz, sherinmon, ssorce, szidek, tbriceno, troy.engel, voetelink, werner.klein
Target Milestone: rc
Keywords: Regression, Triaged, ZStream
Hardware: x86_64
OS: Linux
Fixed In Version: openssl-1.0.2k-24.el7_9
Doc Type: Bug Fix
Doc Text:
Cause: A bug in the function append_ia5() causes a double free of the emtmp parameter.
Consequence: When OCSP Stapling is enabled, and OpenSSL version is updated to openssl-1.0.2k-23.el7_9, httpd and nginx webservers crash, and the service cannot be reloaded/restarted.
Fix: The function append_ia5() is fixed to free emtmp on push failure only.
Result: No crashes are seen when httpd or nginx services are restarted/reloaded when OCSP stapling is enabled.
Last Closed: 2022-01-18 09:12:16 UTC
Type: Bug
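The ownership rule behind the Doc Text above, as an added C model (not the OpenSSL source and not code from this bug report): once a push onto an owning stack succeeds, the stack frees the element at teardown, so the caller may free it only when the push fails. `strstack`, `tracked_free`, `append_buggy` and `append_fixed` are hypothetical names; only `emtmp` comes from the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define CAP 4                                   /* small, so push can fail */
typedef struct { char *item[CAP]; int n; } strstack;   /* toy owning stack */
/* Ledger: releases are recorded, then performed once at the end, so a
   second release of the same pointer is counted instead of executed. */
static void *released[16];
static int n_released, double_frees;
static void tracked_free(void *p) {
    for (int i = 0; i < n_released; i++)
        if (released[i] == p) { double_frees++; return; }
    released[n_released++] = p;
}
static int push(strstack *sk, char *s) {        /* 0 = failure */
    if (sk->n == CAP) return 0;
    sk->item[sk->n++] = s;                      /* the stack owns s from here */
    return 1;
}
static void pop_free(strstack *sk) { while (sk->n > 0) tracked_free(sk->item[--sk->n]); }
static char *dup_str(const char *s) { char *p = malloc(strlen(s) + 1); return p ? strcpy(p, s) : NULL; }
/* Defect shape from the Doc Text: emtmp is freed even though push succeeded. */
static int append_buggy(strstack *sk, const char *email) {
    char *emtmp = dup_str(email);
    if (!emtmp) return 0;
    int ok = push(sk, emtmp);
    tracked_free(emtmp);
    return ok;
}
/* Fix shape: free emtmp on push failure only. */
static int append_fixed(strstack *sk, const char *email) {
    char *emtmp = dup_str(email);
    if (!emtmp) return 0;
    if (!push(sk, emtmp)) { tracked_free(emtmp); return 0; }
    return 1;
}
/* Append count (<= 16) constructed addresses, tear down, return double frees. */
static int double_frees_after(int (*append)(strstack *, const char *), int count) {
    strstack sk = {0};
    n_released = double_frees = 0;
    for (int i = 0; i < count; i++) append(&sk, "user@example.test");
    pop_free(&sk);
    for (int i = 0; i < n_released; i++) free(released[i]);
    return double_frees;
}
int main(void) {
    printf("buggy: %d, fixed: %d\n", double_frees_after(append_buggy, 5), double_frees_after(append_fixed, 5));
    return 0;
}
```

With five appends against a capacity of four, the model also exercises the push-failure path, where the caller's free is the only one.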
Description
Aaron Ogburn
2022-01-12 21:42:05 UTC
This also affected Nginx webservers. All previous builds or a custom source build of nginx also fail with this bug.

    # /usr/local/nginx/sbin/nginx -t
    *** Error in `/usr/local/nginx/sbin/nginx': double free or corruption (fasttop): 0x0000000002b8aa60 ***
    ======= Backtrace: =========
    /lib64/libc.so.6(+0x81329)[0x7fca27588329]
    /lib64/libcrypto.so.10(CRYPTO_free+0x1d)[0x7fca27b5996d]
    /lib64/libcrypto.so.10(sk_pop_free+0x30)[0x7fca27c11360]
    /lib64/libcrypto.so.10(+0x170ed5)[0x7fca27c5bed5]
    /lib64/libcrypto.so.10(X509_get1_ocsp+0x80)[0x7fca27c5c120]
    /usr/local/nginx/sbin/nginx(ngx_ssl_stapling+0x4a9)[0x44377d]
    /usr/local/nginx/sbin/nginx[0x48ce52]
    /usr/local/nginx/sbin/nginx[0x4453b6]
    /usr/local/nginx/sbin/nginx(ngx_conf_parse+0xc73)[0x426581]
    /usr/local/nginx/sbin/nginx(ngx_init_cycle+0x71a)[0x423d55]
    /usr/local/nginx/sbin/nginx(main+0x9b6)[0x41295c]
    /lib64/libc.so.6(__libc_start_main+0xf5)[0x7fca27529555]
    /usr/local/nginx/sbin/nginx[0x411279]
    ======= Memory map: ========
    00400000-004d5000 r-xp 00000000 08:03 6030667 /usr/local/nginx/sbin/nginx
    006d5000-006d6000 r--p 000d5000 08:03 6030667 /usr/local/nginx/sbin/nginx
    006d6000-006f1000 rw-p 000d6000 08:03 6030667 /usr/local/nginx/sbin/nginx
    006f1000-00710000 rw-p 00000000 00:00 0
    016a7000-02b9b000 rw-p 00000000 00:00 0 [heap]
    7fca20000000-7fca20021000 rw-p 00000000 00:00 0

To solve this temporarily, simply downgrade openssl:

    # yum downgrade openssl openssl-libs openssl-devel

We are experiencing the same issue and filed yesterday the cases #03123297, #03123183 and #03123276 (different Red Hat customers) in the Red Hat Customer Portal for it.

Our initial investigations yesterday seem to point to the OCSP Stapling being broken; the bug can be recreated like so:

    ## Obtain the SSL certificate from www.redhat.com
    openssl s_client -connect www.redhat.com:443 < /dev/null 2>&1 | sed -n '/-----BEGIN/,/-----END/p' > redhat.pem

    ## Ask openssl client for the OCSP Stapling URL from redhat.pem
    openssl x509 -noout -ocsp_uri -in redhat.pem
    *** Error in `openssl': double free or corruption (fasttop): 0x0000000001052d50 ***
    ======= Backtrace: =========
    (... same backtrace as everyone else)

You may be able to work around this issue by disabling the Apache/Nginx configuration to disable OCSP Stapling instead of downgrading the openssl packages (both solutions seem to work, but only minimal testing done).

Disabling OCSP stapling is not an option. The easy solution is to downgrade openssl.

I am in doubt that disabling OCSP stapling is a good idea, in some cases it's IMHO even not possible at all, due to OCSP must-staple set by the certificate authority.

We are seeing crashes in alpine - apparently related to s/mime certs.

@orion Hi Orion, do you see the same backtrace as mentioned in the comments earlier?

*** Bug 2040476 has been marked as a duplicate of this bug. ***

This is also affected (Duplicate Bug 2040476)

    openssl x509 -noout -email -in cert_with_email.pem
    *** Error in `openssl': double free or corruption (fasttop): 0x0000000001f101e0 ***
    ======= Backtrace: =========
    /lib64/libc.so.6(+0x81329)[0x7f508880c329]
    ...

Evidently I just filed a duplicate of this bug, though mine has the identified cause and how to fix it: https://bugzilla.redhat.com/show_bug.cgi?id=2040853

*** Bug 2040853 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (openssl bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:0156