Bug 521342

Summary: perl-Crypt-SSLeay / openssl 1.0 has memory corruption issue
Product: Fedora
Component: perl-Crypt-SSLeay
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: low
Reporter: Jonathan Kamens <jik>
Assignee: Stepan Kasal <kasal>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: kasal, mmaslano, tmraz
URL: https://rt.cpan.org/Ticket/Display.html?id=50557
Doc Type: Bug Fix
Last Closed: 2009-10-16 12:02:45 UTC

Attachments:
perl script to demonstrate this issue (flags: none)

Description Jonathan Kamens 2009-09-04 21:34:53 UTC
A perl script that uses Crypt::SSLeay has been crashing since the upgrade to openssl 1.0.  Backtrace head with various debuginfo installed:

#0  freelist_insert (ctx=0xa18c140, for_read=1, sz=34120, mem=0xa0d6a80)
    at s3_both.c:645
#1  0x0072f305 in ssl3_release_read_buffer (s=0xa0c4780) at s3_both.c:762
#2  0x0072b60c in ssl3_free (s=0xa0c4780) at s3_lib.c:2151
#3  0x00733d75 in tls1_free (s=0xa0c4780) at t1_lib.c:163
#4  0x00742041 in SSL_free (s=0xa0c4780) at ssl_lib.c:581
#5  0x00a6a7c5 in XS_Crypt__SSLeay__Conn_free (my_perl=0x9242008, cv=0xa002d54)
    at SSLeay.c:521

Comment 1 Jonathan Kamens 2009-09-04 21:35:51 UTC
Forgot to mention that running the same script with MALLOC_CHECK=1 makes the crash go away.

Comment 2 Tomas Mraz 2009-09-07 06:40:34 UTC
Could you please attach the script preferably in as minimal version as possible that still causes the crash?

Comment 3 Jonathan Kamens 2009-10-16 02:26:46 UTC
Created attachment 365004 [details]
perl script to demonstrate this issue

Save the attached file as /tmp/test.pl.  All it does is fetch the login page of Red Hat bugzilla and log in.  Run "valgrind perl /tmp/test.pl [redhat-bugzilla-username] [redhat-bugzilla-password] >| /tmp/valgrind.out 2>&1".  Load /tmp/valgrind.out into an editor and search for "Invalid write of size".  You will find it near the end, and this is what is causing the core dump.

I'm doing this on a 32-bit system.  Since memory profiles are obviously very different on 64-bit systems, you may or may not see the issue there.
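
The triage step in the comment above (run the script under valgrind, then search the log for "Invalid write of size") as an added example; this is not the reporter's script or anything from Crypt::SSLeay or openssl. The valgrind log it parses is constructed here (PID, addresses and the second record are made up; only the first frame names echo the backtrace in the report), and `run_under_valgrind` assumes `valgrind` and `perl` are installed.

```shell
#!/bin/sh
# Added example (not from the bug report): helpers for the valgrind triage
# step.  The sample log is constructed so the helpers run offline.

# Constructed stand-in for /tmp/valgrind.out.  PID and addresses are made up;
# the first record's frames mirror the backtrace in the report.
sample_valgrind_log() {
    cat <<'EOF'
==12345== Memcheck, a memory error detector
==12345== Command: perl /tmp/test.pl
==12345==
==12345== Invalid write of size 4
==12345==    at 0x4A5B6C7: freelist_insert (s3_both.c:645)
==12345==    by 0x4A5B8D2: ssl3_release_read_buffer (s3_both.c:762)
==12345==    by 0x4A57E0C: ssl3_free (s3_lib.c:2151)
==12345==  Address 0x5C0F3E8 is 0 bytes after a block of size 34,120 alloc'd
==12345==    at 0x4005A7F: malloc (vg_replace_malloc.c:195)
==12345==
==12345== Invalid write of size 1
==12345==    at 0x4B10002: example_frame (example.c:10)
==12345==
==12345== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
EOF
}

# Number of "Invalid write" records on stdin.  grep -c prints 0 and exits 1
# when nothing matches, so its status is not propagated to set -e callers.
count_invalid_writes() {
    grep -c 'Invalid write of size' || true
}

# One line per record, "<size> <function> (<file>:<line>)", taken from the
# first "at" frame after each "Invalid write of size N" header.  Frames
# under the "Address ... alloc'd" line belong to the allocation, not the
# bad write, so they are skipped.
summarize_invalid_writes() {
    awk '
        /Invalid write of size/ { size = $NF; want = 1; next }
        want && /^==[0-9]+== +at 0x/ {
            sub(/^==[0-9]+== +at 0x[0-9A-Fa-f]+: /, "")
            print size " " $0
            want = 0
        }
    '
}

# Run a perl script under valgrind so memory errors show up as a non-zero
# exit status instead of requiring a search through the log.  Log path is
# the first argument, script the second, anything else goes to the script.
# Passing credentials on the command line (as the reproduction steps do)
# exposes them in the process list; an environment variable or a file the
# script reads is the usual alternative.
run_under_valgrind() {
    log="$1"; script="$2"; shift 2
    valgrind --error-exitcode=99 --log-file="$log" perl "$script" "$@"
}

# Stand-alone demo over the constructed log.
sample_valgrind_log | summarize_invalid_writes
```

Output of the demo is one line per bad write, e.g. `4 freelist_insert (s3_both.c:645)`, which is the datum the comment says to look for near the end of the log. A valgrind exit status of 99 from `run_under_valgrind` means at least one error was reported.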

Comment 4 Marcela Mašláňová 2009-10-16 11:15:37 UTC
It is also reproduced on 64-bit. I filed an upstream ticket with a proposed solution.

Comment 5 Tomas Mraz 2009-10-16 12:02:45 UTC
It is fixed in openssl-1.0.0-0.10.beta3.fc12.

I'll make a tag request for F12 as well.

The fix in perl-Crypt-SSLeay should not break anything although it is not necessary with fixed openssl.

Comment 6 Marcela Mašláňová 2009-10-19 13:08:44 UTC
Upstream ticket at cpan:
https://rt.cpan.org/Ticket/Display.html?id=50557