Bug 809586

Summary: Segmentation fault in libcrypto.so.10
Product: [Fedora] Fedora Reporter: Jaromír Cápík <jcapik>
Component: opensslAssignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: medium    
Version: rawhideCC: ovasik, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: arm7   
OS: Linux   
Whiteboard:
Fixed In Version: openssl-1.0.1-2.fc18 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-04-11 14:19:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
sshd-strace.txt none

Description Jaromír Cápík 2012-04-03 17:26:04 UTC 
Description of problem:
yum and sshd is crashing in F17 -> F17 chroot on ARM based computers. The crash is always in the OPENSSL_cleanse call. I tried to debug that and according to my diagnostic build, that unknown function in the stacktrace seems to be the following one:

crypto/fips/fips_drbg_lib.c:274
fips_cleanup_entropy(dctx, entropy, entlen);

It seems that x86 architecture masked this bug and thus it appears on ARM based computers only. My colleague discovered a similar bug in perl-Socket (appeared in chroot/mock only).

-----------------
Program received signal SIGSEGV, Segmentation fault.
0x4015d5b8 in OPENSSL_cleanse () from /lib/libcrypto.so.10
Missing separate debuginfos, use: debuginfo-install audit-libs-2.1.3-5.fc17.armv7hl cyrus-sasl-lib-2.1.23-29.fc17.armv7hl fipscheck-lib-1.3.0-3.fc17.armv7hl keyutils-libs-1.5.5-2.fc17.armv7hl krb5-libs-1.10-4.fc17.armv7hl libcom_err-1.42-2.fc17.armv7hl libgcc-4.7.0-0.16.fc17.armv7hl libselinux-2.1.9-7.fc17.armv7hl nspr-4.9-0.2.fc17.beta3.1.armv7hl nss-3.13.1-13.fc17.armv7hl nss-softokn-freebl-3.13.1-20.fc17.armv7hl nss-util-3.13.1-3.fc17.armv7hl openldap-2.4.29-3.fc17.armv7hl openssl-1.0.1-0.1.beta2.fc17.armv7hl tcp_wrappers-libs-7.6-69.fc17.armv7hl
(gdb) i th
  Id   Target Id         Frame 
* 1    Thread 0x400acf40 (LWP 28958) "sshd" 0x4015d5b8 in OPENSSL_cleanse () from /lib/libcrypto.so.10
(gdb) t a a bt

Thread 1 (Thread 0x400acf40 (LWP 28958)):
#0  0x4015d5b8 in OPENSSL_cleanse () from /lib/libcrypto.so.10
#1  0x401b9ab8 in ?? () from /lib/libcrypto.so.10
#2  0x40226cf8 in FIPS_drbg_instantiate () from /lib/libcrypto.so.10
#3  0x401b9e80 in RAND_init_fips () from /lib/libcrypto.so.10
#4  0x4015d4c4 in OPENSSL_init_library () from /lib/libcrypto.so.10
#5  0x401c5228 in OpenSSL_add_all_ciphers () from /lib/libcrypto.so.10
#6  0x401c5214 in OPENSSL_add_all_algorithms_noconf () from /lib/libcrypto.so.10
#7  0x40060528 in ssh_OpenSSL_add_all_algorithms () at openssl-compat.c:139
#8  0x4000826c in main (ac=1, av=0xbefff634) at sshd.c:1404
-----------------


Version-Release number of selected component (if applicable):
openssl-1.0.0g-4.fc17.armv7hl

How reproducible:
always

Steps to Reproduce:
1. find some ARM system (i can help with that)
2. chroot into an F17 rootfs
3. run yum or sshd

You can debug the issue easily by running:
1. gdb sshd
2. run

  
Actual results:
crashing

Expected results:
running without crashing
Comment 1 Tomas Mraz 2012-04-03 21:26:14 UTC 
Fedora 17 was reverted to openssl-1.0.0h. Openssl-1.0.1 which contains the FIPS_drbg_instantiate() call is only on rawhide.

Could you please provide full backtrace with the debuginfo at least from openssl installed?
Comment 2 Jaromír Cápík 2012-04-04 09:08:14 UTC 
You're right ... my mistake ... it's openssl-1.0.1-0.1.beta2.fc17.armv7hl
Version 1.0.1g works correctly ...

I accidently mixed the 1.0.1-0.1.beta2 version with debuginfo from 1.0.0g.
Let me do that again.
Comment 3 Jaromír Cápík 2012-04-04 09:29:25 UTC 
Thread 1 (Thread 0x400acf40 (LWP 30953)):
#0  OPENSSL_cleanse (ptr=ptr@entry=0x0, len=20) at mem_clr.c:70
#1  0x401b9a78 in drbg_free_entropy (ctx=<optimized out>, out=0x0, olen=<optimized out>) at rand_lib.c:213
#2  0x40226a90 in fips_cleanup_entropy (olen=0, out=0x14 <Address 0x14 out of bounds>, dctx=0x4027a9a4) at fips_drbg_lib.c:187
#3  FIPS_drbg_instantiate (dctx=dctx@entry=0x4027a9a4, pers=pers@entry=0xbeffea4c "OpenSSL DRBG2.0", perslen=perslen@entry=32)
    at fips_drbg_lib.c:274
#4  0x401b9e40 in RAND_init_fips () at rand_lib.c:286
#5  0x4015d4c4 in OPENSSL_init_library () at o_init.c:106
#6  0x401c51e8 in OpenSSL_add_all_ciphers () at c_allc.c:69
#7  0x401c51d4 in OPENSSL_add_all_algorithms_noconf () at c_all.c:83
#8  0x40060528 in ssh_OpenSSL_add_all_algorithms () at openssl-compat.c:139
#9  0x4000826c in main (ac=1, av=0xbefff664) at sshd.c:1404
Comment 4 Tomas Mraz 2012-04-05 15:53:09 UTC 
Great, now I know how to fix the crash. However I still do not know how it gets on the ARM that this crash appears. Can you please provide a strace of the crash? (Use some security insensitive program that uses openssl and shows this crash to produce the strace so you do not attach some personal data such as passwords etc.)
Comment 5 Jaromír Cápík 2012-04-05 16:12:16 UTC 
Created attachment 575491 [details]
sshd-strace.txt