Bug 1436094 - Segmentation fault / Invalid read of size 8 in EVP_CIPHER_CTX_cleanup
Summary: Segmentation fault / Invalid read of size 8 in EVP_CIPHER_CTX_cleanup
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libevent
Version: 26
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Steve Dickson
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1423849
Blocks:
 
Reported: 2017-03-27 07:20 UTC by Remi Collet
Modified: 2017-04-01 17:32 UTC (History)

Fixed In Version: libevent-2.0.22-3.fc26
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-04-01 17:32:31 UTC
Type: Bug
Embargoed:



Description Remi Collet 2017-03-27 07:20:11 UTC
Working on the php-pecl-event extension, which uses libevent and openssl

openssl-devel-1.1.0e-1.fc26.x86_64
libevent-devel-2.0.22-1.fc25.x86_64
php-devel-7.1.3-1.fc26.x86_64

$ gdb php
(gdb) run  -n  -d "output_handler=" -d "open_basedir=" -d "disable_functions=" -d "output_buffering=Off" -d "error_reporting=32767" -d "display_errors=1" -d "display_startup_errors=1" -d "log_errors=0" -d "html_errors=0" -d "track_errors=1" -d "report_memleaks=1" -d "report_zend_debug=0" -d "docref_root=" -d "docref_ext=.html" -d "error_prepend_string=" -d "error_append_string=" -d "auto_prepend_file=" -d "auto_append_file=" -d "ignore_repeated_errors=0" -d "precision=14" -d "memory_limit=128M" -d "log_errors_max_len=0" -d "opcache.fast_shutdown=0" -d "opcache.file_update_protection=0" -d "extension=sockets.so" -d "extension=/home/remi/pecl-event/modules/event.so" -d "session.auto_start=0" -d "zlib.output_compression=Off" -f "/home/remi/pecl-event/tests/21-bevent-sslfilter.php"
(gdb) bt
#0  0x00007fffebfb2d61 in EVP_CIPHER_CTX_cleanup () from /lib64/libcrypto.so.10
#1  0x00007fffec32ca5d in ssl_clear_cipher_ctx () from /lib64/libssl.so.10
#2  0x00007fffec32e23a in SSL_set_accept_state () from /lib64/libssl.so.10
#3  0x00007fffec9a4ea2 in bufferevent_openssl_new_impl (base=0x555555cf6380, underlying=0x555555cd6750, fd=fd@entry=-1, ssl=0x555555ced850, state=BUFFEREVENT_SSL_ACCEPTING, 
    options=<optimized out>) at bufferevent_openssl.c:1337
#4  0x00007fffec9a5b8e in bufferevent_openssl_filter_new (base=<optimized out>, underlying=<optimized out>, ssl=<optimized out>, state=<optimized out>, options=<optimized out>)
    at bufferevent_openssl.c:1396
#5  0x00007fffecbbe9ce in _create_ssl_filter (execute_data=<optimized out>, return_value=0x7fffffffa210, deprecated=<optimized out>)
    at /home/remi/pecl-event/php7/classes/buffer_event.c:308
#6  0x0000555555853e80 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER () at /usr/src/debug/php-7.1.3/Zend/zend_vm_execute.h:970
#7  0x00005555557fb14b in execute_ex (ex=<optimized out>) at /usr/src/debug/php-7.1.3/Zend/zend_vm_execute.h:429
#8  0x0000555555855ec0 in zend_execute (op_array=op_array@entry=0x555555cf5e40, return_value=return_value@entry=0x555555cf6310)
    at /usr/src/debug/php-7.1.3/Zend/zend_vm_execute.h:474
#9  0x00005555557b1972 in zend_execute_scripts (type=type@entry=8, retval=0x555555cf6310, retval@entry=0x0, file_count=-134995904, file_count@entry=3)
    at /usr/src/debug/php-7.1.3/Zend/zend.c:1476
#10 0x000055555574e670 in php_execute_script (primary_file=0x7fffffffc830) at /usr/src/debug/php-7.1.3/main/main.c:2537
#11 0x00005555558581f8 in do_cli (argc=60, argv=0x555555bd1db0) at /usr/src/debug/php-7.1.3/sapi/cli/php_cli.c:993
#12 0x0000555555621558 in main (argc=60, argv=0x555555bd1db0) at /usr/src/debug/php-7.1.3/sapi/cli/php_cli.c:1381

Using valgrind (ensuring we are not using the PHP allocator)
$ export USE_ZEND_ALLOC=0
$ valgrind /usr/bin/php  -n  -d "output_handler=" -d "open_basedir=" -d "disable_functions=" -d "output_buffering=Off" -d "error_reporting=32767" -d "display_errors=1" -d "display_startup_errors=1" -d "log_errors=0" -d "html_errors=0" -d "track_errors=1" -d "report_memleaks=1" -d "report_zend_debug=0" -d "docref_root=" -d "docref_ext=.html" -d "error_prepend_string=" -d "error_append_string=" -d "auto_prepend_file=" -d "auto_append_file=" -d "ignore_repeated_errors=0" -d "precision=14" -d "memory_limit=128M" -d "log_errors_max_len=0" -d "opcache.fast_shutdown=0" -d "opcache.file_update_protection=0" -d "extension=sockets.so" -d "extension=/home/remi/pecl-event/modules/event.so" -d "session.auto_start=0" -d "zlib.output_compression=Off" -f "/home/remi/pecl-event/tests/21-bevent-sslfilter.php" 
==20455== Memcheck, a memory error detector
==20455== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==20455== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==20455== Command: /usr/bin/php -n -d output_handler= -d open_basedir= -d disable_functions= -d output_buffering=Off -d error_reporting=32767 -d display_errors=1 -d display_startup_errors=1 -d log_errors=0 -d html_errors=0 -d track_errors=1 -d report_memleaks=1 -d report_zend_debug=0 -d docref_root= -d docref_ext=.html -d error_prepend_string= -d error_append_string= -d auto_prepend_file= -d auto_append_file= -d ignore_repeated_errors=0 -d precision=14 -d memory_limit=128M -d log_errors_max_len=0 -d opcache.fast_shutdown=0 -d opcache.file_update_protection=0 -d extension=sockets.so -d extension=/home/remi/pecl-event/modules/event.so -d session.auto_start=0 -d zlib.output_compression=Off -f /home/remi/pecl-event/tests/21-bevent-sslfilter.php
==20455== 
==20455== Invalid read of size 8
==20455==    at 0x10E50D61: EVP_CIPHER_CTX_cleanup (in /usr/lib64/libcrypto.so.1.0.2j)
==20455==    by 0x10AFDA5C: ssl_clear_cipher_ctx (in /usr/lib64/libssl.so.1.0.2j)
==20455==    by 0x10AFF239: SSL_set_accept_state (in /usr/lib64/libssl.so.1.0.2j)
==20455==    by 0x1046BEA1: bufferevent_openssl_new_impl (bufferevent_openssl.c:1337)
==20455==    by 0x102539CD: _create_ssl_filter (buffer_event.c:308)
==20455==    by 0x407E7F: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:970)
==20455==    by 0x3AF14A: execute_ex (zend_vm_execute.h:429)
==20455==    by 0x409EBF: zend_execute (zend_vm_execute.h:474)
==20455==    by 0x365971: zend_execute_scripts (zend.c:1476)
==20455==    by 0x30266F: php_execute_script (main.c:2537)
==20455==    by 0x40C1F7: do_cli (php_cli.c:993)
==20455==    by 0x1D5557: main (php_cli.c:1381)
==20455==  Address 0xffffffff00000000 is not stack'd, malloc'd or (recently) free'd
==20455== 

I'm not sure where the bug is (php-pecl-event, libevent or openssl), but this only happens with OpenSSL 1.1; everything works as expected with OpenSSL 1.0.

Any help welcome on this issue.

Comment 1 Remi Collet 2017-03-27 07:21:38 UTC
BTW, just noticed libevent is FTBFS in rawhide... so it still uses the older openssl library... see #1423849

Comment 2 Tomas Mraz 2017-03-27 07:35:47 UTC
This is most probably a conflict between the old and new openssl being simultaneously used in a single process. In most cases this works fine, but there might be use-cases where it does not. I'll look at patching libevent to use 1.1.0.
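
The situation described in comment 2 is visible in the report itself: the backtrace resolves libevent's bufferevent_openssl into /lib64/libssl.so.10 and /lib64/libcrypto.so.10 (the compat 1.0.2j libraries), while the reporter's build uses openssl-devel-1.1.0e, so the SSL object handed to bufferevent_openssl_new_impl in frame #3 was created by code linked against one OpenSSL generation and is then read with the struct layout of the other, which is what the bogus address 0xffffffff00000000 in EVP_CIPHER_CTX_cleanup points to. The script below is an added example for checking a module set or a running process for exactly this mix before it segfaults; it is not code from the bug report, libevent or php-pecl-event. It assumes POSIX sh and awk, ldd for the file-based check, a Linux /proc for the process-based check, and the dependency lines in sample_mixed/sample_fixed are constructed to mirror the library versions in this report rather than captured from a system.

```shell
#!/bin/sh
# Added example (not from the bug report, libevent or php-pecl-event): detect a
# module set or a live process that pulls two OpenSSL generations into one
# address space. Assumes POSIX sh and awk; ldd and /proc for the live checks.

# openssl_deps FILE...  -> "FILE SONAME" for each libssl/libcrypto ldd resolves.
openssl_deps() {
    for f in "$@"; do
        ldd "$f" 2>/dev/null | awk -v f="$f" '$1 ~ /^lib(ssl|crypto)\.so/ { print f, $1 }'
    done
}

# proc_openssl_deps PID  -> "PID SONAME" for each libssl/libcrypto mapped in the process.
proc_openssl_deps() {
    awk -v p="$1" '{ n = split($NF, a, "/"); if (a[n] ~ /^lib(ssl|crypto)\.so/) seen[a[n]] = 1 }
                   END { for (s in seen) print p, s }' "/proc/$1/maps"
}

# check_mixed reads "ORIGIN SONAME" lines on stdin, prints each SONAME with the
# origins that pull it in, then OK or MIXED. Exit status 1 means MIXED: more
# than one libcrypto SONAME or more than one libssl SONAME in the same set.
check_mixed() {
    awk '
        $2 ~ /^libcrypto\.so/ { crypto[$2] = crypto[$2] " " $1 }
        $2 ~ /^libssl\.so/    { ssl[$2] = ssl[$2] " " $1 }
        END {
            nc = 0; for (k in crypto) { nc++; printf "%s <-%s\n", k, crypto[k] }
            ns = 0; for (k in ssl)    { ns++; printf "%s <-%s\n", k, ssl[k] }
            if (nc > 1 || ns > 1) { print "MIXED"; exit 1 }
            print "OK"
        }'
}

# Constructed sample mirroring this report: libevent_openssl still linked against
# the compat 1.0.2 libraries (SONAME .so.10) while PHP's openssl extension uses 1.1.0.
sample_mixed() {
    printf '%s\n' \
        'libevent_openssl-2.0.so.5 libssl.so.10' \
        'libevent_openssl-2.0.so.5 libcrypto.so.10' \
        'php/modules/openssl.so libssl.so.1.1' \
        'php/modules/openssl.so libcrypto.so.1.1'
}

# Constructed sample of the state after libevent is rebuilt against 1.1.0: one generation only.
sample_fixed() {
    printf '%s\n' \
        'libevent_openssl-2.0.so.5 libssl.so.1.1' \
        'libevent_openssl-2.0.so.5 libcrypto.so.1.1' \
        'php/modules/openssl.so libssl.so.1.1' \
        'php/modules/openssl.so libcrypto.so.1.1'
}

# Live use (paths are examples):
#   openssl_deps /usr/lib64/php/modules/*.so /usr/lib64/libevent_openssl*.so* | check_mixed
#   proc_openssl_deps "$(pgrep -n php)" | check_mixed
# Demo on the constructed sample; the verdict line is MIXED and the status is 1.
if ! sample_mixed | check_mixed; then
    echo "two OpenSSL generations in one process: expect crashes like this bug"
fi
```

ldd runs the dynamic loader on the file it inspects, so for a binary you do not trust, list NEEDED entries with `objdump -p FILE | awk '/NEEDED/'` instead and feed those to check_mixed. The process-based check is the more reliable one for a PHP SAPI, because extensions are dlopen'ed at runtime and may not appear in the static dependency list of the php binary.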

Comment 3 Remi Collet 2017-03-27 07:49:02 UTC
Notice: from a quick test

- latest libevent 2.1.8 just builds fine in F26 (but introduces a soname bump from 5 to 6)

- the pecl/event test suite passes without any segfault


> This is most probably a conflict between the old and new openssl being simultaneously used in a single process.

Indeed.

Comment 4 Remi Collet 2017-03-27 16:37:45 UTC
php-pecl-event rebuilt in rawhide, "full" test suite passes without any segfault.

Thanks for the quick fix.

Comment 5 Fedora Update System 2017-03-27 19:22:18 UTC
libevent-2.0.22-3.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-f1d16808df

Comment 6 Tomas Mraz 2017-03-28 07:41:42 UTC
Of course, at least in Rawhide it would be much better if libevent were updated to the current upstream version. But I suppose doing a soname bump in the F26 branch is not a good idea.

Comment 7 Remi Collet 2017-03-28 07:44:04 UTC
(In reply to Tomas Mraz from comment #6)
> Of course at least in Rawhide it would be much better if libevent was
> updated to current upstream version. But I suppose doing soname bump in F26
> branch is not a good idea.

+1

Comment 8 Fedora Update System 2017-04-01 17:32:31 UTC
libevent-2.0.22-3.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

