Bug 521342 - perl-Crypt-SSLeay / openssl 1.0 has memory corruption issue
Summary: perl-Crypt-SSLeay / openssl 1.0 has memory corruption issue
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: perl-Crypt-SSLeay
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Stepan Kasal
QA Contact: Fedora Extras Quality Assurance
URL: https://rt.cpan.org/Ticket/Display.ht...
Whiteboard:
Depends On:
Blocks:
Reported: 2009-09-04 21:34 UTC by Jonathan Kamens
Modified: 2009-10-19 13:08 UTC
CC: 3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-16 12:02:45 UTC
Type: ---
Embargoed:


Attachments
perl script to demonstrate this issue (308 bytes, text/plain)
2009-10-16 02:26 UTC, Jonathan Kamens

Description Jonathan Kamens 2009-09-04 21:34:53 UTC
A perl script that uses Crypt::SSLeay has been crashing since the upgrade to openssl 1.0.  Backtrace head with various debuginfo packages installed:

#0  freelist_insert (ctx=0xa18c140, for_read=1, sz=34120, mem=0xa0d6a80)
    at s3_both.c:645
#1  0x0072f305 in ssl3_release_read_buffer (s=0xa0c4780) at s3_both.c:762
#2  0x0072b60c in ssl3_free (s=0xa0c4780) at s3_lib.c:2151
#3  0x00733d75 in tls1_free (s=0xa0c4780) at t1_lib.c:163
#4  0x00742041 in SSL_free (s=0xa0c4780) at ssl_lib.c:581
#5  0x00a6a7c5 in XS_Crypt__SSLeay__Conn_free (my_perl=0x9242008, cv=0xa002d54)
    at SSLeay.c:521

Comment 1 Jonathan Kamens 2009-09-04 21:35:51 UTC
Forgot to mention that running the same script with MALLOC_CHECK=1 makes the crash go away.

Comment 2 Tomas Mraz 2009-09-07 06:40:34 UTC
Could you please attach the script, preferably in as minimal a version as possible that still causes the crash?

Comment 3 Jonathan Kamens 2009-10-16 02:26:46 UTC
Created attachment 365004 [details]
perl script to demonstrate this issue

Save the attached file as /tmp/test.pl.  All it does is fetch the login page of Red Hat bugzilla and log in.  Run "valgrind perl /tmp/test.pl [redhat-bugzilla-username] [redhat-bugzilla-password] >| /tmp/valgrind.out 2>&1".  Load /tmp/valgrind.out into an editor and search for "Invalid write of size".  You will find it near the end, and this is what is causing the core dump.

I'm doing this on a 32-bit system.  Since memory profiles are obviously very different on 64-bit systems, you may or may not see the issue there.

Comment 4 Marcela Mašláňová 2009-10-16 11:15:37 UTC
It is also reproduced on 64-bit. I filed an upstream ticket with a proposed solution.

Comment 5 Tomas Mraz 2009-10-16 12:02:45 UTC
It is fixed in openssl-1.0.0-0.10.beta3.fc12.

I'll make a tag request for F12 as well.

The fix in perl-Crypt-SSLeay should not break anything, although it is not necessary with the fixed openssl.

Comment 6 Marcela Mašláňová 2009-10-19 13:08:44 UTC
Upstream ticket at cpan:
https://rt.cpan.org/Ticket/Display.html?id=50557
