Red Hat Bugzilla – Bug 809586
Segmentation fault in libcrypto.so.10
Last modified: 2016-01-31 20:56:22 EST
Description of problem:
yum and sshd are crashing in F17 -> F17 chroot on ARM based computers. The crash is always in the OPENSSL_cleanse call. I tried to debug that and according to my diagnostic build, that unknown function in the stacktrace seems to be the following one:
fips_cleanup_entropy(dctx, entropy, entlen);
It seems that x86 architecture masked this bug and thus it appears on ARM based computers only. My colleague discovered a similar bug in perl-Socket (appeared in chroot/mock only).
Program received signal SIGSEGV, Segmentation fault.
0x4015d5b8 in OPENSSL_cleanse () from /lib/libcrypto.so.10
Missing separate debuginfos, use: debuginfo-install audit-libs-2.1.3-5.fc17.armv7hl cyrus-sasl-lib-2.1.23-29.fc17.armv7hl fipscheck-lib-1.3.0-3.fc17.armv7hl keyutils-libs-1.5.5-2.fc17.armv7hl krb5-libs-1.10-4.fc17.armv7hl libcom_err-1.42-2.fc17.armv7hl libgcc-4.7.0-0.16.fc17.armv7hl libselinux-2.1.9-7.fc17.armv7hl nspr-4.9-0.2.fc17.beta3.1.armv7hl nss-3.13.1-13.fc17.armv7hl nss-softokn-freebl-3.13.1-20.fc17.armv7hl nss-util-3.13.1-3.fc17.armv7hl openldap-2.4.29-3.fc17.armv7hl openssl-1.0.1-0.1.beta2.fc17.armv7hl tcp_wrappers-libs-7.6-69.fc17.armv7hl
(gdb) i th
Id Target Id Frame
* 1 Thread 0x400acf40 (LWP 28958) "sshd" 0x4015d5b8 in OPENSSL_cleanse () from /lib/libcrypto.so.10
(gdb) t a a bt
Thread 1 (Thread 0x400acf40 (LWP 28958)):
#0 0x4015d5b8 in OPENSSL_cleanse () from /lib/libcrypto.so.10
#1 0x401b9ab8 in ?? () from /lib/libcrypto.so.10
#2 0x40226cf8 in FIPS_drbg_instantiate () from /lib/libcrypto.so.10
#3 0x401b9e80 in RAND_init_fips () from /lib/libcrypto.so.10
#4 0x4015d4c4 in OPENSSL_init_library () from /lib/libcrypto.so.10
#5 0x401c5228 in OpenSSL_add_all_ciphers () from /lib/libcrypto.so.10
#6 0x401c5214 in OPENSSL_add_all_algorithms_noconf () from /lib/libcrypto.so.10
#7 0x40060528 in ssh_OpenSSL_add_all_algorithms () at openssl-compat.c:139
#8 0x4000826c in main (ac=1, av=0xbefff634) at sshd.c:1404
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. find some ARM system (I can help with that)
2. chroot into an F17 rootfs
3. run yum or sshd
You can debug the issue easily by running:
1. gdb sshd
running without crashing
Fedora 17 was reverted to openssl-1.0.0h. Openssl-1.0.1, which contains the FIPS_drbg_instantiate() call, is only on rawhide.
Could you please provide full backtrace with the debuginfo at least from openssl installed?
You're right ... my mistake ... it's openssl-1.0.1-0.1.beta2.fc17.armv7hl
Version 1.0.1g works correctly ...
I accidentally mixed the 1.0.1-0.1.beta2 version with debuginfo from 1.0.0g.
Let me do that again.
Thread 1 (Thread 0x400acf40 (LWP 30953)):
#0 OPENSSL_cleanse (ptr=ptr@entry=0x0, len=20) at mem_clr.c:70
#1 0x401b9a78 in drbg_free_entropy (ctx=<optimized out>, out=0x0, olen=<optimized out>) at rand_lib.c:213
#2 0x40226a90 in fips_cleanup_entropy (olen=0, out=0x14 <Address 0x14 out of bounds>, dctx=0x4027a9a4) at fips_drbg_lib.c:187
#3 FIPS_drbg_instantiate (dctx=dctx@entry=0x4027a9a4, pers=pers@entry=0xbeffea4c "OpenSSL DRBG2.0", perslen=perslen@entry=32)
#4 0x401b9e40 in RAND_init_fips () at rand_lib.c:286
#5 0x4015d4c4 in OPENSSL_init_library () at o_init.c:106
#6 0x401c51e8 in OpenSSL_add_all_ciphers () at c_allc.c:69
#7 0x401c51d4 in OPENSSL_add_all_algorithms_noconf () at c_all.c:83
#8 0x40060528 in ssh_OpenSSL_add_all_algorithms () at openssl-compat.c:139
#9 0x4000826c in main (ac=1, av=0xbefff664) at sshd.c:1404
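Frame #0 of the backtrace above shows OPENSSL_cleanse entered with ptr=0x0 and len=20, i.e. a 20-byte wipe aimed at address zero. The following is an added illustration, not OpenSSL's code: a cleanse written in the style of mem_clr.c, plus a hypothetical entropy-release helper with the same (ctx, buffer, length) shape as drbg_free_entropy() that rejects that NULL/20 combination and reports how many bytes it wiped.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example, not OpenSSL's code: a cleanse in the style of
 * mem_clr.c, writing through a volatile pointer so the compiler cannot
 * drop the overwrite as a dead store. Like OPENSSL_cleanse it trusts its
 * arguments: ptr == NULL with len > 0 writes to address 0 and faults,
 * which is exactly frame #0 of the backtrace (ptr=0x0, len=20). */
static void secure_cleanse(void *ptr, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)ptr;
    while (len--)
        *p++ = 0;
}

/* Hypothetical helper shaped like drbg_free_entropy(): (ctx, buffer,
 * length). It refuses the (NULL, 20) combination instead of passing it
 * down, and returns the number of bytes actually wiped so the caller
 * (and a test) can check what happened. */
static size_t cleanup_entropy(void *ctx, unsigned char *out, size_t olen)
{
    (void)ctx;                 /* the context is not needed for the wipe */
    if (out == NULL || olen == 0)
        return 0;              /* nothing to wipe; never dereference NULL */
    secure_cleanse(out, olen);
    return olen;
}

/* Returns 1 if every byte of buf[0..len) is zero. */
static int all_zero(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

/* Mirrors the failing call from the backtrace: wiping 20 bytes of
 * entropy. Returns 1 when a real buffer is zeroed and a NULL buffer is
 * rejected without faulting. */
int demo_entropy_cleanup(void)
{
    unsigned char entropy[20];
    memset(entropy, 0xA5, sizeof entropy);   /* constructed "secret" bytes */
    if (cleanup_entropy(NULL, entropy, sizeof entropy) != sizeof entropy)
        return 0;
    if (!all_zero(entropy, sizeof entropy))
        return 0;
    return cleanup_entropy(NULL, NULL, 20) == 0;   /* the crash case */
}
```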
Great, now I know how to fix the crash. However, I still do not know how it comes about on ARM that this crash appears. Can you please provide a strace of the crash? (Use some security-insensitive program that uses openssl and shows this crash to produce the strace so you do not attach some personal data such as passwords etc.)
Created attachment 575491