Bug 809586 - Segmentation fault in libcrypto.so.10
Summary: Segmentation fault in libcrypto.so.10
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: openssl
Version: rawhide
Hardware: arm7
OS: Linux
medium
urgent
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-04-03 17:26 UTC by Jaromír Cápík
Modified: 2016-02-01 01:56 UTC (History)

Fixed In Version: openssl-1.0.1-2.fc18
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-04-11 14:19:35 UTC
Type: Bug
Embargoed:


Attachments
sshd-strace.txt (20.55 KB, text/plain)
2012-04-05 16:12 UTC, Jaromír Cápík

Description Jaromír Cápík 2012-04-03 17:26:04 UTC
Description of problem:
yum and sshd are crashing in an F17 -> F17 chroot on ARM based computers. The crash is always in the OPENSSL_cleanse call. I tried to debug that and, according to my diagnostic build, the unknown function in the stacktrace seems to be the following one:

crypto/fips/fips_drbg_lib.c:274
fips_cleanup_entropy(dctx, entropy, entlen);

It seems that x86 architecture masked this bug and thus it appears on ARM based computers only. My colleague discovered a similar bug in perl-Socket (appeared in chroot/mock only).

-----------------
Program received signal SIGSEGV, Segmentation fault.
0x4015d5b8 in OPENSSL_cleanse () from /lib/libcrypto.so.10
Missing separate debuginfos, use: debuginfo-install audit-libs-2.1.3-5.fc17.armv7hl cyrus-sasl-lib-2.1.23-29.fc17.armv7hl fipscheck-lib-1.3.0-3.fc17.armv7hl keyutils-libs-1.5.5-2.fc17.armv7hl krb5-libs-1.10-4.fc17.armv7hl libcom_err-1.42-2.fc17.armv7hl libgcc-4.7.0-0.16.fc17.armv7hl libselinux-2.1.9-7.fc17.armv7hl nspr-4.9-0.2.fc17.beta3.1.armv7hl nss-3.13.1-13.fc17.armv7hl nss-softokn-freebl-3.13.1-20.fc17.armv7hl nss-util-3.13.1-3.fc17.armv7hl openldap-2.4.29-3.fc17.armv7hl openssl-1.0.1-0.1.beta2.fc17.armv7hl tcp_wrappers-libs-7.6-69.fc17.armv7hl
(gdb) i th
  Id   Target Id         Frame 
* 1    Thread 0x400acf40 (LWP 28958) "sshd" 0x4015d5b8 in OPENSSL_cleanse () from /lib/libcrypto.so.10
(gdb) t a a bt

Thread 1 (Thread 0x400acf40 (LWP 28958)):
#0  0x4015d5b8 in OPENSSL_cleanse () from /lib/libcrypto.so.10
#1  0x401b9ab8 in ?? () from /lib/libcrypto.so.10
#2  0x40226cf8 in FIPS_drbg_instantiate () from /lib/libcrypto.so.10
#3  0x401b9e80 in RAND_init_fips () from /lib/libcrypto.so.10
#4  0x4015d4c4 in OPENSSL_init_library () from /lib/libcrypto.so.10
#5  0x401c5228 in OpenSSL_add_all_ciphers () from /lib/libcrypto.so.10
#6  0x401c5214 in OPENSSL_add_all_algorithms_noconf () from /lib/libcrypto.so.10
#7  0x40060528 in ssh_OpenSSL_add_all_algorithms () at openssl-compat.c:139
#8  0x4000826c in main (ac=1, av=0xbefff634) at sshd.c:1404
-----------------


Version-Release number of selected component (if applicable):
openssl-1.0.0g-4.fc17.armv7hl

How reproducible:
always

Steps to Reproduce:
1. find some ARM system (I can help with that)
2. chroot into an F17 rootfs
3. run yum or sshd

You can debug the issue easily by running:
1. gdb sshd
2. run

Actual results:
crashing

Expected results:
running without crashing

Comment 1 Tomas Mraz 2012-04-03 21:26:14 UTC
Fedora 17 was reverted to openssl-1.0.0h. Openssl-1.0.1 which contains the FIPS_drbg_instantiate() call is only on rawhide.

Could you please provide full backtrace with the debuginfo at least from openssl installed?

Comment 2 Jaromír Cápík 2012-04-04 09:08:14 UTC
You're right ... my mistake ... it's openssl-1.0.1-0.1.beta2.fc17.armv7hl
Version 1.0.1g works correctly ...

I accidentally mixed the 1.0.1-0.1.beta2 version with debuginfo from 1.0.0g.
Let me do that again.

Comment 3 Jaromír Cápík 2012-04-04 09:29:25 UTC
Thread 1 (Thread 0x400acf40 (LWP 30953)):
#0  OPENSSL_cleanse (ptr=ptr@entry=0x0, len=20) at mem_clr.c:70
#1  0x401b9a78 in drbg_free_entropy (ctx=<optimized out>, out=0x0, olen=<optimized out>) at rand_lib.c:213
#2  0x40226a90 in fips_cleanup_entropy (olen=0, out=0x14 <Address 0x14 out of bounds>, dctx=0x4027a9a4) at fips_drbg_lib.c:187
#3  FIPS_drbg_instantiate (dctx=dctx@entry=0x4027a9a4, pers=pers@entry=0xbeffea4c "OpenSSL DRBG2.0", perslen=perslen@entry=32)
    at fips_drbg_lib.c:274
#4  0x401b9e40 in RAND_init_fips () at rand_lib.c:286
#5  0x4015d4c4 in OPENSSL_init_library () at o_init.c:106
#6  0x401c51e8 in OpenSSL_add_all_ciphers () at c_allc.c:69
#7  0x401c51d4 in OPENSSL_add_all_algorithms_noconf () at c_all.c:83
#8  0x40060528 in ssh_OpenSSL_add_all_algorithms () at openssl-compat.c:139
#9  0x4000826c in main (ac=1, av=0xbefff664) at sshd.c:1404
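
Frame #0 of this backtrace shows OPENSSL_cleanse() entered with ptr=0x0 and len=20, i.e. a wipe routine asked to scrub 20 bytes through a null pointer on the DRBG instantiate path. The C program below is an added illustration of that failure shape and of the defensive check that prevents it; it is not OpenSSL's code and not part of this bug report. The names cleanse, drbg_ctx, cleanup_entropy_guarded, fake_get_entropy and instantiate_sim are all invented for the example, and fake_get_entropy produces a constructed fixed byte pattern, not entropy.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for OPENSSL_cleanse() (assumption: not the library's code).
 * Writes through a volatile pointer so the compiler cannot elide the wipe.
 * It dereferences ptr for every byte of len, so ptr == NULL with len > 0
 * faults exactly like frame #0 in the backtrace above. */
static void cleanse(void *ptr, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)ptr;
    while (len--)
        *p++ = 0;
}

/* Hypothetical DRBG context: only the field this example needs. */
struct drbg_ctx {
    size_t min_entropy;   /* smallest acceptable entropy input, in bytes */
};

/* Guarded cleanup: a NULL buffer or a zero length means "nothing to wipe",
 * so the wipe is skipped instead of dereferencing NULL. Returns the number
 * of bytes actually cleansed so callers and tests can observe it. */
static size_t cleanup_entropy_guarded(unsigned char *out, size_t olen)
{
    if (out == NULL || olen == 0)
        return 0;
    cleanse(out, olen);
    return olen;
}

/* Returns 1 if every byte of buf[0..len) is zero, else 0. */
static int all_zero(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

/* Constructed entropy source for the example: fills a heap buffer with a
 * fixed 0xA5 pattern (NOT random) so that the later wipe is observable.
 * When fail is nonzero it behaves like a failed retrieval: *pout = NULL, 0. */
static size_t fake_get_entropy(unsigned char **pout, size_t want, int fail)
{
    if (fail) {
        *pout = NULL;
        return 0;
    }
    *pout = malloc(want);
    if (*pout == NULL)
        return 0;
    memset(*pout, 0xA5, want);
    return want;
}

/* Simulates the shape of a DRBG instantiate routine: fetch entropy, bail out
 * early when too little arrives, and funnel both outcomes through a single
 * cleanup point. Returns 1 on success, 0 on entropy failure; *wiped receives
 * the number of bytes the cleanup actually cleansed. The pointer and length
 * are initialised before the first goto so the cleanup never sees garbage. */
static int instantiate_sim(struct drbg_ctx *dctx, int fail_entropy, size_t *wiped)
{
    unsigned char *entropy = NULL;   /* initialised: the cleanup relies on it */
    size_t entlen = 0;
    int ok = 0;

    entlen = fake_get_entropy(&entropy, 32, fail_entropy);
    if (entlen < dctx->min_entropy)
        goto end;                    /* error path: entropy NULL, entlen 0 */

    /* ... a real DRBG would derive its seed from entropy here ... */
    ok = 1;

end:
    *wiped = cleanup_entropy_guarded(entropy, entlen);
    free(entropy);                   /* free(NULL) is a defined no-op */
    return ok;
}
```

The guard is cheap and keeps the error path safe even if a caller hands the cleanup an inconsistent (pointer, length) pair; the initialisation of entropy and entlen before the first early exit is the second half of the same defence, since an uninitialised stack slot can happen to hold zero on one architecture and not on another.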

Comment 4 Tomas Mraz 2012-04-05 15:53:09 UTC
Great, now I know how to fix the crash. However, I still do not know how it comes about on ARM that this crash appears. Can you please provide a strace of the crash? (Use some security insensitive program that uses openssl and shows this crash to produce the strace, so you do not attach some personal data such as passwords etc.)

Comment 5 Jaromír Cápík 2012-04-05 16:12:16 UTC
Created attachment 575491 [details]
sshd-strace.txt

