- Bug
- Resolution: Unresolved
- Normal
- rhel-9.3.0
- sst_security_crypto
- ssg_security
- Red Hat Enterprise Linux
- x86_64
What were you trying to do that didn't work?
Use OSSL_LIB_CTX in threads and load the standard config
/etc/pki/tls/openssl.cnf
Please provide the package NVR for which bug is seen:
openssl-3.0.7-24.el9.x86_64
How reproducible:
Always; Fedora 39 too; upstream master (3.3.-dev), upstream 3.0.x
Goes away if I comment out ssl_conf in /etc/pki/tls/openssl.cnf
```c
// breaker1.c
// gcc -o breaker1 breaker1.c -fsanitize=address -lcrypto
#include <stdio.h>
#include <pthread.h>
#include <openssl/conf.h>
#include <openssl/ssl.h>

// Each thread creates its own library context and loads the default
// config file (/etc/pki/tls/openssl.cnf) into it.
void *worker(void *arg)
{
    char *file = CONF_get1_default_config_file();
    printf("starting thread...%s\n", file);
    OSSL_LIB_CTX *newlib = OSSL_LIB_CTX_new();
    OSSL_LIB_CTX_load_config(newlib, file);
    printf("ending thread...\n");
    OSSL_LIB_CTX_free(newlib);
    OPENSSL_free(file);
    return NULL;
}

int main(int argc, char **argv)
{
    pthread_t tids[16];
    OPENSSL_init_crypto(OPENSSL_INIT_NO_ATEXIT, NULL);
    // Start 16 threads that race on loading the config concurrently.
    for (int i = 0; i < 16; i++) {
        pthread_create(tids + i, NULL, worker, NULL);
    }
    for (int i = 0; i < 16; i++) {
        pthread_join(tids[i], NULL);
    }
    return 0;
}
```
Steps to reproduce
- ./breaker1
Expected results
```
# works if you comment out ssl_conf
starting thread...openssl-nossl.cnf
starting thread...openssl-nossl.cnf
starting thread...openssl-nossl.cnf
starting thread...openssl-nossl.cnf
starting thread...openssl-nossl.cnf
starting thread...openssl-nossl.cnf
starting thread...openssl-nossl.cnf
starting thread...openssl-nossl.cnf
starting thread...openssl-nossl.cnf
starting thread...openssl-nossl.cnf
starting thread...openssl-nossl.cnf
starting thread...openssl-nossl.cnf
starting thread...openssl-nossl.cnf
starting thread...openssl-nossl.cnf
starting thread...openssl-nossl.cnf
starting thread...openssl-nossl.cnf
ending thread...
ending thread...
ending thread...
ending thread...
ending thread...
ending thread...
ending thread...
ending thread...
ending thread...
ending thread...
ending thread...
ending thread...
ending thread...
ending thread...
ending thread...
ending thread...
```
Actual results
```
=================================================================
==67816==ERROR: AddressSanitizer: attempting double-free on 0x602000016c30 in thread T8:
    #0 0x7f566e4d7fb8 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xd7fb8) (BuildId: 7fcb7759bc17ef47f9682414b6d99732d6a6ab0c)
    #1 0x7f566df10ff2 in ssl_module_free.part.0 (/lib64/libcrypto.so.3+0x110ff2) (BuildId: 5d012dcc6f62f35dabb8a129d641e3df7b731f11)
    #2 0x7f566df14c50 in ssl_module_init (/lib64/libcrypto.so.3+0x114c50) (BuildId: 5d012dcc6f62f35dabb8a129d641e3df7b731f11)
    #3 0x7f566df17c24 in CONF_modules_load (/lib64/libcrypto.so.3+0x117c24) (BuildId: 5d012dcc6f62f35dabb8a129d641e3df7b731f11)
    #4 0x7f566df181d9 in CONF_modules_load_file_ex (/lib64/libcrypto.so.3+0x1181d9) (BuildId: 5d012dcc6f62f35dabb8a129d641e3df7b731f11)
    #5 0x7f566dfb90b0 in OSSL_LIB_CTX_load_config (/lib64/libcrypto.so.3+0x1b90b0) (BuildId: 5d012dcc6f62f35dabb8a129d641e3df7b731f11)
    #6 0x4013cf in openssl/tests/breaker1.c:13
    #7 0x7f566eb30896 in start_thread (/lib64/libc.so.6+0x8e896) (BuildId: 7ea8d85df0e89b90c63ac7ed2b3578b2e7728756)
    #8 0x7f566ebb780b in clone3 (/lib64/libc.so.6+0x11580b) (BuildId: 7ea8d85df0e89b90c63ac7ed2b3578b2e7728756)

0x602000016c30 is located 0 bytes inside of 15-byte region [0x602000016c30,0x602000016c3f)
freed by thread T15 here:
    #0 0x7f566e4d7fb8 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xd7fb8) (BuildId: 7fcb7759bc17ef47f9682414b6d99732d6a6ab0c)
    #1 0x7f566df10ff2 in ssl_module_free.part.0 (/lib64/libcrypto.so.3+0x110ff2) (BuildId: 5d012dcc6f62f35dabb8a129d641e3df7b731f11)
    #2 0x7f566df14c50 in ssl_module_init (/lib64/libcrypto.so.3+0x114c50) (BuildId: 5d012dcc6f62f35dabb8a129d641e3df7b731f11)
    #3 0x7f566df17c24 in CONF_modules_load (/lib64/libcrypto.so.3+0x117c24) (BuildId: 5d012dcc6f62f35dabb8a129d641e3df7b731f11)
    #4 0x7f566df181d9 in CONF_modules_load_file_ex (/lib64/libcrypto.so.3+0x1181d9) (BuildId: 5d012dcc6f62f35dabb8a129d641e3df7b731f11)
    #5 0x7f566dfb90b0 in OSSL_LIB_CTX_load_config (/lib64/libcrypto.so.3+0x1b90b0) (BuildId: 5d012dcc6f62f35dabb8a129d641e3df7b731f11)
    #6 0x4013cf in openssl/tests/breaker1.c:13

previously allocated by thread T11 here:
    #0 0x7f566e4d92ef in malloc (/lib64/libasan.so.8+0xd92ef) (BuildId: 7fcb7759bc17ef47f9682414b6d99732d6a6ab0c)
    #1 0x7f566dfb6672 in CRYPTO_strdup (/lib64/libcrypto.so.3+0x1b6672) (BuildId: 5d012dcc6f62f35dabb8a129d641e3df7b731f11)
    #2 0x7f566df14ce3 in ssl_module_init (/lib64/libcrypto.so.3+0x114ce3) (BuildId: 5d012dcc6f62f35dabb8a129d641e3df7b731f11)
    #3 0x7f566df17c24 in CONF_modules_load (/lib64/libcrypto.so.3+0x117c24) (BuildId: 5d012dcc6f62f35dabb8a129d641e3df7b731f11)
    #4 0x7f566df181d9 in CONF_modules_load_file_ex (/lib64/libcrypto.so.3+0x1181d9) (BuildId: 5d012dcc6f62f35dabb8a129d641e3df7b731f11)
    #5 0x7f566dfb90b0 in OSSL_LIB_CTX_load_config (/lib64/libcrypto.so.3+0x1b90b0) (BuildId: 5d012dcc6f62f35dabb8a129d641e3df7b731f11)
    #6 0x4013cf in openssl/tests/breaker1.c:13

Thread T8 created by T0 here:
    #0 0x7f566e448956 in pthread_create (/lib64/libasan.so.8+0x48956) (BuildId: 7fcb7759bc17ef47f9682414b6d99732d6a6ab0c)
    #1 0x4011c8 in main /openssl/tests/breaker1.c:26

Thread T15 created by T0 here:
    #0 0x7f566e448956 in pthread_create (/lib64/libasan.so.8+0x48956) (BuildId: 7fcb7759bc17ef47f9682414b6d99732d6a6ab0c)
    #1 0x4011c8 in main /openssl/tests/breaker1.c:26

Thread T11 created by T0 here:
    #0 0x7f566e448956 in pthread_create (/lib64/libasan.so.8+0x48956) (BuildId: 7fcb7759bc17ef47f9682414b6d99732d6a6ab0c)
    #1 0x4011c8 in main /openssl/tests/breaker1.c:26

SUMMARY: AddressSanitizer: double-free (/lib64/libasan.so.8+0xd7fb8) (BuildId: 7fcb7759bc17ef47f9682414b6d99732d6a6ab0c) in __interceptor_free.part.0
==67816==ABORTING
```
Upstream report (upstream cannot reproduce on master or the openssl-3.2 branches, but I can easily reproduce):
https://github.com/openssl/openssl/issues/23772
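The report notes that the double free disappears once `ssl_conf` is commented out of `/etc/pki/tls/openssl.cnf`. The following shell check, added here and not part of the bug report, tells an administrator whether a given config activates the `ssl_conf` module under `[openssl_init]`; it assumes a plain file with no `.include` directives and uses constructed sample configs rather than the real system file.

```shell
#!/bin/sh
# Added example (not from the bug report): report whether an OpenSSL config
# activates the ssl_conf module in its [openssl_init] section, the setting
# the report identifies as the trigger for the double free.
# Assumption: .include directives are not followed.

ssl_conf_enabled() {
    # $1: path to an openssl.cnf; exit 0 if ssl_conf is active, 1 otherwise.
    awk '
        /^[ \t]*#/ { next }                  # comment line, ignore
        /^[ \t]*\[/ {                        # [section] header: track it
            sec = $0
            sub(/^[ \t]*\[/, "", sec)
            sub(/\].*$/, "", sec)
            next
        }
        sec == "openssl_init" && /^[ \t]*ssl_conf[ \t]*=/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample configs (not the real /etc/pki/tls/openssl.cnf).
write_samples() {
    # $1: directory to write the two samples into
    cat > "$1/ssl_conf_on.cnf" <<'EOF'
[openssl_init]
providers = provider_sect
ssl_conf = ssl_module

[provider_sect]
default = default_sect
EOF
    cat > "$1/ssl_conf_off.cnf" <<'EOF'
[openssl_init]
providers = provider_sect
# ssl_conf = ssl_module

[ssl_module]
ssl_conf = this_is_outside_openssl_init_and_must_not_count
EOF
}

# Usage: ./check_ssl_conf.sh --system   (checks the path named in the report)
if [ "${1:-}" = "--system" ]; then
    if ssl_conf_enabled /etc/pki/tls/openssl.cnf; then
        echo "ssl_conf enabled: per-thread OSSL_LIB_CTX_load_config can hit the double free"
    else
        echo "ssl_conf not enabled"
    fi
fi
```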