[openssl-dev] [openssl.org #4541] Re: [PATCH] Fix Uninitialized Values in OpenSSL 1.0.1o
Tim Culhane via RT
rt at openssl.org
Tue May 17 16:21:01 UTC 2016
Hi Michael,

Apologies for contacting you directly, but I had a query about a patch you submitted to OpenSSL recently.

I recently upgraded the version of OpenSSL we are using in our mail server to 1.0.2g. I then noticed valgrind errors like the below, which seem similar to a patch you submitted for 1.0.1o at:
https://mta.openssl.org/pipermail/openssl-bugs-mod/2015-June/000023.html

==00:00:00:29.159 26520== Uninitialised value was created by a heap allocation
==00:00:00:29.159 26520== at 0x4A069EE: malloc (vg_replace_malloc.c:270)
==00:00:00:29.159 26520== by 0x828977: CRYPTO_malloc (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520== by 0x85AE76: EVP_DigestInit_ex (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520== by 0x83BCB5: HMAC_Init_ex (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520== by 0x8BB608: pkey_hmac_ctrl (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520== by 0x869119: EVP_PKEY_CTX_ctrl (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520== by 0x85AE13: EVP_DigestInit_ex (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520== by 0x86A6C5: EVP_DigestSignInit (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520== by 0x7F2812: tls1_P_hash.constprop.3 (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520== by 0x7F2F20: tls1_PRF.constprop.2 (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520== by 0x7F3C52: tls1_setup_key_block (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520== by 0x819D4F: ssl3_do_change_cipher_spec (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520== by 0x81AAF2: ssl3_read_bytes (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520== by 0x81BE7C: ssl3_get_message (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520== by 0x81B99F: ssl3_get_finished (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520== by 0x80DF18: ssl3_accept (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520== by 0x7EB3D3: ssl23_accept (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520== by 0x783209: tls_negotiation (ssl_openssl.c:1878)
==00:00:00:29.159 26520== by 0x5D889C: process_starttls_command (receiver.c:2086)
==00:00:00:29.159 26520== by 0x5D7B12: run_smtp_server (receiver.c:1765)
==00:00:00:29.159 26520== by 0x5D32B1: smtp_recv_thread (receiver.c:318)

I looked at the relevant files in the 1.0.2g version of OpenSSL, but didn't see the new calls to memset() added.

Would you happen to know the status of this patch?
Do you expect it to be added to the master version of OpenSSL any time soon?

Many thanks,
Tim
---------------
Tim Culhane
Senior Software Engineer
Synchronoss Technologies Inc.
First Floor, Simmonscourt House
Simmonscourt Road
Ballsbridge
Dublin 4
Phone: +353 1 241 5107
www.synchronoss.com
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4541
Please log in as guest with password guest if prompted