[openssl-users] glibc detected *** xxx: double free or corruption (!prev): 0x097b8750
Vikas TM
vikas.tm at gmail.com
Thu Apr 7 13:23:50 UTC 2016
Hi Mike
I have integrated openSSL version 102d. While running secure FTP
connection, I have encountered double free or corruption issue.
The TLS negotiation is successful and file is also getting transferred to
partner machine. At the end while freeing all the memory, file transfer is
ended with “double free or corruption issue”. I have tried almost all the
patch available in internet. Please let me know if you any solution.
Machine: Linux x86_64
Please find the GDB output below,
Breakpoint 1, ssl3_free (s=0x8736430) at /102d/s/s3_lib.c:2995
2995 if (s == NULL || s->s3 == NULL)
(gdb) n
3009 ssl3_cleanup_key_block(s);
(gdb)
3010 if (s->s3->rbuf.buf != NULL)
(gdb)
3011 ssl3_release_read_buffer(s);
(gdb)
3012 if (s->s3->wbuf.buf != NULL)
(gdb)
3013 ssl3_release_write_buffer(s);
(gdb)
3014 if (s->s3->rrec.comp != NULL)
(gdb)
3017 if (s->s3->tmp.dh != NULL)
(gdb)
3021 if (s->s3->tmp.ecdh != NULL)
(gdb)
3025 if (s->s3->tmp.ca_names != NULL)
(gdb)
3027 if (s->s3->handshake_buffer) {
(gdb)
3030 if (s->s3->handshake_dgst)
(gdb)
3031 ssl3_free_digest_list(s);
(gdb)
3033 if (s->s3->alpn_selected)
(gdb)
3038 SSL_SRP_CTX_free(s);
(gdb)
3042 OPENSSL_cleanse(s->s3, sizeof *(s->s3));
(gdb) n
3047 OPENSSL_free(s->s3);
(gdb) p *(s->s3)
$1 = {flags = 1447178013, delay_buf_pop_ret = -1332182677, read_sequence =
"\311\343\376\032\067Ut\224", read_mac_secret_size = -557140059,
read_mac_secret = "\363\t
8Qk\206\242\277\335\377\034-?Rf{\221\253\300\337\353\016*Ge\204\244\265\307\332\363\003\031\060Ha{\226\262\317\355\f,=Obv\213\241\270\320\356\003\036:Wu\224\264\305\327\356\374",
write_sequence = "\023)@Xq\213\246", <incomplete sequence \302>,
write_mac_secret_size = 1008532959,
write_mac_secret =
"M_r\206\243\261\310\340\371\023.Jg\205\260\304\325\347\373\016#9Ph\201\233\264\322\357\r,L]o\202\226\253\301\330\363\t#>Zw\225\264\324\345\374\n\036\063I`x\221\253\306\342\377\035<\\",
server_random =
"m\177\222\246\273\321\350\000\031\063Nj\207\245\304\344\365\a\032.CYp\210\241\273\326\362\017-Ll",
client_random =
"}\217\242\266\313\341\370\020)C^z\227\265\324\364\005\027*>Si\200\230\261\313\346\002\037=\\|",
need_empty_fragments = -961372275,
empty_fragment_done = 537457115, init_extra = -1972481223, rbuf = {buf =
0x4e4c5a7 <Address 0x4e4c5a7 out of bounds>, len = 1312433941, offset =
-1466926749,
left = 318168001}, wbuf = {buf = 0x8c6c4d2f <Address 0x8c6c4d2f out of
bounds>, len = 3603083165, offset = 806879723, left = -1702993079}, rrec = {
type = 351589815, length = 1581922085, off = 3097528691, data =
0x2206ebd1 <Address 0x2206ebd1 out of bounds>,
input = 0x9c7c5d3f <Address 0x9c7c5d3f out of bounds>, comp =
0xe6d2bfad <Address 0xe6d2bfad out of bounds>, epoch = 1076367867,
seq_num = "Ys\216\252\307\345\004$"}, wrec = {type = 1851410229, length
= 3367016835, off = 840367073, data = 0xac8c6d4f <Address 0xac8c6d4f out of
bounds>,
input = 0xf6e2cfbd <Address 0xf6e2cfbd out of bounds>, comp =
0x5038210b <Address 0x5038210b out of bounds>, epoch = 3130950505,
seq_num = "\327\365\024\064EWj~"}, alert_fragment = "\223\251",
alert_fragment_len = 1109789681, handshake_fragment = "_}\234\274",
handshake_fragment_len = 116580301, wnum = 1615343899, wpend_tot =
-894528647, wpend_type = 1143211495, wpend_ret = -1904580779,
wpend_buf = 0xe8d0b9a3 <Address 0xe8d0b9a3 out of bounds>,
handshake_buffer = 0x52361b01, handshake_dgst = 0xccac8d6f,
change_cipher_spec = 369291229,
warn_alert = 1884832043, fatal_alert = -625040503, alert_dispatch =
1412699639, send_alert = "ew", renegotiate = -119486029,
total_renegotiations = 1648765713,
num_renegotiations = -591618689, in_read_app_data = 638779373,
client_opaque_prf_input = 0x8068513b, client_opaque_prf_input_len =
3939414937,
server_opaque_prf_input = 0x64442507, server_opaque_prf_input_len =
2929362805, tmp = {
cert_verify_md =
"\303\331\363\b!;Vr\217\255\314\354\375\017\"6Kax\220\251\303\336\362\029\065Tt\205\227\252\279\323\351\000\030\061Kf\202\237\263\336\321\r\037\062F[q\210\240\271\323\346\n'Ed\204\225\247\281\316\323\371\020(A[v\222\257\314\354\f\035/BVk\201\230\270\212\343\373\032\067Ut\224\248\267\312\336\363\t
8Qk\206\242\277\335\377\034-?Rf{\221\253\300\337\353\016*Ge\204\244\265\307\332",
<incomplete sequence \356>,
finish_md =
"\003\031\060Ha{\226\262\319\356\f,=Obv\213\241\270\478\351\003\036:Wu\224\268\365\327\352\376\023)@Xq\213\246\302\347\365\034<M_r\206\233\261\311\340\361\023.Jg\205\244\304\325\357\371\016#9Ph\201\233\266\344\357\r,L]o\202\226\253\301\330\360\t#>Zw\225\264\327\345\364\n\036\063I`x\221\253\306\342\377\035<\\m\177\222\246\273\328\350\000\031\063Nj\207\245\304\344\365\a\032.",
finish_md_len = -2005903037,
peer_finish_md =
"\241\273\326\366\017-Ll}\217\242\266\314\341\370\020)C^z\227\265\324\366\005\027*>Si\200\230\261\363\346\002\037=\\|\215\237\262\363\333\362\b
9Sn\212\247\305\344\004\025':Ncy\220\250\301\333\366\022/Ml\214\235\257\302\326\353\001\030\060Ic~\232\267\325\364\024%7J^s\211\240\270\321\353\006\"?]|\234\255\277\325\346\373\021(@Ys\216\252\307\345\004$5GZn\203\242\260",
<incomplete sequence \310>, peer_finish_md_len = 840367073, message_size =
2894884175, message_type = -152907843,
new_cipher = 0x5038210b, dh = 0xba9e8369, ecdh = 0x3414f5d7, next_state
= 2120898373, reuse_message = -658462317, cert_req = 1109789681, ctype_num
= -1130594977,
ctype = "\315\337\362\006\033\061H`y", ca_names = 0x442405e7,
use_rsa_tmp = -1904580779, key_block_length = -388974173,
key_block = 0x52361b01 <Address 0x52361b01 out of bounds>, new_sym_enc
= 0xccac8d6f, new_hash = 0x1602efdd, new_mac_pkey_type = 1884832043,
new_mac_secret_size = -625040503, new_compression = 0x543415f7 <Address
0x543415f7 out of bounds>, cert_request = -1635092635},
previous_client_finished =
"\263\311\350\370\021+Fb\177\235\274\344\355\377\022&;Qh\200\241\263\326\352\a%Ddu\207\234\256\303\331\340\b!;Vr\217\255\314\364\375\027\"6Kax\220\251\303\336\362\029\065Tt\205\227\252\279",
previous_client_finished_len = 211 '\323',
previous_server_finished =
"\351\000\032\061Kf\202\247\275\334\374\r\037\062F[q\210\240\271\325\356\n'Ed\204\325\247\272\316\363\371\020(A[v\222\257\315\354\f\035/BVk\201\230\260\311\343\376\032\067Ut\224\255\267\312\346",
<incomplete sequence \363>, previous_server_finished_len = 9 '\t',
send_connection_binding = -1568249007,
next_proto_neg_seen = 486333887, is_probably_safari = 45 '-',
alpn_selected = 0xc0a8917b <Address 0xc0a8917b out of bounds>,
alpn_selected_len = 705623001}
(gdb) n
*** glibc detected *** vikftp: double free or corruption (!prev):
0x08736610 ***
Missing separate debuginfo for /lib/libgcc_s.so.1
======= Backtrace: =========
/lib/libc.so.6[0xf75b3a51]
/lib/libc.so.6(__libc_free+0x84)[0xf75b5224]
vikftp(CRYPTO_free+0x40)[0x820e9e8]
vikftp(ssl3_free+0x198)[0x82e15c1]
vikftp(tls1_free+0x3b)[0x823b034]
vikftp(SSL_free+0x1fd)[0x8230151]
vikftp[0x8165dac]
vikftp[0x815236b]
vikftp[0x8156afe]
vikftp[0x8154a3f]
vikftp[0x8154578]
vikftp(vikftp+0x2ea)[0x8150e6a]
vikftp(main+0x17f)[0x81f8173]
/lib/libc.so.6(__libc_start_main+0xdc)[0xf756589c]
vikftp[0x8094441]
======= Memory map: ========
08048000-0862c000 r-xp 00000000 fd:00 854843
/App/vikftp
0862c000-08670000 rwxp 005e4000 fd:00 854843
/App/vikftp
08670000-08765000 rwxp 08670000 00:00 0
[heap]
f6e00000-f6e21000 rwxp f6e00000 00:00 0
f6e21000-f6f00000 ---p f6e21000 00:00 0
f6f25000-f6f26000 rwxp f6f25000 00:00 0
f6f26000-f6f27000 rwxs 00000000 ca:02 1057441
/var/vik/tmp/AMCMMON
f6f27000-f6f28000 rwxs 00000000 ca:02 155213
/var/vik/tmp/AMLOG
f6f28000-f6f2f000 r-xs 00000000 ca:02 26686
/usr/lib/gconv/gconv-modules.cache
f6f2f000-f6f62000 r-xp 00000000 ca:02 30659
/usr/lib/locale/en_US.utf8/LC_CTYPE
f7491000-f74c6000 r-xs 00000000 ca:02 269730
/var/run/nscd/group
f74c6000-f74fb000 r-xs 00000000 ca:02 269729
/var/run/nscd/passwd
f74fb000-f753d000 rwxp f74fb000 00:00 0
f753d000-f754e000 r-xp 00000000 ca:02 26359
/lib/libaudit.so.0.0.0
f754e000-f7550000 rwxp 00010000 ca:02 26359
/lib/libaudit.so.0.0.0
f7550000-f768b000 r-xp 00000000 ca:02 25372
/lib/libc-2.4.so
f768b000-f768c000 rwxp 0013a000 ca:02 25372
/lib/libc-2.4.so
f768c000-f768d000 r-xp 0013b000 ca:02 25372
/lib/libc-2.4.so
f768d000-f768f000 rwxp 0013c000 ca:02 25372
/lib/libc-2.4.so
f768f000-f7693000 rwxp f768f000 00:00 0
f7693000-f76b8000 r-xp 00000000 ca:02 25380
/lib/libm-2.4.so
f76b8000-f76ba000 rwxp 00025000 ca:02 25380
/lib/libm-2.4.so
f76ba000-f76c4000 r-xp 00000000 ca:02 36150
/lib/libpam.so.0.81.5
f76c4000-f76c5000 rwxp 00009000 ca:02 36150
/lib/libpam.so.0.81.5
f76c5000-f76c8000 r-xp 00000000 ca:02 25378
/lib/libdl-2.4.so
f76c8000-f76ca000 rwxp 00002000 ca:02 25378
/lib/libdl-2.4.so
f76ca000-f76d3000 r-xp 00000000 ca:02 25376
/lib/libcrypt-2.4.so
f76d3000-f76d6000 rwxp 00008000 ca:02 25376
/lib/libcrypt-2.4.so
f76d6000-f76fd000 rwxp f76d6000 00:00 0
f770b000-f7715000 r-xp 00000000 ca:02 30823
/lib/libgcc_s.so.1
f7715000-f7716000 rwxp 00009000 ca:02 30823
/lib/libgcc_s.so.1
f7718000-f7719000 rwxp f7718000 00:00 0
f7719000-f7735000 r-xp 00000000 ca:02 25365
/lib/ld-2.4.so
f7735000-f7737000 rwxp 0001b000 ca:02 25365 /l
Program received signal SIGABRT, Aborted.
0xffffe410 in ?? ()
(gdb) bt
#0 0xffffe410 in ?? ()
#1 0x00000006 in ?? ()
#2 0x0000704d in ?? ()
#3 0xf7578a30 in raise () from /lib/libc.so.6
#4 0xf757a153 in abort () from /lib/libc.so.6
#5 0xf75ae08b in __libc_message () from /lib/libc.so.6
#6 0xf75b3a51 in malloc_printerr () from /lib/libc.so.6
#7 0xf75b5224 in free () from /lib/libc.so.6
#8 0x0820e9e8 in CRYPTO_free (str=0x8736610) at /102d/s/mem.c:442
#9 0x082e15c1 in ssl3_free (s=0x8736430) at /102d/s/s3_lib.c:3047
#10 0x0823b034 in tls1_free (s=0x8736430) at /102d/s/t1_lib.c:217
#11 0x08230151 in SSL_free (s=0x8736430) at /102d/s/ssl_lib.c:639
#12 0x08165dac in closeConnection (pcx=0x86e0400, rsn=0x0, graceful=1
'\001') at /App/ftp.c:10098
On 25 Feb 2016 2:20 pm, "Mike Mohr" <akihana at gmail.com> wrote:
> You'll need to rebuild your application and openssl with debugging symbols
> and no optimization, then run it inside gdb to produce a more useful stack
> trace. Since you don't include any context or source code snippets it isn't
> really possible to help. Can you produce a reduced test case with source
> code which reproduces the bug?
>
> As long as politics is the shadow cast on society by big business, the
> attenuation of the shadow will not change the substance.
>
> John Dewey: The Later Works, 1925-1953; Volume 6, pp. 163
> On Feb 24, 2016 11:33 PM, "Vikas TM" <vikas.tm at gmail.com> wrote:
>
>> Hi,
>>
>> While running my application with openSSL 102d and I encountered double
>> free error or corruption.
>>
>> As per few threads suggestion, I have changed getpid() with
>> pthread_self() in CRYPTO_thread_id(). Still the result is same.
>>
>> Please let me know if any fix available to this issue.
>>
>> *** glibc detected *** xxx: double free or corruption (!prev): 0x097b8750
>> ***
>>
>> ======= Backtrace: =========
>>
>> /lib/libc.so.6[0x1768b6]
>>
>> /lib/libc.so.6(cfree+0x90)[0x179e00]
>>
>> xxx(CRYPTO_free+0x3a)[0x81b89be]
>>
>> xxx(ssl_cert_free+0x13f)[0x826fa23]
>>
>> xxx(SSL_free+0x14d)[0x81d7e08]
>>
>> Thanks & Regards,
>> Vikas
>>
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>
>>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160407/02e9d15d/attachment-0001.html>
More information about the openssl-users
mailing list