[openssl-users] glibc detected *** xxx: double free or corruption (!prev): 0x097b8750
Matt Caswell
matt at openssl.org
Thu Apr 7 13:36:41 UTC 2016
On 07/04/16 14:23, Vikas TM wrote:
> Hi Mike
>
>
> I have integrated openSSL version 102d. While running a secure FTP
> connection, I have encountered a double free or corruption issue.

Are you running 1.0.2d as downloaded from the OpenSSL website with no
other patches applied? The line numbers below do not match up with the
git copy of 1.0.2d.

Matt

>
> The TLS negotiation is successful and the file is also getting transferred
> to the partner machine. At the end, while freeing all the memory, the file
> transfer ended with “double free or corruption issue”. I have tried
> almost all the patches available on the internet. Please let me know if you
> have any solution.
>
>
>
> Machine: Linux x86_64
>
> Please find the GDB output below,
>
>
>
> Breakpoint 1, ssl3_free (s=0x8736430) at /102d/s/s3_lib.c:2995
> 2995 if (s == NULL || s->s3 == NULL)
> (gdb) n
> 3009 ssl3_cleanup_key_block(s);
> (gdb)
> 3010 if (s->s3->rbuf.buf != NULL)
> (gdb)
> 3011 ssl3_release_read_buffer(s);
> (gdb)
> 3012 if (s->s3->wbuf.buf != NULL)
> (gdb)
> 3013 ssl3_release_write_buffer(s);
> (gdb)
> 3014 if (s->s3->rrec.comp != NULL)
> (gdb)
> 3017 if (s->s3->tmp.dh != NULL)
> (gdb)
> 3021 if (s->s3->tmp.ecdh != NULL)
> (gdb)
> 3025 if (s->s3->tmp.ca_names != NULL)
> (gdb)
> 3027 if (s->s3->handshake_buffer) {
> (gdb)
> 3030 if (s->s3->handshake_dgst)
> (gdb)
> 3031 ssl3_free_digest_list(s);
> (gdb)
> 3033 if (s->s3->alpn_selected)
> (gdb)
> 3038 SSL_SRP_CTX_free(s);
> (gdb)
> 3042 OPENSSL_cleanse(s->s3, sizeof *(s->s3));
> (gdb) n
> 3047 OPENSSL_free(s->s3);
> (gdb) p *(s->s3)
>
> (gdb) n
>
> *** glibc detected *** vikftp: double free or corruption (!prev): 0x08736610 ***
> Missing separate debuginfo for /lib/libgcc_s.so.1
> ======= Backtrace: =========
> /lib/libc.so.6[0xf75b3a51]
> /lib/libc.so.6(__libc_free+0x84)[0xf75b5224]
> vikftp(CRYPTO_free+0x40)[0x820e9e8]
> vikftp(ssl3_free+0x198)[0x82e15c1]
> vikftp(tls1_free+0x3b)[0x823b034]
> vikftp(SSL_free+0x1fd)[0x8230151]
> vikftp[0x8165dac]
> vikftp[0x815236b]
> vikftp[0x8156afe]
> vikftp[0x8154a3f]
> vikftp[0x8154578]
> vikftp(vikftp+0x2ea)[0x8150e6a]
> vikftp(main+0x17f)[0x81f8173]
> /lib/libc.so.6(__libc_start_main+0xdc)[0xf756589c]
> vikftp[0x8094441]
>
> Program received signal SIGABRT, Aborted.
> 0xffffe410 in ?? ()
> (gdb) bt
> #0 0xffffe410 in ?? ()
> #1 0x00000006 in ?? ()
> #2 0x0000704d in ?? ()
> #3 0xf7578a30 in raise () from /lib/libc.so.6
> #4 0xf757a153 in abort () from /lib/libc.so.6
> #5 0xf75ae08b in __libc_message () from /lib/libc.so.6
> #6 0xf75b3a51 in malloc_printerr () from /lib/libc.so.6
> #7 0xf75b5224 in free () from /lib/libc.so.6
> #8 0x0820e9e8 in CRYPTO_free (str=0x8736610) at /102d/s/mem.c:442
> #9 0x082e15c1 in ssl3_free (s=0x8736430) at /102d/s/s3_lib.c:3047
> #10 0x0823b034 in tls1_free (s=0x8736430) at /102d/s/t1_lib.c:217
> #11 0x08230151 in SSL_free (s=0x8736430) at /102d/s/ssl_lib.c:639
> #12 0x08165dac in closeConnection (pcx=0x86e0400, rsn=0x0, graceful=1 '\001') at /App/ftp.c:10098
>
> On 25 Feb 2016 2:20 pm, "Mike Mohr" <akihana at gmail.com> wrote:
>
> You'll need to rebuild your application and openssl with debugging
> symbols and no optimization, then run it inside gdb to produce a
> more useful stack trace. Since you don't include any context or
> source code snippets it isn't really possible to help. Can you
> produce a reduced test case with source code which reproduces the bug?
>
> As long as politics is the shadow cast on society by big business,
> the attenuation of the shadow will not change the substance.
>
> John Dewey: The Later Works, 1925-1953; Volume 6, pp. 163
>
> On Feb 24, 2016 11:33 PM, "Vikas TM" <vikas.tm at gmail.com> wrote:
>
> Hi,
>
> While running my application with openSSL 102d, I encountered a
> double free error or corruption.
>
> As per a few threads' suggestions, I have replaced getpid() with
> pthread_self() in CRYPTO_thread_id(). Still the result is the same.
>
> Please let me know if any fix is available for this issue.
>
> *** glibc detected *** xxx: double free or corruption (!prev):
> 0x097b8750 ***
>
> ======= Backtrace: =========
>
> /lib/libc.so.6[0x1768b6]
>
> /lib/libc.so.6(cfree+0x90)[0x179e00]
>
> xxx(CRYPTO_free+0x3a)[0x81b89be]
>
> xxx(ssl_cert_free+0x13f)[0x826fa23]
>
> xxx(SSL_free+0x14d)[0x81d7e08]
>
> Thanks & Regards,
> Vikas
>
>
> --
> openssl-users mailing list
> To unsubscribe:
> https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
>
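
As an added triage example (not code from the thread or from OpenSSL): a parser for the glibc abort reports quoted above that extracts the freed pointer and the function that called CRYPTO_free(), showing that the February and April reports abort at different free sites. The function names `parse_report`, `free_path` and `free_site` belong to this example only.

```python
import re

# A frame in a glibc abort report: object(symbol+0xoff)[0xaddr] or object[0xaddr]
FRAME = re.compile(r"^([^\s(\[]+)(?:\(([^+)]*)(?:\+0x[0-9a-f]+)?\))?\[0x[0-9a-f]+\]$")
HEADER = re.compile(r"\*\*\* glibc detected \*\*\* (\S+): (.+?): 0x([0-9a-f]+) \*\*\*")

def parse_report(text):
    """Return (program, message, freed_pointer, [(object, symbol_or_None), ...]).
    Mail quote markers are dropped and lines re-joined, since mail wraps the header."""
    lines = [re.sub(r"^(?:>\s*)+", "", l).strip() for l in text.splitlines()]
    head = HEADER.search(" ".join(filter(None, lines)))
    if head is None:
        raise ValueError("no glibc abort header found")
    frames = [(m[1], m[2] or None) for m in map(FRAME.match, lines) if m]
    return head[1], head[2], int(head[3], 16), frames

def free_path(frames):
    """Symbolised non-libc frames, innermost first, up to the first bare address."""
    path = []
    for obj, sym in frames:
        if "libc.so" in obj:
            continue
        if sym is None:
            break
        path.append(sym)
    return path

def free_site(text):
    """Return (function that called CRYPTO_free, freed pointer)."""
    _, _, ptr, frames = parse_report(text)
    path = free_path(frames)
    caller = path[path.index("CRYPTO_free") + 1] if "CRYPTO_free" in path[:-1] else None
    return caller, ptr

# Lines copied from the two reports quoted in this thread.
REPORT_FEB = """*** glibc detected *** xxx: double free or corruption (!prev):
0x097b8750 ***
/lib/libc.so.6(cfree+0x90)[0x179e00]
xxx(CRYPTO_free+0x3a)[0x81b89be]
xxx(ssl_cert_free+0x13f)[0x826fa23]
xxx(SSL_free+0x14d)[0x81d7e08]"""
REPORT_APR = """> *** glibc detected *** vikftp: double free or corruption (!prev):
> 0x08736610 ***
> /lib/libc.so.6(__libc_free+0x84)[0xf75b5224]
> vikftp(CRYPTO_free+0x40)[0x820e9e8]
> vikftp(ssl3_free+0x198)[0x82e15c1]
> vikftp(tls1_free+0x3b)[0x823b034]
> vikftp(SSL_free+0x1fd)[0x8230151]
> vikftp[0x8165dac]"""
for name, rep in (("Feb", REPORT_FEB), ("Apr", REPORT_APR)):
    print(name, "CRYPTO_free called from", free_site(rep)[0], hex(free_site(rep)[1]))
```
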