openssl(1) 3.0 crash
Viktor Dukhovni
openssl-users at dukhovni.org
Wed Sep 29 20:59:51 UTC 2021
On Wed, Sep 29, 2021 at 10:30:29PM +0200, Steffen Nurpmeso wrote:
> I first thought it was musl related but the AlpineLinux bug report
> turned out to be wrong, I can easily reproduce it anywhere, it is
> just that the according script only runs there:
>
> #?0|kent:$ export LD_LIBRARY_PATH=~/usr-kent-crux-linux-x86_64/opt/.ossl3/lib64/
> #?0|kent:$ ~/usr-kent-crux-linux-x86_64/opt/.ossl3/bin/openssl bla
> Invalid command 'bla'; type "help" for a list.
> #?1|kent:$ ~/usr-kent-crux-linux-x86_64/opt/.ossl3/bin/openssl chacha20
> Segmentation fault
> #?139|kent:$

You should open an issue on GitHub.  The immediate cause is:

       46  static void warn_deprecated(const FUNCTION *fp)
       47  {
       48      if (fp->deprecated_version != NULL)
    -> 49          BIO_printf(bio_err, "The command %s was deprecated in version %s.",
       50                     fp->name, fp->deprecated_version);
       ...

but in the case of the "chacha20" command, fp->deprecated_version was
not initialised:

    $10 = {
      type = FT_cipher
      name = 0x00007ffeefbff47a "chacha20"
      func = 0x0000000100021d30 (openssl`enc_main at enc.c:105)
      help = 0x00007ffeefbff1b0
      deprecated_alternative = 0x00007ffeefbff0b0 ""
      deprecated_version = 0xef60232fcf210011 ""
    }

and so printing the version of OpenSSL in which it was deprecated
crashes. The caller is at fault:

    392  static int do_cmd(LHASH_OF(FUNCTION) *prog, int argc, char *argv[])
    393  {
    394      FUNCTION f, *fp;
    395
    396      if (argc <= 0 || argv[0] == NULL)
    397          return 0;
    398      f.name = argv[0];
    399      fp = lh_FUNCTION_retrieve(prog, &f);
    400      if (fp == NULL) {
    401          if (EVP_get_digestbyname(argv[0])) {
    402              f.type = FT_md;
    403              f.func = dgst_main;
    404              fp = &f;
    405          } else if (EVP_get_cipherbyname(argv[0])) {
    406              f.type = FT_cipher;
    407              f.func = enc_main;
    408              fp = &f;
    409          }
    410      }
    411      if (fp != NULL) {
    412          if (fp->deprecated_alternative != NULL)
    413              warn_deprecated(fp);
    414          return fp->func(argc, argv);
    415      }

The code is missing "f.deprecated_alternative = NULL" between lines
409 and 410, or else after each of 403 and 407.
--
Viktor.
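
The partially initialised stack struct described in the message above, as an added example that is not part of the original post and not OpenSSL's code. The FUNCTION layout is a hypothetical miniature of the dump in the post; enc_stub, is_cipher_name, fallback_partial, fallback_zeroed and would_warn are assumed names. It goes one step beyond the single-field assignment proposed in the post by zeroing the whole struct, so that a field added later also starts as NULL.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical miniature of the FUNCTION struct dumped in the post. */
typedef enum { FT_none, FT_general, FT_md, FT_cipher } FUNC_TYPE;
typedef struct {
    FUNC_TYPE type;
    const char *name;
    int (*func)(int argc, char *argv[]);
    const char *help;
    const char *deprecated_alternative;
    const char *deprecated_version;
} FUNCTION;

static int enc_stub(int argc, char *argv[]) { (void)argc; (void)argv; return 0; }

/* Stand-in for EVP_get_cipherbyname(); constructed list, not OpenSSL's. */
static int is_cipher_name(const char *s)
{
    return strcmp(s, "chacha20") == 0 || strcmp(s, "aes-256-cbc") == 0;
}

/* Fallback as in do_cmd(): only name, type and func are assigned. The 0xA5
 * fill models leftover stack bytes deterministically (flat pointers assumed). */
static void fallback_partial(FUNCTION *f, const char *name)
{
    memset(f, 0xA5, sizeof(*f));
    f->name = name;
    if (is_cipher_name(name)) { f->type = FT_cipher; f->func = enc_stub; }
}

/* Hardened: value-initialise first, so every pointer field starts as NULL. */
static void fallback_zeroed(FUNCTION *f, const char *name)
{
    *f = (FUNCTION){0};
    f->name = name;
    if (is_cipher_name(name)) { f->type = FT_cipher; f->func = enc_stub; }
}

/* The same test do_cmd() applies before calling warn_deprecated(). */
static int would_warn(const FUNCTION *fp) { return fp->deprecated_alternative != NULL; }

int main(void)
{
    FUNCTION a, b;
    fallback_partial(&a, "chacha20");
    fallback_zeroed(&b, "chacha20");
    printf("partial: %d, zeroed: %d\n", would_warn(&a), would_warn(&b));
    return 0;
}
```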