[openssl-dev] [openssl.org #3909] Crash due to non-checking of return value / errno of malloc

Raghavendra Prabhu via RT rt at openssl.org
Sat Jun 13 14:05:20 UTC 2015


Hi

While using https://github.com/libhostile/libhostile/, with

hostile.sh -m 100 curl -L http://...
(It LD_PRELOADs through that script and makes malloc fail (by returning
ENOMEM before actual malloc is invoked) every 100 invocations or so).

I started noticing a crash in every 5-6 invocations. (Other times curl
reports with error 7 - out of memory among others but there is no crash).

===========
GNU gdb (GDB) 7.9.1
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html
>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/curl...(no debugging symbols found)...done.
[New LWP 6606]

warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Core was generated by `curl -L http://percona.com'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  SHA1_Update (c=0x0, data_=0x7ffc2f4dd03c, len=4) at ../md32_common.h:310
310         l = (c->Nl + (((HASH_LONG) len) << 3)) & 0xffffffffUL;
(gdb) bt
#0  SHA1_Update (c=0x0, data_=0x7ffc2f4dd03c, len=4) at ../md32_common.h:310
#1  0x00007f8a4a7b09d8 in ssleay_rand_bytes (buf=0x1071230 "", num=6,
pseudo=1, lock=1) at md_rand.c:475
#2  0x00007f8a4ab3666e in SSL_CTX_new (meth=0x7f8a4ad5daa0
<SSLv23_client_method_data.16764>) at ssl_lib.c:1992
#3  0x00007f8a4c017260 in ossl_connect_common () from /usr/lib/libcurl.so.4
#4  0x00007f8a4c01acc0 in Curl_ssl_connect_nonblocking () from
/usr/lib/libcurl.so.4
#5  0x00007f8a4bfd42ad in Curl_http_connect () from /usr/lib/libcurl.so.4
#6  0x00007f8a4bfe5471 in Curl_protocol_connect () from
/usr/lib/libcurl.so.4
#7  0x00007f8a4bff928e in multi_runsingle () from /usr/lib/libcurl.so.4
#8  0x00007f8a4bff9ead in curl_multi_perform () from /usr/lib/libcurl.so.4
#9  0x00007f8a4bff0aeb in curl_easy_perform () from /usr/lib/libcurl.so.4
#10 0x000000000040b44f in operate_do ()
#11 0x000000000040ce0d in operate ()
#12 0x000000000040245c in main ()
(gdb) info args
c = 0x0
data_ = 0x7ffc2f4dd03c
len = 4
(gdb) print *data
Cannot access memory at address 0xa
(gdb) print data
$1 = (const unsigned char *) 0xa <error: Cannot access memory at address
0xa>
(gdb) quit
=========================================


What that tool does is make malloc fail every 100 invocations with some
jitter/randomization.

Noticed with openssl 1.0.2c.

[Filed this earlier under openssl-security at openssl.org but was redirected
to file it here].

-----------
Raghavendra
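The trace in the report shows SHA1_Update entered with c=0x0 from ssleay_rand_bytes, which is what an unchecked allocation failure looks like once the NULL reaches code that dereferences it. The following is an added example, not libhostile's, curl's or OpenSSL's code: a small fault-injecting allocator in the spirit of the hostile.sh approach (refuse roughly every Nth allocation with some jitter, set errno to ENOMEM, never call the real malloc), a constructed toy digest context standing in for the SHA1 context, the unchecked pattern that would crash, and the checked form that reports the failure to its caller. All names (fi_malloc, toy_md_ctx, toy_rand_bytes_checked, fault_campaign) are hypothetical; the toy digest is FNV-1a style mixing and is not a random number generator.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Fault-injecting allocator (constructed stand-in for a libhostile-style
 * malloc hook): about every `period` calls, with some jitter, it sets
 * errno = ENOMEM and returns NULL without calling the real malloc.
 */
static unsigned long fi_calls;      /* allocations requested so far      */
static unsigned long fi_next_fail;  /* call number that will be refused  */
static unsigned      fi_period;     /* nominal distance between refusals */
static uint32_t      fi_state;      /* xorshift32 state for the jitter   */
static unsigned long fi_failures;   /* NULLs handed out so far           */

static uint32_t fi_rand(void)
{
    uint32_t x = fi_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return fi_state = x;
}

static void fi_schedule(void)
{
    /* jitter in [0, period/4] so refusals do not sit on a fixed stride */
    unsigned jitter = fi_period >= 4 ? fi_rand() % (fi_period / 4 + 1) : 0;
    fi_next_fail = fi_calls + fi_period + jitter;
}

void fi_reset(unsigned period, uint32_t seed)
{
    fi_calls = fi_failures = 0;
    fi_period = period ? period : 1;
    fi_state = seed ? seed : 1;      /* xorshift must not start at zero */
    fi_schedule();
}

unsigned long fi_failure_count(void) { return fi_failures; }

void *fi_malloc(size_t n)
{
    if (++fi_calls >= fi_next_fail) {
        fi_failures++;
        fi_schedule();
        errno = ENOMEM;
        return NULL;                 /* refused before real malloc runs */
    }
    return malloc(n);
}

/* Toy digest context standing in for the SHA1 context in the trace. */
typedef struct { uint32_t h; size_t len; } toy_md_ctx;

/* Like SHA1_Update in frame #0: dereferences c without checking it. */
void toy_md_update(toy_md_ctx *c, const unsigned char *d, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        c->h = (c->h ^ d[i]) * 16777619u;   /* FNV-1a style mixing step */
    c->len += n;
}

toy_md_ctx *toy_md_new(void)
{
    toy_md_ctx *c = fi_malloc(sizeof *c);
    if (c != NULL) { c->h = 2166136261u; c->len = 0; }
    return c;                        /* NULL, errno == ENOMEM, when refused */
}

/* The pattern behind the crash: the allocation result is used unchecked,
 * so a refused allocation reaches toy_md_update as c == NULL. Shown for
 * contrast only; the harness below never calls it. */
int toy_rand_bytes_unchecked(unsigned char *out, size_t n)
{
    toy_md_ctx *c = toy_md_new();
    toy_md_update(c, out, n);        /* NULL dereference on ENOMEM */
    free(c);
    return 1;
}

/* Checked form: returns 1 on success, 0 (errno still ENOMEM) when the
 * context could not be allocated, so the caller can fail cleanly. */
int toy_rand_bytes_checked(unsigned char *out, size_t n)
{
    size_t i;
    toy_md_ctx *c = toy_md_new();
    if (c == NULL)
        return 0;                    /* propagate the failure, do not crash */
    toy_md_update(c, out, n);
    for (i = 0; i < n; i++) {
        unsigned char b = (unsigned char)i;
        toy_md_update(c, &b, 1);
        out[i] = (unsigned char)(c->h >> 24);
    }
    free(c);
    return 1;
}

/* Runs `iters` calls under injection. Returns how many reported ENOMEM and
 * stores the number that succeeded in *ok_out; the two must sum to iters. */
unsigned long fault_campaign(unsigned iters, unsigned period, uint32_t seed,
                             unsigned long *ok_out)
{
    unsigned char buf[6];            /* num=6, as in frame #1 of the trace */
    unsigned long ok = 0, enomem = 0, i;
    fi_reset(period, seed);
    for (i = 0; i < iters; i++) {
        errno = 0;
        if (toy_rand_bytes_checked(buf, sizeof buf))
            ok++;
        else if (errno == ENOMEM)
            enomem++;
    }
    if (ok_out) *ok_out = ok;
    return enomem;
}

int main(void)
{
    unsigned long ok, enomem = fault_campaign(1000, 100, 7, &ok);
    printf("1000 calls: %lu succeeded, %lu reported ENOMEM, 0 crashed\n",
           ok, enomem);
    return 0;
}
```

With period 100 and jitter of at most 25, a run of 1000 calls refuses between 8 and 10 allocations; every one of them comes back as a clean ENOMEM error rather than the SIGSEGV in the report, which is the property a fault-injection pass like hostile.sh is meant to check.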
