[openssl-dev] [openssl.org #3916] [PATCH] Fix Uninitialized Values

Michael Wager via RT rt at openssl.org
Fri Jun 19 01:50:41 UTC 2015


Hello

When I ran OpenSSL 1.0.1k under valgrind, it turned up 3 memory errors (below).
I have attached a patch for 1.0.1o and verified that these errors no longer occur:


==30323== Conditional jump or move depends on uninitialised value(s)
==30323==    at 0x80C943F: ssl3_read_bytes (s3_pkt.c:1091)
==30323==    by 0x80CA0C2: ssl3_get_message (s3_both.c:539)
==30323==    by 0x80C9A55: ssl3_get_finished (s3_both.c:246)
==30323==    by 0x80C3586: ssl3_connect (s3_clnt.c:549)
==30323==    by 0x80DA5BB: SSL_connect (ssl_lib.c:943)
==30323==    by 0x80B9585: openSSLConnectionPb (ssl_connection.c:524)
==30323==    by 0x4050681: commsOpenClientSocket (bClientSocket.c:126)
==30323==    by 0x404F1A4: commsThread (smcomms.c:812)
==30323==    by 0x4529A48: start_thread (in /lib/libpthread-2.12.so)
==30323==    by 0x21CE1D: clone (in /lib/libc-2.12.so)
==30323==  Uninitialised value was created by a heap allocation
==30323==    at 0x40072B2: malloc (vg_replace_malloc.c:270)
==30323==    by 0x80F244B: default_malloc_ex (mem.c:79)
==30323==    by 0x80F29D7: CRYPTO_malloc (mem.c:312)
==30323==    by 0x81179E3: EVP_DigestInit_ex (digest.c:210)
==30323==    by 0x80FDA44: HMAC_Init_ex (hmac.c:130)
==30323==    by 0x815307D: pkey_hmac_ctrl (hm_pmeth.c:198)
==30323==    by 0x81207A6: EVP_PKEY_CTX_ctrl (pmeth_lib.c:408)
==30323==    by 0x811798D: EVP_DigestInit_ex (digest.c:225)
==30323==    by 0x8121C78: do_sigver_init (m_sigver.c:114)
==30323==    by 0x80D1679: tls1_PRF (t1_enc.c:179)

==29489== Conditional jump or move depends on uninitialised value(s)
==29489==    at 0x8171D09: RSA_padding_add_PKCS1_type_2 (rsa_pk1.c:169)
==29489==    by 0x816FF08: RSA_eay_public_encrypt (rsa_eay.c:198)
==29489==    by 0x810EBC2: RSA_public_encrypt (rsa_crpt.c:86)
==29489==    by 0x80C1723: ssl3_send_client_key_exchange (s3_clnt.c:2410)
==29489==    by 0x80C35C8: ssl3_connect (s3_clnt.c:406)
==29489==    by 0x80DA5BB: SSL_connect (ssl_lib.c:943)
==29489==    by 0x80CD21B: ssl23_connect (s23_clnt.c:805)
==29489==    by 0x80DA5D2: SSL_connect (ssl_lib.c:943)
==29489==    by 0x80B9585: openSSLConnectionPb (ssl_connection.c:524)
==29489==    by 0x4050681: commsOpenClientSocket (bClientSocket.c:126)
==29489==    by 0x404F1A4: commsThread (smcomms.c:812)
==29489==    by 0x4529A48: start_thread (in /lib/libpthread-2.12.so)
==29489==  Uninitialised value was created by a heap allocation
==29489==    at 0x40072B2: malloc (vg_replace_malloc.c:270)
==29489==    by 0x80F244B: default_malloc_ex (mem.c:79)
==29489==    by 0x80F29D7: CRYPTO_malloc (mem.c:312)
==29489==    by 0x816FCEA: RSA_eay_public_encrypt (rsa_eay.c:188)
==29489==    by 0x810EBC2: RSA_public_encrypt (rsa_crpt.c:86)
==29489==    by 0x80C1723: ssl3_send_client_key_exchange (s3_clnt.c:2410)
==29489==    by 0x80C35C8: ssl3_connect (s3_clnt.c:406)
==29489==    by 0x80DA5BB: SSL_connect (ssl_lib.c:943)
==29489==    by 0x80CD21B: ssl23_connect (s23_clnt.c:805)
==29489==    by 0x80DA5D2: SSL_connect (ssl_lib.c:943)
==29489==    by 0x80B9585: openSSLConnectionPb (ssl_connection.c:524)
==29489==    by 0x4050681: commsOpenClientSocket (bClientSocket.c:126)

==5127== Conditional jump or move depends on uninitialised value(s)
==5127==    at 0x8171D09: RSA_padding_add_PKCS1_type_2 (rsa_pk1.c:169)
==5127==    by 0x816FFF8: RSA_eay_public_encrypt (rsa_eay.c:199)
==5127==    by 0x810EBC2: RSA_public_encrypt (rsa_crpt.c:86)
==5127==    by 0x80C1723: ssl3_send_client_key_exchange (s3_clnt.c:2411)
==5127==    by 0x80C35C8: ssl3_connect (s3_clnt.c:406)
==5127==    by 0x80DA5BB: SSL_connect (ssl_lib.c:943)
==5127==    by 0x80CD21B: ssl23_connect (s23_clnt.c:805)
==5127==    by 0x80DA5D2: SSL_connect (ssl_lib.c:943)
==5127==    by 0x80B9585: openSSLConnectionPb (ssl_connection.c:524)
==5127==    by 0x4050681: commsOpenClientSocket (bClientSocket.c:126)
==5127==    by 0x404F1A4: commsThread (smcomms.c:812)
==5127==    by 0x4529A48: start_thread (in /lib/libpthread-2.12.so)
==5127==  Uninitialised value was created by a stack allocation
==5127==    at 0x80C1626: ssl3_send_client_key_exchange (s3_clnt.c:2341)

Thanks,
Michael



Michael Wager
Staff Software Engineer
Australia Development Laboratory (ADL)
IBM Software Group, Tivoli
L2 1060 Hay St
West Perth, 6005
Australia

Phone: +61-8-92618684
e-mail: mwager at au1.ibm.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mydiffs.patch
Type: application/octet-stream
Size: 1475 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150619/a0b2374b/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mydiffs.patch.zip
Type: application/zip
Size: 71094 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150619/a0b2374b/attachment-0001.zip>