[openssl-dev] [BUG] Data races in lhash.c

Dmitry Sobinov dmitry at addlive.com
Wed Nov 11 04:06:08 UTC 2015


Got some reports from clang Thread Sanitizer about concurrent access to
shared variables from the _LHASH structure in crypto/lhash/lhash.c. The
following members that are written/read are not protected:

error, num_hash_calls, num_hash_comps, num_comp_calls, num_retrieve.


Can be reproduced by creating many SSL_CTX contexts in concurrent threads.
One of the reports from TSan:

==================
WARNING: ThreadSanitizer: data race (pid=21810)
  Write of size 8 at 0x7d2c0000aff0 by thread T4:
    #0 getrn
/home/dmitry.sobinov/builds/openssl-1.0.2d/crypto/lhash/lhash.c:408
(test_app+0x0000007f9ebb)
    #1 lh_retrieve
/home/dmitry.sobinov/builds/openssl-1.0.2d/crypto/lhash/lhash.c:248
(test_app+0x0000007faa17)
    #2 OBJ_NAME_get
/home/dmitry.sobinov/builds/openssl-1.0.2d/crypto/objects/o_names.c:167
(test_app+0x000000782a05)
    #3 EVP_get_digestbyname
/home/dmitry.sobinov/builds/openssl-1.0.2d/crypto/evp/names.c:124
(test_app+0x00000081189d)
    #4 SSL_CTX_new
/home/dmitry.sobinov/builds/openssl-1.0.2d/ssl/ssl_lib.c:1963
(test_app+0x00000074fe09)

  Previous write of size 8 at 0x7d2c0000aff0 by thread T8:
    #0 getrn
/home/dmitry.sobinov/builds/openssl-1.0.2d/crypto/lhash/lhash.c:408
(test_app+0x0000007f9ebb)
    #1 lh_retrieve
/home/dmitry.sobinov/builds/openssl-1.0.2d/crypto/lhash/lhash.c:248
(test_app+0x0000007faa17)
    #2 OBJ_NAME_get
/home/dmitry.sobinov/builds/openssl-1.0.2d/crypto/objects/o_names.c:167
(test_app+0x000000782a05)
    #3 EVP_get_digestbyname
/home/dmitry.sobinov/builds/openssl-1.0.2d/crypto/evp/names.c:124
(test_app+0x00000081189d)
    #4 SSL_CTX_new
/home/dmitry.sobinov/builds/openssl-1.0.2d/ssl/ssl_lib.c:1963
(test_app+0x00000074fe09)

  Location is heap block of size 176 at 0x7d2c0000af50 allocated by main
thread:
    #0 malloc <null> (test_app+0x000000367c3d)
    #1 default_malloc_ex
/home/dmitry.sobinov/builds/openssl-1.0.2d/crypto/mem.c:79
(test_app+0x00000077bce0)
    #2 CRYPTO_malloc
/home/dmitry.sobinov/builds/openssl-1.0.2d/crypto/mem.c:342
(test_app+0x00000077cd33)
    #3 lh_new
/home/dmitry.sobinov/builds/openssl-1.0.2d/crypto/lhash/lhash.c:120
(test_app+0x0000007f8864)
    #4 OBJ_NAME_init
/home/dmitry.sobinov/builds/openssl-1.0.2d/crypto/objects/o_names.c:61
(test_app+0x0000007824a6)
    #5 OBJ_NAME_add
/home/dmitry.sobinov/builds/openssl-1.0.2d/crypto/objects/o_names.c:185
(test_app+0x000000782b39)
    #6 EVP_add_cipher
/home/dmitry.sobinov/builds/openssl-1.0.2d/crypto/evp/names.c:74
(test_app+0x00000081157d)
    #7 SSL_library_init
/home/dmitry.sobinov/builds/openssl-1.0.2d/ssl/ssl_algs.c:68
(test_app+0x0000007749f0)
    #8 do_init
/home/dmitry.sobinov/libs_tsan_cxx/include/boost/asio/ssl/detail/impl/openssl_init.ipp:39
(test_app+0x0000004000a4)
    #9 boost::asio::ssl::detail::openssl_init_base::instance()
/home/dmitry.sobinov/libs_tsan_cxx/include/boost/asio/ssl/detail/impl/openssl_init.ipp:131
(test_app+0x0000003fffb0)
    #10 openssl_init
/home/dmitry.sobinov/libs_tsan_cxx/include/boost/asio/ssl/detail/openssl_init.hpp:60
(test_app+0x0000003face9)
    #11 __cxx_global_var_init.25
/home/dmitry.sobinov/libs_tsan_cxx/include/boost/asio/ssl/detail/openssl_init.hpp:90
(test_app+0x0000003429c2)
    #12 __libc_csu_init <null> (test_app+0x000000a9862c)




---
Regards,
Dmitry Sobinov
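
Added example, not part of the original message and not OpenSSL code: a simplified model of the pattern in the report, where a lookup that is logically read-only still increments a statistics counter, shown with a plain counter and with a C11 atomic one. The `table` struct, `lookup`, `worker`, `run_lookups` and the thread and iteration counts are assumptions for illustration; only the counter name `num_retrieve` comes from the report.

```c
/* Added example: simplified model, not OpenSSL code; names are hypothetical. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

#define NTHREADS 8
#define NLOOKUPS 200000

struct table {
    int slots[16];
    unsigned long num_retrieve;        /* plain counter: racy when shared */
    atomic_ulong num_retrieve_atomic;  /* race-free replacement */
    int use_atomic;                    /* set once before threads start */
};

/* A logically read-only lookup that still writes to the table's statistics. */
static int lookup(struct table *t, unsigned key) {
    if (t->use_atomic)
        atomic_fetch_add_explicit(&t->num_retrieve_atomic, 1,
                                  memory_order_relaxed);
    else
        t->num_retrieve++;  /* unsynchronised read-modify-write */
    return t->slots[key % 16];
}

static void *worker(void *arg) {
    struct table *t = arg;
    for (unsigned i = 0; i < NLOOKUPS; i++)
        (void)lookup(t, i);
    return NULL;
}

/* Run NTHREADS concurrent readers; return the lookup count the table recorded. */
unsigned long run_lookups(int use_atomic) {
    struct table t = { .use_atomic = use_atomic };
    pthread_t tid[NTHREADS];
    int n = 0;
    while (n < NTHREADS && pthread_create(&tid[n], NULL, worker, &t) == 0)
        n++;
    for (int i = 0; i < n; i++)
        pthread_join(tid[i], NULL);
    return use_atomic ? atomic_load(&t.num_retrieve_atomic) : t.num_retrieve;
}

int main(void) {
    printf("plain %lu, atomic %lu, expected %lu\n", run_lookups(0),
           run_lookups(1), (unsigned long)NTHREADS * NLOOKUPS);
    return 0;
}
```

Built with `-pthread -fsanitize=thread`, the plain-counter run produces a data race report of the same kind as the one above, while the atomic run does not. The plain count may also come out lower than expected because concurrent increments can be lost.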