[openssl-dev] Reply: [openssl.org #4495] After upgrading openssl to 1.0.2g, it occasionally dumps core, please help me!

Hejian via RT rt at openssl.org
Fri Apr 1 06:09:43 UTC 2016


Hi,
Thanks for the reply.
Pkey is not NULL, but its memory has been freed if the reference count decreases to 0 when the other thread has not yet added 1 to it. Please confirm whether this can happen.
Today I will use a debug version to find this problem.
Please help check whether other people have reported this problem. Are there any similar problems to compare against?



-----Original Message-----
From: Matt Caswell via RT [mailto:rt at openssl.org]
Sent: 31 March 2016 22:00
To: Hejian (E)
Cc: openssl-dev at openssl.org
Subject: Re: [openssl-dev] [openssl.org #4495] After upgrading openssl to 1.0.2g, it occasionally dumps core, please help me!



On 31/03/16 14:00, Hejian via RT wrote:
> Hello, when upgrading openssl to 1.0.2g, if multiple threads call the CORBA
> interface, it occasionally dumps core. Please help analyze why the
> core is generated.
> 
> There are two kinds of core stack, listed below.
> 
> 
> #0  0x00007f97729ad324 in RSA_verify () from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0
> #1  0x00007f97729b2c13 in pkey_rsa_verify () from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0
> #2  0x00007f97729e1e6a in EVP_DigestVerifyFinal () from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0
> #3  0x00007f97729ec0d0 in ASN1_item_verify () from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0
> #4  0x00007f9772a0b7f2 in internal_verify () from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0
> #5  0x00007f9772a0d03a in X509_verify_cert () from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0
> #6  0x00007f97727aed68 in ssl_verify_cert_chain () from /opt/oss/server/3rdTools/lib/libssl.so.1.0.0
> #7  0x00007f977278a486 in ssl3_get_server_certificate () from /opt/oss/server/3rdTools/lib/libssl.so.1.0.0
> #8  0x00007f977278da22 in ssl3_connect () from /opt/oss/server/3rdTools/lib/libssl.so.1.0.0
> #9  0x00007f977279797a in ssl23_connect () from /opt/oss/server/3rdTools/lib/libssl.so.1.0.0
> #10 0x00007f97719ad764 in ACE_SSL_SOCK_Connector::ssl_connect(ACE_SSL_SOCK_Stream&, ACE_Time_Value const*) ()
> 
> For the first core stack, we suspect there is a NULL pointer use in the
> internal_verify function:
> 
> When the first thread runs X509_PUBKEY_get and creates key->pkey, and goes
> on to EVP_PKEY_free(pkey), at the same time another thread runs to the
> function below, finds key->pkey not NULL, gets the value, and has not yet
> gone on to add the reference. The first thread thinks the reference count
> has decreased to 0 and frees it. The second thread will then call a NULL
> pointer and cause a core. Please help confirm whether my analysis is
> correct and why there is a core here?
> 
> /* Check to see if another thread set key->pkey first */
> CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY);
> if (key->pkey) {
>     CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
>     EVP_PKEY_free(ret);
>     ret = key->pkey;
> } else {
>     key->pkey = ret;
>     CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
> }
> CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY);
> 

So you think pkey ends up being NULL? Is that just a theory or have you verified that in a debugger? I can't immediately see a problem with the above code - the reference counting looks ok to me. Don't forget when EVP_PKEY_new() gets called the reference count starts off as 1, and in order to return from the X509_PUBKEY_get() function you must have incremented the reference count by an additional 1 (no matter in which order the threads complete the function). Furthermore the ASN1_item_verify() function in the above stack trace verifies that pkey != NULL before it gets as far as calling EVP_DigestVerifyFinal().

Are you able to recompile OpenSSL with debugging symbols included (i.e. pass the "-d" flag to "config" when building)? That may help narrow things down a bit.


> 
> For the second stack we can't find why it causes a core, please help analyze
> where in the source code the core may be caused.
> 
> #0  0x00007f84a332bf2d in

Without debugging symbols it is difficult to say much about this one.

Matt


--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4495
Please log in as guest with password guest if prompted
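As an added example (not OpenSSL's code, and not something posted in the thread), the following C models the reference-count bookkeeping of the X509_PUBKEY_get() tail quoted above. Instead of real threads, the two callers' steps are interleaved by hand in the order Hejian describes (caller A publishes, finishes and frees before caller B, which already saw a non-NULL cache entry, adds its own reference), so the count can be checked at each step. pkey_t, pubkey_cache_t, publish_or_adopt(), run_interleaving() and the w_lock()/w_unlock() stand-ins are this example's own names, not OpenSSL identifiers.

```c
/* Added example, not OpenSSL code: single-threaded model of the refcount
 * bookkeeping in the X509_PUBKEY_get() tail quoted in the thread. Callers'
 * steps are interleaved by hand so each count can be asserted. pkey_t,
 * pubkey_cache_t and the function names are this example's own. */
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    int references;   /* 1 on creation, as after EVP_PKEY_new() */
    int freed;        /* set once references reaches 0 (stand-in for free()) */
} pkey_t;

typedef struct {
    pkey_t *pkey;     /* cached decoded key, like X509_PUBKEY->pkey */
} pubkey_cache_t;

/* Stand-ins for CRYPTO_w_lock/CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY). */
static int evp_pkey_locked;
static void w_lock(void)   { evp_pkey_locked = 1; }
static void w_unlock(void) { evp_pkey_locked = 0; }

static pkey_t *pkey_new(void)
{
    pkey_t *k = calloc(1, sizeof *k);
    if (k != NULL)
        k->references = 1;
    return k;
}

/* EVP_PKEY_free(): drop one reference; the object dies when it hits 0. */
static void pkey_free(pkey_t *k)
{
    if (k == NULL || k->freed)
        return;
    if (--k->references == 0)
        k->freed = 1;          /* real code releases the storage here */
}

/* Tail of X509_PUBKEY_get(): `ret` is this caller's freshly decoded key
 * (references == 1). Publish it, or adopt the one another caller cached
 * first, then take this caller's own reference. */
static pkey_t *publish_or_adopt(pubkey_cache_t *cache, pkey_t *ret)
{
    w_lock();
    if (cache->pkey) {
        w_unlock();
        pkey_free(ret);        /* our decode lost; its only reference dies */
        ret = cache->pkey;
    } else {
        cache->pkey = ret;     /* our decode won; the cache owns reference #1 */
        w_unlock();
    }
    ret->references++;         /* CRYPTO_add(&ret->references, 1, ...) */
    return ret;
}

typedef struct {
    int same_object;       /* both callers ended up holding the cached key */
    int loser_freed;       /* the losing decode was released exactly once */
    int min_live_refs;     /* lowest count seen while the cache still holds it */
    int after_callers;     /* count once both callers have freed their copies */
    int freed_at_teardown; /* object dies only when the cache itself lets go */
} trace_t;

/* Interleaving from the thread: A publishes and frees before B, which has
 * already seen a non-NULL cache entry, adds its reference. */
static trace_t run_interleaving(void)
{
    trace_t t = {0};
    pubkey_cache_t cache = { NULL };
    pkey_t *a_dec = pkey_new();                    /* A's decode */
    pkey_t *b_dec = pkey_new();                    /* B's concurrent decode */

    pkey_t *a = publish_or_adopt(&cache, a_dec);   /* cache:1 + A:1 = 2 */
    pkey_free(a);                                  /* A finished: back to 1 */
    t.min_live_refs = cache.pkey->references;

    pkey_t *b = publish_or_adopt(&cache, b_dec);   /* adopts a_dec: 1 + B:1 */
    t.same_object = (a == b) && (b == a_dec);
    t.loser_freed = b_dec->freed && b_dec->references == 0;
    pkey_free(b);                                  /* B finished */
    t.after_callers = cache.pkey->references;

    pkey_free(cache.pkey);                         /* X509_PUBKEY_free() path */
    t.freed_at_teardown = a_dec->freed;
    cache.pkey = NULL;

    free(a_dec);
    free(b_dec);
    return t;
}

int main(void)
{
    trace_t t = run_interleaving();
    printf("same object %d, loser freed %d, min live refs %d, "
           "after callers %d, freed at teardown %d\n",
           t.same_object, t.loser_freed, t.min_live_refs,
           t.after_callers, t.freed_at_teardown);
    return 0;
}
```

With this ordering the cached key's count never drops below the one reference the cache itself holds, which is the point Matt makes about the extra increment before X509_PUBKEY_get() returns; the model says nothing about what happens if the X509_PUBKEY that owns the cache is itself freed, which the thread does not discuss.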

