[openssl-dev] [openssl.org #4658] bug: Abort() in 1.0.2h parsing server cert in ASN.1 routine

Quanah Gibson-Mount via RT rt at openssl.org
Wed Aug 24 23:17:21 UTC 2016


A customer of ours has a server cert where the CSR was generated with 
1.0.2h but was signed with 1.0.0j.

When a process (nginx in this case) has this as the server cert, it core 
dumps with an abort() when clients request the cert:

[root@zre-ldap005 q]# gdb /opt/zimbra/common/sbin/nginx core-nginx-sig6-user1004-group1004-pid8084-time1471924181
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-80.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /opt/zimbra/common/sbin/nginx...Reading symbols from /usr/lib/debug/opt/zimbra/common/sbin/nginx.debug...done.
done.
[New LWP 8084]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `nginx: worker process                    '.
Program terminated with signal 6, Aborted.
#0  0x00007f22ba1245f7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
Missing separate debuginfos, use: debuginfo-install pcre-8.32-15.el7_2.1.x86_64 zimbra-cyrus-sasl-libs-2.1.26-1zimbra8.7b1.el7.x86_64 zlib-1.2.7-15.el7.x86_64
(gdb) bt
#0  0x00007f22ba1245f7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007f22ba125ce8 in __GI_abort () at abort.c:90
#2  0x00007f22ba164327 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7f22ba26e488 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:196
#3  0x00007f22ba16ada5 in malloc_printerr (ar_ptr=0x7f22ba4aa760 <main_arena>, ptr=<optimized out>, str=0x7f22ba26bb57 "corrupted double-linked list", action=3) at malloc.c:5022
#4  malloc_consolidate (av=av@entry=0x7f22ba4aa760 <main_arena>) at malloc.c:4169
#5  0x00007f22ba16ced5 in _int_malloc (av=av@entry=0x7f22ba4aa760 <main_arena>, bytes=bytes@entry=1366) at malloc.c:3443
#6  0x00007f22ba16f26c in __GI___libc_malloc (bytes=1366) at malloc.c:2895
#7  0x00007f22bab51048 in CRYPTO_malloc (num=num@entry=1366, file=file@entry=0x7f22bace2220 "tasn_utl.c", line=line@entry=174) at mem.c:342
#8  0x00007f22bac4be94 in asn1_enc_save (pval=pval@entry=0x21302b0, in=0x214c6ce "0\202\005R\240\003\002\001\002\002\002\022x0\r\006\t*\206H\206\367\r\001\001\v\005", inlen=1366,
    it=it@entry=0x7f22baf35f60 <X509_CINF_it>) at tasn_utl.c:174
#9  0x00007f22bac4b14e in ASN1_item_ex_d2i (pval=<optimized out>, in=0x7ffc53c497e0, len=0, it=0x7f22baf35f60 <X509_CINF_it>, tag=<optimized out>, tag@entry=-1, aclass=<optimized out>,
    opt=0 '\000', ctx=0x7ffc53c49a10) at tasn_dec.c:492
#10 0x00007f22bac4b4f2 in asn1_template_noexp_d2i (val=0x21302b0, in=0x7ffc53c499a0, len=1513, tt=0x7f22baf3cd20 <X509_seq_tt>, opt=<optimized out>, ctx=0x7ffc53c49a10) at tasn_dec.c:694
#11 0x00007f22bac4b735 in asn1_template_ex_d2i (val=0x21302b0, in=0x7ffc53c499a0, inlen=1513, tt=0x7f22baf3cd20 <X509_seq_tt>, opt=<optimized out>, ctx=<optimized out>) at tasn_dec.c:582
#12 0x00007f22bac4ae9b in ASN1_item_ex_d2i (pval=pval@entry=0x7ffc53c49a00, in=in@entry=0x7ffc53c49a60, len=1513, len@entry=1517, it=it@entry=0x7f22baf35ee0 <X509_it>,
    tag=<optimized out>, tag@entry=-1, aclass=<optimized out>, aclass@entry=0, opt=opt@entry=0 '\000', ctx=ctx@entry=0x7ffc53c49a10) at tasn_dec.c:445
#13 0x00007f22bac4b294 in ASN1_item_d2i (pval=0x7ffc53c49a00, pval@entry=0x0, in=in@entry=0x7ffc53c49a60, len=len@entry=1517, it=it@entry=0x7f22baf35ee0 <X509_it>) at tasn_dec.c:146
#14 0x00007f22bac435ec in d2i_X509 (a=a@entry=0x0, in=in@entry=0x7ffc53c49a60, len=len@entry=1517) at x_x509.c:143
#15 0x00007f22baf71da2 in ssl3_get_server_certificate (s=s@entry=0x2167a50) at s3_clnt.c:1228
#16 0x00007f22baf76cee in ssl3_connect (s=0x2167a50) at s3_clnt.c:345
#17 0x00007f22baf8166e in ssl23_get_server_hello (s=0x2167a50) at s23_clnt.c:799
#18 ssl23_connect (s=0x2167a50) at s23_clnt.c:228
#19 0x000000000044a755 in ngx_ssl_handshake (c=0x7f22b8ca0f60) at src/event/ngx_event_openssl.c:791
#20 0x000000000044adbf in ngx_ssl_handshake_handler (ev=0x7f22b8b99640) at src/event/ngx_event_openssl.c:939
#21 0x000000000043a8da in ngx_event_process_posted (cycle=0x1e86db0, posted=0x73d4e8 <ngx_posted_events>) at src/event/ngx_event_posted.c:40
#22 0x000000000043843a in ngx_process_events_and_timers (cycle=0x1e86db0) at src/event/ngx_event.c:275
#23 0x0000000000445dad in ngx_worker_process_cycle (cycle=0x1e86db0, data=0x1) at src/os/unix/ngx_process_cycle.c:879
#24 0x00000000004423cb in ngx_spawn_process (cycle=0x1e86db0, proc=0x445bca <ngx_worker_process_cycle>, data=0x1, name=0x4ff02f "worker process", respawn=1)
    at src/os/unix/ngx_process.c:198
#25 0x000000000044579d in ngx_reap_children (cycle=0x1e86db0) at src/os/unix/ngx_process_cycle.c:688
#26 0x0000000000444443 in ngx_master_process_cycle (cycle=0x1e86db0) at src/os/unix/ngx_process_cycle.c:241
#27 0x00000000004075fb in main (argc=3, argv=0x7ffc53c4a278) at src/core/nginx.c:407

Let me know what further information I can provide.

--Quanah

--

Quanah Gibson-Mount


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4658
Please log in as guest with password guest if prompted
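
Editor's added example (not part of Quanah's report, and not OpenSSL code): the `in=` argument gdb printed in frame #8 is the start of the DER-encoded TBSCertificate that asn1_enc_save is about to copy, rendered with C octal escapes and cut at the first NUL byte. Decoding those escapes and walking the DER tag/length headers lets the backtrace be checked against itself: the SEQUENCE header 30 82 05 52 declares 1362 content bytes, which with its 4-byte header is exactly the 1366 passed to CRYPTO_malloc in frame #7, and 1517 minus 1513 across frames #12 to #14 is the 4-byte header of the enclosing Certificate SEQUENCE. The version, serial number and signature algorithm OID (1.2.840.113549.1.1.11, sha256WithRSAEncryption) are also visible in the prefix, and the NUL that stopped gdb is the length octet of that algorithm's NULL parameter. Only the byte string and the three lengths are taken from the trace; the decoder is the example's own scaffolding, and nothing here says anything about why the heap was corrupted.

```python
"""Decode the DER prefix gdb printed in frame #8 and cross-check it against
the byte counts in frames #7 and #12-#14.  Added example; it is not code from
the bug report or from OpenSSL and makes no claim about the crash's cause."""
import re

# Copied from the backtrace: the `in=` argument of asn1_enc_save as gdb showed
# it (C octal escapes).  gdb stops at the first NUL byte, so the prefix ends on
# the 0x05 tag of a NULL whose 0x00 length octet is cut off.
GDB_PREFIX = (r'0\202\005R\240\003\002\001\002\002\002\022x'
              r'0\r\006\t*\206H\206\367\r\001\001\v\005')

# Lengths reported in the other frames.
MALLOC_BYTES = 1366       # CRYPTO_malloc(num=1366), asn1_enc_save(inlen=1366)
D2I_X509_LEN = 1517       # d2i_X509(len=1517): the whole Certificate
X509_SEQ_CONTENT = 1513   # asn1_template_noexp_d2i(len=1513): its content

_ESCAPES = {'a': 7, 'b': 8, 't': 9, 'n': 10, 'v': 11, 'f': 12, 'r': 13,
            '\\': 0x5C, '"': 0x22, "'": 0x27}


def gdb_cstring_to_bytes(text):
    """Turn a gdb-printed C string (octal and single-letter escapes) into bytes."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] != '\\':
            out.append(ord(text[i]))
            i += 1
            continue
        i += 1
        m = re.match(r'[0-7]{1,3}', text[i:])
        if m:
            out.append(int(m.group(0), 8))
            i += len(m.group(0))
        else:
            out.append(_ESCAPES[text[i]])
            i += 1
    return bytes(out)


def der_header(buf, off):
    """(tag, length, header_len) at buf[off:], or None if the header is cut off."""
    if off + 1 >= len(buf):
        return None
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                         # short-form length
        return tag, first, 2
    n = first & 0x7F                         # long form: n length octets follow
    if n == 0 or off + 2 + n > len(buf):
        return None
    return tag, int.from_bytes(buf[off + 2:off + 2 + n], 'big'), 2 + n


def parse_tlvs(buf, off, stop):
    """Walk the TLVs in buf[off:stop], recursing into constructed ones.

    A value that runs past the end of buf is flagged 'truncated'; a TLV whose
    header itself is cut off is reported with its tag only."""
    nodes = []
    while off < stop:
        hdr = der_header(buf, off)
        if hdr is None:
            nodes.append({'tag': buf[off], 'truncated_header': True})
            break
        tag, length, hlen = hdr
        val_start, val_end = off + hlen, off + hlen + length
        node = {'tag': tag, 'length': length, 'total': hlen + length,
                'truncated': val_end > len(buf)}
        if tag & 0x20:                       # constructed
            node['children'] = parse_tlvs(buf, val_start, min(val_end, len(buf)))
        else:
            node['value'] = buf[val_start:min(val_end, len(buf))]
        nodes.append(node)
        off = val_end
    return nodes


def decode_oid(value):
    """Dotted form of a DER OBJECT IDENTIFIER value."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    lead = 0 if arcs[0] < 40 else 1 if arcs[0] < 80 else 2
    return '.'.join(str(a) for a in [lead, arcs[0] - 40 * lead] + arcs[1:])


def analyse_prefix():
    """Check the visible prefix against the lengths gdb reported elsewhere."""
    buf = gdb_cstring_to_bytes(GDB_PREFIX)
    tbs = parse_tlvs(buf, 0, len(buf))[0]            # TBSCertificate SEQUENCE
    version_wrap, serial, sig_alg = tbs['children'][:3]
    return {
        'tbs_total': tbs['total'],                    # header + content = what asn1_enc_save copies
        'tbs_matches_malloc': tbs['total'] == MALLOC_BYTES,
        'version': version_wrap['children'][0]['value'][0],   # [0] EXPLICIT INTEGER, 2 = v3
        'serial': int.from_bytes(serial['value'], 'big'),
        'sig_alg_oid': decode_oid(sig_alg['children'][0]['value']),
        'sig_alg_params_cut': sig_alg['children'][1].get('truncated_header', False),
        'outer_header_len': D2I_X509_LEN - X509_SEQ_CONTENT,  # 4 = "30 82 xx xx"
    }


if __name__ == '__main__':
    for key, val in analyse_prefix().items():
        print(f'{key:20} {val}')
```

The same decoder can be pointed at the full DER of the certificate (`openssl x509 -in cert.pem -outform DER`) to check every nested length against its parent, which is the first thing worth doing when a parser aborts on one specific certificate.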