[openssl-dev] Reply: [openssl.org #4360] [BUG] OpenSSL-1.0.1 crash on sha1_block_data_order_ssse3 asm
Hejian via RT
rt at openssl.org
Wed Mar 2 09:18:35 UTC 2016
Thank you very much for your reply!
Here is my complement:
1. I use the OpenSSL 1.0.1q, not 1.0.1r, sorry.
2.> I mean did you experience crash with openssl command (which one if so), or is it a web (or some other tls) server facing network?
--Our system is a C/S structure; client and server communicate by CORBA. I experience the crash during CORBA calls. The following is one stack:
Program terminated with signal 11, Segmentation fault.
Thread 1 (Thread 0x7f0654871700 (LWP 22383)):
#0 0x00007f06a2cdddb8 in sha1_block_data_order_ssse3 ()
from ***/lib/libcrypto.so.1.0.0
#1 0xca62c1d6ca62c1d6 in ?? ()
#2 0xca62c1d6ca62c1d6 in ?? ()
#3 0xca62c1d6ca62c1d6 in ?? ()
#4 0xca62c1d6ca62c1d6 in ?? ()
#5 0xca62c1d6ca62c1d6 in ?? ()
#6 0xca62c1d6ca62c1d6 in ?? ()
#7 0xca62c1d6ca62c1d6 in ?? ()
#8 0xca62c1d6ca62c1d6 in ?? ()
#9 0xffffffffffffffea in ?? ()
#10 0x00007f06aee0ded0 in ?? ()
#11 0x03ffffffffffffff in ?? ()
#12 0x00007f06a2cdb173 in SHA1_Update ()
...
#16 0x00007f06a19e967b in ssl3_write_bytes ()
from ***/lib/libssl.so.1.0.0
#17 0x00007f06a0c0dc97 in ACE_SSL_SOCK_Stream::send(void const*, unsigned long, int, ACE_Time_Value const*) const ()
from ***/lib/libACE_SSL.so.6.1.0
#18 0x00007f06a0c0e001 in ACE_SSL_SOCK_Stream::sendv(iovec const*, unsigned long, ACE_Time_Value const*) const ()
from ***/lib/libACE_SSL.so.6.1.0
#19 0x00007f06a0e9ce6d in TAO::SSLIOP::Transport::send(iovec*, int, unsigned long&, ACE_Time_Value const*) ()
from ***/lib/libTAO_SSLIOP.so
...
#25 0x00007f06a8025544 in TAO_Transport::send_message_shared(TAO_Stub*, TAO_Message_Semantics, ACE_Message_Block const*, ACE_Time_Value*) ()
from ***/lib/libTAO.so.2.1.0
#26 0x00007f06a0e9cfba in TAO::SSLIOP::Transport::send_message(TAO_OutputCDR&, TAO_Stub*, TAO_Message_Semantics, ACE_Time_Value*) ()
...
#35 0x00007f06a80227bf in TAO_Transport::process_parsed_messages(TAO_Queued_Data*, TAO_Resume_Handle&) () from ***/lib/libTAO.so.2.1.0
#36 0x00007f06a8023228 in TAO_Transport::handle_input_parse_data(TAO_Resume_Handle&, ACE_Time_Value*) () from ***/lib/libTAO.so.2.1.0
#37 0x00007f06a8023a43 in TAO_Transport::handle_input(TAO_Resume_Handle&, ACE_Time_Value*) () from ***/lib/libTAO.so.2.1.0
#38 0x00007f06a0e9d0ad in TAO::SSLIOP::Transport::handle_input(TAO_Resume_Handle&, ACE_Time_Value*) () from ***/lib/libTAO_SSLIOP.so
#39 0x00007f06a7f8cf03 in TAO_Connection_Handler::svc_i() ()
from ***/lib/libTAO.so.2.1.0
#40 0x00007f06a7870497 in ACE_Task_Base::svc_run(void*) ()
...
#44 0x00007f06a6ad264d in clone () from /lib64/libc.so.6
#45 0x0000000000000000 in ?? ()
(gdb) quit
3.> You need to complement it with output from 'info reg' as well as output from 'disass' command till you see => mark pointing at failing instruction.
--I checked with one coredump file.
(gdb) bt
#0 0x00002b41740e8db8 in sha1_block_data_order_ssse3 () from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0
#1 0xfdf35677747316a9 in ?? ()
#2 0x76e31e49fb938e17 in ?? ()
#3 0xda54424849480908 in ?? ()
#4 0x8169066fd99a223c in ?? ()
#5 0xd3959399c3228e53 in ?? ()
#6 0x4b40cb4385132309 in ?? ()
#7 0xe89493da4d391b51 in ?? ()
#8 0x258fe4e948e933e5 in ?? ()
#9 0xffffffffffffffe7 in ?? ()
#10 0x000055555a419c60 in ?? ()
#11 0x03ffffffffffffff in ?? ()
#12 0x00002b41740e6173 in SHA1_Update () from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0
#13 0x00002b417415b0ab in ssleay_rand_bytes () from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0
#14 0x00002aaaaabf6496 in tls1_enc () from /opt/oss/server/3rdTools/lib/libssl.so.1.0.0
#15 0x00002aaaaabeb690 in do_ssl3_write () from /opt/oss/server/3rdTools/lib/libssl.so.1.0.0
#16 0x00002aaaaabebb6b in ssl3_dispatch_alert () from /opt/oss/server/3rdTools/lib/libssl.so.1.0.0
#17 0x00002aaada93cf90 in ?? ()
#18 0x0000000000000000 in ?? ()
(gdb) i r rsp
rsp 0x50a7e100 0x50a7e100
(gdb) x /1x 0x50a7e100
0x50a7e100: 0xfdf35677747316a9
(gdb) x /30a 0x50a7e100
0x50a7e100: 0xfdf35677747316a9 0x76e31e49fb938e17
0x50a7e110: 0xda54424849480908 0x8169066fd99a223c
0x50a7e120: 0xd3959399c3228e53 0x4b40cb4385132309
0x50a7e130: 0xe89493da4d391b51 0x258fe4e948e933e5
0x50a7e140: 0xffffffffffffffe7 0x55555a419c60
0x50a7e150: 0x3ffffffffffffff 0x2b41740e6173 <SHA1_Update+275>
0x50a7e160: 0x13 0x408
0x50a7e170: 0x2aaad71c5938 0x8
0x50a7e180: 0x408 0x2b417415b0ab <ssleay_rand_bytes+555>
0x50a7e190: 0x2b41741e8f87 0x50a7e1c0
0x50a7e1a0: 0x50a7e1f0 0x1
0x50a7e1b0: 0x100000000 0x50a7e210
0x50a7e1c0: 0x2b4174328140 <sha1_md> 0x0
0x50a7e1d0: 0x0 0x55555a419c60
0x50a7e1e0: 0x0 0x2b4174165c40 <update>
(gdb) disassemble 0x2b41740e6173
Dump of assembler code for function SHA1_Update:
...
0x00002b41740e607f <+31>: sub $0x28,%rsp
...
0x00002b41740e60f5 <+149>: callq 0x2b41740e7140 <sha1_block_data_order>
...
0x00002b41740e613e <+222>: add $0x28,%rsp
0x00002b41740e6142 <+226>: retq
(gdb) disass 0x2b41740e8db8
Dump of assembler code for function sha1_block_data_order_ssse3:
0x00002b41740e8210 <+0>: push %rbx
0x00002b41740e8211 <+1>: push %rbp
0x00002b41740e8212 <+2>: push %r12
0x00002b41740e8214 <+4>: lea -0x40(%rsp),%rsp
0x00002b41740e8219 <+9>: mov %rdi,%r8
...
0x00002b41740e8da7 <+2967>: je 0x2b41740e8f40 <sha1_block_data_order_ssse3+3376>
0x00002b41740e8dad <+2973>: movdqa 0x40(%r11),%xmm6
0x00002b41740e8db3 <+2979>: movdqa (%r11),%xmm9
=> 0x00002b41740e8db8 <+2984>: movdqu (%r9),%xmm0 --is this what you want ?
0x00002b41740e8dbd <+2989>: movdqu 0x10(%r9),%xmm1
0x00002b41740e8dc3 <+2995>: movdqu 0x20(%r9),%xmm2
0x00002b41740e8dc9 <+3001>: movdqu 0x30(%r9),%xmm3
Thanks
B/R
-----Original Message-----
From: Andy Polyakov via RT [mailto:rt at openssl.org]
Sent: March 1, 2016 20:52
To: Hejian (E)
Cc: openssl-dev at openssl.org
Subject: Re: [openssl-dev] [openssl.org #4360] [BUG] OpenSSL-1.0.1 crash on sha1_block_data_order_ssse3 asm
Hi,
> we met crash of openssl (rarely, 3 times I have seen) on linux x86_64.
> openSSL version is 1.0.1r.
>
> The stack is as below:
> Program terminated with signal 11, Segmentation fault.
> Thread 1 (Thread 0x7f0654871700 (LWP 22383)):
> #0 0x00007f06a2cdddb8 in sha1_block_data_order_ssse3 () from
> *****/libcrypto.so.1.0.0
> #1 0xca62c1d6ca62c1d6 in ?? ()
> #2 0xca62c1d6ca62c1d6 in ?? ()
> #3 0xca62c1d6ca62c1d6 in ?? ()
>
> We find the similar issue on https://rt.openssl.org/, the ticket id is 3191 .
> Can you help me confirm whether it is the same issue?
Not with presented information :-( You need to complement it with output from 'info reg' as well as output from 'disass' command till you see => mark pointing at failing instruction. From debugger prompts that is. And since stack back-tracing is problematic here, tell approximately what was going on? I mean did you experience crash with openssl command (which one if so), or is it a web (or some other tls) server facing network?
> And where can I get the commit b77b58a398c8b9b4113f3fb6b48e162a3b8d4527 ?
It was incorporated in 1.0.1 since 1.0.1f.
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4360
Please log in as guest with password guest if prompted