[openssl-dev] [openssl.org #4495] After upgrade openssl to 1.0.2g, it cause core accidently, please help me !

Hejian via RT rt at openssl.org
Thu Mar 31 13:00:48 UTC 2016 

Hello,
when upgrade openssl to 1.0.2g, If multi thread call the corba interface, it will cause core accidently.
Please help analyze why the core is generated.

There are two kinds of core stack list below.


#0  0x00007f97729ad324 in RSA_verify ()
   from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0
#1  0x00007f97729b2c13 in pkey_rsa_verify ()
   from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0
#2  0x00007f97729e1e6a in EVP_DigestVerifyFinal ()
   from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0
#3  0x00007f97729ec0d0 in ASN1_item_verify ()
   from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0
#4  0x00007f9772a0b7f2 in internal_verify ()
   from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0
#5  0x00007f9772a0d03a in X509_verify_cert ()
   from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0
#6  0x00007f97727aed68 in ssl_verify_cert_chain ()
   from /opt/oss/server/3rdTools/lib/libssl.so.1.0.0
#7  0x00007f977278a486 in ssl3_get_server_certificate ()
   from /opt/oss/server/3rdTools/lib/libssl.so.1.0.0
#8  0x00007f977278da22 in ssl3_connect ()
   from /opt/oss/server/3rdTools/lib/libssl.so.1.0.0
#9  0x00007f977279797a in ssl23_connect ()
   from /opt/oss/server/3rdTools/lib/libssl.so.1.0.0
#10 0x00007f97719ad764 in ACE_SSL_SOCK_Connector::ssl_connect(ACE_SSL_SOCK_Stream&, ACE_Time_Value const*) ()

The first core stack, we suspect there is NULL ptr use in  internal_verify function:

when first thread run in X509_PUBKEY_get and create key->pkey, and go to EVP_PKEY_free(pkey); At same time another thread run to below function find key->pkey not NULL, get the value, and not goto add reference. The first thread think the reference decrease to 0 and free it. The second thread will call NULL ptr and cause core.
Please help confirm whether my analyze is correct and why here is a core?

    /* Check to see if another thread set key->pkey first */
    CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY);
    if (key->pkey) {
        CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
        EVP_PKEY_free(ret);
        ret = key->pkey;
    } else {
        key->pkey = ret;
        CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
    }
    CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY);


The second stack we can't find why it cause core, please help analyze the source code where may cause core?
#0  0x00007f84a332bf2d in sha1_block_data_order_ssse3 ()
   from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0
#1  0x78c793de7ab6c677 in ?? ()
#2  0x3113a1d9ca62c7fa in ?? ()
#3  0x9e7d9b9f3531665e in ?? ()
#4  0x36c547d69b42ed31 in ?? ()
#5  0x95b7ad7d683b2cde in ?? ()
#6  0x10e7cadd8a63d9da in ?? ()
#7  0x457d99208e4f622d in ?? ()
#8  0xb831aa9466c530cc in ?? ()
#9  0x00007f84322c49bc in ?? ()
#10 0x00007f84a35c59f2 in state ()
   from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0
#11 0xffffffffffffffed in ?? ()
#12 0x00007f84322c49a0 in ?? ()
#13 0x03ffffffffffffff in ?? ()
#14 0x00007f84a3329103 in SHA1_Update ()
   from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0
#15 0x00007f84a33b283b in ssleay_rand_bytes ()
   from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0
#16 0x00007f84a317a353 in ssl23_connect ()

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4495
Please log in as guest with password guest if prompted

More information about the openssl-dev mailing list