[openssl-dev] [openssl.org #4526] bug: use of ExitProcess on Windows platforms, 1.0.2g

[Ty Baen-Price via RT]

Hi,

I'm working in the 1.0.2g version of OpenSSL, in a Windows desktop environment, specifically Win 7, 8.1, and 10 (and their equivalent server and R2 versions). 

Problem and Resolution:
The following lines of code make use of the Microsoft API ExitProcess:

Apps\Speed.c line 335:	ExitProcess(ret);
Ms\uplink.c line 22: ExitProcess(1);

These function calls are made after fatal errors are detected and program termination is desired. ExitProcess(), however causes *orderly* shutdown of a process and all its threads, i.e. it unloads all dlls and runs all destructors. See MSDN for details of exactly what happens (https://msdn.microsoft.com/en-us/library/windows/desktop/ms682658(v=vs.85).aspx). The MSDN page states that ExitProcess should never be called unless it is *known to be safe* to call it. These calls should simply be replaced with calls to TerminateProcess(), which is what should be called for *disorderly* shutdown.

An example of usage:
TerminateProcess(GetCurrentProcess(), exitcode);


Effect of Problem:
Because of a compilation error (wrong c++ runtime), my program executed the uplink.c ExitProcess() call. This caused the single OpenSSL thread to start executing the destructors of all my dlls, and their objects. Unfortunately, about 30 other threads were happily using those objects at that time, eventually causing a 0xC0000005 ACCESS_VIOLATION. Obviously an ACCESS_VIOLATION is the best case scenario, as I'm sure you can imagine at the consequences of undiscovered memory corruption, even in a terminating process.

Regards,

Ty Baen-Price
JADE Development Team Leader
Wynyard Group

DDI +64 3 367 8453

Powerful Software. Connecting the Dots.
wynyardgroup.com



-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4526
Please log in as guest with password guest if prompted