[openssl-dev] [openssl.org #4541] Re: [PATCH] Fix Uninitialized Values in OpenSSL 1.0.1o

Tim Culhane via RT rt at openssl.org
Tue May 17 16:21:01 UTC 2016


Hi Michael,

Apologies for contacting you directly, but I had a query about a patch you submitted to OpenSSL recently.

I recently upgraded the version of OpenSSL we are using in our mail server to 1.0.2g. I then noticed valgrind errors like the below, which seem similar to a patch you submitted for 1.0.1o at:


https://mta.openssl.org/pipermail/openssl-bugs-mod/2015-June/000023.html



==00:00:00:29.159 26520==  Uninitialised value was created by a heap allocation
==00:00:00:29.159 26520==    at 0x4A069EE: malloc (vg_replace_malloc.c:270)
==00:00:00:29.159 26520==    by 0x828977: CRYPTO_malloc (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520==    by 0x85AE76: EVP_DigestInit_ex (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520==    by 0x83BCB5: HMAC_Init_ex (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520==    by 0x8BB608: pkey_hmac_ctrl (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520==    by 0x869119: EVP_PKEY_CTX_ctrl (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520==    by 0x85AE13: EVP_DigestInit_ex (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520==    by 0x86A6C5: EVP_DigestSignInit (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520==    by 0x7F2812: tls1_P_hash.constprop.3 (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520==    by 0x7F2F20: tls1_PRF.constprop.2 (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520==    by 0x7F3C52: tls1_setup_key_block (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520==    by 0x819D4F: ssl3_do_change_cipher_spec (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520==    by 0x81AAF2: ssl3_read_bytes (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520==    by 0x81BE7C: ssl3_get_message (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520==    by 0x81B99F: ssl3_get_finished (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520==    by 0x80DF18: ssl3_accept (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520==    by 0x7EB3D3: ssl23_accept (in /opt/automation/rg-572/remote/10_128_19_9/razorgate-HEAD/install/mira/opt/criticalpath/global/bin/smtpd)
==00:00:00:29.159 26520==    by 0x783209: tls_negotiation (ssl_openssl.c:1878)
==00:00:00:29.159 26520==    by 0x5D889C: process_starttls_command (receiver.c:2086)
==00:00:00:29.159 26520==    by 0x5D7B12: run_smtp_server (receiver.c:1765)
==00:00:00:29.159 26520==    by 0x5D32B1: smtp_recv_thread (receiver.c:318)

I looked at the relevant files in the 1.0.2g version of OpenSSL, but didn't see the new calls to memset() added.

Would you happen to know the status of this patch?

Do you expect it to be added to the master version of OpenSSL any time soon?

Many thanks,

Tim

---------------

Tim Culhane
Senior Software Engineer

Synchronoss Technologies Inc.
First Floor, Simmonscourt House
Simmonscourt Road
Ballsbridge
Dublin 4

Phone: +353 1 241 5107
www.synchronoss.com




-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4541
Please log in as guest with password guest if prompted


