Memory leak in openssl 1.1.1d

Dr Paul Dale paul.dale at oracle.com
Wed Sep 30 07:08:18 UTC 2020


This isn’t enough information to diagnose the issue.  Which of the leak summary records is the problem?
Are you sure that your application is cleaning up properly (hint: it isn’t, e.g. OpenSSL never calls operator new() from the second record).

Pauli
-- 
Dr Paul Dale | Distinguished Architect | Cryptographic Foundations 
Phone +61 7 3031 7217
Oracle Australia




> On 10 Sep 2020, at 1:39 am, Abhi Arora <engr.abhiarora at gmail.com> wrote:
> 
> I am using openssl 1.1.1d. I found out around 228 bytes are being directly lost (as per valgrind) report. I have one application which uses curl (7.64) and I wrote the same application using POCO HTTPS and I got the same result.
> 
> I thought it could be related to the cipher suit. I can see the leak is dependent on the URL being used (all were https). For one of the urls, it was leaking 228 (directly) per connection and disconnection. For one of the urls, the same code doesn't leak atall (no matter how many times you run that code in a for loop).
> 
> For the urls which were leaking, the following cipher suites were being used:
> 1. SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> 2. SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> 
> Here is the valgrind summary:
> ==8620== HEAP SUMMARY:
> ==8620==     in use at exit: 121,777 bytes in 1,097 blocks
> ==8620==   total heap usage: 129,382 allocs, 128,285 frees, 10,635,842 bytes allocated
> ==8620==
> ==8620== 8 bytes in 1 blocks are possibly lost in loss record 16 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4E75523: ??? (in /usr/lib/libuamqp.so.1.2.12)
> ==8620==
> ==8620== 8 bytes in 1 blocks are definitely lost in loss record 17 of 372
> ==8620==    at 0x483F310: operator new(unsigned int) (vg_replace_malloc.c:336)
> ==8620==    by 0x36D15: main (sample_pki.cpp:27)
> ==8620==
> ==8620== 8 bytes in 1 blocks are definitely lost in loss record 18 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4CBF14B: CRYPTO_zalloc (mem.c:230)
> ==8620==    by 0x4C76E07: ECDSA_SIG_new (ec_asn1.c:1214)
> ==8620==    by 0x537064B: pkcs11_try_pkey_ec_sign (p11_pkey.c:546)
> ==8620==    by 0x537064B: pkcs11_pkey_ec_sign (p11_pkey.c:634)
> ==8620==    by 0x4CB70CD: EVP_DigestSignFinal (m_sigver.c:148)
> ==8620==    by 0x4BA9FF3: tls_construct_cert_verify (statem_lib.c:307)
> ==8620==    by 0x4BA42C7: write_state_machine (statem.c:843)
> ==8620==    by 0x4BA42C7: state_machine (statem.c:443)
> ==8620==    by 0x4B8BABB: ssl3_read_bytes (rec_layer_s3.c:1278)
> ==8620==    by 0x4B900E1: ssl3_read_internal (s3_lib.c:4473)
> ==8620==    by 0x4B9013F: ssl3_read (s3_lib.c:4497)
> ==8620==    by 0x4B96A6D: ssl_read_internal (ssl_lib.c:1761)
> ==8620==    by 0x4B96B09: SSL_read (ssl_lib.c:1775)
> ==8620==
> ==8620== 16 bytes in 2 blocks are possibly lost in loss record 55 of 372
> ==8620==    at 0x483EA30: malloc (vg_replace_malloc.c:306)
> ==8620==    by 0x48419FF: realloc (vg_replace_malloc.c:834)
> ==8620==    by 0x4E73B5D: amqpvalue_set_map_value (in /usr/lib/libuamqp.so.1.2.12)
> ==8620==
> ==8620== 40 bytes in 10 blocks are possibly lost in loss record 182 of 372
> ==8620==    at 0x483EA30: malloc (vg_replace_malloc.c:306)
> ==8620==    by 0x48419FF: realloc (vg_replace_malloc.c:834)
> ==8620==    by 0x4E738BB: amqpvalue_set_list_item (in /usr/lib/libuamqp.so.1.2.12)
> ==8620==
> ==8620== 48 bytes in 1 blocks are possibly lost in loss record 210 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4E7582D: ??? (in /usr/lib/libuamqp.so.1.2.12)
> ==8620==
> ==8620== 48 bytes in 2 blocks are possibly lost in loss record 211 of 372
> ==8620==    at 0x48419B0: realloc (vg_replace_malloc.c:834)
> ==8620==    by 0x4E73B5D: amqpvalue_set_map_value (in /usr/lib/libuamqp.so.1.2.12)
> ==8620==
> ==8620== 56 bytes in 1 blocks are possibly lost in loss record 215 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4E74FF9: ??? (in /usr/lib/libuamqp.so.1.2.12)
> ==8620==
> ==8620== 64 bytes in 2 blocks are possibly lost in loss record 228 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4E74477: ??? (in /usr/lib/libuamqp.so.1.2.12)
> ==8620==
> ==8620== 64 bytes in 1 blocks are definitely lost in loss record 229 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4A8D411: __libc_alloc_buffer_allocate (alloc_buffer_allocate.c:26)
> ==8620==    by 0x4AE2B51: alloc_buffer_allocate (alloc_buffer.h:143)
> ==8620==    by 0x4AE2B51: __resolv_conf_allocate (resolv_conf.c:411)
> ==8620==    by 0x4AE147D: __resolv_conf_load (res_init.c:592)
> ==8620==    by 0x4AE292B: __resolv_conf_get_current (resolv_conf.c:163)
> ==8620==    by 0x4AE19D7: __res_vinit (res_init.c:614)
> ==8620==    by 0x4AE24B1: maybe_init (resolv_context.c:122)
> ==8620==    by 0x4AE24B1: context_get.part.1 (resolv_context.c:184)
> ==8620==    by 0x4ABBAE7: gaih_inet.constprop.6 (getaddrinfo.c:751)
> ==8620==    by 0x4ABC90B: getaddrinfo (getaddrinfo.c:2265)
> ==8620==    by 0x4B4AA17: Curl_getaddrinfo_ex (in /usr/lib/libcurl.so.4.5.0)
> ==8620==
> ==8620== 80 bytes in 3 blocks are possibly lost in loss record 246 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4E7547D: ??? (in /usr/lib/libuamqp.so.1.2.12)
> ==8620==
> ==8620== 92 bytes in 3 blocks are possibly lost in loss record 256 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4E74E3D: ??? (in /usr/lib/libuamqp.so.1.2.12)
> ==8620==
> ==8620== 128 bytes in 4 blocks are possibly lost in loss record 278 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4E74ABF: ??? (in /usr/lib/libuamqp.so.1.2.12)
> ==8620==
> ==8620== 128 bytes in 4 blocks are possibly lost in loss record 279 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4E74DF1: ??? (in /usr/lib/libuamqp.so.1.2.12)
> ==8620==
> ==8620== 128 bytes in 4 blocks are possibly lost in loss record 280 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4E70EC5: amqpvalue_create_map (in /usr/lib/libuamqp.so.1.2.12)
> ==8620==
> ==8620== 152 bytes in 1 blocks are possibly lost in loss record 291 of 372
> ==8620==    at 0x4841748: calloc (vg_replace_malloc.c:760)
> ==8620==    by 0x400C871: allocate_dtv (dl-tls.c:286)
> ==8620==    by 0x400CEB3: _dl_allocate_tls (dl-tls.c:530)
> ==8620==    by 0x4A18585: allocate_stack (allocatestack.c:621)
> ==8620==    by 0x4A18585: pthread_create@@GLIBC_2.4 (pthread_create.c:669)
> ==8620==    by 0x4B4B507: Curl_thread_create (in /usr/lib/libcurl.so.4.5.0)
> ==8620==
> ==8620== 192 bytes in 6 blocks are possibly lost in loss record 303 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4E75329: ??? (in /usr/lib/libuamqp.so.1.2.12)
> ==8620==
> ==8620== 242 bytes in 8 blocks are possibly lost in loss record 310 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4E70C33: amqpvalue_create_symbol (in /usr/lib/libuamqp.so.1.2.12)
> ==8620==
> ==8620== 256 bytes in 8 blocks are possibly lost in loss record 322 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4E70C1B: amqpvalue_create_symbol (in /usr/lib/libuamqp.so.1.2.12)
> ==8620==
> ==8620== 320 bytes in 10 blocks are possibly lost in loss record 326 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4E7611B: amqpvalue_create_composite_with_ulong_descriptor (in /usr/lib/libuamqp.so.1.2.12)
> ==8620==
> ==8620== 320 bytes in 10 blocks are possibly lost in loss record 327 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4E6FD95: amqpvalue_create_ulong (in /usr/lib/libuamqp.so.1.2.12)
> ==8620==
> ==8620== 320 bytes in 10 blocks are possibly lost in loss record 328 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4E70DBD: amqpvalue_create_list (in /usr/lib/libuamqp.so.1.2.12)
> ==8620==
> ==8620== 360 bytes in 6 blocks are possibly lost in loss record 331 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4E7467F: ??? (in /usr/lib/libuamqp.so.1.2.12)
> ==8620==
> ==8620== 576 bytes in 18 blocks are possibly lost in loss record 337 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4E70A6B: amqpvalue_create_string (in /usr/lib/libuamqp.so.1.2.12)
> ==8620==
> ==8620== 1,024 bytes in 4 blocks are indirectly lost in loss record 351 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4CBF14B: CRYPTO_zalloc (mem.c:230)
> ==8620==    by 0x4C498EB: bn_expand_internal (bn_lib.c:268)
> ==8620==    by 0x4C498EB: bn_expand2 (bn_lib.c:292)
> ==8620==    by 0x4C499B3: BN_copy (bn_lib.c:329)
> ==8620==    by 0x4C4A5D7: BN_MONT_CTX_set (bn_mont.c:275)
> ==8620==    by 0x4C4A7F7: BN_MONT_CTX_set_locked (bn_mont.c:450)
> ==8620==    by 0x4CDC003: rsa_ossl_public_decrypt (rsa_ossl.c:559)
> ==8620==    by 0x4CDE4AF: int_rsa_verify (rsa_sign.c:143)
> ==8620==    by 0x4CDE703: RSA_verify (rsa_sign.c:247)
> ==8620==    by 0x4CDD8F5: pkey_rsa_verify (rsa_pmeth.c:251)
> ==8620==    by 0x4CB722D: EVP_DigestVerifyFinal (m_sigver.c:207)
> ==8620==    by 0x4BA824D: tls_process_key_exchange (statem_clnt.c:2401)
> ==8620==
> ==8620== 1,039 bytes in 18 blocks are possibly lost in loss record 352 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4E70A83: amqpvalue_create_string (in /usr/lib/libuamqp.so.1.2.12)
> ==8620==
> ==8620== 1,088 bytes in 34 blocks are possibly lost in loss record 353 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4E754A9: ??? (in /usr/lib/libuamqp.so.1.2.12)
> ==8620==
> ==8620== 2,064 bytes in 4 blocks are indirectly lost in loss record 359 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4CBF14B: CRYPTO_zalloc (mem.c:230)
> ==8620==    by 0x4C498EB: bn_expand_internal (bn_lib.c:268)
> ==8620==    by 0x4C498EB: bn_expand2 (bn_lib.c:292)
> ==8620==    by 0x4C49A4B: BN_set_bit (bn_lib.c:659)
> ==8620==    by 0x4C4A6FB: BN_MONT_CTX_set (bn_mont.c:395)
> ==8620==    by 0x4C4A7F7: BN_MONT_CTX_set_locked (bn_mont.c:450)
> ==8620==    by 0x4CDC003: rsa_ossl_public_decrypt (rsa_ossl.c:559)
> ==8620==    by 0x4CDE4AF: int_rsa_verify (rsa_sign.c:143)
> ==8620==    by 0x4CDE703: RSA_verify (rsa_sign.c:247)
> ==8620==    by 0x4CDD8F5: pkey_rsa_verify (rsa_pmeth.c:251)
> ==8620==    by 0x4CB722D: EVP_DigestVerifyFinal (m_sigver.c:207)
> ==8620==    by 0x4BA824D: tls_process_key_exchange (statem_clnt.c:2401)
> ==8620==
> ==8620== 2,304 bytes in 7 blocks are indirectly lost in loss record 362 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4CBF14B: CRYPTO_zalloc (mem.c:230)
> ==8620==    by 0x4C498EB: bn_expand_internal (bn_lib.c:268)
> ==8620==    by 0x4C498EB: bn_expand2 (bn_lib.c:292)
> ==8620==    by 0x4C499B3: BN_copy (bn_lib.c:329)
> ==8620==    by 0x4C4A5D7: BN_MONT_CTX_set (bn_mont.c:275)
> ==8620==    by 0x4C4A7F7: BN_MONT_CTX_set_locked (bn_mont.c:450)
> ==8620==    by 0x4CDC003: rsa_ossl_public_decrypt (rsa_ossl.c:559)
> ==8620==    by 0x4CDE4AF: int_rsa_verify (rsa_sign.c:143)
> ==8620==    by 0x4CDE703: RSA_verify (rsa_sign.c:247)
> ==8620==    by 0x4CDD8F5: pkey_rsa_verify (rsa_pmeth.c:251)
> ==8620==    by 0x4CB722D: EVP_DigestVerifyFinal (m_sigver.c:207)
> ==8620==    by 0x4C27D59: ASN1_item_verify (a_verify.c:167)
> ==8620==
> ==8620== 3,392 (304 direct, 3,088 indirect) bytes in 4 blocks are definitely lost in loss record 365 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4C4A531: BN_MONT_CTX_new (bn_mont.c:232)
> ==8620==    by 0x4C4A7E9: BN_MONT_CTX_set_locked (bn_mont.c:447)
> ==8620==    by 0x4CDC003: rsa_ossl_public_decrypt (rsa_ossl.c:559)
> ==8620==    by 0x4CDE4AF: int_rsa_verify (rsa_sign.c:143)
> ==8620==    by 0x4CDE703: RSA_verify (rsa_sign.c:247)
> ==8620==    by 0x4CDD8F5: pkey_rsa_verify (rsa_pmeth.c:251)
> ==8620==    by 0x4CB722D: EVP_DigestVerifyFinal (m_sigver.c:207)
> ==8620==    by 0x4BA824D: tls_process_key_exchange (statem_clnt.c:2401)
> ==8620==    by 0x4BA8725: ossl_statem_client_process_message (statem_clnt.c:1048)
> ==8620==    by 0x4BA4653: read_state_machine (statem.c:636)
> ==8620==    by 0x4BA4653: state_machine (statem.c:434)
> ==8620==    by 0x4B980B1: SSL_do_handshake (ssl_lib.c:3607)
> ==8620==
> ==8620== 4,636 bytes in 7 blocks are indirectly lost in loss record 367 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4CBF14B: CRYPTO_zalloc (mem.c:230)
> ==8620==    by 0x4C498EB: bn_expand_internal (bn_lib.c:268)
> ==8620==    by 0x4C498EB: bn_expand2 (bn_lib.c:292)
> ==8620==    by 0x4C49A4B: BN_set_bit (bn_lib.c:659)
> ==8620==    by 0x4C4A6FB: BN_MONT_CTX_set (bn_mont.c:395)
> ==8620==    by 0x4C4A7F7: BN_MONT_CTX_set_locked (bn_mont.c:450)
> ==8620==    by 0x4CDC003: rsa_ossl_public_decrypt (rsa_ossl.c:559)
> ==8620==    by 0x4CDE4AF: int_rsa_verify (rsa_sign.c:143)
> ==8620==    by 0x4CDE703: RSA_verify (rsa_sign.c:247)
> ==8620==    by 0x4CDD8F5: pkey_rsa_verify (rsa_pmeth.c:251)
> ==8620==    by 0x4CB722D: EVP_DigestVerifyFinal (m_sigver.c:207)
> ==8620==    by 0x4C27D59: ASN1_item_verify (a_verify.c:167)
> ==8620==
> ==8620== 7,472 (532 direct, 6,940 indirect) bytes in 7 blocks are definitely lost in loss record 369 of 372
> ==8620==    at 0x483EB28: malloc (vg_replace_malloc.c:307)
> ==8620==    by 0x4C4A531: BN_MONT_CTX_new (bn_mont.c:232)
> ==8620==    by 0x4C4A7E9: BN_MONT_CTX_set_locked (bn_mont.c:447)
> ==8620==    by 0x4CDC003: rsa_ossl_public_decrypt (rsa_ossl.c:559)
> ==8620==    by 0x4CDE4AF: int_rsa_verify (rsa_sign.c:143)
> ==8620==    by 0x4CDE703: RSA_verify (rsa_sign.c:247)
> ==8620==    by 0x4CDD8F5: pkey_rsa_verify (rsa_pmeth.c:251)
> ==8620==    by 0x4CB722D: EVP_DigestVerifyFinal (m_sigver.c:207)
> ==8620==    by 0x4C27D59: ASN1_item_verify (a_verify.c:167)
> ==8620==    by 0x4CFFF4B: X509_verify (x_all.c:26)
> ==8620==    by 0x4CFCE63: internal_verify (x509_vfy.c:1750)
> ==8620==    by 0x4CFDF03: verify_chain (x509_vfy.c:232)
> ==8620==
> ==8620== LEAK SUMMARY:
> ==8620==    definitely lost: 916 bytes in 14 blocks
> ==8620==    indirectly lost: 10,028 bytes in 22 blocks
> ==8620==      possibly lost: 5,701 bytes in 166 blocks
> ==8620==    still reachable: 105,132 bytes in 895 blocks
> ==8620==         suppressed: 0 bytes in 0 blocks
> ==8620== Reachable blocks (those to which a pointer was found) are not shown.
> ==8620== To see them, rerun with: --leak-check=full --show-leak-kinds=all
> ==8620==
> ==8620== For lists of detected and suppressed errors, rerun with: -s
> ==8620== ERROR SUMMARY: 28 errors from 28 contexts (suppressed: 0 from 0)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-project/attachments/20200930/07935d61/attachment-0001.html>


More information about the openssl-project mailing list