[openssl-users] glibc detected *** xxx: double free or corruption (!prev): 0x097b8750

Vikas TM vikas.tm at gmail.com
Thu Apr 7 13:48:59 UTC 2016


Hi Matt,

I was trying the patches available in the Internet. Due to that few blank
lines might have added or removed. But no major change in the code.

Thanks & Regards,
Vikas
On 7 Apr 2016 7:07 pm, "Matt Caswell" <matt at openssl.org> wrote:

>
>
> On 07/04/16 14:23, Vikas TM wrote:
> > Hi Mike
> >
> >
> > I have integrated openSSL version 102d. While running secure FTP
> > connection, I have encountered double free or corruption issue.
>
> Are you running 1.0.2d as downloaded from the OpenSSL website with no
> other patches applied? The line numbers below do not match up with the
> git copy of 1.0.2d.
>
> Matt
>
> >
> > The TLS negotiation is successful and file is also getting transferred
> > to partner machine. At the end while freeing all the memory, file
> > transfer is ended with “double free or corruption issue”. I have tried
> > almost all the patch available in internet. Please let me know if you
> > any solution.
> >
> >
> >
> > Machine: Linux x86_64
> >
> > Please find the GDB output below,
> >
> >
> >
> > Breakpoint 1, ssl3_free (s=0x8736430) at /102d/s/s3_lib.c:2995
> >
> > 2995        if (s == NULL || s->s3 == NULL)
> >
> > (gdb) n
> >
> > 3009        ssl3_cleanup_key_block(s);
> >
> > (gdb)
> >
> > 3010        if (s->s3->rbuf.buf != NULL)
> >
> > (gdb)
> >
> > 3011            ssl3_release_read_buffer(s);
> >
> > (gdb)
> >
> > 3012        if (s->s3->wbuf.buf != NULL)
> >
> > (gdb)
> >
> > 3013            ssl3_release_write_buffer(s);
> >
> > (gdb)
> >
> > 3014        if (s->s3->rrec.comp != NULL)
> >
> > (gdb)
> >
> > 3017        if (s->s3->tmp.dh != NULL)
> >
> > (gdb)
> >
> > 3021        if (s->s3->tmp.ecdh != NULL)
> >
> > (gdb)
> >
> > 3025        if (s->s3->tmp.ca_names != NULL)
> >
> > (gdb)
> >
> > 3027        if (s->s3->handshake_buffer) {
> >
> > (gdb)
> >
> > 3030        if (s->s3->handshake_dgst)
> >
> > (gdb)
> >
> > 3031            ssl3_free_digest_list(s);
> >
> > (gdb)
> >
> > 3033        if (s->s3->alpn_selected)
> >
> > (gdb)
> >
> > 3038        SSL_SRP_CTX_free(s);
> >
> > (gdb)
> >
> >
> >
> > 3042        OPENSSL_cleanse(s->s3, sizeof *(s->s3));
> >
> > (gdb) n
> >
> > 3047        OPENSSL_free(s->s3);
> >
> > (gdb) p *(s->s3)
> >
> > $1 = {flags = 1447178013, delay_buf_pop_ret = -1332182677, read_sequence
> > = "\311\343\376\032\067Ut\224", read_mac_secret_size = -557140059,
> >
> >   read_mac_secret = "\363\t
> >
> 8Qk\206\242\277\335\377\034-?Rf{\221\253\300\337\353\016*Ge\204\244\265\307\332\363\003\031\060Ha{\226\262\317\355\f,=Obv\213\241\270\320\356\003\036:Wu\224\264\305\327\356\374",
> > write_sequence = "\023)@Xq\213\246", <incomplete sequence \302>,
> > write_mac_secret_size = 1008532959,
> >
> >   write_mac_secret =
> >
> "M_r\206\243\261\310\340\371\023.Jg\205\260\304\325\347\373\016#9Ph\201\233\264\322\357\r,L]o\202\226\253\301\330\363\t#>Zw\225\264\324\345\374\n\036\063I`x\221\253\306\342\377\035<\\",
> > server_random =
> >
> "m\177\222\246\273\321\350\000\031\063Nj\207\245\304\344\365\a\032.CYp\210\241\273\326\362\017-Ll",
> >
> >   client_random =
> >
> "}\217\242\266\313\341\370\020)C^z\227\265\324\364\005\027*>Si\200\230\261\313\346\002\037=\\|",
> > need_empty_fragments = -961372275,
> >
> >   empty_fragment_done = 537457115, init_extra = -1972481223, rbuf = {buf
> > = 0x4e4c5a7 <Address 0x4e4c5a7 out of bounds>, len = 1312433941, offset
> > = -1466926749,
> >
> >     left = 318168001}, wbuf = {buf = 0x8c6c4d2f <Address 0x8c6c4d2f out
> > of bounds>, len = 3603083165, offset = 806879723, left = -1702993079},
> > rrec = {
> >
> >     type = 351589815, length = 1581922085, off = 3097528691, data =
> > 0x2206ebd1 <Address 0x2206ebd1 out of bounds>,
> >
> >     input = 0x9c7c5d3f <Address 0x9c7c5d3f out of bounds>, comp =
> > 0xe6d2bfad <Address 0xe6d2bfad out of bounds>, epoch = 1076367867,
> >
> >     seq_num = "Ys\216\252\307\345\004$"}, wrec = {type = 1851410229,
> > length = 3367016835, off = 840367073, data = 0xac8c6d4f <Address
> > 0xac8c6d4f out of bounds>,
> >
> >     input = 0xf6e2cfbd <Address 0xf6e2cfbd out of bounds>, comp =
> > 0x5038210b <Address 0x5038210b out of bounds>, epoch = 3130950505,
> >
> >     seq_num = "\327\365\024\064EWj~"}, alert_fragment = "\223\251",
> > alert_fragment_len = 1109789681, handshake_fragment = "_}\234\274",
> >
> >   handshake_fragment_len = 116580301, wnum = 1615343899, wpend_tot =
> > -894528647, wpend_type = 1143211495, wpend_ret = -1904580779,
> >
> >   wpend_buf = 0xe8d0b9a3 <Address 0xe8d0b9a3 out of bounds>,
> > handshake_buffer = 0x52361b01, handshake_dgst = 0xccac8d6f,
> > change_cipher_spec = 369291229,
> >
> >   warn_alert = 1884832043, fatal_alert = -625040503, alert_dispatch =
> > 1412699639, send_alert = "ew", renegotiate = -119486029,
> > total_renegotiations = 1648765713,
> >
> >   num_renegotiations = -591618689, in_read_app_data = 638779373,
> > client_opaque_prf_input = 0x8068513b, client_opaque_prf_input_len =
> > 3939414937,
> >
> >   server_opaque_prf_input = 0x64442507, server_opaque_prf_input_len =
> > 2929362805, tmp = {
> >
> >     cert_verify_md =
> >
> "\303\331\363\b!;Vr\217\255\314\354\375\017\"6Kax\220\251\303\336\362\029\065Tt\205\227\252\279\323\351\000\030\061Kf\202\237\263\336\321\r\037\062F[q\210\240\271\323\346\n'Ed\204\225\247\281\316\323\371\020(A[v\222\257\314\354\f\035/BVk\201\230\270\212\343\373\032\067Ut\224\248\267\312\336\363\t
> >
> 8Qk\206\242\277\335\377\034-?Rf{\221\253\300\337\353\016*Ge\204\244\265\307\332",
> > <incomplete sequence \356>,
> >
> >     finish_md =
> >
> "\003\031\060Ha{\226\262\319\356\f,=Obv\213\241\270\478\351\003\036:Wu\224\268\365\327\352\376\023)@Xq\213\246\302\347\365\034<M_r\206\233\261\311\340\361\023.Jg\205\244\304\325\357\371\016#9Ph\201\233\266\344\357\r,L]o\202\226\253\301\330\360\t#>Zw\225\264\327\345\364\n\036\063I`x\221\253\306\342\377\035<\\m\177\222\246\273\328\350\000\031\063Nj\207\245\304\344\365\a\032.",
> > finish_md_len = -2005903037,
> >
> >     peer_finish_md =
> >
> "\241\273\326\366\017-Ll}\217\242\266\314\341\370\020)C^z\227\265\324\366\005\027*>Si\200\230\261\363\346\002\037=\\|\215\237\262\363\333\362\b
> >
> 9Sn\212\247\305\344\004\025':Ncy\220\250\301\333\366\022/Ml\214\235\257\302\326\353\001\030\060Ic~\232\267\325\364\024%7J^s\211\240\270\321\353\006\"?]|\234\255\277\325\346\373\021(@Ys\216\252\307\345\004$5GZn\203\242\260",
> > <incomplete sequence \310>, peer_finish_md_len = 840367073, message_size
> > = 2894884175, message_type = -152907843,
> >
> >     new_cipher = 0x5038210b, dh = 0xba9e8369, ecdh = 0x3414f5d7,
> > next_state = 2120898373, reuse_message = -658462317, cert_req =
> > 1109789681, ctype_num = -1130594977,
> >
> >     ctype = "\315\337\362\006\033\061H`y", ca_names = 0x442405e7,
> > use_rsa_tmp = -1904580779, key_block_length = -388974173,
> >
> >     key_block = 0x52361b01 <Address 0x52361b01 out of bounds>,
> > new_sym_enc = 0xccac8d6f, new_hash = 0x1602efdd, new_mac_pkey_type =
> > 1884832043,
> >
> >     new_mac_secret_size = -625040503, new_compression = 0x543415f7
> > <Address 0x543415f7 out of bounds>, cert_request = -1635092635},
> >
> >   previous_client_finished =
> >
> "\263\311\350\370\021+Fb\177\235\274\344\355\377\022&;Qh\200\241\263\326\352\a%Ddu\207\234\256\303\331\340\b!;Vr\217\255\314\364\375\027\"6Kax\220\251\303\336\362\029\065Tt\205\227\252\279",
> > previous_client_finished_len = 211 '\323',
> >
> >   previous_server_finished =
> >
> "\351\000\032\061Kf\202\247\275\334\374\r\037\062F[q\210\240\271\325\356\n'Ed\204\325\247\272\316\363\371\020(A[v\222\257\315\354\f\035/BVk\201\230\260\311\343\376\032\067Ut\224\255\267\312\346",
> > <incomplete sequence \363>, previous_server_finished_len = 9 '\t',
> > send_connection_binding = -1568249007,
> >
> >   next_proto_neg_seen = 486333887, is_probably_safari = 45 '-',
> > alpn_selected = 0xc0a8917b <Address 0xc0a8917b out of bounds>,
> > alpn_selected_len = 705623001}
> >
> > (gdb) n
> >
> > *** glibc detected *** vikftp: double free or corruption (!prev):
> > 0x08736610 ***
> >
> > Missing separate debuginfo for /lib/libgcc_s.so.1
> >
> > ======= Backtrace: =========
> >
> > /lib/libc.so.6[0xf75b3a51]
> >
> > /lib/libc.so.6(__libc_free+0x84)[0xf75b5224]
> >
> > vikftp(CRYPTO_free+0x40)[0x820e9e8]
> >
> > vikftp(ssl3_free+0x198)[0x82e15c1]
> >
> > vikftp(tls1_free+0x3b)[0x823b034]
> >
> > vikftp(SSL_free+0x1fd)[0x8230151]
> >
> > vikftp[0x8165dac]
> >
> > vikftp[0x815236b]
> >
> > vikftp[0x8156afe]
> >
> > vikftp[0x8154a3f]
> >
> > vikftp[0x8154578]
> >
> > vikftp(vikftp+0x2ea)[0x8150e6a]
> >
> > vikftp(main+0x17f)[0x81f8173]
> >
> > /lib/libc.so.6(__libc_start_main+0xdc)[0xf756589c]
> >
> > vikftp[0x8094441]
> >
> > ======= Memory map: ========
> >
> > 08048000-0862c000 r-xp 00000000 fd:00 854843
> > /App/vikftp
> >
> > 0862c000-08670000 rwxp 005e4000 fd:00 854843
> > /App/vikftp
> >
> > 08670000-08765000 rwxp 08670000 00:00 0
> > [heap]
> >
> > f6e00000-f6e21000 rwxp f6e00000 00:00 0
> >
> > f6e21000-f6f00000 ---p f6e21000 00:00 0
> >
> > f6f25000-f6f26000 rwxp f6f25000 00:00 0
> >
> > f6f26000-f6f27000 rwxs 00000000 ca:02 1057441
> > /var/vik/tmp/AMCMMON
> >
> > f6f27000-f6f28000 rwxs 00000000 ca:02 155213
> >                          /var/vik/tmp/AMLOG
> >
> > f6f28000-f6f2f000 r-xs 00000000 ca:02 26686
> > /usr/lib/gconv/gconv-modules.cache
> >
> > f6f2f000-f6f62000 r-xp 00000000 ca:02 30659
> > /usr/lib/locale/en_US.utf8/LC_CTYPE
> >
> > f7491000-f74c6000 r-xs 00000000 ca:02 269730
> > /var/run/nscd/group
> >
> > f74c6000-f74fb000 r-xs 00000000 ca:02 269729
> > /var/run/nscd/passwd
> >
> > f74fb000-f753d000 rwxp f74fb000 00:00 0
> >
> > f753d000-f754e000 r-xp 00000000 ca:02 26359
> > /lib/libaudit.so.0.0.0
> >
> > f754e000-f7550000 rwxp 00010000 ca:02 26359
> > /lib/libaudit.so.0.0.0
> >
> > f7550000-f768b000 r-xp 00000000 ca:02 25372
> > /lib/libc-2.4.so <http://libc-2.4.so>
> >
> > f768b000-f768c000 rwxp 0013a000 ca:02 25372
> > /lib/libc-2.4.so <http://libc-2.4.so>
> >
> > f768c000-f768d000 r-xp 0013b000 ca:02 25372
> > /lib/libc-2.4.so <http://libc-2.4.so>
> >
> > f768d000-f768f000 rwxp 0013c000 ca:02 25372
> > /lib/libc-2.4.so <http://libc-2.4.so>
> >
> > f768f000-f7693000 rwxp f768f000 00:00 0
> >
> > f7693000-f76b8000 r-xp 00000000 ca:02 25380
> > /lib/libm-2.4.so <http://libm-2.4.so>
> >
> > f76b8000-f76ba000 rwxp 00025000 ca:02 25380
> > /lib/libm-2.4.so <http://libm-2.4.so>
> >
> > f76ba000-f76c4000 r-xp 00000000 ca:02 36150
> > /lib/libpam.so.0.81.5
> >
> > f76c4000-f76c5000 rwxp 00009000 ca:02 36150
> > /lib/libpam.so.0.81.5
> >
> > f76c5000-f76c8000 r-xp 00000000 ca:02 25378
> > /lib/libdl-2.4.so <http://libdl-2.4.so>
> >
> > f76c8000-f76ca000 rwxp 00002000 ca:02 25378
> > /lib/libdl-2.4.so <http://libdl-2.4.so>
> >
> > f76ca000-f76d3000 r-xp 00000000 ca:02 25376
> > /lib/libcrypt-2.4.so <http://libcrypt-2.4.so>
> >
> > f76d3000-f76d6000 rwxp 00008000 ca:02 25376
> > /lib/libcrypt-2.4.so <http://libcrypt-2.4.so>
> >
> > f76d6000-f76fd000 rwxp f76d6000 00:00 0
> >
> > f770b000-f7715000 r-xp 00000000 ca:02 30823
> > /lib/libgcc_s.so.1
> >
> > f7715000-f7716000 rwxp 00009000 ca:02 30823
> > /lib/libgcc_s.so.1
> >
> > f7718000-f7719000 rwxp f7718000 00:00 0
> >
> > f7719000-f7735000 r-xp 00000000 ca:02 25365
> > /lib/ld-2.4.so <http://ld-2.4.so>
> >
> > f7735000-f7737000 rwxp 0001b000 ca:02 25365
> /l
> >
> > Program received signal SIGABRT, Aborted.
> >
> > 0xffffe410 in ?? ()
> >
> > (gdb) bt
> >
> > #0  0xffffe410 in ?? ()
> >
> > #1  0x00000006 in ?? ()
> >
> > #2  0x0000704d in ?? ()
> >
> > #3  0xf7578a30 in raise () from /lib/libc.so.6
> >
> > #4  0xf757a153 in abort () from /lib/libc.so.6
> >
> > #5  0xf75ae08b in __libc_message () from /lib/libc.so.6
> >
> > #6  0xf75b3a51 in malloc_printerr () from /lib/libc.so.6
> >
> > #7  0xf75b5224 in free () from /lib/libc.so.6
> >
> > #8  0x0820e9e8 in CRYPTO_free (str=0x8736610) at /102d/s/mem.c:442
> >
> > #9  0x082e15c1 in ssl3_free (s=0x8736430) at /102d/s/s3_lib.c:3047
> >
> > #10 0x0823b034 in tls1_free (s=0x8736430) at /102d/s/t1_lib.c:217
> >
> > #11 0x08230151 in SSL_free (s=0x8736430) at /102d/s/ssl_lib.c:639
> >
> > #12 0x08165dac in closeConnection (pcx=0x86e0400, rsn=0x0, graceful=1
> > '\001') at /App/ftp.c:10098
> >
> > On 25 Feb 2016 2:20 pm, "Mike Mohr" <akihana at gmail.com
> > <mailto:akihana at gmail.com>> wrote:
> >
> >     You'll need to rebuild your application and openssl with debugging
> >     symbols and no optimization, then run it inside gdb to produce a
> >     more useful stack trace. Since you don't include any context or
> >     source code snippets it isn't really possible to help. Can you
> >     produce a reduced test case with source code which reproduces the
> bug?
> >
> >     As long as politics is the shadow cast on society by big business,
> >     the attenuation of the shadow will not change the substance.
> >
> >     John Dewey: The Later Works, 1925-1953; Volume 6, pp. 163
> >
> >     On Feb 24, 2016 11:33 PM, "Vikas TM" <vikas.tm at gmail.com
> >     <mailto:vikas.tm at gmail.com>> wrote:
> >
> >         Hi,
> >
> >         While running my application with openSSL 102d and I encountered
> >         double free error or corruption.
> >
> >         As per few threads suggestion, I have changed getpid() with
> >         pthread_self() in CRYPTO_thread_id(). Still the result is same.
> >
> >         Please let me know if any fix available to this issue.
> >
> >         *** glibc detected *** xxx: double free or corruption (!prev):
> >         0x097b8750 ***
> >
> >         ======= Backtrace: =========
> >
> >         /lib/libc.so.6[0x1768b6]
> >
> >         /lib/libc.so.6(cfree+0x90)[0x179e00]
> >
> >         xxx(CRYPTO_free+0x3a)[0x81b89be]
> >
> >         xxx(ssl_cert_free+0x13f)[0x826fa23]
> >
> >         xxx(SSL_free+0x14d)[0x81d7e08]
> >
> >         Thanks & Regards,
> >         Vikas
> >
> >
> >         --
> >         openssl-users mailing list
> >         To unsubscribe:
> >         https://mta.openssl.org/mailman/listinfo/openssl-users
> >
> >
> >     --
> >     openssl-users mailing list
> >     To unsubscribe:
> https://mta.openssl.org/mailman/listinfo/openssl-users
> >
> >
> >
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160407/9c552977/attachment-0001.html>


More information about the openssl-users mailing list