Random and rare Seg faults at openssl library level

Michael Wojcik Michael.Wojcik at microfocus.com
Wed Jan 6 20:57:41 UTC 2021


> From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Gimhani Uthpala
> Sent: Wednesday, 6 January, 2021 10:10

> I'm running an application which uses openssl for secure communication between
> processes. I am getting seg-faults at openssl level. This only occurred very
> randomly and the following are stacks that seg faults  at openssl level in the
> given 2 cases.

> We are using openssl 1.0.2k.

Sometimes you see a question that nearly answers itself.

You're using a release that's approaching four years old, and which is unsupported, unless you have a premium support contract from openssl.org or similar through another vendor. If you do, that's whom you should ask.

In any case, why are you using 1.0.2k? At the very least you should be using the final 1.0.2 release -- and then only if you absolutely can't move to 1.1.1 (generally because you need FIPS validation, but you don't mention FIPS). And then you need a premium support contract, if this is a commercial product. Particularly these days it's very hard to forgive a commercial-software vendor using an outdated, unsupported third-party component.

The most recent version of 1.0.2 that I happen to have lying around is 1.0.2n, and there's nothing in the changelog between 1.0.2k and 1.0.2n which looks likely to cause this particular problem (though CVE-2017-3735 is a slight contender). But that just means the cause isn't anything obvious between k and n.

> Went through the security vulnerabilities list for this version but couldn't
> find a clue. Running valgrind too didn't give an exact clue related to the issue.
> Can you please guide me how can I find the exact root cause for the seg fault?

The same way you'd track down an intermittent cause of Undefined Behavior in any other program: some combination of dynamic monitoring, symbolic execution, static code analysis, source code review, testing variants, tracing, fuzzing, post-mortem analysis, and so on. This isn't specific to OpenSSL.

But you're asking the wrong question. The correct question is: Why are you using an outdated version of OpenSSL?

--
Michael Wojcik


More information about the openssl-users mailing list