Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:66886 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 81077 invoked from network); 2 Apr 2013 02:49:37 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 2 Apr 2013 02:49:37 -0000 Authentication-Results: pb1.pair.com smtp.mail=rasmus@lerdorf.com; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=rasmus@lerdorf.com; sender-id=unknown Received-SPF: error (pb1.pair.com: domain lerdorf.com from 209.85.128.170 cause and error) X-PHP-List-Original-Sender: rasmus@lerdorf.com X-Host-Fingerprint: 209.85.128.170 mail-ve0-f170.google.com Received: from [209.85.128.170] ([209.85.128.170:64939] helo=mail-ve0-f170.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id A0/94-56336-0474A515 for ; Mon, 01 Apr 2013 21:49:37 -0500 Received: by mail-ve0-f170.google.com with SMTP id 15so3322457vea.15 for ; Mon, 01 Apr 2013 19:49:34 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:message-id:date:from:user-agent:mime-version:to:subject :x-enigmail-version:content-type:content-transfer-encoding :x-gm-message-state; bh=bTPZcYfvAYbStu9tqMutkOcT8dMq6OL3kTXUXgFajqE=; b=Agvn1bFjb3Zp00RzPFjfGSJXWRCYasUqeQlqlB6aI21d9ypCZPwk7FQhv8SH1Vj5pm aFWgqUhs/7fibyZMhx+qMELmwrHLLNpKNWDeqhvf6Qn3vi4dyJqWysujaIN5ZnMQFutl CZxI0mArLHgh1oyeQfAjX6P7wuduqvCyd2vcRrov4G6NVF0dAlFAJX/uDuXItKnmHglA bWYLcFx+x0cG82BmRLJ9gtoROpkop1jMxl56j8ctBf6NZaWA1xPsqsIjpqKlNKFhYcLV n6Hf1LwxZSxQkkiUSoym3FNtu1N4OlFVrj60Ke3KkK0R0vt7IDaKC7dJTeeX22oPTq+A Eqpg== X-Received: by 10.52.73.73 with SMTP id j9mr9440591vdv.124.1364870973865; Mon, 01 Apr 2013 19:49:33 -0700 (PDT) Received: from [192.168.200.148] (c-50-131-44-225.hsd1.ca.comcast.net. [50.131.44.225]) by mx.google.com with ESMTPS id kf8sm16854601vec.4.2013.04.01.19.49.32 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 01 Apr 2013 19:49:33 -0700 (PDT) Message-ID: <515A473B.7090207@lerdorf.com> Date: Mon, 01 Apr 2013 19:49:31 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130308 Thunderbird/17.0.4 MIME-Version: 1.0 To: PHP internals X-Enigmail-Version: 1.4.6 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Gm-Message-State: ALoCoQnAa8s4cZZ9bf/kPZM/JxGQHwiWmQDBFZ+jJ+VciwyijJEhfX70BTffQJdCR88p2WEKBHX6 Subject: Chasing an SSL stream segfault From: rasmus@lerdorf.com (Rasmus Lerdorf) This standalone self-contained test script segfaults on Centos 6.2 for me with PHP 5.4: https://gist.github.com/anonymous/5289189 The Valgrind output is: https://gist.github.com/anonymous/5289189 So it is as if SSL_CTX_use_certificate_chain_file() is calling ASN1_item_free() on something that it needs later. On Debian, FreeBSD and Ubuntu, I don't get a crash and the script works, but Valgrind still complains at least on Ubuntu with: ==12085== Uninitialised value was created by a stack allocation ==12085== at 0x7B54530: ASN1_STRING_to_UTF8 (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0) And it was accessed from: ==12085== Conditional jump or move depends on uninitialised value(s) ==12085== at 0x7B657AB: ASN1_STRING_set (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0) ==12085== by 0x7B5349C: ASN1_mbstring_ncopy (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0) ==12085== by 0x7B536C3: ASN1_mbstring_copy (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0) ==12085== by 0x7B54584: ASN1_STRING_to_UTF8 (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0) ==12085== by 0x7B559A2: ??? (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0) ==12085== by 0x7B55F06: ??? (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0) ==12085== by 0x7B5C442: ASN1_item_ex_d2i (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0) ==12085== by 0x7B5CFFF: ??? (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0) ==12085== by 0x7B5D247: ??? (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0) ==12085== by 0x7B5CAB0: ASN1_item_ex_d2i (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0) ==12085== by 0x7B5CFFF: ??? (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0) ==12085== by 0x7B5D247: ??? (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0) ==12085== by 0x7B5CAB0: ASN1_item_ex_d2i (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0) ==12085== by 0x7B5D3D3: ASN1_item_d2i (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0) ==12085== by 0x7B561E5: d2i_X509_AUX (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0) ==12085== by 0x7B6BD07: PEM_ASN1_read_bio (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0) ==12085== by 0x7842771: SSL_CTX_use_certificate_chain_file (in /lib/x86_64-linux-gnu/libssl.so.1.0.0) ==12085== by 0x47AE6B: php_SSL_new_from_context (openssl.c:4552) This same problem appears across PHP 5.3, 5.4 and 5.5 with different openssl library versions, so I think we are calling the openssl incorrectly somehow there. Somehow related to a realloc during UTF8 conversion deep in the library perhaps? Does anyone see what we might have gotten wrong in this function? http://lxr.php.net/xref/PHP_5_4/ext/openssl/openssl.c#4492 -Rasmus