Chasing an SSL stream segfault

13 years ago by Rasmus Lerdorf — view source — reply

unread

This standalone self-contained test script segfaults on Centos 6.2 for
me with PHP 5.4:

https://gist.github.com/anonymous/5289189

The Valgrind output is:

https://gist.github.com/anonymous/5289189

So it is as if SSL_CTX_use_certificate_chain_file() is calling
ASN1_item_free() on something that it needs later.

On Debian, FreeBSD and Ubuntu, I don't get a crash and the script works,
but Valgrind still complains at least on Ubuntu with:

==12085== Uninitialised value was created by a stack allocation
==12085== at 0x7B54530: ASN1_STRING_to_UTF8 (in
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)

And it was accessed from:

==12085== Conditional jump or move depends on uninitialised value(s)
==12085== at 0x7B657AB: ASN1_STRING_set (in
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==12085== by 0x7B5349C: ASN1_mbstring_ncopy (in
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==12085== by 0x7B536C3: ASN1_mbstring_copy (in
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==12085== by 0x7B54584: ASN1_STRING_to_UTF8 (in
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==12085== by 0x7B559A2: ??? (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==12085== by 0x7B55F06: ??? (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==12085== by 0x7B5C442: ASN1_item_ex_d2i (in
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==12085== by 0x7B5CFFF: ??? (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==12085== by 0x7B5D247: ??? (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==12085== by 0x7B5CAB0: ASN1_item_ex_d2i (in
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==12085== by 0x7B5CFFF: ??? (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==12085== by 0x7B5D247: ??? (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==12085== by 0x7B5CAB0: ASN1_item_ex_d2i (in
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==12085== by 0x7B5D3D3: ASN1_item_d2i (in
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==12085== by 0x7B561E5: d2i_X509_AUX (in
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==12085== by 0x7B6BD07: PEM_ASN1_read_bio (in
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==12085== by 0x7842771: SSL_CTX_use_certificate_chain_file (in
/lib/x86_64-linux-gnu/libssl.so.1.0.0)
==12085== by 0x47AE6B: php_SSL_new_from_context (openssl.c:4552)

This same problem appears across PHP 5.3, 5.4 and 5.5 with different
openssl library versions, so I think we are calling the openssl
incorrectly somehow there. Somehow related to a realloc during UTF8
conversion deep in the library perhaps? Does anyone see what we might
have gotten wrong in this function?

http://lxr.php.net/xref/PHP_5_4/ext/openssl/openssl.c#4492

-Rasmus

13 years ago by Rasmus Lerdorf — view source — reply

unread

This standalone self-contained test script segfaults on Centos 6.2 for
me with PHP 5.4:

https://gist.github.com/anonymous/5289189

Oops, the script gist is actually:

https://gist.github.com/anonymous/5288886

-Rasmus

13 years ago by Rasmus Lerdorf — view source — reply

unread

==12085== Uninitialised value was created by a stack allocation
==12085== at 0x7B54530: ASN1_STRING_to_UTF8 (in
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0)

Looks like these ASN1_STRING_to_UTF8 ones are normal for libcrypto.
Really hard to debug openssl stuff with all these Valgrind false
positives. Still trying to track down the core on Centos 6.2. Looks like
a weird build issue at this point.

-Rasmus

13 years ago by Michael Wallner — view source — reply

unread

Looks like these ASN1_STRING_to_UTF8 ones are normal for libcrypto.
Really hard to debug openssl stuff with all these Valgrind false
positives. Still trying to track down the core on Centos 6.2. Looks like
a weird build issue at this point.

Might not be related, but looks like we call
SSL_CTX_use_certificate_chain_file with too less arguments:
http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html (note the type
parameter, apparently since 0.9.8).

--
Regards,
Mike

13 years ago by Michael Wallner — view source — reply

unread

Looks like these ASN1_STRING_to_UTF8 ones are normal for libcrypto.
Really hard to debug openssl stuff with all these Valgrind false
positives. Still trying to track down the core on Centos 6.2. Looks like
a weird build issue at this point.

Might not be related, but looks like we call
SSL_CTX_use_certificate_chain_file with too less arguments:
http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html (note the
type parameter, apparently since 0.9.8).

The openssl extension might need some refreshing review in general then...

--
Regards,
Mike

13 years ago by Michael Wallner — view source — reply

unread

Looks like these ASN1_STRING_to_UTF8 ones are normal for libcrypto.
Really hard to debug openssl stuff with all these Valgrind false
positives. Still trying to track down the core on Centos 6.2. Looks like
a weird build issue at this point.

Might not be related, but looks like we call
SSL_CTX_use_certificate_chain_file with too less arguments:
http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html (note the
type parameter, apparently since 0.9.8).

Nevermind, I actually confused *_chain_file with *_file ...

--
Regards,
Mike