Segfault with MD5 in axTLS

From: Dan Fandrich <dan_at_coneharvesters.com>
Date: Fri, 6 Feb 2015 00:17:58 +0100

The new md5 code added in the last 3 days has caused builds using axTLS to
segfault. Here's a trace of curl from git HEAD run against the test suite
server under valgrind using axTLS 1.4.9 on x86 Linux:

$ LD_LIBRARY_PATH=lib/.libs valgrind --num-callers=16 src/.libs/curl --max-time 13 --output log/https_verify.out --silent --verbose --globoff -1 --insecure "https://127.0.0.1:8991/verifiedserver"
==18403== Memcheck, a memory error detector
==18403== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==18403== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==18403== Command: src/.libs/curl --max-time 13 --output log/https_verify.out --silent --verbose --globoff -1 --insecure https://127.0.0.1:8991/verifiedserver
==18403==
* STATE: INIT => CONNECT handle 0x42ee284; line 1034 (connection #-5000)
* Added connection 0. The cache now contains 1 members
* Trying 127.0.0.1...
* STATE: CONNECT => WAITCONNECT handle 0x42ee284; line 1087 (connection #0)
* Connected to 127.0.0.1 (127.0.0.1) port 8991 (#0)
* Marked for [keep alive]: HTTP default
Error: Invalid X509 ASN.1 file (Unsupported digest)
Error: Invalid X509 ASN.1 file (Unsupported digest)
Error: Invalid X509 ASN.1 file (Unsupported digest)
Error: Invalid X509 ASN.1 file (Unsupported digest)
Error: Invalid X509 ASN.1 file (X509 not ok)
Error: Invalid X509 ASN.1 file (Unsupported digest)
Error: Invalid X509 ASN.1 file (Unsupported digest)
Error: Invalid X509 ASN.1 file (Unsupported digest)
Error: Invalid X509 ASN.1 file (Unsupported digest)
Error: Invalid X509 ASN.1 file (Unsupported digest)
Error: Invalid X509 ASN.1 file (Unsupported digest)
* found certificates in /etc/pki/tls/certs/ca-bundle.crt
* STATE: WAITCONNECT => PROTOCONNECT handle 0x42ee284; line 1223 (connection #0)
==18403== Invalid read of size 4
==18403== at 0x402B0B0: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==18403== by 0x4072BD3: MD5_Update (md5.c:413)
==18403== by 0x40980EC: hmac_md5 (hmac.c:70)
==18403== Address 0xc is not stack'd, malloc'd or (recently) free'd
==18403==
==18403==
==18403== Process terminating with default action of signal 11 (SIGSEGV)
==18403== Access not within mapped region at address 0xC
==18403== at 0x402B0B0: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==18403== by 0x4072BD3: MD5_Update (md5.c:413)
==18403== by 0x40980EC: hmac_md5 (hmac.c:70)
==18403== If you believe this happened as a result of a stack
==18403== overflow in your program's main thread (unlikely but
==18403== possible), you can try to increase the size of the
==18403== main thread stack using the --main-stacksize= flag.
==18403== The main thread stack size used in this run was 8388608.
==18403==
==18403== HEAP SUMMARY:
==18403== in use at exit: 786,356 bytes in 4,429 blocks
==18403== total heap usage: 6,743 allocs, 2,314 frees, 3,406,456 bytes allocated
==18403==
==18403== LEAK SUMMARY:
==18403== definitely lost: 0 bytes in 0 blocks
==18403== indirectly lost: 0 bytes in 0 blocks
==18403== possibly lost: 74,281 bytes in 71 blocks
==18403== still reachable: 712,075 bytes in 4,358 blocks
==18403== suppressed: 0 bytes in 0 blocks
==18403== Rerun with --leak-check=full to see details of leaked memory
==18403==
==18403== For counts of detected and suppressed errors, rerun with: -v
==18403== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault

I'm not sure why the stack trace is so short or why that hmac.c line number
doesn't make sense; I assume that the stack is being corrupted prior to this
issue without valgrind noticing.

Running the same thing under Mudflap shows a whole ton of warnings. I'm
attaching the first few below, ending with a couple of errors in md5.c.

*******
mudflap violation 1 (check/read): time=1423178032.181795 ptr=0xb776ec10 size=6
pc=0xb73a4855 location=`(strlen region)'
      /lib/libmudflap.so.0(__mf_check+0x45) [0xb73a4855]
      /lib/libmudflap.so.0(__mfwrap_strlen+0xa5) [0xb73a9015]
      lib/.libs/libcurl.so.4(+0xc142b) [0xb75b542b]
Nearby object 1: checked region begins 3791B after and ends 3796B after
mudflap object 0x8bce8d8: name=`string literal'
bounds=[0xb776dd2c,0xb776dd41] size=22 area=static check=0r/0w liveness=0
alloc time=1423178032.180038 pc=0xb73a4cb5
Nearby object 2: checked region begins 3635B after and ends 3640B after
mudflap object 0x8bce940: name=`string literal'
bounds=[0xb776ddc6,0xb776dddd] size=24 area=static check=0r/0w liveness=0
alloc time=1423178032.180039 pc=0xb73a4cb5
Nearby object 3: checked region begins 3626B after and ends 3631B after
mudflap object 0x8bce9a8: name=`string literal'
bounds=[0xb776ddde,0xb776dde6] size=9 area=static check=3r/0w liveness=3
alloc time=1423178032.180039 pc=0xb73a4cb5
number of nearby objects: 3
*******
mudflap violation 2 (check/read): time=1423178032.181900 ptr=0xb776ec10 size=1
pc=0xb73a4855 location=`/home/dan/src/curl-git/lib/mprintf.c:821:27 (dprintf_formatf)'
      /lib/libmudflap.so.0(__mf_check+0x45) [0xb73a4855]
      lib/.libs/libcurl.so.4(+0xc16ef) [0xb75b56ef]
      lib/.libs/libcurl.so.4(curl_mvsnprintf+0x83) [0xb75b7e10]
number of nearby objects: 0
*******
mudflap violation 3 (check/read): time=1423178032.181961 ptr=0xb776ec10 size=1
pc=0xb73a4855 location=`/home/dan/src/curl-git/lib/mprintf.c:822:41 (dprintf_formatf)'
      /lib/libmudflap.so.0(__mf_check+0x45) [0xb73a4855]
      lib/.libs/libcurl.so.4(+0xc1633) [0xb75b5633]
      lib/.libs/libcurl.so.4(curl_mvsnprintf+0x83) [0xb75b7e10]
number of nearby objects: 0
*******
mudflap violation 4 (check/read): time=1423178032.182020 ptr=0xb776ec11 size=1
pc=0xb73a4855 location=`/home/dan/src/curl-git/lib/mprintf.c:821:27 (dprintf_formatf)'
      /lib/libmudflap.so.0(__mf_check+0x45) [0xb73a4855]
      lib/.libs/libcurl.so.4(+0xc16ef) [0xb75b56ef]
      lib/.libs/libcurl.so.4(curl_mvsnprintf+0x83) [0xb75b7e10]
number of nearby objects: 0
*******
mudflap violation 5 (check/read): time=1423178032.182078 ptr=0xb776ec11 size=1
pc=0xb73a4855 location=`/home/dan/src/curl-git/lib/mprintf.c:822:41 (dprintf_formatf)'
      /lib/libmudflap.so.0(__mf_check+0x45) [0xb73a4855]
      lib/.libs/libcurl.so.4(+0xc1633) [0xb75b5633]
      lib/.libs/libcurl.so.4(curl_mvsnprintf+0x83) [0xb75b7e10]
number of nearby objects: 0
*******
mudflap violation 6 (check/read): time=1423178032.182137 ptr=0xb776ec12 size=1
pc=0xb73a4855 location=`/home/dan/src/curl-git/lib/mprintf.c:821:27 (dprintf_formatf)'
      /lib/libmudflap.so.0(__mf_check+0x45) [0xb73a4855]
      lib/.libs/libcurl.so.4(+0xc16ef) [0xb75b56ef]
      lib/.libs/libcurl.so.4(curl_mvsnprintf+0x83) [0xb75b7e10]
number of nearby objects: 0
*******
mudflap violation 7 (check/read): time=1423178032.182195 ptr=0xb776ec12 size=1
pc=0xb73a4855 location=`/home/dan/src/curl-git/lib/mprintf.c:822:41 (dprintf_formatf)'
      /lib/libmudflap.so.0(__mf_check+0x45) [0xb73a4855]
      lib/.libs/libcurl.so.4(+0xc1633) [0xb75b5633]
      lib/.libs/libcurl.so.4(curl_mvsnprintf+0x83) [0xb75b7e10]
number of nearby objects: 0
*******
mudflap violation 8 (check/read): time=1423178032.182254 ptr=0xb776ec13 size=1
pc=0xb73a4855 location=`/home/dan/src/curl-git/lib/mprintf.c:821:27 (dprintf_formatf)'
      /lib/libmudflap.so.0(__mf_check+0x45) [0xb73a4855]
      lib/.libs/libcurl.so.4(+0xc16ef) [0xb75b56ef]
      lib/.libs/libcurl.so.4(curl_mvsnprintf+0x83) [0xb75b7e10]
number of nearby objects: 0
*******
mudflap violation 9 (check/read): time=1423178032.182312 ptr=0xb776ec13 size=1
pc=0xb73a4855 location=`/home/dan/src/curl-git/lib/mprintf.c:822:41 (dprintf_formatf)'
      /lib/libmudflap.so.0(__mf_check+0x45) [0xb73a4855]
      lib/.libs/libcurl.so.4(+0xc1633) [0xb75b5633]
      lib/.libs/libcurl.so.4(curl_mvsnprintf+0x83) [0xb75b7e10]
number of nearby objects: 0
*******
mudflap violation 10 (check/read): time=1423178032.182371 ptr=0xb776ec14 size=1
pc=0xb73a4855 location=`/home/dan/src/curl-git/lib/mprintf.c:821:27 (dprintf_formatf)'
      /lib/libmudflap.so.0(__mf_check+0x45) [0xb73a4855]
      lib/.libs/libcurl.so.4(+0xc16ef) [0xb75b56ef]
      lib/.libs/libcurl.so.4(curl_mvsnprintf+0x83) [0xb75b7e10]
number of nearby objects: 0
*******
mudflap violation 11 (check/read): time=1423178032.182433 ptr=0xb776ec14 size=1
pc=0xb73a4855 location=`/home/dan/src/curl-git/lib/mprintf.c:822:41 (dprintf_formatf)'
      /lib/libmudflap.so.0(__mf_check+0x45) [0xb73a4855]
      lib/.libs/libcurl.so.4(+0xc1633) [0xb75b5633]
      lib/.libs/libcurl.so.4(curl_mvsnprintf+0x83) [0xb75b7e10]
number of nearby objects: 0
* STATE: INIT => CONNECT handle 0x8bf0f74; line 1034 (connection #-5000)
* Added connection 0. The cache now contains 1 members
* Trying 127.0.0.1...
* STATE: CONNECT => WAITCONNECT handle 0x8bf0f74; line 1087 (connection #0)
* Connected to 127.0.0.1 (127.0.0.1) port 8991 (#0)
* Marked for [keep alive]: HTTP default
*******
mudflap violation 12 (check/write): time=1423178032.358527 ptr=0xbfa0cb58 size=12
pc=0xb73a4855 location=`/home/dan/src/curl-git/lib/md5.c:373:10 (MD5_Init)'
      /lib/libmudflap.so.0(__mf_check+0x45) [0xb73a4855]
      lib/.libs/libcurl.so.4(+0x13d3a0) [0xb76313a0]
      lib/.libs/libcurl.so.4(x509_new+0x21b) [0xb76b3d9c]
Nearby object 1: checked region begins 524B before and ends 513B before
mudflap object 0x8c11338: name=`/home/dan/src/curl-git/lib/vtls/axtls.c:146:10 (connect_prep) ssl_idsize'
bounds=[0xbfa0cd64,0xbfa0cd67] size=4 area=stack check=0r/0w liveness=0
alloc time=1423178032.191694 pc=0xb73a4cb5
Nearby object 2: checked region begins 528B before and ends 517B before
mudflap object 0x8c10940: name=`/home/dan/src/curl-git/lib/vtls/axtls.c:145:18 (connect_prep) ssl_sessionid'
bounds=[0xbfa0cd68,0xbfa0cd6b] size=4 area=stack check=0r/0w liveness=0
alloc time=1423178032.191693 pc=0xb73a4cb5
Nearby object 3: checked region begins 532B before and ends 521B before
mudflap object 0x8c10b08: name=`/home/dan/src/curl-git/lib/vtls/axtls.c:143:7 (connect_prep) key_types'
bounds=[0xbfa0cd6c,0xbfa0cd7b] size=16 area=stack check=0r/1w liveness=1
alloc time=1423178032.191693 pc=0xb73a4cb5
Nearby object 5: checked region begins 1297B into and ends 1308B into
mudflap dead object 0x8bff2f8: name=`/home/dan/src/curl-git/lib/sendf.c:133:10 (Curl_infof) print_buffer'
bounds=[0xbfa0c647,0xbfa0ce47] size=2049 area=stack check=0r/11w liveness=11
alloc time=1423178032.191626 pc=0xb73a4cb5
dealloc time=1423178032.191689 pc=0xb73a542d
number of nearby objects: 5
*******
mudflap violation 13 (check/write): time=1423178032.358631 ptr=0xbfa0cb58 size=16
pc=0xb73a4855 location=`/home/dan/src/curl-git/lib/md5.c:374:10 (MD5_Init)'
      /lib/libmudflap.so.0(__mf_check+0x45) [0xb73a4855]
      lib/.libs/libcurl.so.4(+0x13d41d) [0xb763141d]
      lib/.libs/libcurl.so.4(x509_new+0x21b) [0xb76b3d9c]
Nearby object 1: checked region begins 524B before and ends 509B before
mudflap object 0x8c11338: name=`/home/dan/src/curl-git/lib/vtls/axtls.c:146:10 (connect_prep) ssl_idsize'
Nearby object 2: checked region begins 528B before and ends 513B before
mudflap object 0x8c10940: name=`/home/dan/src/curl-git/lib/vtls/axtls.c:145:18 (connect_prep) ssl_sessionid'
Nearby object 3: checked region begins 532B before and ends 517B before
mudflap object 0x8c10b08: name=`/home/dan/src/curl-git/lib/vtls/axtls.c:143:7 (connect_prep) key_types'
Nearby object 5: checked region begins 1297B into and ends 1312B into
mudflap dead object 0x8bff2f8: name=`/home/dan/src/curl-git/lib/sendf.c:133:10 (Curl_infof) print_buffer'
number of nearby objects: 5
*******

>>> Dan
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-02-06
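In the mudflap frames above, axTLS's x509_new calls MD5_Init in curl's own lib/md5.c (line 373), i.e. a symbol name used by one code base resolves to a definition in another. As an added example, not part of Dan's post or of the curl or axTLS projects, the script below lists the symbol names that two libraries both define, so such a clash can be found before the resulting binary is run. It assumes GNU binutils `nm` for the real-library wrapper; the two listings the demo runs on are constructed samples with made-up addresses, not real `nm` output.

```sh
#!/bin/sh
# Added example (not from the mailing-list post or the curl project): find
# symbol names that two libraries both define. When two bodies of code in one
# process both define a name such as MD5_Init, every unprotected reference to
# that name binds to whichever definition the linker sees first, so one
# library can end up running the other's function on its own context struct.
# Assumes GNU binutils `nm`; the parser itself only needs awk, sort and comm.
LC_ALL=C
export LC_ALL

# Read `nm` style lines ("addr TYPE name", or "   U name" for undefined
# symbols) on stdin and print the names of defined global symbols, sorted.
exported_names() {
    awk '$2 ~ /^[TDBWVRiu]$/ { print $3 }' | sort -u
}

# Print the names defined in both nm listings ($1 and $2 are files).
dup_exports() {
    na=$(mktemp) || return 1
    nb=$(mktemp) || { rm -f "$na"; return 1; }
    exported_names < "$1" > "$na"
    exported_names < "$2" > "$nb"
    comm -12 "$na" "$nb"
    rm -f "$na" "$nb"
}

# Compare the dynamic exports of two real shared objects, e.g.
#   dup_exports_libs lib/.libs/libcurl.so.4 /usr/lib/libaxtls.so
# For a static archive use `nm --defined-only libfoo.a` instead of `nm -D`.
dup_exports_libs() {
    la=$(mktemp) || return 1
    lb=$(mktemp) || { rm -f "$la"; return 1; }
    nm -D --defined-only "$1" > "$la"
    nm -D --defined-only "$2" > "$lb"
    dup_exports "$la" "$lb"
    rm -f "$la" "$lb"
}

# Constructed sample listings (made-up addresses, a handful of names) standing
# in for `nm` output of a libcurl built with its own MD5 code and of libaxtls.
# The undefined `U memcpy` line shows that references are ignored.
demo_dup_exports() {
    sa=$(mktemp) || return 1
    sb=$(mktemp) || { rm -f "$sa"; return 1; }
    cat > "$sa" <<'EOF'
0000000000023d40 T curl_easy_init
0000000000024100 T curl_easy_perform
000000000013d3a0 T MD5_Init
000000000013d41d T MD5_Update
000000000013d500 T MD5_Final
EOF
    cat > "$sb" <<'EOF'
0000000000011c20 T ssl_ctx_new
0000000000014a10 T x509_new
0000000000012e70 T hmac_md5
0000000000010b90 T MD5_Init
0000000000010c40 T MD5_Update
0000000000010d80 T MD5_Final
                 U memcpy
EOF
    dup_exports "$sa" "$sb"
    rm -f "$sa" "$sb"
}

# Prints the three clashing names: MD5_Final, MD5_Init, MD5_Update.
demo_dup_exports
```

A shared name is only harmful when a library's internal references can be redirected to the other definition; binking with `-Bsymbolic`, hidden visibility or a version script keeps a library's calls to its own functions bound locally, but the robust fix for a library is to give its own helpers a project-specific prefix so generic names like MD5_Init never become exported symbols at all.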