Valgrind reports false positive issues in OpenSSL for several tests on Debian #5003

sssd-bot opened this issue May 2, 2020 · 0 comments
sssd-bot commented May 2, 2020

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/4033

  • Created at 2019-06-26 09:26:58 by jhrozek
  • Closed at 2020-03-13 14:38:04 as Fixed
  • Assigned to nobody

I'm sorry I didn't run the recent crypto patches through the internal CI, I trusted the github CI, but forgot it doesn't include all operating systems:

On Debian we see failures like this:

==34326== 
==34326== 71 errors in context 34 of 35:
==34326== Use of uninitialised value of size 8
==34326==    at 0x52BA8E9: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==34326==    by 0x52A859E: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==34326==    by 0x51FB9E9: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==34326==    by 0x51FAA42: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==34326==    by 0x51FAEE2: BIO_write (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==34326==    by 0x4BD7538: sss_base64_encode (crypto_base64.c:45)
==34326==    by 0x4BD8964: sss_password_encrypt (crypto_obfuscate.c:182)
==34326==    by 0x10C2E6: test_sss_password_encrypt_decrypt (crypto-tests.c:74)
==34326==    by 0x10E7EA: tcase_run_tfun_nofork.isra.9 (in /var/lib/jenkins/workspace/ci/label/debian_testing/ci-build-debug/.libs/crypto-tests)
==34326==    by 0x10EBAB: srunner_run (in /var/lib/jenkins/workspace/ci/label/debian_testing/ci-build-debug/.libs/crypto-tests)
==34326==    by 0x10B754: main (crypto-tests.c:291)
==34326== 
{
   <insert_a_suppression_name_here>
   Memcheck:Value8
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:BIO_write
   fun:sss_base64_encode
   fun:sss_password_encrypt
   fun:test_sss_password_encrypt_decrypt
   fun:tcase_run_tfun_nofork.isra.9
   fun:srunner_run
   fun:main
}
==34326== 
==34326== 71 errors in context 35 of 35:
==34326== Use of uninitialised value of size 8
==34326==    at 0x52BA8D3: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==34326==    by 0x52A859E: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==34326==    by 0x51FB9E9: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==34326==    by 0x51FAA42: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==34326==    by 0x51FAEE2: BIO_write (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==34326==    by 0x4BD7538: sss_base64_encode (crypto_base64.c:45)
==34326==    by 0x4BD8964: sss_password_encrypt (crypto_obfuscate.c:182)
==34326==    by 0x10C2E6: test_sss_password_encrypt_decrypt (crypto-tests.c:74)
==34326==    by 0x10E7EA: tcase_run_tfun_nofork.isra.9 (in /var/lib/jenkins/workspace/ci/label/debian_testing/ci-build-debug/.libs/crypto-tests)
==34326==    by 0x10EBAB: srunner_run (in /var/lib/jenkins/workspace/ci/label/debian_testing/ci-build-debug/.libs/crypto-tests)
==34326==    by 0x10B754: main (crypto-tests.c:291)
==34326== 
{
   <insert_a_suppression_name_here>
   Memcheck:Value8
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:BIO_write
   fun:sss_base64_encode
   fun:sss_password_encrypt
   fun:test_sss_password_encrypt_decrypt
   fun:tcase_run_tfun_nofork.isra.9
   fun:srunner_run
   fun:main
}

I haven't looked into whether the suppression needs to be amended or whether there is a genuine leak.

Comments


Comment from jhrozek at 2019-06-26 09:27:32

CC @atikhonov


Comment from jhrozek at 2019-06-26 09:28:37

Also pam_srv_test fails with:

==32504== 
==32504== 19 errors in context 87 of 87:
==32504== Conditional jump or move depends on uninitialised value(s)
==32504==    at 0x4F93D7B: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==32504==    by 0x4F943AC: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==32504==    by 0x4F951FA: RAND_DRBG_generate (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==32504==    by 0x4F95480: RAND_DRBG_bytes (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==32504==    by 0x4902554: s3crypt_gen_salt (crypto_sha512crypt.c:377)
==32504==    by 0x4893DA0: sysdb_cache_password_ex (sysdb_ops.c:3219)
==32504==    by 0x1266E1: test_pam_offline_auth_success (test_pam_srv.c:1580)
==32504==    by 0x485A0D8: ??? (in /usr/lib/x86_64-linux-gnu/libcmocka.so.0.5.1)
==32504==    by 0x485AA48: _cmocka_run_group_tests (in /usr/lib/x86_64-linux-gnu/libcmocka.so.0.5.1)
==32504==    by 0x112821: main (test_pam_srv.c:3205)
==32504== 
{
   <insert_a_suppression_name_here>
   Memcheck:Cond
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_generate
   fun:RAND_DRBG_bytes
   fun:s3crypt_gen_salt
   fun:sysdb_cache_password_ex
   fun:test_pam_offline_auth_success
   obj:/usr/lib/x86_64-linux-gnu/libcmocka.so.0.5.1
   fun:_cmocka_run_group_tests
   fun:main
}

Comment from jhrozek at 2019-06-26 09:29:48

btw I think I remember Alexey told me that openssl on Debian was broken, IIRC they picked a bad release by accident between two good releases. But maybe if there is already a fixed version somewhere, we could install it on our CI machines?


Comment from jhrozek at 2019-06-26 09:30:26

And finally sysdb tests:

==33786== 4 errors in context 17 of 19:
==33786== Use of uninitialised value of size 8
==33786==    at 0x4C62608: b64_from_24bit (crypto_sha512crypt.c:62)
==33786==    by 0x4C62608: s3crypt_gen_salt (crypto_sha512crypt.c:386)
==33786==    by 0x4BF5DA0: sysdb_cache_password_ex (sysdb_ops.c:3219)
==33786==    by 0x113BDB: test_sysdb_cache_password (sysdb-tests.c:2134)
==33786==    by 0x12D88A: tcase_run_tfun_nofork.isra.9 (in /var/lib/jenkins/workspace/ci/label/debian_testing/ci-build-debug/.libs/sysdb-tests)
==33786==    by 0x12DC4B: srunner_run (in /var/lib/jenkins/workspace/ci/label/debian_testing/ci-build-debug/.libs/sysdb-tests)
==33786==    by 0x10E319: main (sysdb-tests.c:7812)
==33786== 
{
   <insert_a_suppression_name_here>
   Memcheck:Value8
   fun:b64_from_24bit
   fun:s3crypt_gen_salt
   fun:sysdb_cache_password_ex
   fun:test_sysdb_cache_password
   fun:tcase_run_tfun_nofork.isra.9
   fun:srunner_run
   fun:main
}

Comment from atikhonov at 2019-06-26 11:23:36

> I'm sorry I didn't run the recent crypto patches through the internal CI

This issue has nothing to do with recent patches.
The reason is the update of openssl packaged on the Debian machine:
Jun 16: Unpacking openssl (1.1.1c-1) over (1.1.1b-2) ...

Issue was introduced here: openssl/openssl@b3d113e
And was fixed here: openssl/openssl@700c5b8

Fix is picked up in Fedora package.


Comment from jhrozek at 2019-07-04 10:47:26

So I guess we can just close this ticket?


Comment from atikhonov at 2019-07-04 11:46:03

> So I guess we can just close this ticket?

If we do not plan to take any action to see if the Debian OpenSSL package could be fixed, then we can close this ticket.


Comment from pbrezina at 2020-03-13 14:37:26

Metadata Update from @pbrezina:

  • Issue tagged with: Canditate to close

Comment from pbrezina at 2020-03-13 14:37:45

We added debian-wise valgrind suppression.
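
An added example, not part of the original thread and not SSSD's actual suppression file: the suppressions Memcheck generated above pin every frame down to the individual test function and `main`, so each test needs its own entry. The sketch below parses Memcheck error contexts and emits one suppression cut at the first project function that called into the shared library, and refuses to emit one when the innermost frame is project source. The names `parse_contexts`, `boundary_suppression` and the suppression name are hypothetical.

```python
import re

# Constructed sample shaped like the Memcheck output in this thread
# (frames shortened; PID and addresses are placeholders).
SAMPLE_LOG = """\
==1== Conditional jump or move depends on uninitialised value(s)
==1==    at 0x1: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==1==    by 0x2: RAND_DRBG_generate (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==1==    by 0x3: RAND_DRBG_bytes (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==1==    by 0x4: s3crypt_gen_salt (crypto_sha512crypt.c:377)
==1==    by 0x5: test_pam_offline_auth_success (test_pam_srv.c:1580)
==1==
==1== Use of uninitialised value of size 8
==1==    at 0x6: b64_from_24bit (crypto_sha512crypt.c:62)
==1==    by 0x7: s3crypt_gen_salt (crypto_sha512crypt.c:386)
==1==    by 0x8: test_sysdb_cache_password (sysdb-tests.c:2134)
==1==
"""

KINDS = [(re.compile(r"Conditional jump or move depends on"), "Cond"),
         (re.compile(r"Use of uninitialised value of size (\d+)"), "Value")]
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((in )?.+\)$")

def parse_contexts(log):
    """Return [(memcheck_kind, [(function, in_shared_object), ...]), ...]."""
    contexts = []
    for line in log.splitlines():
        for rx, kind in KINDS:
            m = rx.search(line)
            if m:
                contexts.append((kind + "".join(m.groups()), []))
        f = FRAME.match(line)
        if f and contexts:
            contexts[-1][1].append((f.group(1), f.group(2) is not None))
    return contexts

def boundary_suppression(kind, frames, name):
    """Suppression cut at the first project caller; None if the fault is in project code."""
    if not frames or not frames[0][1]:
        return None  # innermost frame is project source: review by hand, do not suppress
    lines = ["{", f"   {name}", f"   Memcheck:{kind}", "   ..."]
    for func, in_lib in frames:
        entry = "   ..." if func == "???" else f"   fun:{func}"
        if not (entry == "   ..." and lines[-1] == entry):
            lines.append(entry)
        if not in_lib:
            break  # keep the project function that called the library, drop test frames
    return "\n".join(lines + ["}"])
```

A suppression file produced this way is passed to Valgrind with `--suppressions=<file>`; a context for which the function returns `None` is left visible in the report for manual review.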


Comment from pbrezina at 2020-03-13 14:38:05

Metadata Update from @pbrezina:

  • Custom field design_review adjusted to on
  • Custom field mark adjusted to on
  • Custom field patch adjusted to on
  • Custom field review adjusted to on
  • Custom field sensitive adjusted to on
  • Custom field testsupdated adjusted to on
  • Issue close_status updated to: Fixed
  • Issue status updated to: Closed (was: Open)
@sssd-bot sssd-bot added the Closed: Fixed Issue was closed as fixed. label May 2, 2020
@sssd-bot sssd-bot closed this as completed May 2, 2020