tabraham added a commit to tabraham/lftp that referenced this issue Jan 26, 2024
If the instance isn't deinitialized prior to exit, the
OPENSSL_cleanup exit handler may run before the
lftp_ssl_openssl_instance destructor on exit resulting
in a segfault.
This fixes a null deref on exit.
Fixes lavv17#716
I'm analyzing a problem with lftp on s390x.
The problem occurs with an https or an ftp server with 'set ftp:ssl-force true'. With ftp, at least one
ftp command needs to be run.
To reproduce it, I've been using
lftp -e "set ftp:ssl-force true; set ssl:verify-certificate false; ls; quit" -u
The segfault occurs during exit when __run_exit_handlers calls Ref<lftp_ssl_openssl_instance>::~Ref
which calls SSL_CTX_free and segfaults on a null openssl global_engine_lock:
#bt
#0 __pthread_rwlock_wrlock_full (abstime=0x0, clockid=0, rwlock=0x0) at pthread_rwlock_common.c:604
#1 __GI___pthread_rwlock_wrlock (rwlock=0x0) at pthread_rwlock_wrlock.c:27
#2 0x000003ff892a6f8a in CRYPTO_THREAD_write_lock (lock=) at crypto/threads_pthread.c:78
#3 0x000003ff89223cb6 in ENGINE_finish (e=0x2aa2ff73670) at crypto/engine/eng_init.c:101
#4 0x000003ff892864c6 in RSA_free (r=0x2aa2ffc3ed0) at crypto/rsa/rsa_lib.c:137
#5 0x000003ff892408de in EVP_PKEY_free_it (x=x@entry=0x2aa2ffc57f0) at crypto/evp/p_lib.c:618
#6 0x000003ff8924178a in EVP_PKEY_free (x=0x2aa2ffc57f0) at crypto/evp/p_lib.c:608
#7 0x000003ff892c375e in pubkey_cb (operation=, pval=, it=, exarg=) at crypto/x509/x_pubkey.c:34
#8 0x000003ff891a93d4 in asn1_item_embed_free (pval=0x2aa2ffc4e10, it=0x3ff89397720 <X509_PUBKEY_it>, embed=) at crypto/asn1/tasn_fre.c:113
#9 0x000003ff891a963e in asn1_template_free (pval=0x2aa2ffc4e10, tt=tt@entry=0x3ff893a0e20) at crypto/asn1/tasn_fre.c:142
#10 0x000003ff891a93a8 in asn1_item_embed_free (pval=0x3ffde2fe990, it=0x3ff89397878 <X509_CINF_it>, embed=) at crypto/asn1/tasn_fre.c:110
#11 0x000003ff891a963e in asn1_template_free (pval=0x3ffde2fe990, tt=tt@entry=0x3ff893a0cb8 <X509_seq_tt>) at crypto/asn1/tasn_fre.c:142
#12 0x000003ff891a93a8 in asn1_item_embed_free (pval=0x3ffde2feae8, it=0x3ff89397818 <X509_it>, embed=) at crypto/asn1/tasn_fre.c:110
#13 0x000003ff891a9538 in ASN1_item_free (val=, it=) at crypto/asn1/tasn_fre.c:20
#14 0x000003ff892b64ae in X509_OBJECT_free (a=0x2aa2ffc4a00) at crypto/x509/x509_lu.c:470
#15 0x000003ff892a3024 in OPENSSL_sk_pop_free (st=0x2aa2ffb8240, func=0x3ff892b6498 <X509_OBJECT_free>) at crypto/stack/stack.c:368
#16 0x000003ff892b6aa4 in sk_X509_OBJECT_pop_free (freefunc=, sk=) at include/openssl/x509_vfy.h:58
#17 X509_STORE_free (vfy=0x2aa2ffb7e30) at crypto/x509/x509_lu.c:225
#18 0x000003ff8803e426 in SSL_CTX_free (a=0x2aa2ff9efb0) at ssl/ssl_lib.c:3254
#19 0x000003ff881995cc in lftp_ssl_openssl_instance::~lftp_ssl_openssl_instance (this=0x2aa2ff7d4b0, __in_chrg=) at lftp_ssl.cc:922
#20 0x000003ff8819aa80 in Ref<lftp_ssl_openssl_instance>::~Ref (this=, __in_chrg=) at Ref.h:34
#21 0x000003ff894cbcd2 in __run_exit_handlers (status=, listp=0x3ff896288c0 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true,
run_dtors=run_dtors@entry=true) at exit.c:108
#22 0x000003ff894cbde8 in __GI_exit (status=) at exit.c:139
#23 0x000003ff894ab250 in __libc_start_main (main=0x2aa2df896f0 <main(int, char**)>, argc=, argv=0x3ffde2ff228, init=, fini=,
rtld_fini=0x3ff89b91430 <_dl_fini>, stack_end=0x3ffde2ff170) at libc-start.c:342
#24 0x000002aa2df8a164 in _start () at ../sysdeps/s390/s390-64/start.S:90
The openssl global_engine_lock is null because the openssl exit cleanup handler, OPENSSL_cleanup, has already run.
So, this appears to be an issue with the order the OPENSSL_cleanup exit handler is running in relation to
Ref<lftp_ssl_openssl_instance>::~Ref.
A possible solution may be to clean up those instances before exit, so they're already cleaned up by the time the openssl exit handler runs.
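The exit-handler ordering described in this report, reproduced with toy stand-ins; this is an added example, not lftp or OpenSSL code, and `toy_lock`, `toy_cleanup`, `toy_init`, `toy_ctx_free`, `Holder` and `run_child` are hypothetical names. It assumes a POSIX system and reports the null lock as exit status 42 instead of crashing.

```cpp
// Added illustration: toy stand-ins, not lftp or OpenSSL code.
#include <cstdio>
#include <cstdlib>
#include <sys/wait.h>
#include <unistd.h>

static int *toy_lock = nullptr;            // stand-in for global_engine_lock

static void toy_cleanup() {                // stand-in for OPENSSL_cleanup
    delete toy_lock;
    toy_lock = nullptr;
}

static void toy_init() {                   // library registers its exit handler on first use
    if (!toy_lock) { toy_lock = new int(0); atexit(toy_cleanup); }
}

static void toy_ctx_free() {               // stand-in for SSL_CTX_free
    if (!toy_lock) _exit(42);              // the real code takes a write lock on the null pointer here
    ++*toy_lock;
}

struct Holder {                            // stand-in for Ref<lftp_ssl_openssl_instance>
    bool held = false;
    void acquire() { toy_init(); held = true; }
    void release() { if (held) { toy_ctx_free(); held = false; } }
    ~Holder() { release(); }
};

static Holder instance;  // destructor is registered before main(), so before toy_cleanup

// Runs one scenario in a child process and returns the child's exit status.
int run_child(bool release_before_exit) {
    fflush(nullptr);                       // avoid duplicated stdio output in the child
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        instance.acquire();                // first library use happens after static init
        if (release_before_exit) instance.release();
        exit(0);                           // handlers run LIFO: toy_cleanup, then ~Holder
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main() {
    printf("destructor only: exit status %d\n", run_child(false));
    printf("released before exit: exit status %d\n", run_child(true));
    return 0;
}
```

Exit handlers run in reverse order of registration, so a static object constructed before the library's first use is destroyed after the library's own cleanup handler; releasing the instance before `exit()` avoids the late free.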