Use after free on ENGINE_finish(rdrand_engine). #548
Comments
Valgrind says...
Ah, you're cleaning up engines after OpenSSL's own

Proof of concept fix at dwmw2@f9c24e0
Thanks for the report and PoC fix. I checked the OSSL documentation, and it seems that the

Could you submit a PR based on the PoC fix with the change mentioned above? That'd be much appreciated!
As of 1.1.0, OpenSSL registers its own atexit() handler to call OPENSSL_cleanup(). If our own atexit() handler subsequently tries to, for example, unreference an ENGINE, then it'll crash or deadlock with a use-after-free. This is issue opendnssec#548.

Fix it by registering a callback with OPENSSL_atexit() to be called when OPENSSL_cleanup() is called. It sets a flag which prevents any further touching of OpenSSL objects, which would otherwise happen fairly much immediately thereafter when our own OSSLCryptoFactory destructor gets called by the C++ runtime's own atexit() handler.

Fixes: opendnssec#548
…y shut down

As of 1.1.0, OpenSSL registers its own atexit() handler to call OPENSSL_cleanup(). If our own code subsequently tries to, for example, unreference an ENGINE, then it'll crash or deadlock with a use-after-free.

Fix it by registering a callback with OPENSSL_atexit() to be called when OPENSSL_cleanup() is called. It sets a flag which prevents any further touching of OpenSSL objects, which would otherwise happen fairly much immediately thereafter when our own OSSLCryptoFactory destructor gets called by the C++ runtime's own atexit() handler.

Fixes: opendnssec#548
Issue #548: Don't clean up engines after OpenSSL has already shut down
The hung CI jobs on fedora:32 and debian:sid have likely been caused by a SoftHSM bug (see opendnssec/SoftHSMv2#548), but the failure to upload their logs seems to be an issue with the build config.
I think we need to revert this. It causes problems if the SoftHSM DSO is _unloaded_ before OpenSSL shuts down: https://bugzilla.redhat.com/show_bug.cgi?id=1831086#c8

I'll see if I can find a way to tell that OpenSSL has been shut down _without_ registering an OPENSSL_atexit() handler for it (which can't be unregistered when we unload).

I wonder if we can register a _system_ atexit() handler, and rely on ordering such that it runs before the C++ runtime's atexit handler which calls the OSSLCryptoFactory destructor? Ordering _is_ guaranteed, I think:

    DESCRIPTION
    The atexit() function registers the given function to be called at normal
    process termination, either via exit(3) or via return from the program's
    main(). Functions so registered are called in the reverse order of their
    registration; no arguments are passed.
Argh, of course it works for my test just to register
On 2020-05-13 13:24, David Woodhouse wrote:
> I think we need to revert this. It causes problems if the SoftHSM DSO
> is _unloaded_ before OpenSSL shuts down:
> https://bugzilla.redhat.com/show_bug.cgi?id=1831086#c8
> I'll see if I can find a way to tell that OpenSSL has been shut down
> _without_ registering an OPENSSL_atexit() handler for it _(which can't
> be unregistered when we unload)_.
> I wonder if we can register a _system_ atexit() handler, and rely on
> ordering such that it runs before the C++ runtime's atexit handler
> which calls the OSSLCryptoFactory destructor? Ordering _is_
> guaranteed, I think:
>
> DESCRIPTION
> The atexit() function registers the given function to be called at normal
> process termination, either via exit(3) or via return from the program's
> main(). Functions so registered are called in the reverse order of their
> registration; no arguments are passed.

Okay, thanks for following up on it. Perhaps good for me too to have
a look into it, as unloading SoftHSM isn't a strange thing to do...

\Berry
We can't register our own atexit() or OPENSSL_atexit() handler because there's no way to unregister it when the SoftHSM DSO is unloaded. This causes the crash reported at https://bugzilla.redhat.com/1831086#c8

Instead of using that method to set a flag showing that OPENSSL_cleanup() has occurred, test directly by calling OPENSSL_init_crypto() for something that *would* do nothing, but will fail if OPENSSL_cleanup() has indeed been run already.

Fixes: c2cc065 "Issue opendnssec#548: Don't clean up engines after OpenSSL has already shut down"
I was just writing a proposal for this hack :) It is not nice (
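The shutdown ordering this thread is about, and the check the commit message above settles on (probe OPENSSL_init_crypto() at teardown instead of relying on a flag set from an exit handler), is easiest to see in a small self-contained simulation. The C++ below is an added example written for this page, not SoftHSM's or OpenSSL's code: `fakecrypto` is a hypothetical stand-in for libcrypto whose `init()`, `cleanup()`, `engine_by_id()` and `engine_finish()` are assumed to mimic only the behaviour of OPENSSL_init_crypto(), OPENSSL_cleanup(), ENGINE_by_id() and ENGINE_finish() that matters here (init registers an atexit handler, cleanup frees the engines, init returns 0 afterwards), and `CryptoFactory` stands in for OSSLCryptoFactory. It builds without OpenSSL installed.

```cpp
#include <cstdio>
#include <cstdlib>

// Hypothetical stand-in for libcrypto >= 1.1.0 (not OpenSSL's code).
namespace fakecrypto {

struct Engine {
    int refs;
    const char *id;
};

static bool stopped = false;       // set once cleanup() has run, like OpenSSL's own "stopped"
static Engine *rdrand = nullptr;

// Plays the role of OPENSSL_cleanup(): frees the engines and marks the library stopped.
void cleanup() {
    delete rdrand;
    rdrand = nullptr;
    stopped = true;
}

// Plays the role of OPENSSL_init_crypto(): returns 1 on success, 0 once cleanup() has run.
int init() {
    if (stopped) return 0;
    static bool registered = false;
    if (!registered) {
        registered = true;
        rdrand = new Engine{1, "rdrand"};
        std::atexit(cleanup);          // the library's own exit handler
    }
    return 1;
}

// Plays the role of ENGINE_by_id(): a new reference, or nullptr after shutdown.
Engine *engine_by_id(const char *) {
    if (stopped || rdrand == nullptr) return nullptr;
    rdrand->refs++;
    return rdrand;
}

// Plays the role of ENGINE_finish(): dereferences e, so it must never see a freed engine.
int engine_finish(Engine *e) {
    return --e->refs;
}

} // namespace fakecrypto

enum ReleaseResult { RELEASED, SKIPPED_LIBRARY_STOPPED, NOTHING_HELD };

// Client side, modelled on the thread's description of OSSLCryptoFactory: a
// static singleton whose destructor the C++ runtime runs from its own exit handler.
class CryptoFactory {
public:
    void acquire() { engine_ = fakecrypto::engine_by_id("rdrand"); }

    // The bug in the thread would be calling fakecrypto::engine_finish(engine_)
    // unconditionally. Instead, probe the library first: init() returning 0 means
    // cleanup() already ran and engine_ is a dangling pointer that must not be touched.
    ReleaseResult release() {
        if (engine_ == nullptr) return NOTHING_HELD;
        if (fakecrypto::init() == 0) {
            engine_ = nullptr;
            return SKIPPED_LIBRARY_STOPPED;
        }
        fakecrypto::engine_finish(engine_);
        engine_ = nullptr;
        return RELEASED;
    }

    ~CryptoFactory() { std::printf("~CryptoFactory: release() -> %d\n", release()); }

private:
    fakecrypto::Engine *engine_ = nullptr;
};

// Constructed before main(), so its destructor is registered with the runtime
// BEFORE fakecrypto::init() calls atexit(cleanup). Exit handlers run in reverse
// order of registration, so at exit cleanup() runs first and the destructor last.
static CryptoFactory factory;

int main() {
    fakecrypto::init();
    factory.acquire();
    return 0;   // exit(): cleanup() frees the engine, then ~CryptoFactory() probes and skips
}
```

The ordering the example depends on is the one the man page excerpt quoted earlier in the thread describes, and the C++ standard gives the same guarantee for static-storage destructors relative to later std::atexit() registrations: a handler registered after an object's initialization completes runs before that object's destructor. That is exactly why the factory's destructor cannot assume the library is still alive, and why probing the library at that point is safer than a flag held in a DSO that may already have been unloaded.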
Commit caec0c7 has caused SoftHSM to stop exiting cleanly when running the auth-pkcs11 test from OpenConnect self-tests. Instead of exiting, it just stops:

This appears to be true for the GnuTLS build of OpenConnect but not the OpenSSL build.