[rt.openssl.org #4526] bug: use of ExitProcess on Windows platforms, 1.0.2g

[richsalz]

Migrated from rt.openssl.org#4526 (status was 'open')

Requestors:

• tbaen@wynyardgroup.com

From tbaen@wynyardgroup.com on 2016-05-02 12:33:22:
Hi,

I'm working in the 1.0.2g version of OpenSSL, in a Windows desktop environment, specifically Win 7, 8.1, and 10 (and their equivalent server and R2 versions).

Problem and Resolution:
The following lines of code make use of the Microsoft API ExitProcess:

Apps\Speed.c line 335:	ExitProcess(ret);
Ms\uplink.c line 22: ExitProcess(1);

These function calls are made after fatal errors are detected and program termination is desired. ExitProcess(), however causes orderly shutdown of a process and all its threads, i.e. it unloads all dlls and runs all destructors. See MSDN for details of exactly what happens (https://msdn.microsoft.com/en-us/library/windows/desktop/ms682658(v=vs.85).aspx). The MSDN page states that ExitProcess should never be called unless it is known to be safe to call it. These calls should simply be replaced with calls to TerminateProcess(), which is what should be called for disorderly shutdown.

An example of usage:

TerminateProcess(GetCurrentProcess(), exitcode);

Effect of Problem:
Because of a compilation error (wrong c++ runtime), my program executed the uplink.c ExitProcess() call. This caused the single OpenSSL thread to start executing the destructors of all my dlls, and their objects. Unfortunately, about 30 other threads were happily using those objects at that time, eventually causing a 0xC0000005 ACCESS_VIOLATION. Obviously an ACCESS_VIOLATION is the best case scenario, as I'm sure you can imagine at the consequences of undiscovered memory corruption, even in a terminating process.

Regards,

Ty Baen-Price
JADE Development Team Leader
Wynyard Group

DDI +64 3 367 8453

Powerful Software. Connecting the Dots.
wynyardgroup.com

From rsalz@openssl.org on 2016-06-15 17:42:58:

OpenSSL_1_0_2-stable 75f9068 RT4526: Call TerminateProcess, not ExitProcess
master 9c1a9cc RT4526: Call TerminateProcess, not ExitProcess

Author: Rich Salz rsalz@openssl.org
Date: Tue Jun 14 16:19:37 2016 -0400

RT4526: Call TerminateProcess, not ExitProcess

Reviewed-by: Richard Levitte <levitte@openssl.org>

From matt@openssl.org on 2016-06-16 16:44:16:

On Wed Jun 15 17:42:58 2016, rsalz wrote:

OpenSSL_1_0_2-stable 75f9068 RT4526: Call TerminateProcess, not ExitProcess
master 9c1a9cc RT4526: Call TerminateProcess, not ExitProcess

Author: Rich Salz rsalz@openssl.org
Date: Tue Jun 14 16:19:37 2016 -0400

RT4526: Call TerminateProcess, not ExitProcess

Reviewed-by: Richard Levitte levitte@openssl.org

I just reverted this commit. We need to take another look at this, so
reopening this ticket.

Matt

From tbaen@wynyardgroup.com on 2016-06-20 01:53:28:

Hi!

I just looked on GitHub and I see the reason you reverted the change is that TerminateProcess is asynchronous.

That is technically true, but I think it's probably synchronous "enough" for your purposes, since a call to TerminateProcess suspends execution of all threads in the target process. This means it's really only asynchronous if you're calling TerminateProcess one some other process. If you're calling TerminateProcess on your own process, you'll never return from the TerminateProcess call.

Regards,
Ty

-----Original Message-----
From: Matt Caswell via RT [mailto:rt@openssl.org]
Sent: Friday, 17 June 2016 4:44 AM
To: Ty Baen-Price tbaen@wynyardgroup.com
Cc: openssl-dev@openssl.org
Subject: [openssl.org #4526] bug: use of ExitProcess on Windows platforms, 1.0.2g

On Wed Jun 15 17:42:58 2016, rsalz wrote:

OpenSSL_1_0_2-stable 75f9068 RT4526: Call TerminateProcess, not
ExitProcess master 9c1a9cc RT4526: Call TerminateProcess, not
ExitProcess

Author: Rich Salz rsalz@openssl.org
Date: Tue Jun 14 16:19:37 2016 -0400

RT4526: Call TerminateProcess, not ExitProcess

Reviewed-by: Richard Levitte levitte@openssl.org

I just reverted this commit. We need to take another look at this, so reopening this ticket.

Matt

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4526
Please log in as guest with password guest if prompted

[re-edited for better readability /@levitte]

[richsalz]

This is not behavior introduced in 1.1.1, so removing that milestone.

[levitte]

This needs a revisit in newer branches

[levitte]

@mattcaswell, can you remember why you reverted the change to use TerminateProcess()?

[mattcaswell]

I don't recall the details of this but commit f219a1b has this description:

"TerminateProcess is asynchronous, so the code as written in the above commit is not correct. It is also probably not needed in the speed case. Reverting in order to figure out the correct solution."

The original gitlab merge request (this was pre github), additionally claims that the original code did not even compile at the time that we reverted it.

[levitte]

Yeah, so re asynchronous, I'll quote the response from the description above:

Hi!

I just looked on GitHub and I see the reason you reverted the change is that TerminateProcess is asynchronous.

That is technically true, but I think it's probably synchronous "enough" for your purposes, since a call to TerminateProcess suspends execution of all threads in the target process. This means it's really only asynchronous if you're calling TerminateProcess one some other process. If you're calling TerminateProcess on your own process, you'll never return from the TerminateProcess call.

Regards,
Ty

As for not compiling (assume you meant the code with TerminateProcess), that should be looked into, of courses.

I'm thinking of reapplying the original patch and then bash it mercilessly until it compiles properly... and concerns about such action?

[mattcaswell]

Nope.