New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Check for NULL locks #23616
Check for NULL locks #23616
Conversation
This will happen if a library calls SSL_CTX_free() in its destructor, which runs after OpenSSL's atexit() handler OPENSSL_cleanup() has already destroyed all the locks. This commit fixes a SEGV in that case.
Given the myriad of ways that the The only real fix is for OpenSSL to not tear itself down while it may still be in use. |
So you're saying it's better for a security-critical component to crash and become a denial of service, than to detect an error and return an error code. Except you're being inconsistent, since the same kind of check already exists just a few lines further down in the current code: openssl/crypto/threads_pthread.c Line 711 in 1a571a5
|
Btw, your fuzzcheck job failed because it's out of disk space.
|
The out of disk space is a known issue
|
@hyc It's not my CI job. While I contribute to OpenSSL and am quite familiar with the problem space, I'm not a decision maker for project. I work on BoringSSL, which solves this problem by not calling This PR may address a symptom, but it ignores the underlying problem and misses that far, far worse symptoms can occur. Ignoring broken invariants piecemeal is a recipe security vulnerabilities. That you're only crashing on NULL dereference is a mercy. For a security-critical component, a clean crash is far better than use-after-free, overflow a buffer, race condition or signing ECDSA with bad entropy. Those will result in much worse! (Of course, it's best to do none of these. The way to do that is to fix OpenSSL to stop calling As for consistency, that's a free function. All free functions in OpenSSL behave like C |
If "detect an error and return an error code" would always happen, then no. But since errors in very low-level routines like locks aren't always caught, and can't always be propagated back up the stack (a And "crash and become a denial of service" is definitely better than "serious vulnerability". With the NULL-pointer crash, it is possible to know what the underlying problem was (lock was destroyed) - if this had been silently ignored and propagated back up the stack to something that was several levels deep it would have been much harder to figure out what had happened. While I am not a decision maker for the project, I too think this change is potentially unsafe. |
I totally agree with @davidben and @tom-cosgrove-arm on this one. The decision maker on technical issues is OTC. If any OTC member disagrees with my triage (resolved: wont fix - i.e., this won't be merged), he can add OTC hold label and it will be discussed by OTC as a whole. |
Any reason to keep this open? |
Closing now |
This will happen if a library calls SSL_CTX_free() in its destructor, which runs after OpenSSL's atexit() handler OPENSSL_cleanup() has already destroyed all the locks. This commit fixes a SEGV in that case.
Related to #23575
Checklist