Probably memory leak on handshake when KTLS enabled


Probably memory leak on handshake when KTLS enabled

Xinzhe Wang
When KTLS is enabled, multiple clients' handshakes will lead to "unexpected eof while reading" and data corruption (possible memory leak).

Tested OpenSSL version: master, 3.0.0-alpha1
Kernel version: 5.4.43-1-MANJARO
Reproduce steps (using Docker):

sudo modprobe tls
git clone https://github.com/openssl/openssl.git
sudo docker run -it -v $(pwd)/openssl:/openssl archlinux

# [In docker]
pacman -Sy make gcc vim
cd openssl
./config enable-ktls
make build_sw -j4
pacman -Rdd openssl
make install_sw

cd /
vim server.cpp
https://paste.ubuntu.com/p/fyhr6dDR7G/
vim client.cpp
https://paste.ubuntu.com/p/P2DjwWhTkf/
vim server.pem
https://paste.ubuntu.com/p/QttnVGsVSm/
vim serverkey.pem
https://paste.ubuntu.com/p/g6QR84wSfw/

g++ -c -o client.o client.cpp
g++ -o client client.o -lssl -lcrypto
g++ -c -o server.o server.cpp
g++ -o server server.o -lssl -lcrypto
export LD_LIBRARY_PATH=/usr/local/lib
./server &
./client

You will see something like this:

FP
 Vtest test
test
test
Mljtest test
test
test
test
test
test
test
Error creating SSL connection.  err=ffffffff
error:14000126:SSL routines::unexpected eof while reading

When OpenSSL is compiled without KTLS, the client prints "test" infinitely, but when KTLS is enabled, some data are corrupted and it sometimes results in "unexpected eof while reading".

Even when you remove SSL_write(ssl, reply, strlen(reply)); in the server and RecvPacket(); in the client, it still results in "unexpected eof while reading", so I think there is something wrong with the handshake procedure when KTLS is enabled, maybe a memory leak or UAF.

Re: Probably memory leak on handshake when KTLS enabled

Dmitry Belyavsky-3
Could you please try to re-run the client via Valgrind?

On Fri, Jun 12, 2020 at 7:03 AM Xinzhe Wang <[hidden email]> wrote:
--
SY, Dmitry Belyavsky

Re: Probably memory leak on handshake when KTLS enabled

Xinzhe Wang
$ valgrind --leak-check=full ./client
==18674== Memcheck, a memory error detector                                          
==18674== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.            
==18674== Using Valgrind-3.16.0.GIT and LibVEX; rerun with -h for copyright info    
==18674== Command: ./client                                                          
==18674==                                                                            
ZS\!Uڃȕe;+UbH1XF                                                                    
汹Sj                                                                                
    aETg[Y                                                                          
                                                                                     
          .Error creating SSL connection.  err=ffffffff                              
error:14000126:SSL routines::unexpected eof while reading                            
==18674==                                                                            
==18674== HEAP SUMMARY:
==18674==     in use at exit: 942,770 bytes in 3,508 blocks
==18674==   total heap usage: 372,389 allocs, 368,881 frees, 116,999,626 bytes allocated
==18674==
==18674== 865,305 (159,600 direct, 705,705 indirect) bytes in 21 blocks are definitely lost in loss record 222 of 222
==18674==    at 0x483977F: malloc (vg_replace_malloc.c:307)
==18674==    by 0x4AB7709: CRYPTO_zalloc (in /usr/local/lib/libcrypto.so.3)
==18674==    by 0x487F015: SSL_new (in /usr/local/lib/libssl.so.3)
==18674==    by 0x109597: main (in /client)
==18674==
==18674== LEAK SUMMARY:
==18674==    definitely lost: 159,600 bytes in 21 blocks
==18674==    indirectly lost: 705,705 bytes in 3,276 blocks
==18674==      possibly lost: 0 bytes in 0 blocks
==18674==    still reachable: 77,465 bytes in 211 blocks
==18674==         suppressed: 0 bytes in 0 blocks
==18674== Reachable blocks (those to which a pointer was found) are not shown.
==18674== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==18674==
==18674== For lists of detected and suppressed errors, rerun with: -s
==18674== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Dmitry Belyavsky <[hidden email]> wrote on Fri, Jun 12, 2020 at 6:24 PM:
Could you please try to re-run the client via Valgrind?
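The Valgrind run above is the kind of output that is easiest to triage mechanically: each leak record carries an allocation stack, and the useful question is which library call the application made and where. The script below is an added example, not code from the thread or from OpenSSL; it parses memcheck leak records, keeps the "definitely lost" ones, and walks each stack outward from the allocator to the first frame outside the allocator shim and the OpenSSL libraries. Treating any frame located in libcrypto or libssl as a library frame is this script's own heuristic. The sample input is a constructed excerpt shaped like the thread's Valgrind output (the second, "still reachable" record and its addresses are made up to show the filtering).

```python
"""Triage helper for Valgrind memcheck leak records (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input, shaped like the client's Valgrind run in the thread.
# The "still reachable" record below is invented to exercise the filtering.
SAMPLE_LOG = """\
==18674== HEAP SUMMARY:
==18674==     in use at exit: 942,770 bytes in 3,508 blocks
==18674==
==18674== 865,305 (159,600 direct, 705,705 indirect) bytes in 21 blocks are definitely lost in loss record 222 of 222
==18674==    at 0x483977F: malloc (vg_replace_malloc.c:307)
==18674==    by 0x4AB7709: CRYPTO_zalloc (in /usr/local/lib/libcrypto.so.3)
==18674==    by 0x487F015: SSL_new (in /usr/local/lib/libssl.so.3)
==18674==    by 0x109597: main (in /client)
==18674==
==18674== 64 bytes in 1 blocks are still reachable in loss record 10 of 222
==18674==    at 0x483977F: malloc (vg_replace_malloc.c:307)
==18674==    by 0x4AB7709: CRYPTO_zalloc (in /usr/local/lib/libcrypto.so.3)
==18674==    by 0x4ABC000: OPENSSL_init_crypto (in /usr/local/lib/libcrypto.so.3)
==18674==    by 0x109400: main (in /client)
==18674==
==18674== LEAK SUMMARY:
==18674==    definitely lost: 159,600 bytes in 21 blocks
"""


@dataclass
class LeakRecord:
    kind: str                 # "definitely lost", "possibly lost", "still reachable", ...
    direct_bytes: int
    indirect_bytes: int
    blocks: int
    frames: List[Tuple[str, str]] = field(default_factory=list)  # (symbol, location), innermost first

    @property
    def total_bytes(self) -> int:
        return self.direct_bytes + self.indirect_bytes


# "N (D direct, I indirect) bytes in B blocks are <kind> in loss record ..." (the
# "(D direct, I indirect)" part is absent when a record has no indirect blocks).
HEADER_RE = re.compile(
    r"^==\d+== ([\d,]+)(?: \(([\d,]+) direct, ([\d,]+) indirect\))? bytes in ([\d,]+) blocks? "
    r"are (definitely lost|indirectly lost|possibly lost|still reachable) in loss record"
)
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)\s*$")
BLANK_RE = re.compile(r"^==\d+==\s*$")

# Heuristic (this script's own choice): frames in these locations are "library".
LIBRARY_MARKERS = ("vg_replace_malloc", "libcrypto", "libssl")


def _num(s: Optional[str]) -> int:
    return int(s.replace(",", "")) if s else 0


def parse_leak_records(text: str) -> List[LeakRecord]:
    """Extract every leak record and its allocation stack from memcheck output."""
    records: List[LeakRecord] = []
    current: Optional[LeakRecord] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            total, direct, indirect, blocks, kind = m.groups()
            current = LeakRecord(kind, _num(direct) if direct else _num(total),
                                 _num(indirect), _num(blocks))
            records.append(current)
            continue
        fm = FRAME_RE.match(line)
        if fm and current is not None:
            current.frames.append((fm.group(1), fm.group(2)))
        elif BLANK_RE.match(line):
            current = None        # an empty "==pid==" line ends the stack
    return records


def blame(record: LeakRecord) -> Optional[Tuple[str, str]]:
    """Return (library_call, application_frame) for one record.

    Walks outward from the allocator to the first non-library frame; the frame
    just inside it is the API call whose result the application never released.
    """
    for i, (name, loc) in enumerate(record.frames):
        if not any(mark in loc for mark in LIBRARY_MARKERS):
            return (record.frames[i - 1][0] if i else name), name
    return None


def triage(text: str) -> List[dict]:
    """Definitely-lost records, largest first, each with the call to blame."""
    out = []
    for rec in sorted(parse_leak_records(text), key=lambda r: r.total_bytes, reverse=True):
        if rec.kind != "definitely lost":
            continue
        b = blame(rec)
        out.append({"bytes": rec.total_bytes, "blocks": rec.blocks,
                    "api_call": b[0] if b else None, "caller": b[1] if b else None})
    return out


if __name__ == "__main__":
    import sys
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()   # e.g. valgrind ... 2>&1 | python3 triage.py
    for entry in triage(source):
        print(f"{entry['bytes']:>10} bytes in {entry['blocks']} blocks: "
              f"{entry['api_call']} result dropped in {entry['caller']}")
```

Run against the thread's record this resolves to SSL_new called from main: at exit no pointer to those 21 SSL objects remained, which is exactly what Valgrind reports when a client loop obtains a fresh SSL object per connection attempt and never passes the previous one to SSL_free. Confirming that each SSL object (and the SSL_CTX at shutdown) is released in the test client is the cheap first check before attributing the loss to the library or to the KTLS path.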