Segmentation fault in ssl3_get_message on openssl 1.0.1t version


Segmentation fault in ssl3_get_message on openssl 1.0.1t version

kotidudala
Hi Experts,

My application crashes with a segmentation fault in ssl3_get_message() when using OpenSSL version 1.0.1t.

Please find the gdb backtrace below:

#3  <signal handler called>
#4  0x00007f763f57f2e2 in ssl3_get_message () from /opt/CSCOacs/runtime/lib/libssl.so.1.0.0
#5  0x00007f763f57f9bd in ssl3_get_finished () from /opt/CSCOacs/runtime/lib/libssl.so.1.0.0
#6  0x00007f763f57300a in ssl3_accept () from /opt/CSCOacs/runtime/lib/libssl.so.1.0.0
#7  0x00007f76403e2a7b in Crypto::SSLConnection::processData (this=0x7f75a78bb6b0, pInData=0x7f761022bd21 "\025\003\001", nInDataSize=37, pOutData=0x7f7627ff9737 "", pnOutDataSize=0x7f7627ff9730)
    at SSLConnection.cpp:651

Please find the disassembly of ssl3_get_message below:

(gdb) disass ssl3_get_message
Dump of assembler code for function ssl3_get_message:
   0x00007f763f57f230 <+0>:     push   %r15
   0x00007f763f57f232 <+2>:     mov    %r9,%r15
   0x00007f763f57f235 <+5>:     push   %r14
   0x00007f763f57f237 <+7>:     push   %r13
   0x00007f763f57f239 <+9>:     mov    %edx,%r13d
   0x00007f763f57f23c <+12>:    push   %r12
   0x00007f763f57f23e <+14>:    mov    %ecx,%r12d
   0x00007f763f57f241 <+17>:    push   %rbp
   0x00007f763f57f242 <+18>:    mov    %rdi,%rbp
   0x00007f763f57f245 <+21>:    push   %rbx
   0x00007f763f57f246 <+22>:    sub    $0x18,%rsp
   0x00007f763f57f24a <+26>:    mov    %r8,0x10(%rsp)
   0x00007f763f57f24f <+31>:    mov    0x80(%rdi),%rcx
   0x00007f763f57f256 <+38>:    mov    0x3c4(%rcx),%edx
   0x00007f763f57f25c <+44>:    test   %edx,%edx
   0x00007f763f57f25e <+46>:    je     0x7f763f57f2d7 <ssl3_get_message+167>
   0x00007f763f57f260 <+48>:    test   %r12d,%r12d
   0x00007f763f57f263 <+51>:    movl   $0x0,0x3c4(%rcx)
   0x00007f763f57f26d <+61>:    js     0x7f763f57f40a <ssl3_get_message+474>
   0x00007f763f57f273 <+67>:    mov    0x80(%rdi),%rax
   0x00007f763f57f27a <+74>:    mov    $0x1a9,%r8d
   0x00007f763f57f280 <+80>:    cmp    %r12d,0x3a0(%rax)
   0x00007f763f57f287 <+87>:    je     0x7f763f57f40a <ssl3_get_message+474>
   0x00007f763f57f28d <+93>:    lea    0x27b88(%rip),%rcx        # 0x7f763f5a6e1c
   0x00007f763f57f294 <+100>:   mov    $0xf4,%edx
   0x00007f763f57f299 <+105>:   mov    $0x8e,%esi
   0x00007f763f57f29e <+110>:   mov    $0x14,%edi
   0x00007f763f57f2a3 <+115>:   callq  0x7f763f56d7a8 <ERR_put_error@plt>
   0x00007f763f57f2a8 <+120>:   mov    $0xa,%edx
   0x00007f763f57f2ad <+125>:   mov    $0x2,%esi
   0x00007f763f57f2b2 <+130>:   mov    %rbp,%rdi
   0x00007f763f57f2b5 <+133>:   callq  0x7f763f57cf20 <ssl3_send_alert>
   0x00007f763f57f2ba <+138>:   movl   $0x0,(%r15)
   0x00007f763f57f2c1 <+145>:   add    $0x18,%rsp
   0x00007f763f57f2c5 <+149>:   mov    $0xffffffffffffffff,%rax
   0x00007f763f57f2cc <+156>:   pop    %rbx
   0x00007f763f57f2cd <+157>:   pop    %rbp
   0x00007f763f57f2ce <+158>:   pop    %r12
   0x00007f763f57f2d0 <+160>:   pop    %r13
   0x00007f763f57f2d2 <+162>:   pop    %r14
   0x00007f763f57f2d4 <+164>:   pop    %r15
   0x00007f763f57f2d6 <+166>:   retq
   0x00007f763f57f2d7 <+167>:   mov    0x48(%rbp),%r14d
   0x00007f763f57f2db <+171>:   mov    0x50(%rdi),%rdi
   0x00007f763f57f2df <+175>:   cmp    %esi,%r14d
   0x00007f763f57f2e2 <+178>:   mov    0x8(%rdi),%rbx
   0x00007f763f57f2e6 <+182>:   je     0x7f763f57f387 <ssl3_get_message+343>
   0x00007f763f57f2ec <+188>:   mov    0x60(%rbp),%edx
   0x00007f763f57f2ef <+191>:   mov    0x398(%rcx),%rbx
   0x00007f763f57f2f6 <+198>:   mov    0x58(%rbp),%r12
   0x00007f763f57f2fa <+202>:   movslq %edx,%rax
   0x00007f763f57f2fd <+205>:   sub    %rax,%rbx
   0x00007f763f57f300 <+208>:   test   %rbx,%rbx
   0x00007f763f57f303 <+211>:   jg     0x7f763f57f324 <ssl3_get_message+244>
   0x00007f763f57f305 <+213>:   jmpq   0x7f763f57f44b <ssl3_get_message+539>
   0x00007f763f57f30a <+218>:   nopw   0x0(%rax,%rax,1)
   0x00007f763f57f310 <+224>:   add    %eax,0x60(%rbp)
   0x00007f763f57f313 <+227>:   cltq
   0x00007f763f57f315 <+229>:   sub    %rax,%rbx
   0x00007f763f57f318 <+232>:   test   %rbx,%rbx
   0x00007f763f57f31b <+235>:   jle    0x7f763f57f447 <ssl3_get_message+535>
   0x00007f763f57f321 <+241>:   mov    0x60(%rbp),%edx
   0x00007f763f57f324 <+244>:   mov    0x8(%rbp),%rax
   0x00007f763f57f328 <+248>:   movslq %edx,%rdx
   0x00007f763f57f32b <+251>:   xor    %r8d,%r8d
   0x00007f763f57f32e <+254>:   add    %r12,%rdx
   0x00007f763f57f331 <+257>:   mov    %ebx,%ecx
   0x00007f763f57f333 <+259>:   mov    $0x16,%esi
   0x00007f763f57f338 <+264>:   mov    %rbp,%rdi
   0x00007f763f57f33b <+267>:   callq  *0x68(%rax)
   0x00007f763f57f33e <+270>:   test   %eax,%eax
   0x00007f763f57f340 <+272>:   jg     0x7f763f57f310 <ssl3_get_message+224>
   0x00007f763f57f342 <+274>:   movl   $0x3,0x28(%rbp)
   0x00007f763f57f349 <+281>:   movl   $0x0,(%r15)
   0x00007f763f57f350 <+288>:   add    $0x18,%rsp
   0x00007f763f57f354 <+292>:   pop    %rbx
   0x00007f763f57f355 <+293>:   pop    %rbp
   0x00007f763f57f356 <+294>:   pop    %r12
   0x00007f763f57f358 <+296>:   pop    %r13
   0x00007f763f57f35a <+298>:   pop    %r14
   0x00007f763f57f35c <+300>:   pop    %r15
   0x00007f763f57f35e <+302>:   cltq
   0x00007f763f57f360 <+304>:   retq
   0x00007f763f57f361 <+305>:   mov    0x8(%rbp),%rax
   0x00007f763f57f365 <+309>:   mov    $0x4,%ecx
   0x00007f763f57f36a <+314>:   xor    %r8d,%r8d
   0x00007f763f57f36d <+317>:   sub    %edx,%ecx
   0x00007f763f57f36f <+319>:   movslq %edx,%rdx
   0x00007f763f57f372 <+322>:   mov    $0x16,%esi
   0x00007f763f57f377 <+327>:   add    %rbx,%rdx
   0x00007f763f57f37a <+330>:   mov    %rbp,%rdi
   0x00007f763f57f37d <+333>:   callq  *0x68(%rax)
   0x00007f763f57f380 <+336>:   test   %eax,%eax
   0x00007f763f57f382 <+338>:   jle    0x7f763f57f342 <ssl3_get_message+274>
   0x00007f763f57f384 <+340>:   add    %eax,0x60(%rbp)
   0x00007f763f57f387 <+343>:   mov    0x60(%rbp),%edx
   0x00007f763f57f38a <+346>:   cmp    $0x3,%edx
   0x00007f763f57f38d <+349>:   jle    0x7f763f57f361 <ssl3_get_message+305>
   0x00007f763f57f38f <+351>:   mov    0x38(%rbp),%eax
   0x00007f763f57f392 <+354>:   test   %eax,%eax
   0x00007f763f57f394 <+356>:   jne    0x7f763f57f500 <ssl3_get_message+720>
   0x00007f763f57f39a <+362>:   cmpb   $0x0,(%rbx)
   0x00007f763f57f39d <+365>:   jne    0x7f763f57f500 <ssl3_get_message+720>
   0x00007f763f57f3a3 <+371>:   cmpb   $0x0,0x1(%rbx)
   0x00007f763f57f3a7 <+375>:   jne    0x7f763f57f500 <ssl3_get_message+720>
   0x00007f763f57f3ad <+381>:   cmpb   $0x0,0x2(%rbx)
   0x00007f763f57f3b1 <+385>:   jne    0x7f763f57f500 <ssl3_get_message+720>
   0x00007f763f57f3b7 <+391>:   cmpb   $0x0,0x3(%rbx)
   0x00007f763f57f3bb <+395>:   nopl   0x0(%rax,%rax,1)
   0x00007f763f57f3c0 <+400>:   jne    0x7f763f57f500 <ssl3_get_message+720>
   0x00007f763f57f3c6 <+406>:   mov    0x98(%rbp),%r10
   0x00007f763f57f3cd <+413>:   movl   $0x0,0x60(%rbp)
   0x00007f763f57f3d4 <+420>:   test   %r10,%r10
   0x00007f763f57f3d7 <+423>:   je     0x7f763f57f387 <ssl3_get_message+343>
   0x00007f763f57f3d9 <+425>:   mov    0xa0(%rbp),%rax
   0x00007f763f57f3e0 <+432>:   mov    $0x16,%edx
   0x00007f763f57f3e5 <+437>:   xor    %edi,%edi
   0x00007f763f57f3e7 <+439>:   mov    %rbp,%r9
   0x00007f763f57f3ea <+442>:   mov    $0x4,%r8d
   0x00007f763f57f3f0 <+448>:   mov    %rbx,%rcx
   0x00007f763f57f3f3 <+451>:   mov    %rax,(%rsp)
   0x00007f763f57f3f7 <+455>:   mov    0x0(%rbp),%esi
   0x00007f763f57f3fa <+458>:   callq  *%r10
   0x00007f763f57f3fd <+461>:   mov    0x60(%rbp),%edx
   0x00007f763f57f400 <+464>:   cmp    $0x3,%edx
   0x00007f763f57f403 <+467>:   jg     0x7f763f57f38f <ssl3_get_message+351>
   0x00007f763f57f405 <+469>:   jmpq   0x7f763f57f361 <ssl3_get_message+305>
   0x00007f763f57f40a <+474>:   movl   $0x1,(%r15)
   0x00007f763f57f411 <+481>:   mov    0x50(%rbp),%rax
   0x00007f763f57f415 <+485>:   mov    %r13d,0x48(%rbp)
   0x00007f763f57f419 <+489>:   mov    0x8(%rax),%rax
   0x00007f763f57f41d <+493>:   add    $0x4,%rax
   0x00007f763f57f421 <+497>:   mov    %rax,0x58(%rbp)
   0x00007f763f57f425 <+501>:   mov    0x80(%rbp),%rax
   0x00007f763f57f42c <+508>:   mov    0x398(%rax),%rax
   0x00007f763f57f433 <+515>:   mov    %eax,0x60(%rbp)
   0x00007f763f57f436 <+518>:   add    $0x18,%rsp
   0x00007f763f57f43a <+522>:   cltq
   0x00007f763f57f43c <+524>:   pop    %rbx
   0x00007f763f57f43d <+525>:   pop    %rbp
   0x00007f763f57f43e <+526>:   pop    %r12
   0x00007f763f57f440 <+528>:   pop    %r13
   0x00007f763f57f442 <+530>:   pop    %r14
   0x00007f763f57f444 <+532>:   pop    %r15
   0x00007f763f57f446 <+534>:   retq
   0x00007f763f57f447 <+535>:   mov    0x50(%rbp),%rdi
   0x00007f763f57f44b <+539>:   mov    0x8(%rdi),%rax
   0x00007f763f57f44f <+543>:   cmpb   $0x14,(%rax)
   0x00007f763f57f452 <+546>:   je     0x7f763f57f4b7 <ssl3_get_message+647>
   0x00007f763f57f454 <+548>:   mov    0x60(%rbp),%edx
   0x00007f763f57f457 <+551>:   mov    0x8(%rdi),%rsi
   0x00007f763f57f45b <+555>:   mov    %rbp,%rdi
   0x00007f763f57f45e <+558>:   add    $0x4,%edx
   0x00007f763f57f461 <+561>:   callq  0x7f763f57ba10 <ssl3_finish_mac>
   0x00007f763f57f466 <+566>:   mov    0x98(%rbp),%r10
   0x00007f763f57f46d <+573>:   test   %r10,%r10
   0x00007f763f57f470 <+576>:   je     0x7f763f57f49d <ssl3_get_message+621>
   0x00007f763f57f472 <+578>:   mov    0x50(%rbp),%rax
   0x00007f763f57f476 <+582>:   movslq 0x60(%rbp),%r8
   0x00007f763f57f47a <+586>:   mov    %rbp,%r9
   0x00007f763f57f47d <+589>:   mov    $0x16,%edx
   0x00007f763f57f482 <+594>:   xor    %edi,%edi
   0x00007f763f57f484 <+596>:   mov    0x8(%rax),%rcx
   0x00007f763f57f488 <+600>:   mov    0xa0(%rbp),%rax
   0x00007f763f57f48f <+607>:   add    $0x4,%r8
   0x00007f763f57f493 <+611>:   mov    %rax,(%rsp)
   0x00007f763f57f497 <+615>:   mov    0x0(%rbp),%esi
   0x00007f763f57f49a <+618>:   callq  *%r10
   0x00007f763f57f49d <+621>:   movl   $0x1,(%r15)
   0x00007f763f57f4a4 <+628>:   movslq 0x60(%rbp),%rax
   0x00007f763f57f4a8 <+632>:   add    $0x18,%rsp
   0x00007f763f57f4ac <+636>:   pop    %rbx
   0x00007f763f57f4ad <+637>:   pop    %rbp
   0x00007f763f57f4ae <+638>:   pop    %r12
   0x00007f763f57f4b0 <+640>:   pop    %r13
   0x00007f763f57f4b2 <+642>:   pop    %r14
   0x00007f763f57f4b4 <+644>:   pop    %r15
   0x00007f763f57f4b6 <+646>:   retq
   0x00007f763f57f4b7 <+647>:   mov    0x80(%rbp),%rbx
   0x00007f763f57f4be <+654>:   cmpq   $0x0,0x3a8(%rbx)
   0x00007f763f57f4c6 <+662>:   je     0x7f763f57f454 <ssl3_get_message+548>
   0x00007f763f57f4c8 <+664>:   testb  $0x10,0x49(%rbp)
   0x00007f763f57f4cc <+668>:   je     0x7f763f57f5e4 <ssl3_get_message+948>
   0x00007f763f57f4d2 <+674>:   mov    0x8(%rbp),%rcx
   0x00007f763f57f4d6 <+678>:   mov    0xc8(%rcx),%rax
   0x00007f763f57f4dd <+685>:   mov    0x50(%rax),%rsi
   0x00007f763f57f4e1 <+689>:   mov    0x58(%rax),%edx
   0x00007f763f57f4e4 <+692>:   mov    %rbp,%rdi
   0x00007f763f57f4e7 <+695>:   lea    0x314(%rbx),%rcx
   0x00007f763f57f4ee <+702>:   callq  *0x28(%rax)
   0x00007f763f57f4f1 <+705>:   mov    %eax,0x394(%rbx)
   0x00007f763f57f4f7 <+711>:   mov    0x50(%rbp),%rdi
   0x00007f763f57f4fb <+715>:   jmpq   0x7f763f57f454 <ssl3_get_message+548>
   0x00007f763f57f500 <+720>:   test   %r12d,%r12d
   0x00007f763f57f503 <+723>:   js     0x7f763f57f518 <ssl3_get_message+744>
   0x00007f763f57f505 <+725>:   movzbl (%rbx),%eax
   0x00007f763f57f508 <+728>:   cmp    %r12d,%eax
   0x00007f763f57f50b <+731>:   je     0x7f763f57f53a <ssl3_get_message+778>
   0x00007f763f57f50d <+733>:   mov    $0x1dd,%r8d
   0x00007f763f57f513 <+739>:   jmpq   0x7f763f57f28d <ssl3_get_message+93>
   0x00007f763f57f518 <+744>:   cmpb   $0x1,(%rbx)
   0x00007f763f57f51b <+747>:   jne    0x7f763f57f53a <ssl3_get_message+778>
   0x00007f763f57f51d <+749>:   cmp    $0x2180,%r14d
   0x00007f763f57f524 <+756>:   jne    0x7f763f57f53a <ssl3_get_message+778>
   0x00007f763f57f526 <+758>:   cmp    $0x2181,%r13d
   0x00007f763f57f52d <+765>:   nopl   (%rax)
   0x00007f763f57f530 <+768>:   jne    0x7f763f57f53a <ssl3_get_message+778>
   0x00007f763f57f532 <+770>:   mov    %rbp,%rdi
   0x00007f763f57f535 <+773>:   callq  0x7f763f57c130 <ssl3_init_finished_mac>
   0x00007f763f57f53a <+778>:   movzbl (%rbx),%eax
   0x00007f763f57f53d <+781>:   mov    0x80(%rbp),%rdx
   0x00007f763f57f544 <+788>:   mov    $0x1f1,%r8d
   0x00007f763f57f54a <+794>:   mov    %eax,0x3a0(%rdx)
   0x00007f763f57f550 <+800>:   lea    0x1(%rbx),%rdx
   0x00007f763f57f554 <+804>:   movzbl 0x1(%rbx),%eax
   0x00007f763f57f558 <+808>:   movzbl 0x2(%rdx),%r12d
   0x00007f763f57f55d <+813>:   shl    $0x10,%rax
   0x00007f763f57f561 <+817>:   or     %rax,%r12
   0x00007f763f57f564 <+820>:   movzbl 0x1(%rdx),%eax
   0x00007f763f57f568 <+824>:   shl    $0x8,%rax
   0x00007f763f57f56c <+828>:   or     %rax,%r12
   0x00007f763f57f56f <+831>:   cmp    0x10(%rsp),%r12
   0x00007f763f57f574 <+836>:   ja     0x7f763f57f5bf <ssl3_get_message+911>
   0x00007f763f57f576 <+838>:   cmp    $0x7ffffffb,%r12
   0x00007f763f57f57d <+845>:   ja     0x7f763f57f5b9 <ssl3_get_message+905>
   0x00007f763f57f57f <+847>:   test   %r12,%r12
   0x00007f763f57f582 <+850>:   jne    0x7f763f57f5fb <ssl3_get_message+971>
   0x00007f763f57f584 <+852>:   mov    0x80(%rbp),%rax
   0x00007f763f57f58b <+859>:   mov    %r12,0x398(%rax)
   0x00007f763f57f592 <+866>:   mov    0x50(%rbp),%rdi
   0x00007f763f57f596 <+870>:   mov    %r13d,0x48(%rbp)
   0x00007f763f57f59a <+874>:   mov    0x80(%rbp),%rcx
   0x00007f763f57f5a1 <+881>:   mov    0x8(%rdi),%rax
   0x00007f763f57f5a5 <+885>:   movl   $0x0,0x60(%rbp)
   0x00007f763f57f5ac <+892>:   add    $0x4,%rax
   0x00007f763f57f5b0 <+896>:   mov    %rax,0x58(%rbp)
   0x00007f763f57f5b4 <+900>:   jmpq   0x7f763f57f2ec <ssl3_get_message+188>
   0x00007f763f57f5b9 <+905>:   mov    $0x1f6,%r8d
   0x00007f763f57f5bf <+911>:   lea    0x27856(%rip),%rcx        # 0x7f763f5a6e1c
   0x00007f763f57f5c6 <+918>:   mov    $0x98,%edx
   0x00007f763f57f5cb <+923>:   mov    $0x8e,%esi
   0x00007f763f57f5d0 <+928>:   mov    $0x14,%edi
   0x00007f763f57f5d5 <+933>:   callq  0x7f763f56d7a8 <ERR_put_error@plt>
   0x00007f763f57f5da <+938>:   mov    $0x2f,%edx
   0x00007f763f57f5df <+943>:   jmpq   0x7f763f57f2ad <ssl3_get_message+125>
   0x00007f763f57f5e4 <+948>:   mov    0x8(%rbp),%rcx
   0x00007f763f57f5e8 <+952>:   mov    0xc8(%rcx),%rax
   0x00007f763f57f5ef <+959>:   mov    0x40(%rax),%rsi
   0x00007f763f57f5f3 <+963>:   mov    0x48(%rax),%edx
   0x00007f763f57f5f6 <+966>:   jmpq   0x7f763f57f4e4 <ssl3_get_message+692>
   0x00007f763f57f5fb <+971>:   mov    0x50(%rbp),%rdi
   0x00007f763f57f5ff <+975>:   lea    0x4(%r12),%esi
   0x00007f763f57f604 <+980>:   callq  0x7f763f56d058 <BUF_MEM_grow_clean@plt>
   0x00007f763f57f609 <+985>:   test   %eax,%eax
   0x00007f763f57f60b <+987>:   jne    0x7f763f57f584 <ssl3_get_message+852>
   0x00007f763f57f611 <+993>:   lea    0x27804(%rip),%rcx        # 0x7f763f5a6e1c
   0x00007f763f57f618 <+1000>:  mov    $0x1fa,%r8d
   0x00007f763f57f61e <+1006>:  mov    $0x7,%edx
   0x00007f763f57f623 <+1011>:  mov    $0x8e,%esi
   0x00007f763f57f628 <+1016>:  mov    $0x14,%edi
   0x00007f763f57f62d <+1021>:  callq  0x7f763f56d7a8 <ERR_put_error@plt>
   0x00007f763f57f632 <+1026>:  jmpq   0x7f763f57f2ba <ssl3_get_message+138>
End of assembler dump.

Can you please let me know whether this is an issue on the OpenSSL side? For reference, the faulting address in frame #4 (0x00007f763f57f2e2) corresponds to `<+178>: mov 0x8(%rdi),%rbx` in the dump above, where %rdi was loaded from 0x50(%rdi) at `<+171>` two instructions earlier; it looks like that pointer was NULL or otherwise invalid, but I cannot confirm that without the structure layout for this build.
Also, please let me know if you need any further information.

Thanks in advance