SIGBUS after upgrading to mod_ssl-2.8.15-1.3.28 and using +OptRenegotiate

SIGBUS after upgrading to mod_ssl-2.8.15-1.3.28 and using +OptRenegotiate

am 09.10.2003 22:27:07 von Matt Stevenson

Hi,

With the release of openssl-0.9.6k I recompiled and
updated my apache installs to 1.3.28/modssl-2.8.15
from 1.3.27/modssl-2.8.12. I compiled up on Linux and
Solaris. When running I randomly get a SIGBUS on
Solaris and a SIGSEGV on linux. I'm using client
certificates. I've a large number of servers (>50)
running fine on 1.3.27/2.8.12.

The issue seems to be with the "SSLOptions
+OptRenegotiate" option. When going from a non client
cert location to a client cert location.

The backtrace from dbx on solaris is

t@1 (l@1) signal BUS (invalid address alignment) in
sk_value at 0xfebed534
0xfebed534: sk_value+0x0014: ld [%g3 + %g2],
%o0
(/opt/SUNWspro/bin/../WS6/bin/sparcv9/dbx) where
current thread: t@1
=>[1] sk_value(0x132990, 0x0, 0x3, 0xfed27eb0, 0x260,
0x132980), at 0xfebed534
[2] X509_NAME_oneline(0x132980, 0x0, 0x0, 0x0, 0xc7,
0xffbef4d0), at 0xfec1e6dc
[3] ssl_hook_Access(0xf0f30, 0xfed64cf4, 0xad400,
0x24bec, 0x0, 0xf26b8), at 0xfed65b74
[4] run_method(0xf0f30, 0x10, 0x1, 0x0, 0x0,
0xff00), at 0x2052c
[5] ap_check_access(0xf0f30, 0x93460, 0x93400,
0x91659, 0x45, 0x65), at 0x20620
[6] process_request_internal(0xf0f30, 0x0, 0x16,
0xcd, 0xeffffc00, 0x1), at 0x40180
[7] ap_process_request(0xf0f30, 0xc8, 0xf0f30,
0xffbef8e0, 0xffbef8f0, 0x5), at 0x405ac
[8] child_main(0x5, 0x31298, 0x31000, 0xff17b250,
0xff175980, 0xff16efe0), at 0x33284
[9] make_child(0xb0bf0, 0x5, 0x3f8154e3, 0xcd,
0xff23b1d4, 0xffbefa18), at 0x335fc
[10] perform_idle_server_maintenance(0x0,
0xffbefb1c, 0x0, 0xb0bf0, 0x90ed8, 0x8fa80), at
0x33b10
[11] standalone_main(0x6, 0xffbefc4c, 0x0, 0x0,
0xff23b02c, 0x90ff0), at 0x34384
[12] main(0x6, 0xffbefc4c, 0xffbefc68, 0xadd98, 0x0,
0x0), at 0x34cc4

the cofiguration for a typical SSL server is ...

SSLEngine on
SSLCipherSuite
ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile
/opt/apache_test/conf/ssl.crt/server.crt
SSLCertificateKeyFile
/opt/apache_test/conf/ssl.key/server.key
SSLCACertificateFile
/opt/apache_test/conf/ssl.crt/CA.crt
SSLVerifyDepth 2
SSLOptions +StdEnvVars +ExportCertData

SSLPassPhraseDialog builtin
SSLSessionCache
shmcb:/opt/apache_test/sites/debug.internal.net/logs/ssl_sca che(512000)
SSLSessionCacheTimeout 300
SSLMutex
file:/opt/apache_test/sites/debug.internal.net/logs/ssl_mute x
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog
/opt/apache_test/sites/debug.internal.net/logs/ssl_engine_lo g
SSLLogLevel Warn


SSLVerifyClient optional
SSLOptions +OptRenegotiate


When entering the images directory some but not all of
the httpd children die. I'm going to get a linux debug
server running. Hopefully someone can replicate the
issue? Or suggest a fix.

Thanks
Matt


__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SIGBUS after upgrading to mod_ssl-2.8.15-1.3.28 and using +OptRenegotiate

am 27.10.2003 15:41:33 von Matt Stevenson

I've been doing a little debugging under linux and
seem to have found an issue in ssl_kernel_engine.c.

On line 1001 X509_free(cert) is called. When a call to
get the cert is used later on line 1033 the memory
looks corrupt and a SEGV happens on the next line. I
removed the X509_free(cert) on line 1001 and the SEGV
stopped (am I now leaking memory?).

Is the cert being freed already by the
sk_X509_pop_free on line 999 (after being place on the
stack in previous code)?

997 if (SSL_get_peer_cert_chain(ssl) !=
certstack) {
998 /* created by us, so free it */
999 sk_X509_pop_free(certstack,
X509_free);
1000 }
1001 X509_free(cert);
}

Any help appreciated.

Thanks
Matt

--- Matt Stevenson wrote:
> Hi,
>
> With the release of openssl-0.9.6k I recompiled and
> updated my apache installs to 1.3.28/modssl-2.8.15
> from 1.3.27/modssl-2.8.12. I compiled up on Linux
> and
> Solaris. When running I randomly get a SIGBUS on
> Solaris and a SIGSEGV on linux. I'm using client
> certificates. I've a large number of servers (>50)
> running fine on 1.3.27/2.8.12.
>
> The issue seems to be with the "SSLOptions
> +OptRenegotiate" option. When going from a non
> client
> cert location to a client cert location.
>
> The backtrace from dbx on solaris is
>
> t@1 (l@1) signal BUS (invalid address alignment) in
> sk_value at 0xfebed534
> 0xfebed534: sk_value+0x0014: ld [%g3 + %g2],
> %o0
> (/opt/SUNWspro/bin/../WS6/bin/sparcv9/dbx) where
> current thread: t@1
> =>[1] sk_value(0x132990, 0x0, 0x3, 0xfed27eb0,
> 0x260,
> 0x132980), at 0xfebed534
> [2] X509_NAME_oneline(0x132980, 0x0, 0x0, 0x0,
> 0xc7,
> 0xffbef4d0), at 0xfec1e6dc
> [3] ssl_hook_Access(0xf0f30, 0xfed64cf4, 0xad400,
> 0x24bec, 0x0, 0xf26b8), at 0xfed65b74
> [4] run_method(0xf0f30, 0x10, 0x1, 0x0, 0x0,
> 0xff00), at 0x2052c
> [5] ap_check_access(0xf0f30, 0x93460, 0x93400,
> 0x91659, 0x45, 0x65), at 0x20620
> [6] process_request_internal(0xf0f30, 0x0, 0x16,
> 0xcd, 0xeffffc00, 0x1), at 0x40180
> [7] ap_process_request(0xf0f30, 0xc8, 0xf0f30,
> 0xffbef8e0, 0xffbef8f0, 0x5), at 0x405ac
> [8] child_main(0x5, 0x31298, 0x31000, 0xff17b250,
> 0xff175980, 0xff16efe0), at 0x33284
> [9] make_child(0xb0bf0, 0x5, 0x3f8154e3, 0xcd,
> 0xff23b1d4, 0xffbefa18), at 0x335fc
> [10] perform_idle_server_maintenance(0x0,
> 0xffbefb1c, 0x0, 0xb0bf0, 0x90ed8, 0x8fa80), at
> 0x33b10
> [11] standalone_main(0x6, 0xffbefc4c, 0x0, 0x0,
> 0xff23b02c, 0x90ff0), at 0x34384
> [12] main(0x6, 0xffbefc4c, 0xffbefc68, 0xadd98,
> 0x0,
> 0x0), at 0x34cc4
>
> the cofiguration for a typical SSL server is ...
>
> SSLEngine on
> SSLCipherSuite
>
ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> SSLCertificateFile
> /opt/apache_test/conf/ssl.crt/server.crt
> SSLCertificateKeyFile
> /opt/apache_test/conf/ssl.key/server.key
> SSLCACertificateFile
> /opt/apache_test/conf/ssl.crt/CA.crt
> SSLVerifyDepth 2
> SSLOptions +StdEnvVars +ExportCertData
>
> SSLPassPhraseDialog builtin
> SSLSessionCache
>
shmcb:/opt/apache_test/sites/debug.internal.net/logs/ssl_sca che(512000)
> SSLSessionCacheTimeout 300
> SSLMutex
>
file:/opt/apache_test/sites/debug.internal.net/logs/ssl_mute x
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> SSLLog
>
/opt/apache_test/sites/debug.internal.net/logs/ssl_engine_lo g
> SSLLogLevel Warn
>
>
> SSLVerifyClient optional
> SSLOptions +OptRenegotiate
>
>
> When entering the images directory some but not all
> of
> the httpd children die. I'm going to get a linux
> debug
> server running. Hopefully someone can replicate the
> issue? Or suggest a fix.
>
> Thanks
> Matt
>
>
> __________________________________
> Do you Yahoo!?
> The New Yahoo! Shopping - with improved product
> search
> http://shopping.yahoo.com
>
____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl)
> www.modssl.org
> User Support Mailing List
> modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org

__________________________________
Do you Yahoo!?
Exclusive Video Premiere - Britney Spears
http://launch.yahoo.com/promos/britneyspears/
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org