Bug #101349 for Crypt-OpenSSL-EC: EC_GROUP get0_generator() causes crash when memory reclaimed

Tue Jan 06 11:33:46 2015 rwfranks [...] acm.org - Ticket created

Subject:

EC_GROUP get0_generator() causes crash when memory reclaimed

Running attached script results in a crash. The result from get0_generator() appears to work properly. The problem arises when memory is reclaimed usually, but not always, at program termination. $ perl -w demo.pl 1..2 # using Perl 5.018004 ok 1 - get precalculated EC group ok 2 - extract generator from group # program will self-destruct in 5 seconds *** Error in `perl': double free or corruption (!prev): 0x0a18d5a0 *** ======= Backtrace: ========= /lib/libc.so.6[0x4a9a6143] /lib/libc.so.6[0x4a9adcba] /lib/libcrypto.so.10(CRYPTO_free+0x35)[0x4325c875] /lib/libcrypto.so.10(EC_POINT_free+0x2f)[0x432a0d6f] /lib/libcrypto.so.10(EC_GROUP_free+0x41)[0x432a0dc1] /home/rwf/perl5/lib/perl5/i386-linux-thread-multi/auto/Crypt/OpenSSL/EC/EC.so(+0x10616)[0xb7598616] /lib/libperl.so.5.18(Perl_pp_entersub+0x55a)[0x4120aeda] /lib/libperl.so.5.18(Perl_call_sv+0x639)[0x4118ba99] /lib/libperl.so.5.18[0x41213eff] /lib/libperl.so.5.18(Perl_sv_clear+0x3f4)[0x412145c4] /lib/libperl.so.5.18(Perl_sv_free2+0xdb)[0x41214cdb] /lib/libperl.so.5.18[0x41214f3c] /lib/libperl.so.5.18[0x4120c4bd] /lib/libperl.so.5.18(Perl_sv_clean_objs+0x3f)[0x412153ef] /lib/libperl.so.5.18(perl_destruct+0x139)[0x4118df59] perl[0x80489a5] /lib/libc.so.6(__libc_start_main+0xf3)[0x4a951b73] perl[0x8048a49] ======= Memory map: ======== 08048000-08049000 r-xp 00000000 fd:00 925054 /usr/bin/perl ...

Subject:

demo.pl

#!/usr/bin/perl # use strict; use Test::More tests => 2; use Crypt::OpenSSL::Bignum; use Crypt::OpenSSL::EC 0.5; BEGIN { use vars qw(%ECcurve); my %GOST_R_34_10_2001_CryptoPro_A = ( # RFC4357 a => 'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD94', # -3 mod p b => '00A6', # 166 p => 'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97', n => 'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6C611070995AD10045841B09B761B893', # q x => '01', y => '8D91E471E0989CDA27DF505A453F2B7635294F2DDF23E3B122ACC99C9E9F1E14' ); my $_curve = sub { my %param = @_; my $p = Crypt::OpenSSL::Bignum->new_from_hex( $param{p} ); my $a = Crypt::OpenSSL::Bignum->new_from_hex( $param{a} ); my $b = Crypt::OpenSSL::Bignum->new_from_hex( $param{b} ); my $x = Crypt::OpenSSL::Bignum->new_from_hex( $param{x} ); my $y = Crypt::OpenSSL::Bignum->new_from_hex( $param{y} ); my $n = Crypt::OpenSSL::Bignum->new_from_hex( $param{n} ); my $h = Crypt::OpenSSL::Bignum->one; my $ctx = Crypt::OpenSSL::Bignum::CTX->new(); my $method = Crypt::OpenSSL::EC::EC_GFp_mont_method(); my $group = Crypt::OpenSSL::EC::EC_GROUP::new($method); $group->set_curve_GFp( $p, $a, $b, $ctx ); # y^2 = x^3 + a*x + b mod p my $G = Crypt::OpenSSL::EC::EC_POINT::new($group); Crypt::OpenSSL::EC::EC_POINT::set_affine_coordinates_GFp( $group, $G, $x, $y, $ctx ); $group->set_generator( $G, $n, $h ); die 'bad curve' unless Crypt::OpenSSL::EC::EC_GROUP::check( $group, $ctx ); return $group; }; $ECcurve{12} = &$_curve(%GOST_R_34_10_2001_CryptoPro_A); } diag "using Perl $]"; my $group = $ECcurve{12}; ok( $group, 'get precalculated EC group' ); my $P = $group->get0_generator(); ok( $P, 'extract generator from group' ); my $wait = 5; diag "program will self-destruct in $wait seconds"; sleep $wait; exit;

Tue Jan 06 18:34:20 2015 mikem [...] airspayce.com - Correspondence added

Subject:	Re: [rt.cpan.org #101349] EC_GROUP get0_generator() causes crash when memory reclaimed
Date:	Wed, 07 Jan 2015 09:34:08 +1000
To:	bug-Crypt-OpenSSL-EC [...] rt.cpan.org
From:	Mike McCauley <mikem [...] airspayce.com>

Hi Dick, thanks for the report. New EC version 0.6 uploaded that fixes this problem. Cheers. On Tuesday, January 06, 2015 11:33:47 AM you wrote: Show quoted text

> Tue Jan 06 11:33:46 2015: Request 101349 was acted upon. > Transaction: Ticket created by rwfranks@acm.org > Queue: Crypt-OpenSSL-EC > Subject: EC_GROUP get0_generator() causes crash when memory reclaimed > Broken in: 0.5 > Severity: Important > Owner: Nobody > Requestors: rwfranks@acm.org > Status: new > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=101349 > > > > Running attached script results in a crash. > > The result from get0_generator() appears to work properly. > The problem arises when memory is reclaimed usually, but not always, at > program termination. > > > $ perl -w demo.pl > 1..2 > # using Perl 5.018004 > ok 1 - get precalculated EC group > ok 2 - extract generator from group > # program will self-destruct in 5 seconds > *** Error in `perl': double free or corruption (!prev): 0x0a18d5a0 *** > ======= Backtrace: ========= > /lib/libc.so.6[0x4a9a6143] > /lib/libc.so.6[0x4a9adcba] > /lib/libcrypto.so.10(CRYPTO_free+0x35)[0x4325c875] > /lib/libcrypto.so.10(EC_POINT_free+0x2f)[0x432a0d6f] > /lib/libcrypto.so.10(EC_GROUP_free+0x41)[0x432a0dc1] > /home/rwf/perl5/lib/perl5/i386-linux-thread-multi/auto/Crypt/OpenSSL/EC/EC.s > o(+0x10616)[0xb7598616] > /lib/libperl.so.5.18(Perl_pp_entersub+0x55a)[0x4120aeda] > /lib/libperl.so.5.18(Perl_call_sv+0x639)[0x4118ba99] > /lib/libperl.so.5.18[0x41213eff] > /lib/libperl.so.5.18(Perl_sv_clear+0x3f4)[0x412145c4] > /lib/libperl.so.5.18(Perl_sv_free2+0xdb)[0x41214cdb] > /lib/libperl.so.5.18[0x41214f3c] > /lib/libperl.so.5.18[0x4120c4bd] > /lib/libperl.so.5.18(Perl_sv_clean_objs+0x3f)[0x412153ef] > /lib/libperl.so.5.18(perl_destruct+0x139)[0x4118df59] > perl[0x80489a5] > /lib/libc.so.6(__libc_start_main+0xf3)[0x4a951b73] > perl[0x8048a49] > ======= Memory map: ======== > 08048000-08049000 r-xp 00000000 fd:00 925054 /usr/bin/perl > ...

-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474

Tue Jan 06 18:34:20 2015 The RT System itself - Status changed from 'new' to 'open'

Wed Jan 07 00:10:31 2015 rwfranks [...] acm.org - Correspondence added

From:

rwfranks [...] acm.org

On Tue Jan 06 18:34:20 2015, mikem@airspayce.com wrote: Show quoted text

> thanks for the report. New EC version 0.6 uploaded that fixes this > problem.

Now works fine. Thanks

Mon Jun 11 09:56:52 2018 rwfranks [...] acm.org - Status changed from 'open' to 'resolved'

Mon Jun 11 09:56:52 2018 rwfranks [...] acm.org - Fixed in 0.6 added