
This queue is for tickets about the Crypt-OpenSSL-EC CPAN distribution.

Report information
The Basics
Id: 101793
Status: resolved
Priority: 0/
Queue: Crypt-OpenSSL-EC

People
Owner: Nobody in particular
Requestors: rwfranks [...] acm.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.8
Fixed in: 0.9



Subject: SEGV and core dump when EC_POINT object goes out of scope
# Script fragment:

#!/usr/bin/perl
#
use 5.18.4;
use Crypt::OpenSSL::Bignum 0.04;
use Crypt::OpenSSL::EC 0.8;

do {
    my $nid = 415;    # NID_X9_62_prime256v1
    my $group = Crypt::OpenSSL::EC::EC_GROUP::new_by_curve_name($nid);
    my $ctx = Crypt::OpenSSL::Bignum::CTX->new();
    my $order = Crypt::OpenSSL::Bignum->zero;
    $group->get_order( $order, $ctx );
    my $eckey = Crypt::OpenSSL::EC::EC_KEY::new() || die;
    $eckey->set_group($group) || die;
    $eckey->generate_key() || die;
    my $bignum = $eckey->get0_private_key();
    print '$bignum ', $bignum, "\n";
    my $binary = $bignum->to_bin;

    my $K = $eckey->get0_public_key();
    print '$K: ', $K, "\n";
};

print "exit;\n";
exit;

__END__

# produces (usually, but not always):

$ perl -w specimen.pl
$bignum Crypt::OpenSSL::Bignum=SCALAR(0x95434e0)
$K: Crypt::OpenSSL::EC::EC_POINT=SCALAR(0x955d110)
*** Error in `perl': double free or corruption (!prev): 0x095ed420 ***
======= Backtrace: =========
/lib/libc.so.6[0x4a9a6143]
/lib/libc.so.6[0x4a9adcba]
/lib/libcrypto.so.10(CRYPTO_free+0x35)[0x4325c875]
/lib/libcrypto.so.10(EC_POINT_free+0x2f)[0x432a0d6f]
/lib/libcrypto.so.10(EC_KEY_free+0x76)[0x432aaba6]
/home/rwf/perl5/lib/perl5/i386-linux-thread-multi/auto/Crypt/OpenSSL/EC/EC.so(+0x4b36)[0xb7512b36]
/lib/libperl.so.5.18(Perl_pp_entersub+0x55a)[0x41700eda]
/lib/libperl.so.5.18(Perl_call_sv+0x639)[0x41681a99]
/lib/libperl.so.5.18[0x41709eff]
/lib/libperl.so.5.18(Perl_sv_clear+0x3f4)[0x4170a5c4]
/lib/libperl.so.5.18(Perl_sv_free2+0xdb)[0x4170acdb]
/lib/libperl.so.5.18(Perl_sv_unref_flags+0x6b)[0x4170b0fb]
/lib/libperl.so.5.18(Perl_sv_force_normal_flags+0x120)[0x41710af0]
/lib/libperl.so.5.18(Perl_leave_scope+0xd34)[0x417311e4]
/lib/libperl.so.5.18(Perl_pop_scope+0x34)[0x41731724]
/lib/libperl.so.5.18(Perl_pp_leave+0xbd)[0x4173c16d]
/lib/libperl.so.5.18(Perl_runops_standard+0x3f)[0x416f8daf]
/lib/libperl.so.5.18(perl_run+0x2d1)[0x41688f61]
perl[0x8048a15]
/lib/libc.so.6(__libc_start_main+0xf3)[0x4a951b73]
perl[0x8048a49]
======= Memory map: ========
Subject: Re: [rt.cpan.org #101793] SEGV and core dump when EC_POINT object goes out of scope
Date: Thu, 29 Jan 2015 09:48:05 +1000
To: bug-Crypt-OpenSSL-EC [...] rt.cpan.org
From: Mike McCauley <mikem [...] airspayce.com>
Thanks Dick, new version 0.9 uploaded should fix this.

Cheers.

On Wednesday, January 28, 2015 09:34:03 AM you wrote:
> Wed Jan 28 09:34:02 2015: Request 101793 was acted upon.
> Transaction: Ticket created by rwfranks@acm.org
> Queue: Crypt-OpenSSL-EC
> Subject: SEGV and core dump when EC_POINT object goes out of scope
> Broken in: 0.8
> Severity: Important
> Owner: Nobody
> Requestors: rwfranks@acm.org
> Status: new
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=101793 >
--
Mike McCauley VK4AMM mikem@airspayce.com
Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia
http://www.airspayce.com
Phone +61 7 5598-7474