[Bug 1842383] Re: openssl 1.1.1 memory overuse/leak

Mon Sep 16 13:18:16 UTC 2019

** Attachment added: "1.1.0g"
   https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1842383/+attachment/5289013/+files/1.1.0g.png

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1842383

Title:
  openssl 1.1.1 memory overuse/leak

Status in openssl package in Ubuntu:
  New

Bug description:
  [Impact]

  At some point in the past do_ssl3_write() used to return the number of
  bytes written, or a value <= 0 on error.

  With libssl1.11 it now just returns a success/
  error code and writes the number of bytes written to |tmpwrit|.

  The SSL_MODE_RELEASE_BUFFERS code was still looking at the return code
  for the number of bytes written rather than |tmpwrit|. This has the effect
  that the buffers are not released when they are supposed to be.

  Thus such software as nginx currenty use significantly more memory
  compared to libssl1.0.

  [Test Case]

  Use 'top' to measure the memory usage by nginx with ssl configured.

  Example:

  No memory overuse:
  ii libssl1.1:amd64 1.1.0g-2ubuntu4 amd64 Secure Sockets Layer toolkit - shared libraries
  https://launchpadlibrarian.net/442818951/1.1.0g.png

  2,5x memory overuse:
  ii libssl1.1:amd64 1.1.1-1ubuntu2.1~18.04.4 amd64 Secure Sockets Layer toolkit - shared libraries
  https://launchpadlibrarian.net/442819146/1.1.1.png

  [Regression Potential]

  Low. This particular fix is tiny
  (https://git.openssl.org/?p=openssl.git;a=commitdiff;h=f2bb79a) and
  has been released and used in a couple of upstream openssl versions
  already without issue.

  [Other Info]

  The fix has been tested by nginx team and it solved the memory overuse issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1842383/+subscriptions