[Bug 1940528] Re: curl 7.68 does not init OpenSSL correctly

Dimitri John Ledkov 1940528 at bugs.launchpad.net
Tue Sep 14 13:13:15 UTC 2021 

** Changed in: curl (Ubuntu Focal)
     Assignee: (unassigned) => Dimitri John Ledkov (xnox)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to curl in Ubuntu.
https://bugs.launchpad.net/bugs/1940528

Title:
  curl 7.68 does not init OpenSSL correctly

Status in curl package in Ubuntu:
  Fix Released
Status in curl source package in Bionic:
  New
Status in curl source package in Focal:
  Triaged

Bug description:
  [Impact]

   * curl 7.68 does not correctly use OpenSSL 1.1.0+ api to init OpenSSL
  global state prior to executing any OpenSSL APIs. This may lead to
  duplicate engine initiation, which upon engine unload may cause use-
  after-free or double-free of any methods that engine installs. This
  has been fixed in curl 7.74 by correctly calling OpenSSL init api
  prior to any other calls to OpenSSL apis.

  [Test Plan]

   * This should be reproducible with any engines that allocate &
  register methods, and free them upon engine unload. Then use curl with
  openssl backend to test for corrupted stack.

   * I.e. on arm64, compile and configure pka engine from
  https://github.com/Mellanox/pka/commit/b0f32fa05298bf9e3997ea43fc1c11b90e0d662f
  (i.e. without the double-free protections proposed in
  https://github.com/Mellanox/pka/pull/37 ) on any arm64 hardware, there
  is no need for the engine to actually work or have access to anything,
  as the issue is reproducible when engine is enabled but cannot be
  effectively used.

   * curl any https website

  ...
  PKA_DEV: pka_dev_open_ring_vfio: error: failed to get ring 50 device name
  PKA_ENGINE: PKA instance is invalid
  PKA_ENGINE: failed to retrieve valid instance
  100   338  100   338    0     0   3520      0 --:--:-- --:--:-- --:--:--  3520
  (exit status 0)

  is good output from fixed curl.

  Whereas:

  PKA_ENGINE: PKA instance is invalid
  PKA_ENGINE: failed to retrieve valid instance
  100   338  100   338    0     0   1169      0 --:--:-- --:--:-- --:--:--  1169
  Segmentation fault (core dumped)
  (exit status non-zero)

  is bad output from currently broken curl.

  [Where problems could occur]

   * Correctly calling OpenSSL init function prior to any other OpenSSL
  apis changes the behaviour of the library slightly - specifically
  openssl configuration file and engines are initialised and loaded
  earlier, meaning that site-local customizations are applied correctly
  whenever using curl cli utility or libcurl4 (the openssl version of
  curl). This will make engine support working correctly across the
  board. However, if one has missconfigured openssl conf and
  missconfigured engines which are now actually attempted to be used one
  may experience unexpected behaviour changes (since potentially
  existing configuration was not actually taking effect).

  [Other Info]
   
   * References:
  https://github.com/curl/curl/commit/1835cb916e0d40eb8bc1165d5627a0b64f911bac
  https://github.com/openssl/openssl/issues/13548
  https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1921518

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/1940528/+subscriptions

More information about the foundations-bugs mailing list