Debian Bug report logs - #534892
libssl0.9.8: err_fns_check() has a race if a pointer assignment is not atomic

Package: openssl; Maintainer for openssl is Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>; Source for openssl is src:openssl.

Reported by: Russell Coker <russell@coker.com.au>

Date: Sat, 27 Jun 2009 23:54:01 UTC

Severity: normal



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#534892; Package libssl0.9.8. (Sat, 27 Jun 2009 23:54:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Russell Coker <russell@coker.com.au>:
New Bug report received and forwarded. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sat, 27 Jun 2009 23:54:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libssl0.9.8: err_fns_check() has a race if a pointer assignment is not atomic
Date: Sun, 28 Jun 2009 09:51:36 +1000
Package: libssl0.9.8
Version: 0.9.8g-15+lenny1
Severity: normal

static void err_fns_check(void)
        {
        if (err_fns) return;

        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
        if (!err_fns)
                err_fns = &err_defaults;
        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
        }

Helgrind flags the above function as an error due to there being no lock on
the first check of err_fns.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#534892; Package libssl0.9.8. (Tue, 17 May 2011 01:42:13 GMT) Full text and rfc822 format available.

Acknowledgement sent to Scott Schaefer <saschaefer@neurodiverse.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Tue, 17 May 2011 01:42:13 GMT) Full text and rfc822 format available.

Message #10 received at 534892@bugs.debian.org (full text, mbox):

From: Scott Schaefer <saschaefer@neurodiverse.org>
To: 534892@bugs.debian.org
Subject: False positive ?
Date: Mon, 16 May 2011 21:40:21 -0400
I am a bit confused...  I am certainly no Helgrind expert, and I will concede that it may know more about C than I do.  However, this certainly appears to me to be a false positive.

The variable err_fns is declared as:
static const ERR_FNS *err_fns = NULL;

Your subject line states "err_fns_check() has a race if a pointer assignment is not atomic".  Except, because the assignment is inside of CRYPTO_w_lock(), CRYPTO_w_unlock(), no race condition exists (assuming these two functions are implemented correctly).

In the body you state "Helgrind flags the function ... due to there being no lock on the first check of err_fns".  However, this is a test and return.  What possible reason is there for requiring a lock on the test?







Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#534892; Package libssl0.9.8. (Tue, 17 May 2011 02:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Tue, 17 May 2011 02:15:03 GMT) Full text and rfc822 format available.

Message #15 received at 534892@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: Scott Schaefer <saschaefer@neurodiverse.org>
Cc: 534892@bugs.debian.org
Subject: Re: Debian OpenSSL Bug # 534892
Date: Tue, 17 May 2011 12:04:39 +1000
On Tue, 17 May 2011, Scott Schaefer <saschaefer@neurodiverse.org> wrote:
> I am a bit confused...  I am certainly no Helgrind expert (indeed, I had 
> never heard of it until I first read your report), and I will concede 
> that it may know more about C than I do.  However, this certainly 
> appears to me to be a false positive.
> 
> The variable err_fns is declared as:
> static const ERR_FNS *err_fns = NULL;
> 
> Your subject line states "err_fns_check() has a race if a pointer 
> assignment is not atomic".  Except, because the assignment is inside of 
> CRYPTO_w_lock(),CRYPTO_w_unlock(), no race condition exists (assuming 
> these two functions are implemented correctly).

If that function was the only one using the function pointer in question then 
that analysis would be correct.

const ERR_FNS *ERR_get_implementation(void)
        {
        err_fns_check();
        return err_fns;
        }

However, it's expected that there are some other functions, such as the above, which rely 
on it.  Imagine an architecture which has 64-bit pointers but only 32-bit 
atomicity for memory writes.  If one thread writes a value to err_fns and gets 
interrupted before completing the operation then another thread could return 
from the first line of err_fns_check() and allow ERR_get_implementation() to 
return data from a half-written memory location.

I could be wrong in this analysis, it would be good if someone who knows more 
about Valgrind than I do could check this out.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
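Added example (not code from this thread or from OpenSSL): the double-checked pattern from the report beside a version where the unlocked fast-path read is a C11 acquire load and the publication a release store, so a reader can neither see a torn pointer nor a pointer whose target is not yet visible. The ERR_FNS layout, the function names ending in _racy/_safe, and the pthread mutex standing in for CRYPTO_LOCK_ERR are assumptions made for the example.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stddef.h>
/* Assumed stand-in for OpenSSL's ERR_FNS table: only the shape matters here. */
typedef struct { int (*get_lib)(void); } ERR_FNS;
static int default_get_lib(void) { return 0; }
static const ERR_FNS err_defaults = { default_get_lib };
static pthread_mutex_t err_lock = PTHREAD_MUTEX_INITIALIZER; /* stands in for CRYPTO_LOCK_ERR */

/* Pattern from the report: the first read of err_fns is outside the lock, so a concurrent
 * (possibly torn) write to it is a data race under the C11 memory model. */
static const ERR_FNS *err_fns_racy = NULL;
static void err_fns_check_racy(void)
{
    if (err_fns_racy) return;                 /* unsynchronised fast path */
    pthread_mutex_lock(&err_lock);
    if (!err_fns_racy) err_fns_racy = &err_defaults;
    pthread_mutex_unlock(&err_lock);
}
const ERR_FNS *ERR_get_implementation_racy(void) { err_fns_check_racy(); return err_fns_racy; }

/* Same shape, but the fast path is an atomic acquire load (never torn) and the publication
 * a release store, so a non-NULL result guarantees err_defaults is fully visible. */
static _Atomic(const ERR_FNS *) err_fns_safe = NULL;
const ERR_FNS *ERR_get_implementation_safe(void)
{
    const ERR_FNS *p = atomic_load_explicit(&err_fns_safe, memory_order_acquire);
    if (p) return p;
    pthread_mutex_lock(&err_lock);
    p = atomic_load_explicit(&err_fns_safe, memory_order_relaxed); /* re-check under lock */
    if (!p) {
        p = &err_defaults;
        atomic_store_explicit(&err_fns_safe, p, memory_order_release);
    }
    pthread_mutex_unlock(&err_lock);
    return p;
}

/* Several threads race on first use; each must observe the same, fully written pointer. */
#define NTHREADS 8
static void *worker(void *slot) { *(const ERR_FNS **)slot = ERR_get_implementation_safe(); return NULL; }
int err_fns_all_threads_agree(void)
{
    pthread_t th[NTHREADS];
    const ERR_FNS *seen[NTHREADS] = { 0 };
    for (int i = 0; i < NTHREADS; i++)
        if (pthread_create(&th[i], NULL, worker, &seen[i]) != 0) return 0;
    for (int i = 0; i < NTHREADS; i++) pthread_join(th[i], NULL);
    for (int i = 0; i < NTHREADS; i++)
        if (seen[i] != &err_defaults || seen[i]->get_lib() != 0) return 0;
    return 1;
}
```

Compile with -fsanitize=thread to have ThreadSanitizer report the plain load in err_fns_check_racy the same way Helgrind does, while the atomic version stays silent.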




Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Sat, 19 Nov 2011 09:51:44 GMT) Full text and rfc822 format available.

Notification sent to Russell Coker <russell@coker.com.au>:
Bug acknowledged by developer. (Sat, 19 Nov 2011 09:51:50 GMT) Full text and rfc822 format available.

Message #20 received at 534892-done@bugs.debian.org (full text, mbox):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 351684-done@bugs.debian.org,394107-done@bugs.debian.org,431918-done@bugs.debian.org,511727-done@bugs.debian.org,520021-done@bugs.debian.org,524682-done@bugs.debian.org,526747-done@bugs.debian.org,534534-done@bugs.debian.org,534656-done@bugs.debian.org,534683-done@bugs.debian.org,534685-done@bugs.debian.org,534687-done@bugs.debian.org,534699-done@bugs.debian.org,534706-done@bugs.debian.org,534889-done@bugs.debian.org,534892-done@bugs.debian.org,536229-done@bugs.debian.org,546521-done@bugs.debian.org,556968-done@bugs.debian.org,557261-done@bugs.debian.org,561558-done@bugs.debian.org,645805-done@bugs.debian.org,
Cc: openssl098@packages.debian.org, openssl098@packages.qa.debian.org
Subject: Bug#641975: Removed package(s) from unstable
Date: Sat, 19 Nov 2011 09:44:37 +0000
Version: 0.9.8o-7+rm

Dear submitter,

as the package openssl098 has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see http://bugs.debian.org/641975

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@debian.org.

Debian distribution maintenance software
pp.
Luca Falavigna (the ftpmaster behind the curtain)




Bug No longer marked as fixed in versions 0.9.8o-7+rm and reopened. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 19 Nov 2011 10:57:50 GMT) Full text and rfc822 format available.

Bug reassigned from package 'libssl0.9.8' to 'openssl'. Request was from Kurt Roeckx <kurt@roeckx.be> to control@bugs.debian.org. (Sat, 19 Nov 2011 10:58:04 GMT) Full text and rfc822 format available.

Bug No longer marked as found in versions openssl/0.9.8g-15+lenny1. Request was from Kurt Roeckx <kurt@roeckx.be> to control@bugs.debian.org. (Sat, 19 Nov 2011 10:58:05 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 08:11:59 2014; Machine Name: buxtehude.debian.org
