On Tue, 24 Apr 2018, Jeremie Courreges-Anglas wrote:
...
> We took a quick look yesterday, the crash happens in dtors, the cause of
> the crash looks like a use after free. I'm not a BIO_* hacker, here's
> a stack trace on amd64, curl rebuilt with DEBUG=-g:
>
> Program received signal SIGBUS, Bus error.
> p 0x000005738701c2d7 in BIO_write (b=0x5735f58b080, in=0x573e9a05400, inl=24)
>     at /usr/src/lib/libcrypto/bio/bio_lib.c:289
> 289             if ((b->method == NULL) || (b->method->bwrite == NULL)) {
> (gdb) p *b
> $1 = {method = 0xdfdfdfdfdfdfdfdf, callback = 0xdfdfdfdfdfdfdfdf, cb_arg = 0xdfdfdfdfdfdfdfdf <error: Cannot access memory at address 0xdfdfdfdfdfdfdfdf>, init = -538976289, shutdown = -538976289, flags = -538976289,
>   retry_reason = -538976289, num = -538976289, ptr = 0xdfdfdfdfdfdfdfdf, next_bio = 0xdfdfdfdfdfdfdfdf, prev_bio = 0xdfdfdfdfdfdfdfdf, references = -538976289, num_read = 16131858542891098079,
>   num_write = 16131858542891098079, ex_data = {sk = 0xdfdfdfdfdfdfdfdf}}
> (gdb) bt
> #0  0x000005738701c2d7 in BIO_write (b=0x5735f58b080, in=0x573e9a05400, inl=24) at /usr/src/lib/libcrypto/bio/bio_lib.c:289
> #1  0x00000573bd3467ab in __sflush (fp=0x573bd5b9410 <usual>) at /usr/src/lib/libc/stdio/fflush.c:80
> #2  0x00000573bd34aa5f in _fwalk (function=0x573bd346740 <__sflush>) at /usr/src/lib/libc/stdio/fwalk.c:50
> #3  0x00000573bd2ffd8c in _libc___cxa_finalize (dso=0x0) at /usr/src/lib/libc/stdlib/atexit.c:177
> #4  0x00000573bd2ea9f1 in _libc_exit (status=0) at /usr/src/lib/libc/stdlib/exit.c:54
> #5  0x00000570ee100b0d in _start ()
> (gdb)
So these BIOs are used with funopen()? It smells like the BIO is being closed directly instead of being closed with fclose(), with the result that stdio still has a reference to it and you get the flush later trying to access the freed BIO.

Philip
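The ownership mistake Philip describes, as an added example that is not part of this thread or of curl/libcrypto. It wraps a constructed stand-in for a BIO in a FILE with glibc's fopencookie(3) (the Linux counterpart of the funopen(3) used on OpenBSD; assumed available, and compiled as C++ because g++ predefines _GNU_SOURCE), and "frees" the BIO by setting a flag so the dangling flush is counted instead of faulting on 0xdf poison as in the report.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <sys/types.h>

// Constructed stand-in for a BIO; freeing only marks it so the bug is observable.
struct fake_bio { char out[64]; size_t len; bool freed; };

static int writes_to_freed_bio = 0;   // how many flushes hit an already-freed BIO

static void fake_bio_free(fake_bio *b) { b->freed = true; }

static ssize_t bio_write(void *cookie, const char *buf, size_t n) {
    fake_bio *b = static_cast<fake_bio *>(cookie);
    if (b->freed) { writes_to_freed_bio++; return -1; }   // the SIGBUS in the report
    size_t room = sizeof(b->out) - 1 - b->len;
    if (n > room) n = room;
    memcpy(b->out + b->len, buf, n);
    b->len += n; b->out[b->len] = '\0';
    return (ssize_t)n;
}
static int bio_close(void *cookie) { fake_bio_free(static_cast<fake_bio *>(cookie)); return 0; }

// After this, stdio owns the BIO: its close callback is the only place it is freed.
static FILE *wrap_bio(fake_bio *b) {
    cookie_io_functions_t io = {};
    io.write = bio_write;
    io.close = bio_close;
    return fopencookie(b, "w", io);   // not a tty, so fully buffered until flush/close
}

// Buggy: the BIO is freed directly while stdio still holds it. The buffered
// bytes reach it only at the later flush (here fclose; in the report, exit()'s
// __cxa_finalize walking every FILE with _fwalk/__sflush).
int free_bio_directly() {
    writes_to_freed_bio = 0;
    fake_bio *b = (fake_bio *)calloc(1, sizeof *b);
    FILE *fp = wrap_bio(b);
    fputs("hello", fp);
    fake_bio_free(b);      // wrong owner: stdio still references b
    fclose(fp);            // flush writes into the freed BIO, then close frees it again
    int hits = writes_to_freed_bio;
    free(b);
    return hits;           // 1
}

// Correct: fclose() flushes first, then releases the BIO through bio_close().
int free_bio_via_fclose() {
    writes_to_freed_bio = 0;
    fake_bio *b = (fake_bio *)calloc(1, sizeof *b);
    FILE *fp = wrap_bio(b);
    fputs("hello", fp);
    fclose(fp);
    int ok = (writes_to_freed_bio == 0 && b->freed && strcmp(b->out, "hello") == 0);
    free(b);
    return ok;             // 1
}
```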