Use openssl1.1.0h to test libuv_tls, and crash at CRYPTO_free and OPENSSL_sk_pop_free. #21

Open
brucejee opened this issue Mar 28, 2018 · 4 comments

Comments

@brucejee

I compiled openssl 1.1.0h using the default config and just tested evt and client in the libuv-tls directory. I receive a coredump as follows; I found something related here and here.

(gdb) bt
#0  0x00007ffff6d2638c in free () from /lib64/libc.so.6
#1  0x00007ffff781614e in CRYPTO_free (str=0xa4cb33d2, file=0x7ffff7bc130b "ssl/ssl_ciph.c", line=1799) at crypto/mem.c:179
#2  0x00007ffff7b8d22b in cmeth_free (cm=0xa4cb33d2) at ssl/ssl_ciph.c:1799
#3  0x00007ffff787b036 in OPENSSL_sk_pop_free (st=0x6237c0, func=0x7ffff7b8d207 <cmeth_free>) at crypto/stack/stack.c:265
#4  0x00007ffff7b8a391 in sk_SSL_COMP_pop_free (sk=0x6237c0, freefunc=0x7ffff7b8d207 <cmeth_free>) at include/openssl/ssl.h:846
#5  0x00007ffff7b8d25e in ssl_comp_free_compression_methods_int () at ssl/ssl_ciph.c:1806
#6  0x00007ffff7b8f305 in ssl_library_stop () at ssl/ssl_init.c:153
#7  0x00007ffff7810f31 in OPENSSL_cleanup () at crypto/init.c:412
#8  0x00007ffff6cdea49 in __run_exit_handlers () from /lib64/libc.so.6
#9  0x00007ffff6cdea95 in exit () from /lib64/libc.so.6
#10 0x00007ffff6cc7b3c in __libc_start_main () from /lib64/libc.so.6
#11 0x00000000004042e7 in _start ()
(gdb) info threads
  Id   Target Id         Frame 
* 1    Thread 0x7ffff7fed740 (LWP 10367) "client" 0x00007ffff787b036 in OPENSSL_sk_pop_free (st=0x6237c0, func=0x7ffff7b8d207 <cmeth_free>) at crypto/stack/stack.c:265
@brucejee
Author

brucejee commented Mar 29, 2018

It must be a double free bug.
First backtrace:

(gdb) bt
#0  CRYPTO_free (str=0x6237c0, file=0x7ffff78e8d51 "crypto/stack/stack.c", line=274) at crypto/mem.c:179
#1  0x00007ffff787b09c in OPENSSL_sk_free (st=0x6237c0) at crypto/stack/stack.c:274
#2  0x00000000004046a0 in sk_SSL_COMP_free (sk=0x6237c0) at /usr/local/include/openssl/ssl.h:846
#3  0x0000000000405511 in evt_ctx_free (ctx=0x7fffffffe3b0) at ../..//src/evt_tls.c:421
#4  0x000000000040467e in main () at tls_client_test.c:94

Second backtrace:

(gdb) 
Single stepping until exit from function __libc_start_main,
which has no line number information.
OPENSSL_INIT: ossl_init_thread_stop: err_delete_thread_state()
OPENSSL_INIT: ssl_library_stop: ssl_comp_free_compression_methods_int()

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6d2638c in free () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff6d2638c in free () from /lib64/libc.so.6
#1  0x00007ffff781614e in CRYPTO_free (str=0xa4cb33d2, file=0x7ffff7bc130b "ssl/ssl_ciph.c", line=1799) at crypto/mem.c:179
#2  0x00007ffff7b8d22b in cmeth_free (cm=0xa4cb33d2) at ssl/ssl_ciph.c:1799
#3  0x00007ffff787b036 in OPENSSL_sk_pop_free (st=0x6237c0, func=0x7ffff7b8d207 <cmeth_free>) at crypto/stack/stack.c:265
#4  0x00007ffff7b8a391 in sk_SSL_COMP_pop_free (sk=0x6237c0, freefunc=0x7ffff7b8d207 <cmeth_free>) at include/openssl/ssl.h:846
#5  0x00007ffff7b8d25e in ssl_comp_free_compression_methods_int () at ssl/ssl_ciph.c:1806
#6  0x00007ffff7b8f305 in ssl_library_stop () at ssl/ssl_init.c:153
#7  0x00007ffff7810f31 in OPENSSL_cleanup () at crypto/init.c:412
#8  0x00007ffff6cdea49 in __run_exit_handlers () from /lib64/libc.so.6
#9  0x00007ffff6cdea95 in exit () from /lib64/libc.so.6
#10 0x00007ffff6cc7b3c in __libc_start_main () from /lib64/libc.so.6
#11 0x00000000004042e7 in _start ()

st=0x6237c0 is freed by sk_SSL_COMP_free and ssl_library_stop.

change void evt_ctx_free(evt_ctx_t *ctx) and fix this coredump:

- sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
+ SSL_COMP_free_compression_methods();
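Review bot: the `-` line frees a stack that the library still owns, and the two backtraces show exactly that: sk_SSL_COMP_free(SSL_COMP_get_compression_methods()) releases st=0x6237c0 from evt_ctx_free, then ssl_library_stop -> ssl_comp_free_compression_methods_int releases the same pointer again from OPENSSL_cleanup during exit. Since 1.1.0 performs this cleanup itself, the application-side free has to go; the `+` line is the portable form (a real free against 1.0.x, compiled out against 1.1.x), and a one-line comment at the call site saying why would keep the next reader from reinstating the explicit free.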

brucejee added a commit to brucejee/evt-tls that referenced this issue Mar 30, 2018
@deleisha
Owner

Thanks for the contribution, sorry for being late. Let me have a close look and get back to your pull request.

@brucejee
Author

OK, I copied some code from the libimobiledevice project, and it works fine for different openssl versions.

@jungkwangho

I have just removed sk_SSL_COMP_free(SSL_COMP_get_compression_methods()); at evt_ctx_free.
