openssl crashes with "munmap_chunk(): invalid pointer" (CVE-2022-2274)

Related Vulnerabilities: CVE-2022-2274  

Debian Bug report logs - #1013441

Reported by: Philippe Daouadi <philippe@ud2.org>

Date: Thu, 23 Jun 2022 17:30:02 UTC

Severity: normal

Found in version openssl/3.0.4-1

Fixed in version openssl/3.0.4-2

Done: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Forwarded to https://github.com/openssl/openssl/issues/18625



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>:
Bug#1013441; Package libssl3. (Thu, 23 Jun 2022 17:30:04 GMT)


Acknowledgement sent to Philippe Daouadi <philippe@ud2.org>:
New Bug report received and forwarded. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>. (Thu, 23 Jun 2022 17:30:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Philippe Daouadi <philippe@ud2.org>
To: submit@bugs.debian.org
Subject: openssl crashes with "munmap_chunk(): invalid pointer"
Date: Thu, 23 Jun 2022 19:28:11 +0200
Package: libssl3
Version: 3.0.4-1

Hello,

openssl crashes when it signs things with RSA.
I discovered the bug with sbtool and sign-file, but found out that I can reproduce it with just openssl.
My system worked fine before I ran `apt full-upgrade`, I probably didn't run it for a month or so.

$ openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout PK.key \
        -out PK.crt -days 3650 -nodes -sha256
..+......+....+..+....+...+..+...+.+......+..............................+.....+......+...+....+...+..+...+...+.+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+..........+...........+....+.....+....+......+.....+.+.....+...............+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
....+.+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+...+......+.+......+.....+.......+......+.........+..+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+........+....+...+......+.....+.+...........+.......+...........+.........+.......+......+..+...+.........+.+............+..+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
munmap_chunk(): invalid pointer
[1]    462685 IOT instruction  openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout PK.key

I tried getting a backtrace from gdb:

Thread 1 (Thread 0x7ffff7ec5740 (LWP 468166) "openssl"):
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
#1  0x00007ffff7849546 in __GI_abort () at abort.c:79
#2  0x00007ffff78a0eb8 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff79bea78 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff78a891a in malloc_printerr (str=str@entry=0x7ffff79c0a20 "munmap_chunk(): invalid pointer") at malloc.c:5628
#4  0x00007ffff78a8d6c in munmap_chunk (p=<optimized out>) at malloc.c:2995
#5  0x00007ffff78ad9e3 in __GI___libc_free (mem=<optimized out>) at malloc.c:3302
#6  0x00007ffff7b2bd2c in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3
#7  0x00007ffff7b1858e in BN_mod_exp_mont_consttime_x2 () from /lib/x86_64-linux-gnu/libcrypto.so.3
#8  0x00007ffff7c77b6d in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3
#9  0x00007ffff7c79010 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3
#10 0x00007ffff7c7d0d1 in RSA_sign () from /lib/x86_64-linux-gnu/libcrypto.so.3
#11 0x00007ffff7d31aec in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3
#12 0x00007ffff7d31d7f in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3
#13 0x00007ffff7c135fc in EVP_DigestSignFinal () from /lib/x86_64-linux-gnu/libcrypto.so.3
#14 0x00007ffff7ae9d40 in ASN1_item_sign_ctx () from /lib/x86_64-linux-gnu/libcrypto.so.3
#15 0x00005555555eeb7e in ?? ()
#16 0x00005555555c5a42 in ?? ()
#17 0x00005555555ba9d2 in ?? ()
#18 0x0000555555596358 in ?? ()
#19 0x00007ffff784a7fd in __libc_start_main (main=0x555555596190, argc=16, argv=0x7fffffffdb28, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdb18) at ../csu/libc-start.c:332
#20 0x000055555559647a in ?? ()

I tried running it in valgrind but it doesn't crash in that case.

Thanks,
Philippe

-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.18.0-2-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libssl3 depends on:
ii  libc6  2.33-7

libssl3 recommends no packages.

libssl3 suggests no packages.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>:
Bug#1013441; Package libssl3. (Fri, 24 Jun 2022 10:00:03 GMT)


Acknowledgement sent to Gianpaolo Cugola <gianpaoloc@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>. (Fri, 24 Jun 2022 10:00:03 GMT)


Message #10 received at 1013441@bugs.debian.org:

From: Gianpaolo Cugola <gianpaoloc@gmail.com>
To: 1013441@bugs.debian.org
Subject: The bug affects (university) eduroam wpa-eap connections
Date: Fri, 24 Jun 2022 11:56:25 +0200
I confirm that the bug affects NetworkManager wifi connections under sid,
crashing wpa_supplicant with "munmap_chunk(): invalid pointer" message.

As a workaround I reinstalled previous version 3.0.3-8

Let me know if I can help in any way.

Thanks
  Gianpaolo

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>:
Bug#1013441; Package libssl3. (Fri, 24 Jun 2022 11:21:05 GMT)


Acknowledgement sent to Sébastien Noel <sebastien@twolife.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>. (Fri, 24 Jun 2022 11:21:06 GMT)


Message #15 received at 1013441@bugs.debian.org:

From: Sébastien Noel <sebastien@twolife.be>
To: 1013441@bugs.debian.org
Subject: Re: openssl crashes with "munmap_chunk(): invalid pointer"
Date: Fri, 24 Jun 2022 13:07:59 +0200
Hi,

I had a similar crash with the same error message with openvpn.
Downgrading libssl3 to version 3.0.3-8 did fix the issue.

It seems to be related to this upstream bug:
https://github.com/openssl/openssl/issues/18625

br,

Sébastien

On Thu, 23 Jun 2022 19:28:11 +0200 Philippe Daouadi <philippe@ud2.org> wrote:
> Package: libssl3
> Version: 3.0.4-1
> 
> Hello,
> 
> openssl crashes when it signs things with RSA.
> I discovered the bug with sbtool and sign-file, but found out that I can reproduce it with just openssl.
> My system worked fine before I ran `apt full-upgrade`, I probably didn't run it for a month or so.
> 
> $ openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout PK.key \
>          -out PK.crt -days 3650 -nodes -sha256
> ..+......+....+..+....+...+..+...+.+......+..............................+.....+......+...+....+...+..+...+...+.+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+..........+...........+....+.....+....+......+.....+.+.....+...............+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> ....+.+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+...+......+.+......+.....+.......+......+.........+..+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+........+....+...+......+.....+.+...........+.......+...........+.........+.......+......+..+...+.........+.+............+..+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> -----
> munmap_chunk(): invalid pointer
> [1]    462685 IOT instruction  openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout PK.key
> 
> I tried getting a backtrace from gdb:
> 
> Thread 1 (Thread 0x7ffff7ec5740 (LWP 468166) "openssl"):
> #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
> #1  0x00007ffff7849546 in __GI_abort () at abort.c:79
> #2  0x00007ffff78a0eb8 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff79bea78 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
> #3  0x00007ffff78a891a in malloc_printerr (str=str@entry=0x7ffff79c0a20 "munmap_chunk(): invalid pointer") at malloc.c:5628
> #4  0x00007ffff78a8d6c in munmap_chunk (p=<optimized out>) at malloc.c:2995
> #5  0x00007ffff78ad9e3 in __GI___libc_free (mem=<optimized out>) at malloc.c:3302
> #6  0x00007ffff7b2bd2c in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3
> #7  0x00007ffff7b1858e in BN_mod_exp_mont_consttime_x2 () from /lib/x86_64-linux-gnu/libcrypto.so.3
> #8  0x00007ffff7c77b6d in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3
> #9  0x00007ffff7c79010 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3
> #10 0x00007ffff7c7d0d1 in RSA_sign () from /lib/x86_64-linux-gnu/libcrypto.so.3
> #11 0x00007ffff7d31aec in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3
> #12 0x00007ffff7d31d7f in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3
> #13 0x00007ffff7c135fc in EVP_DigestSignFinal () from /lib/x86_64-linux-gnu/libcrypto.so.3
> #14 0x00007ffff7ae9d40 in ASN1_item_sign_ctx () from /lib/x86_64-linux-gnu/libcrypto.so.3
> #15 0x00005555555eeb7e in ?? ()
> #16 0x00005555555c5a42 in ?? ()
> #17 0x00005555555ba9d2 in ?? ()
> #18 0x0000555555596358 in ?? ()
> #19 0x00007ffff784a7fd in __libc_start_main (main=0x555555596190, argc=16, argv=0x7fffffffdb28, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdb18) at ../csu/libc-start.c:332
> #20 0x000055555559647a in ?? ()
> 
> I tried running it in valgrind but it doesn't crash in that case.
> 
> Thanks,
> Philippe
> 
> -- System Information:
> Debian Release: bookworm/sid
>    APT prefers stable-security
>    APT policy: (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 5.18.0-2-amd64 (SMP w/8 CPU threads; PREEMPT)
> Kernel taint flags: TAINT_OOT_MODULE
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>:
Bug#1013441; Package libssl3. (Fri, 24 Jun 2022 13:12:02 GMT)


Acknowledgement sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>. (Fri, 24 Jun 2022 13:12:02 GMT)


Message #20 received at 1013441@bugs.debian.org:

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
To: Sébastien Noel <sebastien@twolife.be>, 1013441@bugs.debian.org
Cc: Philippe Daouadi <philippe@ud2.org>, Gianpaolo Cugola <gianpaoloc@gmail.com>
Subject: Re: [Pkg-openssl-devel] Bug#1013441: openssl crashes with "munmap_chunk(): invalid pointer"
Date: Fri, 24 Jun 2022 15:09:21 +0200
On 2022-06-24 13:07:59 [+0200], Sébastien Noel wrote:
> Hi,
Hi,

> I had a similar crash with the same error message with openvpn.
> Downgrading libssl3 to version 3.0.3-8 did fix the issue.
> 
> It seems to be related to this upstream bug:
> https://github.com/openssl/openssl/issues/18625

My plan is to make an upload today in the evening with
	https://github.com/xry111/openssl/commit/71ad6a8da3e39bd4caf5c6c767287ddd9bce8bae

If someone could please confirm that it indeed fixes the issue, that
would be great. But if that is the case then the question is why
everyone is having avx512 but me.

> br,
> 
> Sébastien

Sebastian



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>:
Bug#1013441; Package libssl3. (Fri, 24 Jun 2022 13:27:02 GMT)


Acknowledgement sent to Sébastien Noel <sebastien@twolife.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>. (Fri, 24 Jun 2022 13:27:02 GMT)


Message #25 received at 1013441@bugs.debian.org:

From: Sébastien Noel <sebastien@twolife.be>
To: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>, 1013441@bugs.debian.org
Cc: Philippe Daouadi <philippe@ud2.org>, Gianpaolo Cugola <gianpaoloc@gmail.com>
Subject: Re: [Pkg-openssl-devel] Bug#1013441: openssl crashes with "munmap_chunk(): invalid pointer"
Date: Fri, 24 Jun 2022 15:25:39 +0200
Hi Sebastian,

> If someone could please confirm that it indeed fixes the issue, that
> would be great

I have been running my laptop with a local openssl build with this
patch applied for a few hours now, it fixed the issue.

Thanks in advance for making the upload :-)

br,
Sébastien


On Friday 24 June 2022 at 15:09 +0200, Sebastian Andrzej Siewior wrote:
> On 2022-06-24 13:07:59 [+0200], Sébastien Noel wrote:
> > Hi,
> Hi,
> 
> > I had a similar crash with the same error message with openvpn.
> > Downgrading libssl3 to version 3.0.3-8 did fix the issue.
> > 
> > It seems to be related to this upstream bug:
> > https://github.com/openssl/openssl/issues/18625
> 
> My plan is to make an upload today in the evening with
> 	https://github.com/xry111/openssl/commit/71ad6a8da3e39bd4caf5c6c767287ddd9bce8bae
> 
> If someone could please confirm that it indeed fixes the issue, that
> would be great. But if that is the case then the question is why
> everyone is having avx512 but me.
> 
> > br,
> > 
> > Sébastien
> 
> Sebastian




Reply sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
You have taken responsibility. (Fri, 24 Jun 2022 18:06:03 GMT)


Notification sent to Philippe Daouadi <philippe@ud2.org>:
Bug acknowledged by developer. (Fri, 24 Jun 2022 18:06:03 GMT)


Message #30 received at 1013441-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1013441-close@bugs.debian.org
Subject: Bug#1013441: fixed in openssl 3.0.4-2
Date: Fri, 24 Jun 2022 18:03:48 +0000
Source: openssl
Source-Version: 3.0.4-2
Done: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1013441@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebastian@breakpoint.cc> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 24 Jun 2022 19:27:02 +0200
Source: openssl
Architecture: source
Version: 3.0.4-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>
Changed-By: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Closes: 1013441
Changes:
 openssl (3.0.4-2) unstable; urgency=medium
 .
   * Address a AVX2 related memory corruption (Closes: #1013441).




Set Bug forwarded-to-address to 'https://github.com/openssl/openssl/issues/18625'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 01 Jul 2022 20:33:03 GMT)


Changed Bug title to 'openssl crashes with "munmap_chunk(): invalid pointer" (CVE-2022-2274)' from 'openssl crashes with "munmap_chunk(): invalid pointer"'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 01 Jul 2022 20:33:03 GMT)
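
Added example, not part of the bug log and not Debian or OpenSSL code: a shell triage check for the condition this report tracks, flagging a host that has the libssl3 version marked "Found in" (3.0.4-1) installed on a CPU that takes the AVX-512 path mentioned in the thread. It assumes that path is selected when /proc/cpuinfo lists the `avx512ifma` flag; the function names, verdict words and sample flag lists are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a host for Debian bug #1013441 (CVE-2022-2274).
# Assumption: the crashing path (BN_mod_exp_mont_consttime_x2 in the
# backtrace) is only taken on CPUs advertising the avx512ifma flag.

AFFECTED_VERSION="3.0.4-1"   # "Found in version" from the report

# cpu_has_ifma FLAGS: succeed if the space-separated list has avx512ifma
# as a whole word (so a longer flag name cannot match by prefix).
cpu_has_ifma() {
    case " $1 " in
        *" avx512ifma "*) return 0 ;;
    esac
    return 1
}

# classify VERSION FLAGS: print one verdict word.
#   exposed - affected package on a CPU that takes the faulty path
#   upgrade - affected package installed, this CPU does not take the path
#   ok      - package is not the affected version
classify() {
    if [ "$1" != "$AFFECTED_VERSION" ]; then
        echo "ok"
    elif cpu_has_ifma "$2"; then
        echo "exposed"
    else
        echo "upgrade"
    fi
}

# host_verdict: classify the running system. With multiarch, dpkg-query
# prints one line per architecture, so only the first line is used.
host_verdict() {
    ver=$(dpkg-query -W -f='${Version}\n' libssl3 2>/dev/null | head -n 1)
    [ -n "$ver" ] || ver="not-installed"
    flags=$(sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' /proc/cpuinfo 2>/dev/null | head -n 1)
    classify "$ver" "$flags"
}

# Constructed, abridged flag lists; not taken from any real host.
SAMPLE_IFMA="fpu sse2 avx avx2 avx512f avx512dq avx512ifma avx512cd"
SAMPLE_AVX2="fpu sse2 avx avx2 bmi2 adx"

case "${1:-}" in
    --host) host_verdict ;;                               # check this machine
    *) classify "$AFFECTED_VERSION" "$SAMPLE_IFMA" ;;     # demo on sample data
esac
```

Run with `--host` on a Debian system to classify the installed libssl3; a verdict of `upgrade` still calls for moving to 3.0.4-2, since the same installation may later run on different hardware.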


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jul 2 13:15:25 2022; Machine Name: bembo