From: Fred S. <fr...@co...> - 2008-05-28 18:48:49

Guys:

I'm working on an app that uses openSSL (and libcrypto), and I find when running it under valgrind (memcheck) I'm getting huge numbers of reports of use of un-initialized memory. They all appear to be stuff I've not allocated, so I don't think it's anything I'm doing wrong.

Just wondering if anyone else here has seen this and can say if it's OK or not. Here's one example (of many):

==29892== Conditional jump or move depends on uninitialised value(s) (otag 9339)
==29892==    at 0x14B42B: BN_mod_inverse (in /lib/libcrypto.so.0.9.7a)
==29892==    by 0x152A1F: RSA_blinding_on (in /lib/libcrypto.so.0.9.7a)
==29892==    by 0x150494: (within /lib/libcrypto.so.0.9.7a)
==29892==    by 0x150CE9: (within /lib/libcrypto.so.0.9.7a)
==29892==    by 0x1528BD: RSA_private_decrypt (in /lib/libcrypto.so.0.9.7a)
==29892==    by 0x58D2BD: (within /lib/libssl.so.0.9.7a)
==29892==    by 0x58EF10: ssl3_accept (in /lib/libssl.so.0.9.7a)
==29892==    by 0x59E0C2: SSL_accept (in /lib/libssl.so.0.9.7a)
==29892==    by 0x598894: ssl23_get_client_hello (in /lib/libssl.so.0.9.7a)
==29892==    by 0x599318: ssl23_accept (in /lib/libssl.so.0.9.7a)
==29892==    by 0x59E0DA: SSL_accept (in /lib/libssl.so.0.9.7a)
==29892==    by 0x4FBE8DA: swill_ssl_accept (ssl.c:182)
==29892==    by 0x4FBE27E: swill_accept_connection (sock.c:169)
==29892==    by 0x4FBD7CC: swill_serve (web.c:764)
==29892==    by 0x8054842: HS_thr_ui (HS_ui.c:2188)
==29892==    by 0xA463CB: start_thread (in /lib/tls/libpthread-2.3.4.so)
==29892==    by 0x8BE1AD: clone (in /lib/tls/libc-2.3.4.so)
==29892==  Uninitialised value originates from a heap block allocated
==29892==    at 0x4004825: malloc (vg_replace_malloc.c:207)
==29892==    by 0x12C4BD: (within /lib/libcrypto.so.0.9.7a)
==29892==    by 0x12CA6E: CRYPTO_malloc (in /lib/libcrypto.so.0.9.7a)
==29892==    by 0x14943B: (within /lib/libcrypto.so.0.9.7a)
==29892==    by 0x14972C: (within /lib/libcrypto.so.0.9.7a)
==29892==    by 0x1529B8: RSA_blinding_on (in /lib/libcrypto.so.0.9.7a)
==29892==    by 0x150494: (within /lib/libcrypto.so.0.9.7a)
==29892==    by 0x150CE9: (within /lib/libcrypto.so.0.9.7a)
==29892==    by 0x1528BD: RSA_private_decrypt (in /lib/libcrypto.so.0.9.7a)
==29892==    by 0x58D2BD: (within /lib/libssl.so.0.9.7a)
==29892==    by 0x58EF10: ssl3_accept (in /lib/libssl.so.0.9.7a)
==29892==    by 0x59E0C2: SSL_accept (in /lib/libssl.so.0.9.7a)
==29892==    by 0x598894: ssl23_get_client_hello (in /lib/libssl.so.0.9.7a)
==29892==    by 0x599318: ssl23_accept (in /lib/libssl.so.0.9.7a)
==29892==    by 0x59E0DA: SSL_accept (in /lib/libssl.so.0.9.7a)
==29892==    by 0x4FBE8DA: swill_ssl_accept (ssl.c:182)
==29892==    by 0x4FBE27E: swill_accept_connection (sock.c:169)
==29892==    by 0x4FBD7CC: swill_serve (web.c:764)
==29892==    by 0x8054842: HS_thr_ui (HS_ui.c:2188)
==29892==    by 0xA463CB: start_thread (in /lib/tls/libpthread-2.3.4.so)
==29892==    by 0x8BE1AD: clone (in /lib/tls/libc-2.3.4.so)

Fred Smith
Senior Applications Programmer/Analyst
Computrition, Inc.
fr...@co...
781-275-4488x148

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error please notify the system manager. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email

From: Dan K. <da...@ke...> - 2008-05-28 19:53:09

On Wed, May 28, 2008 at 11:48 AM, Fred Smith <fr...@co...> wrote:
> I'm working on an app that uses openSSL (and libcrypto), and I find when
> running it under valgrind (memcheck) I'm getting huge numbers of reports of
> use of un-initialized memory. They all appear to be stuff I've not
> allocated, so I don't think it's anything I'm doing wrong.
>
> Just wondering if anyone else here has seen this and can say if it's OK or
> not. Here's one example (of many):
>
> ==29892== Conditional jump or move depends on uninitialised value(s) (otag 9339)
> ==29892==    at 0x14B42B: BN_mod_inverse (in /lib/libcrypto.so.0.9.7a)

See http://www.openssl.org/support/faq.html#PROG14 for a tip.
See http://marc.info/?l=openssl-dev&m=120077437529837&w=2
for some discussion of this particular error.
See also the recent kerfuffle, http://wiki.debian.org/SSLkeys for a cautionary tale.
- Dan

From: Fred S. <fr...@co...> - 2008-05-28 19:59:19

Dan:

Thanks for the links! I was, in fact, THINKING of the Debian issue, wondering if these un-initialized things may be stuff that's intentionally left that way as a source of entropy. I don't mind that, I'm just trying to make sure there's nothing I'm doing that's causing it.

Fred Smith
Senior Applications Programmer/Analyst
Computrition, Inc.
fr...@co...
781-275-4488x148

> -----Original Message-----
> From: dan...@gm... [mailto:dan...@gm...] On Behalf Of Dan Kegel
> Sent: Wednesday, May 28, 2008 3:53 PM
> To: Fred Smith
> Cc: val...@li...
> Subject: Re: [Valgrind-users] libcrypto/openssl uninitialized memory
>
> On Wed, May 28, 2008 at 11:48 AM, Fred Smith <fr...@co...> wrote:
> > I'm working on an app that uses openSSL (and libcrypto), and I find when
> > running it under valgrind (memcheck) I'm getting huge numbers of reports of
> > use of un-initialized memory. They all appear to be stuff I've not
> > allocated, so I don't think it's anything I'm doing wrong.
> >
> > Just wondering if anyone else here has seen this and can say if it's OK or
> > not. Here's one example (of many):
> >
> > ==29892== Conditional jump or move depends on uninitialised value(s) (otag 9339)
> > ==29892==    at 0x14B42B: BN_mod_inverse (in /lib/libcrypto.so.0.9.7a)
>
> See http://www.openssl.org/support/faq.html#PROG14 for a tip.
> See http://marc.info/?l=openssl-dev&m=120077437529837&w=2
> for some discussion of this particular error.
> See also the recent kerfuffle, http://wiki.debian.org/SSLkeys for a
> cautionary tale.
> - Dan

From: Christoph B. <bar...@or...> - 2008-05-28 23:16:59

You should also consider:

http://www.mail-archive.com/openssl-users%40openssl.org/msg52081.html

From: Fred S. <fr...@co...> - 2008-05-29 12:53:39

Christoph:

Thanks for the additional info!

I'd like to not recompile those toolkits if I can avoid it. I'd rather have it work with the distribution's own binaries, as the program I'm working on will eventually be distributed to customers' machines--I don't want to become a maintainer of a SSL and/or crypto package, not only because I'm lazy, but because I really don't understand how they do what they do.

While I don't like hundreds (and hundreds) of diagnostics for libcrypto, et al, I'm pretty sure that they are not due to anything wrong in my program, so I can, if it becomes an issue, add suppressions for those diagnostics.

Thanks again!

Fred Smith
Senior Applications Programmer/Analyst
Computrition, Inc.
fr...@co...
781-275-4488x148

> -----Original Message-----
> From: val...@li... [mailto:valgrind-users-bo...@li...] On Behalf Of Christoph Bartoschek
> Sent: Wednesday, May 28, 2008 7:17 PM
> To: val...@li...
> Subject: Re: [Valgrind-users] libcrypto/openssl uninitialized memory
>
> You should also consider:
>
> http://www.mail-archive.com/openssl-users%40openssl.org/msg52081.html
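
Before suppressing the libcrypto reports discussed in this thread, the "not memory I allocated" assumption can be checked from memcheck's origin stacks; the following is an added example, not code from any poster or from Valgrind or OpenSSL. The names `parse_reports`, `origin_owner` and `triage`, the `ALLOCATORS` set and the second sample report are assumptions made for illustration.

```python
import re

CRYPTO_LIBS = ("libcrypto", "libssl")
ALLOCATORS = {"malloc", "calloc", "realloc", "CRYPTO_malloc"}  # assumed wrappers
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (?:(\S+) )?\((?:in |within )?([^)]*)\)\s*$")

# Constructed sample: report 1 is abridged from the trace in this thread,
# report 2 is hypothetical (a buffer the application allocated itself).
SAMPLE = """\
==29892== Conditional jump or move depends on uninitialised value(s) (otag 9339)
==29892==    at 0x14B42B: BN_mod_inverse (in /lib/libcrypto.so.0.9.7a)
==29892==    by 0x152A1F: RSA_blinding_on (in /lib/libcrypto.so.0.9.7a)
==29892==  Uninitialised value originates from a heap block allocated
==29892==    at 0x4004825: malloc (vg_replace_malloc.c:207)
==29892==    by 0x12CA6E: CRYPTO_malloc (in /lib/libcrypto.so.0.9.7a)
==29892==    by 0x1529B8: RSA_blinding_on (in /lib/libcrypto.so.0.9.7a)
==29892== Conditional jump or move depends on uninitialised value(s)
==29892==    at 0x1528BD: RSA_private_decrypt (in /lib/libcrypto.so.0.9.7a)
==29892==    by 0x8054842: HS_thr_ui (HS_ui.c:2188)
==29892==  Uninitialised value originates from a heap block allocated
==29892==    at 0x4004825: malloc (vg_replace_malloc.c:207)
==29892==    by 0x8054800: HS_thr_ui (HS_ui.c:2170)
"""

def parse_reports(log):
    reports, stack = [], []  # frames seen before any report header are discarded
    for line in log.splitlines():
        text = re.sub(r"^==\d+==\s*", "", line)  # drop the ==pid== prefix
        m = FRAME.match(text)
        if m:
            stack.append((m.group(1), m.group(2)))  # (function or None, location)
        elif text.startswith("Uninitialised value") and reports:
            stack = reports[-1]["origin"]  # following frames are the allocation site
        elif text:
            reports.append({"kind": text, "error": [], "origin": []})
            stack = reports[-1]["error"]
    return reports

def origin_owner(report):
    for func, loc in report["origin"]:
        if func in ALLOCATORS or loc.startswith("vg_replace_malloc"):
            continue  # skip allocator frames to reach the real caller
        return "library" if any(n in loc for n in CRYPTO_LIBS) else "application"
    return "unknown"  # no origin stack recorded for this report

def triage(log):
    return [(r["error"][0][0] if r["error"] else None, origin_owner(r))
            for r in parse_reports(log)]
```

Reports labelled `library` are the candidates for a suppression; one labelled `application` means the program's own uninitialised buffer reached libcrypto and should be fixed rather than suppressed.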