You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.
Not sure if this helps, each crash follows a slightly different path with-in 'modules/tls/tls_server.c' but always crashes in 'aes_ecb_cipher' at 'crypto/evp/e_aes.c:2699'.
Here's our most recent core dump.
(gdb) bt
#0 0x00007f264161d6de in aes_ecb_cipher (ctx=0x7f25f5ad4480, out=0x7f25f6afec90 "", in=0x7f25f5ad4398 "\251\333\023a>EBi\r\035\216Z\241Z}\200\\\345/-\340{", len=0) at crypto/evp/e_aes.c:2699 #1 0x00007f264162b755 in evp_EncryptDecryptUpdate (ctx=0x7f25f5ad4480, out=0x7f25f6afec90 "", outl=0x7ffc6679a3a4, in=0x7f25f5ad4398 "\251\333\023a>EBi\r\035\216Z\241Z}\200\\345/-\340{", inl=16) at crypto/evp/evp_enc.c:333
#2 0x00007f264162b9a0 in EVP_EncryptUpdate (ctx=0x7f25f5ad4480, out=0x7f25f6afec90 "", outl=0x7ffc6679a3a4, in=0x7f25f5ad4398 "\251\333\023a>EBi\r\035\216Z\241Z}\200\\\345/-\340{", inl=16) at crypto/evp/evp_enc.c:385 #3 0x00007f264162b38e in EVP_CipherUpdate (ctx=0x7f25f5ad4480, out=0x7f25f6afec90 "", outl=0x7ffc6679a3a4, in=0x7f25f5ad4398 "\251\333\023a>EBi\r\035\216Z\241Z}\200\\345/-\340{", inl=16) at crypto/evp/evp_enc.c:213
#4 0x00007f2641669a01 in drbg_ctr_generate (drbg=0x7f25f5ad42b0, out=0x7f25f6afec90 "", outlen=32, adin=0x0, adinlen=0) at crypto/rand/drbg_ctr.c:340
#5 0x00007f264166af15 in RAND_DRBG_generate (drbg=0x7f25f5ad42b0, out=0x7f25f6afec90 "", outlen=32, prediction_resistance=0, adin=0x0, adinlen=0) at crypto/rand/drbg_lib.c:638
#6 0x00007f264166b043 in RAND_DRBG_bytes (drbg=0x7f25f5ad42b0, out=0x7f25f6afec90 "", outlen=32) at crypto/rand/drbg_lib.c:679
#7 0x00007f264166b5bc in drbg_bytes (out=0x7f25f6afec90 "", count=32) at crypto/rand/drbg_lib.c:968
#8 0x00007f264166cb2f in RAND_bytes (buf=0x7f25f6afec90 "", num=32) at crypto/rand/rand_lib.c:836
#9 0x00007f26419f0d33 in def_generate_session_id (ssl=0x7f25f6a6c540, id=0x7f25f6afec90 "", id_len=0x7ffc6679a534) at ssl/ssl_sess.c:290
#10 0x00007f26419f0f22 in ssl_generate_session_id (s=0x7f25f6a6c540, ss=0x7f25f6afeb38) at ssl/ssl_sess.c:362
#11 0x00007f26419f113e in ssl_get_new_session (s=0x7f25f6a6c540, session=1) at ssl/ssl_sess.c:418
#12 0x00007f2641a188f0 in tls_early_post_process_client_hello (s=0x7f25f6a6c540) at ssl/statem/statem_srvr.c:1817
#13 0x00007f2641a19900 in tls_post_process_client_hello (s=0x7f25f6a6c540, wst=WORK_MORE_A) at ssl/statem/statem_srvr.c:2222
#14 0x00007f2641a173dc in ossl_statem_server_post_process_message (s=0x7f25f6a6c540, wst=WORK_MORE_A) at ssl/statem/statem_srvr.c:1220
#15 0x00007f2641a03a04 in read_state_machine (s=0x7f25f6a6c540) at ssl/statem/statem.c:664
#16 0x00007f2641a03364 in state_machine (s=0x7f25f6a6c540, server=1) at ssl/statem/statem.c:434
#17 0x00007f2641a02e89 in ossl_statem_accept (s=0x7f25f6a6c540) at ssl/statem/statem.c:255
#18 0x00007f26419e952c in SSL_do_handshake (s=0x7f25f6a6c540) at ssl/ssl_lib.c:3599
#19 0x00007f26419e55f5 in SSL_accept (s=0x7f25f6a6c540) at ssl/ssl_lib.c:1643
#20 0x00007f26360480f2 in tls_accept (c=0x7f25f6aa1010, error=0x7ffc667ba98c) at tls_server.c:422
#21 0x00007f26360515fe in tls_read_f (c=0x7f25f6aa1010, flags=0x7ffc667bacc8) at tls_server.c:1119
#22 0x000055a6ac69fc43 in tcp_read_headers (c=0x7f25f6aa1010, read_flags=0x7ffc667bacc8) at core/tcp_read.c:469
#23 0x000055a6ac6a77e9 in tcp_read_req (con=0x7f25f6aa1010, bytes_read=0x7ffc667baccc, read_flags=0x7ffc667bacc8) at core/tcp_read.c:1496
#24 0x000055a6ac6ac757 in handle_io (fm=0x7f264284c438, events=1, idx=-1) at core/tcp_read.c:1804
#25 0x000055a6ac69a2c0 in io_wait_loop_epoll (h=0x55a6acb783a0 <io_w>, t=2, repeat=0) at core/io_wait.h:1065
#26 0x000055a6ac6ae76a in tcp_receive_loop (unix_sock=86) at core/tcp_read.c:1974
#27 0x000055a6ac561f12 in tcp_init_children () at core/tcp_main.c:4853
#28 0x000055a6ac4994ac in main_loop () at main.c:1745
#29 0x000055a6ac4a046e in main (argc=13, argv=0x7ffc667bb338) at main.c:2696
Here's the disas of aes_ecb_cipher, it was doing a move from memory pointed to in the %rax register plus an offset of 0xf8, to the %rax register.
(gdb) disas aes_ecb_cipher
Dump of assembler code for function aes_ecb_cipher:
0x00007f264161d67d <+0>: push %rbp
0x00007f264161d67e <+1>: mov %rsp,%rbp
0x00007f264161d681 <+4>: sub $0x40,%rsp
0x00007f264161d685 <+8>: mov %rdi,-0x28(%rbp)
0x00007f264161d689 <+12>: mov %rsi,-0x30(%rbp)
0x00007f264161d68d <+16>: mov %rdx,-0x38(%rbp)
0x00007f264161d691 <+20>: mov %rcx,-0x40(%rbp)
0x00007f264161d695 <+24>: mov -0x28(%rbp),%rax
0x00007f264161d699 <+28>: mov %rax,%rdi
0x00007f264161d69c <+31>: callq 0x7f264162cf2a <EVP_CIPHER_CTX_block_size>
0x00007f264161d6a1 <+36>: cltq
0x00007f264161d6a3 <+38>: mov %rax,-0x10(%rbp)
0x00007f264161d6a7 <+42>: mov -0x28(%rbp),%rax
0x00007f264161d6ab <+46>: mov %rax,%rdi
0x00007f264161d6ae <+49>: callq 0x7f264162cfe5 <EVP_CIPHER_CTX_get_cipher_data>
0x00007f264161d6b3 <+54>: mov %rax,-0x18(%rbp)
0x00007f264161d6b7 <+58>: mov -0x40(%rbp),%rax
0x00007f264161d6bb <+62>: cmp -0x10(%rbp),%rax
0x00007f264161d6bf <+66>: jae 0x7f264161d6c8 <aes_ecb_cipher+75>
0x00007f264161d6c1 <+68>: mov $0x1,%eax
0x00007f264161d6c6 <+73>: jmp 0x7f264161d71b <aes_ecb_cipher+158>
0x00007f264161d6c8 <+75>: movq $0x0,-0x8(%rbp)
0x00007f264161d6d0 <+83>: mov -0x10(%rbp),%rax
0x00007f264161d6d4 <+87>: sub %rax,-0x40(%rbp)
0x00007f264161d6d8 <+91>: jmp 0x7f264161d70c <aes_ecb_cipher+143>
0x00007f264161d6da <+93>: mov -0x18(%rbp),%rax
=> 0x00007f264161d6de <+97>: mov 0xf8(%rax),%rax
0x00007f264161d6e5 <+104>: mov -0x18(%rbp),%rdx
0x00007f264161d6e9 <+108>: mov -0x30(%rbp),%rsi
0x00007f264161d6ed <+112>: mov -0x8(%rbp),%rcx
0x00007f264161d6f1 <+116>: add %rcx,%rsi
0x00007f264161d6f4 <+119>: mov -0x38(%rbp),%rdi
0x00007f264161d6f8 <+123>: mov -0x8(%rbp),%rcx
0x00007f264161d6fc <+127>: add %rdi,%rcx
0x00007f264161d6ff <+130>: mov %rcx,%rdi
0x00007f264161d702 <+133>: callq *%rax
0x00007f264161d704 <+135>: mov -0x10(%rbp),%rax
0x00007f264161d708 <+139>: add %rax,-0x8(%rbp)
0x00007f264161d70c <+143>: mov -0x8(%rbp),%rax
0x00007f264161d710 <+147>: cmp -0x40(%rbp),%rax
0x00007f264161d714 <+151>: jbe 0x7f264161d6da <aes_ecb_cipher+93>
0x00007f264161d716 <+153>: mov $0x1,%eax
0x00007f264161d71b <+158>: leaveq
0x00007f264161d71c <+159>: retq
End of assembler dump.
If we look at the register, the problem is %rax is 0.
(gdb) i r
rax 0x0 0
rbx 0x50 80
rcx 0x10 16
rdx 0x7f25f5ad4398 139801012290456
rsi 0x7f25f6afec90 139801029242000
rdi 0x7f25f5ad4480 139801012290688
rbp 0x7ffc6679a290 0x7ffc6679a290
rsp 0x7ffc6679a250 0x7ffc6679a250
r8 0x10 16
r9 0x0 0
r10 0x0 0
r11 0x202 514
r12 0x55a6ac8570b3 94174347358387
r13 0x40000000 1073741824
r14 0x10000000 268435456
r15 0x6 6
rip 0x7f264161d6de 0x7f264161d6de <aes_ecb_cipher+97>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.