
lftp segfault on exit #716

Open
@tabraham

Description


I'm analyzing a problem with lftp on s390x.

The problem occurs with an https or an ftp server with 'set ftp:ssl-force true'. With ftp, at least one ftp command needs to be run.

To reproduce it, I've been using

lftp -e "set ftp:ssl-force true; set ssl:verify-certificate false; ls; quit" -u

The segfault occurs during exit when __run_exit_handlers calls Ref<lftp_ssl_openssl_instance>::~Ref, which calls SSL_CTX_free and segfaults on a null openssl global_engine_lock:

#bt
#0 __pthread_rwlock_wrlock_full (abstime=0x0, clockid=0, rwlock=0x0) at pthread_rwlock_common.c:604
#1 __GI___pthread_rwlock_wrlock (rwlock=0x0) at pthread_rwlock_wrlock.c:27
#2 0x000003ff892a6f8a in CRYPTO_THREAD_write_lock (lock=) at crypto/threads_pthread.c:78
#3 0x000003ff89223cb6 in ENGINE_finish (e=0x2aa2ff73670) at crypto/engine/eng_init.c:101
#4 0x000003ff892864c6 in RSA_free (r=0x2aa2ffc3ed0) at crypto/rsa/rsa_lib.c:137
#5 0x000003ff892408de in EVP_PKEY_free_it (x=x@entry=0x2aa2ffc57f0) at crypto/evp/p_lib.c:618
#6 0x000003ff8924178a in EVP_PKEY_free (x=0x2aa2ffc57f0) at crypto/evp/p_lib.c:608
#7 0x000003ff892c375e in pubkey_cb (operation=, pval=, it=, exarg=) at crypto/x509/x_pubkey.c:34
#8 0x000003ff891a93d4 in asn1_item_embed_free (pval=0x2aa2ffc4e10, it=0x3ff89397720 <X509_PUBKEY_it>, embed=) at crypto/asn1/tasn_fre.c:113
#9 0x000003ff891a963e in asn1_template_free (pval=0x2aa2ffc4e10, tt=tt@entry=0x3ff893a0e20) at crypto/asn1/tasn_fre.c:142
#10 0x000003ff891a93a8 in asn1_item_embed_free (pval=0x3ffde2fe990, it=0x3ff89397878 <X509_CINF_it>, embed=) at crypto/asn1/tasn_fre.c:110
#11 0x000003ff891a963e in asn1_template_free (pval=0x3ffde2fe990, tt=tt@entry=0x3ff893a0cb8 <X509_seq_tt>) at crypto/asn1/tasn_fre.c:142
#12 0x000003ff891a93a8 in asn1_item_embed_free (pval=0x3ffde2feae8, it=0x3ff89397818 <X509_it>, embed=) at crypto/asn1/tasn_fre.c:110
#13 0x000003ff891a9538 in ASN1_item_free (val=, it=) at crypto/asn1/tasn_fre.c:20
#14 0x000003ff892b64ae in X509_OBJECT_free (a=0x2aa2ffc4a00) at crypto/x509/x509_lu.c:470
#15 0x000003ff892a3024 in OPENSSL_sk_pop_free (st=0x2aa2ffb8240, func=0x3ff892b6498 <X509_OBJECT_free>) at crypto/stack/stack.c:368
#16 0x000003ff892b6aa4 in sk_X509_OBJECT_pop_free (freefunc=, sk=) at include/openssl/x509_vfy.h:58
#17 X509_STORE_free (vfy=0x2aa2ffb7e30) at crypto/x509/x509_lu.c:225
#18 0x000003ff8803e426 in SSL_CTX_free (a=0x2aa2ff9efb0) at ssl/ssl_lib.c:3254
#19 0x000003ff881995cc in lftp_ssl_openssl_instance::~lftp_ssl_openssl_instance (this=0x2aa2ff7d4b0, __in_chrg=) at lftp_ssl.cc:922
#20 0x000003ff8819aa80 in Ref<lftp_ssl_openssl_instance>::~Ref (this=, __in_chrg=) at Ref.h:34
#21 0x000003ff894cbcd2 in __run_exit_handlers (status=, listp=0x3ff896288c0 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:108
#22 0x000003ff894cbde8 in __GI_exit (status=) at exit.c:139
#23 0x000003ff894ab250 in __libc_start_main (main=0x2aa2df896f0 <main(int, char**)>, argc=, argv=0x3ffde2ff228, init=, fini=, rtld_fini=0x3ff89b91430 <_dl_fini>, stack_end=0x3ffde2ff170) at libc-start.c:342
#24 0x000002aa2df8a164 in _start () at ../sysdeps/s390/s390-64/start.S:90

The openssl global_engine_lock is null because the openssl exit cleanup handler, OPENSSL_cleanup, has already run.

So, this appears to be an issue with the order in which the OPENSSL_cleanup exit handler runs in relation to Ref<lftp_ssl_openssl_instance>::~Ref.

A possible solution may be to clean up those instances before exit, so they're already cleaned up by the time the openssl exit handler runs.
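The ordering problem described in this report, as an added illustration that is not lftp or OpenSSL code: glibc's __run_exit_handlers runs atexit() callbacks and C++ static destructors from one list in reverse order of registration. A static Ref<> object constructed at program start is queued before the library's first initialisation queues OPENSSL_cleanup, so at exit the library tears down its global lock first and the Ref destructor then calls SSL_CTX_free into a dead library. The model below replaces the real lock, context and exit list with constructed stand-ins (FakeLock, FakeCtx, ExitHandlers, simulate) so the outcome can be observed as a return value instead of a crash, and shows the fix the report proposes: release the instance explicitly before exit.

```cpp
// Constructed model of exit-handler ordering; names FakeLock, FakeCtx,
// ExitHandlers, Instance and simulate are assumptions for this example.
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <vector>

// --- library side (stands in for OpenSSL) ---------------------------------
struct FakeLock { int depth = 0; };
static FakeLock* global_engine_lock = nullptr;  // mirrors OpenSSL's global_engine_lock

struct FakeCtx { int id; };

// Stand-in for SSL_CTX_free -> ... -> ENGINE_finish taking the global lock.
// Returns false instead of dereferencing a null lock (the real code segfaults).
static bool fake_ctx_free(FakeCtx* ctx) {
    delete ctx;
    if (global_engine_lock == nullptr) return false;  // lock already torn down
    global_engine_lock->depth++;
    global_engine_lock->depth--;
    return true;
}

// Stand-in for OPENSSL_cleanup, registered with atexit() on first library init.
static void fake_openssl_cleanup() {
    delete global_engine_lock;
    global_engine_lock = nullptr;
}

// --- process exit machinery ----------------------------------------------
// One list holds both atexit() handlers and static destructors; it runs LIFO,
// as __run_exit_handlers does.
struct ExitHandlers {
    std::vector<std::function<void()>> list;
    void registerHandler(std::function<void()> f) { list.push_back(std::move(f)); }
    void runAll() {
        for (auto it = list.rbegin(); it != list.rend(); ++it) (*it)();
        list.clear();
    }
};

// Stand-in for lftp_ssl_openssl_instance: owns a ctx and frees it on destruction.
struct Instance {
    FakeCtx* ctx = new FakeCtx{1};
    bool* free_ok;
    explicit Instance(bool* ok) : free_ok(ok) {}
    ~Instance() { *free_ok = fake_ctx_free(ctx); }
};

// Runs one scenario and reports what happened during "exit".
// release_before_exit == true models the proposed fix: drop the instance
// explicitly before the exit handlers run.
static std::string simulate(bool release_before_exit) {
    ExitHandlers exit_handlers;
    bool free_ok = true;

    // 1. The static Ref<lftp_ssl_openssl_instance> is constructed at program
    //    start, so its destructor is queued first and therefore runs LAST.
    std::unique_ptr<Instance> ref;  // empty until TLS is first used
    exit_handlers.registerHandler([&ref] { ref.reset(); });

    // 2. The first TLS use initialises the library: the lock is created and
    //    OPENSSL_cleanup is queued, so it runs BEFORE the static destructor.
    global_engine_lock = new FakeLock;
    exit_handlers.registerHandler(fake_openssl_cleanup);
    ref.reset(new Instance(&free_ok));

    // 3. "quit": optionally release early, then exit() runs the list LIFO.
    if (release_before_exit) ref.reset();
    exit_handlers.runAll();

    return free_ok ? "ok" : "crash: SSL_CTX_free after OPENSSL_cleanup";
}

int main() {
    std::printf("destroy in exit handlers: %s\n", simulate(false).c_str());
    std::printf("release before exit:      %s\n", simulate(true).c_str());
    return 0;
}
```

Without the early release, the model reports the SSL_CTX_free call landing after the library cleanup, which is the frame #18/#19 ordering in the backtrace above; releasing the instance on quit, before exit() runs the handler list, makes the static destructor a no-op and the library is still alive when the context is freed.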
