summaryrefslogtreecommitdiffstats
path: root/src/ifuse.c
diff options
context:
space:
mode:
authorGravatar Christophe Fergeau2017-04-25 14:09:48 +0200
committerGravatar Christophe Fergeau2017-04-26 11:36:46 +0200
commit02a0e03e24bc96bba2e5ea2438c30baf803fd137 (patch)
tree1b76dac214bbe076d36b0ee40c72cf43b307152b /src/ifuse.c
parent1d844aae7820d10abf9a19b7acfb88341ac6e961 (diff)
downloadlibimobiledevice-02a0e03e24bc96bba2e5ea2438c30baf803fd137.tar.gz
libimobiledevice-02a0e03e24bc96bba2e5ea2438c30baf803fd137.tar.bz2
Avoid double free with OpenSSL 1.1.0
Since commit OpenSSL_1_1_0-pre3~178 https://github.com/openssl/openssl/commit/b184e3ef73200cb3b7914a603b43a5b8a074c85f OpenSSL automatically cleans up some of its internal data when the program exits. This conflicts with some similar clean up libimobiledevice attempts to do, which causes a double-free. SSL_COMP_free_compression_methods() was available in OpenSSL 1.0.2, and is still there in 1.1.0 as a no-op, so we can use that to free the compression methods. This bug can be hit with a simple idevicebackup2 --help ==14299== Invalid read of size 4 ==14299== at 0x547AEBC: OPENSSL_sk_pop_free (stack.c:263) ==14299== by 0x508B848: ssl_library_stop (ssl_init.c:182) ==14299== by 0x5424D11: OPENSSL_cleanup (init.c:402) ==14299== by 0x5DC3134: __cxa_finalize (cxa_finalize.c:56) ==14299== by 0x53332B2: ??? (in /usr/lib64/libcrypto.so.1.1.0e) ==14299== by 0x4011232: _dl_fini (dl-fini.c:235) ==14299== by 0x5DC2DC7: __run_exit_handlers (exit.c:83) ==14299== by 0x5DC2E19: exit (exit.c:105) ==14299== by 0x5DA8604: (below main) (libc-start.c:329) ==14299== Address 0x6585590 is 0 bytes inside a block of size 40 free'd ==14299== at 0x4C2FCC8: free (vg_replace_malloc.c:530) ==14299== by 0x4E43381: sk_SSL_COMP_free (ssl.h:830) ==14299== by 0x4E434E7: internal_idevice_deinit (idevice.c:103) ==14299== by 0x5B79643: __pthread_once_slow (pthread_once.c:116) ==14299== by 0x4E5663A: thread_once (thread.c:104) ==14299== by 0x4E43525: libimobiledevice_deinitialize (idevice.c:140) ==14299== by 0x4011232: _dl_fini (dl-fini.c:235) ==14299== by 0x5DC2DC7: __run_exit_handlers (exit.c:83) ==14299== by 0x5DC2E19: exit (exit.c:105) ==14299== by 0x5DA8604: (below main) (libc-start.c:329) ==14299== Block was alloc'd at ==14299== at 0x4C2EB1B: malloc (vg_replace_malloc.c:299) ==14299== by 0x5428908: CRYPTO_zalloc (mem.c:100) ==14299== by 0x547A9AE: OPENSSL_sk_new (stack.c:108) ==14299== by 0x5087D43: sk_SSL_COMP_new (ssl.h:830) ==14299== by 0x5087D43: do_load_builtin_compressions (ssl_ciph.c:482) ==14299== by 0x5087D43: do_load_builtin_compressions_ossl_ (ssl_ciph.c:476) ==14299== by 0x5B79643: __pthread_once_slow (pthread_once.c:116) ==14299== by 0x547B198: CRYPTO_THREAD_run_once (threads_pthread.c:106) ==14299== by 0x5089F96: load_builtin_compressions (ssl_ciph.c:500) ==14299== by 0x5089F96: SSL_COMP_get_compression_methods (ssl_ciph.c:1845) ==14299== by 0x508B68B: ossl_init_ssl_base (ssl_init.c:125) ==14299== by 0x508B68B: ossl_init_ssl_base_ossl_ (ssl_init.c:25) ==14299== by 0x5B79643: __pthread_once_slow (pthread_once.c:116) ==14299== by 0x547B198: CRYPTO_THREAD_run_once (threads_pthread.c:106) ==14299== by 0x508B90A: OPENSSL_init_ssl (ssl_init.c:227) ==14299== by 0x4E43416: internal_idevice_init (idevice.c:73) = Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
Diffstat (limited to 'src/ifuse.c')
0 files changed, 0 insertions, 0 deletions