2014-04-04 182 views
1

Here is the backtrace I got from GDB: why is OpenSSL crashing?

(gdb) bt 
#0 0x040010c2 in ??() from /lib/ld-linux.so.2 
#1 0x06822a0b in write() at ../sysdeps/unix/syscall-template.S:82 
#2 0x082e6891 in conn_write (b=0x9791b40, in=0xe9125a3 "\027\003\003", inl=175) at bss_conn.c:442 
#3 0x082e40cb in BIO_write (b=0x9791b40, in=0xe9125a3, inl=175) at bio_lib.c:247 
#4 0x08290991 in ssl3_write_pending (s=0xea22bd8, type=23, 
     buf=0xafdeb08 "Host: graph.facebook.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4\r\n", len=146) at s3_pkt.c:881 
#5 0x082908a4 in do_ssl3_write (s=0xea22bd8, type=23, 
     buf=0xafdeb08 "Host: graph.facebook.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4\r\n", len=146, create_empty_fragment=0) at s3_pkt.c:853 
#6 0x08290281 in ssl3_write_bytes (s=0xea22bd8, type=23, buf_=0xafdeb08, len=146) at s3_pkt.c:609 
#7 0x0828d0c3 in ssl3_write (s=0xea22bd8, buf=0xafdeb08, len=146) at s3_lib.c:4204 
#8 0x082a4eae in SSL_write (s=0xea22bd8, buf=0xafdeb08, num=146) at ssl_lib.c:1002 
#9 0x082b363b in ssl_write (b=0xaf5ba48, 
     out=0xafdeb08 "Host: graph.facebook.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4\r\n", outl=146) at bio_ssl.c:243 
#10 0x082e40cb in BIO_write (b=0xaf5ba48, in=0xafdeb08, inl=146) at bio_lib.c:247 
#11 0x0816c7db in SSL_Connection_send (connection=0xaf6ef10, 
     data=0xafdeb08 "Host: graph.facebook.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4\r\n", length=146) at Util/SSL_Connection.cpp:318 

This is the first suspicious Valgrind error:

==2803== Syscall param write(buf) points to uninitialised byte(s) 
==2803== at 0x6822A0B: ??? (syscall-template.S:82) 
==2803== by 0x82E40CA: BIO_write (bio_lib.c:247) 
==2803== by 0x829790E: ssl23_write_bytes (s23_pkt.c:77) 
==2803== by 0x8296D63: ssl23_client_hello (s23_clnt.c:594) 
==2803== by 0x829621C: ssl23_connect (s23_clnt.c:217) 
==2803== by 0x82A785C: SSL_do_handshake (ssl_lib.c:2564) 
==2803== by 0x82B3C22: ssl_ctrl (bio_ssl.c:423) 
==2803== by 0x82E4552: BIO_ctrl (bio_lib.c:370) 
==2803== by 0x816C2AA: SSL_Connection_connect(SSL_Connection_s*) (SSL_Connection.cpp:162) 
==2803== by 0x8147C17: Connection_connectToHost (Connection.cpp:48) 
==2803== by 0x815E8B7: Http_client_send_prepare(Http_Message_s*) (Http_client.cpp:330) 
==2803== by 0x815E9FD: Http_client_send (Http_client.cpp:357) 
==2803== Address 0xe9e6f33 is 11 bytes inside a block of size 21,848 alloc'd 
==2803== at 0x4028876: malloc (vg_replace_malloc.c:236) 
==2803== by 0x82C898B: default_malloc_ex (mem.c:79) 
==2803== by 0x82C8EAA: CRYPTO_malloc (mem.c:308) 
==2803== by 0x82E349B: BUF_MEM_grow (buffer.c:121) 
==2803== by 0x8296198: ssl23_connect (s23_clnt.c:195) 
==2803== by 0x82A785C: SSL_do_handshake (ssl_lib.c:2564) 
==2803== by 0x82B3C22: ssl_ctrl (bio_ssl.c:423) 
==2803== by 0x82E4552: BIO_ctrl (bio_lib.c:370) 
==2803== by 0x816C2AA: SSL_Connection_connect(SSL_Connection_s*) (SSL_Connection.cpp:162) 
==2803== by 0x8147C17: Connection_connectToHost (Connection.cpp:48) 
==2803== by 0x815E8B7: Http_client_send_prepare(Http_Message_s*) (Http_client.cpp:330) 
==2803== by 0x815E9FD: Http_client_send (Http_client.cpp:357) 

This is the most recent Valgrind error before the crash:

==2803== Syscall param write(buf) points to uninitialised byte(s) 
==2803== at 0x6822A0B: ??? (syscall-template.S:82) 
==2803== by 0x82E40CA: BIO_write (bio_lib.c:247) 
==2803== by 0x8290990: ssl3_write_pending (s3_pkt.c:881) 
==2803== by 0x82908A3: do_ssl3_write (s3_pkt.c:853) 
==2803== by 0x8290280: ssl3_write_bytes (s3_pkt.c:609) 
==2803== by 0x828D0C2: ssl3_write (s3_lib.c:4204) 
==2803== by 0x82A4EAD: SSL_write (ssl_lib.c:1002) 
==2803== by 0x82B363A: ssl_write (bio_ssl.c:243) 
==2803== by 0x82E40CA: BIO_write (bio_lib.c:247) 
==2803== by 0x816C7DA: SSL_Connection_send(SSL_Connection_s*, char*, unsigned int) (SSL_Connection.cpp:318) 
==2803== by 0x8147F66: Connection_send (Connection.cpp:167) 
==2803== by 0x815EA67: Http_client_send (Http_client.cpp:368) 
==2803== Address 0xe9125a8 is 8 bytes inside a block of size 17,584 alloc'd 
==2803== at 0x4028876: malloc (vg_replace_malloc.c:236) 
==2803== by 0x82C898B: default_malloc_ex (mem.c:79) 
==2803== by 0x82C8EAA: CRYPTO_malloc (mem.c:308) 
==2803== by 0x8293115: freelist_extract (s3_both.c:708) 
==2803== by 0x8293412: ssl3_setup_write_buffer (s3_both.c:811) 
==2803== by 0x829349B: ssl3_setup_buffers (s3_both.c:829) 
==2803== by 0x82961C3: ssl23_connect (s23_clnt.c:204) 
==2803== by 0x82A785C: SSL_do_handshake (ssl_lib.c:2564) 
==2803== by 0x82B3C22: ssl_ctrl (bio_ssl.c:423) 
==2803== by 0x82E4552: BIO_ctrl (bio_lib.c:370) 
==2803== by 0x816C2AA: SSL_Connection_connect(SSL_Connection_s*) (SSL_Connection.cpp:162) 
==2803== by 0x8147C17: Connection_connectToHost (Connection.cpp:48) 

With --track-origins=yes:

==3588== Syscall param write(buf) points to uninitialised byte(s) 
==3588== at 0x6822A0B: ??? (syscall-template.S:82) 
==3588== by 0x82E40CA: BIO_write (bio_lib.c:247) 
==3588== by 0x829790E: ssl23_write_bytes (s23_pkt.c:77) 
==3588== by 0x8296D63: ssl23_client_hello (s23_clnt.c:594) 
==3588== by 0x829621C: ssl23_connect (s23_clnt.c:217) 
==3588== by 0x82A785C: SSL_do_handshake (ssl_lib.c:2564) 
==3588== by 0x82B3C22: ssl_ctrl (bio_ssl.c:423) 
==3588== by 0x82E4552: BIO_ctrl (bio_lib.c:370) 
==3588== by 0x816C2AA: SSL_Connection_connect(SSL_Connection_s*) (SSL_Connection.cpp:162) 
==3588== by 0x8147C17: Connection_connectToHost (Connection.cpp:48) 
==3588== Address 0x106e8cd3 is 11 bytes inside a block of size 21,848 alloc'd 
==3588== at 0x4028876: malloc (vg_replace_malloc.c:236) 
==3588== by 0x82C898B: default_malloc_ex (mem.c:79) 
==3588== by 0x82C8EAA: CRYPTO_malloc (mem.c:308) 
==3588== by 0x82E349B: BUF_MEM_grow (buffer.c:121) 
==3588== by 0x8296198: ssl23_connect (s23_clnt.c:195) 
==3588== by 0x82A785C: SSL_do_handshake (ssl_lib.c:2564) 
==3588== by 0x82B3C22: ssl_ctrl (bio_ssl.c:423) 
==3588== by 0x82E4552: BIO_ctrl (bio_lib.c:370) 
==3588== by 0x816C2AA: SSL_Connection_connect(SSL_Connection_s*) (SSL_Connection.cpp:162) 
==3588== by 0x8147C17: Connection_connectToHost (Connection.cpp:48) 
==3588== Uninitialised value was created by a heap allocation 
==3588== at 0x4028876: malloc (vg_replace_malloc.c:236) 
==3588== by 0x82C898B: default_malloc_ex (mem.c:79) 
==3588== by 0x82C8EAA: CRYPTO_malloc (mem.c:308) 
==3588== by 0x83568E7: bnrand (bn_rand.c:134) 
==3588== by 0x8356B6E: BN_rand (bn_rand.c:213) 
==3588== by 0x8356DCD: bn_rand_range (bn_rand.c:281) 
==3588== by 0x8356EA9: BN_rand_range (bn_rand.c:299) 
==3588== by 0x82DE894: EC_KEY_generate_key (ec_key.c:271) 
==3588== by 0x8288A4D: ssl3_send_client_key_exchange (s3_clnt.c:2606) 
==3588== by 0x8283BA6: ssl3_connect (s3_clnt.c:416) 
==3588== by 0x82A4CF2: SSL_connect (ssl_lib.c:949) 
==3588== by 0x82975B7: ssl23_get_server_hello (s23_clnt.c:797) 
==3588== by 0x829624A: ssl23_connect (s23_clnt.c:226) 
==3588== by 0x82A785C: SSL_do_handshake (ssl_lib.c:2564) 
==3588== by 0x82B3C22: ssl_ctrl (bio_ssl.c:423) 
==3588== by 0x82E4552: BIO_ctrl (bio_lib.c:370) 
==3588== by 0x816C2AA: SSL_Connection_connect(SSL_Connection_s*) (SSL_Connection.cpp:162) 
==3588== by 0x8147C17: Connection_connectToHost (Connection.cpp:48) 

Why does this error occur? These errors all look like they come from the OpenSSL library.

+0

It would help to include the exact version of OpenSSL you are using. –

+0

@MattMcNabb openssl-1.0.1f on Ubuntu – chacham15

+0

Is the program multithreaded? If so, did you initialise the static locks? – jww

Answer

2

From the Valgrind error message, it looks like your program is trying to access an uninitialised or missing value in a system call (write).

It checks all parameters to system calls.

It checks all the direct parameters themselves, whether they are initialised.

Also, if a system call needs to read from a buffer provided by your program, Memcheck checks that the entire buffer is addressable and its contents are initialised.

Also, if the system call needs to write to a user-supplied buffer, Memcheck checks that the buffer is addressable.

After the system call, Memcheck updates its tracked information to precisely reflect any changes in memory state caused by the system call.

You may want to run Valgrind on your application with the --track-origins=yes option to get more detail on:

==2803== Syscall param write(buf) points to uninitialised byte(s) 
==2803== Address 0xe9125a8 is 8 bytes inside a block of size 17,584 alloc'd 
==2803== Address 0xe9e6f33 is 11 bytes inside a block of size 21,848 alloc'd 

The information above is from the Valgrind (Memcheck) manual, where you can find more detail on the use of uninitialised memory. You can also look at my earlier post on Valgrind and on how GDB and Valgrind can be used together to do live debugging at the point where your program reports its first error.

+0

@chacham15: It looks like there is a bug/issue in the OpenSSL library, and a similar bug has already been reported. https://bugs.kde.org/show_bug.cgi?id=303250 –

+0

I found and used the options they specified to get track-origins working. I added the '--track-origins' option (see the edit), but it looks like the memory is allocated and handled inside the OpenSSL code. – chacham15

+0

OpenSSL almost renders Valgrind useless. Some of it is unfortunate (e.g. using uninitialised memory for the PRNG, which I believe you can see in 'BN_rand' and friends in the dumps); other parts can be fixed with help from the development team (e.g. the leak in 'ssl_comp_methods'). – jww
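An added example for this thread (my code, not from the question, the answer, or OpenSSL). The --track-origins=yes output in the question already names the source of the taint: the undefined bytes were created by the OPENSSL_malloc inside bnrand, reached through EC_KEY_generate_key in a client key exchange, which must belong to an earlier handshake in the same process, since the connection being reported has not yet sent its ClientHello. In OpenSSL 1.0.x, ssleay_rand_bytes in md_rand.c hashes the caller's still-unwritten output buffer into the PRNG pool unless the library is built with -DPURIFY; Memcheck propagates that undefinedness into the pool and from there into every later PRNG output and everything computed from it. That is why the ClientHello is flagged 11 bytes into the buffer (5-byte record header, 4-byte handshake header, 2-byte version: the first byte of client_random), and why the encrypted application-data record is flagged too, its keys and IV being derived from the same PRNG output. None of this crashes a process; Memcheck only reports. The script below parses Memcheck's text output, classifies each write(buf) report by whether its origin stack runs through OpenSSL's PRNG, and emits a Valgrind suppression for those so that genuine uninitialised-memory bugs in the application stay visible. The sample input is constructed from the traces in the question; the third report, naming a hypothetical Http_client_build_request, is invented to exercise the other branch.

```python
"""Triage Memcheck "Syscall param write(buf) points to uninitialised byte(s)"
reports from a program linked against OpenSSL 1.0.x.  Added example for this
thread; not code from the question, the answer, or OpenSSL."""
import re

# OpenSSL PRNG path.  md_rand.c (ssleay_rand_bytes) hashes the caller's still
# unwritten output buffer into the pool unless built with -DPURIFY, so Memcheck
# marks all PRNG output, and anything derived from it, as undefined.
OPENSSL_PRNG_FUNCS = {"ssleay_rand_bytes", "ssleay_rand_pseudo_bytes", "RAND_bytes",
                      "RAND_pseudo_bytes", "bnrand", "BN_rand", "BN_pseudo_rand",
                      "bn_rand_range", "BN_rand_range", "BN_pseudo_rand_range"}

HEADER_RE = re.compile(r"^==\d+==\s+Syscall param (\S+) points to uninitialised byte\(s\)")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(.*) \((.*)\)\s*$")
ADDR_RE = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is ")
ORIGIN_RE = re.compile(r"^==\d+==\s+Uninitialised value was created by a (heap|stack) allocation")


def parse_reports(text):
    """Split Memcheck output into reports with error, allocation and origin stacks."""
    reports, cur, section = [], None, None
    for line in text.splitlines():
        if HEADER_RE.match(line):
            cur = dict(param=HEADER_RE.match(line).group(1), stack=[], alloc=[], origin=[], origin_kind=None)
            reports.append(cur)
            section = "stack"
        elif cur is None:
            continue
        elif ADDR_RE.match(line):
            section = "alloc"
        elif ORIGIN_RE.match(line):
            cur["origin_kind"], section = ORIGIN_RE.match(line).group(1), "origin"
        elif FRAME_RE.match(line):
            fn, loc = FRAME_RE.match(line).groups()
            cur[section].append((fn.split("(")[0].strip(), loc))  # drop a C++ signature
        else:
            cur = None  # a "==pid== " separator or any prose ends the report
    return reports


def classify(report):
    if report["origin_kind"] is None:
        return "unknown"       # rerun with --track-origins=yes before deciding
    if {fn for fn, _ in report["origin"]} & OPENSSL_PRNG_FUNCS:
        return "openssl-prng"  # deliberate OpenSSL behaviour: suppress it
    return "investigate"       # the application itself sent undefined bytes


def suppression(report, name, depth=3):
    """Suppression for this report's error stack.  Only the first `depth` named
    frames (OpenSSL's C functions) are used, because fun: patterns match mangled
    names and the app's C++ frames must stay out.  "???" becomes obj:*."""
    lines = ["{", "   " + name, "   Memcheck:Param", "   " + report["param"]]
    named = 0
    for fn, _ in report["stack"]:
        lines.append("   obj:*" if fn == "???" else "   fun:" + fn)
        named += fn != "???"
        if named == depth:
            break
    return "\n".join(lines + ["}"])


def triage(text):
    """Return [(classification, suppression or None)] for every report in text."""
    out = []
    for i, rep in enumerate(parse_reports(text)):
        kind = classify(rep)
        out.append((kind, suppression(rep, "openssl-prng-%d" % i) if kind == "openssl-prng" else None))
    return out


# Constructed input: reports 1 and 2 are abridged from the question's traces; report 3
# is hypothetical (Http_client_build_request is an invented name) for the other branch.
SAMPLE = """\
==3588== Syscall param write(buf) points to uninitialised byte(s)
==3588==    at 0x6822A0B: ??? (syscall-template.S:82)
==3588==    by 0x82E40CA: BIO_write (bio_lib.c:247)
==3588==    by 0x829790E: ssl23_write_bytes (s23_pkt.c:77)
==3588==    by 0x8296D63: ssl23_client_hello (s23_clnt.c:594)
==3588==    by 0x816C2AA: SSL_Connection_connect(SSL_Connection_s*) (SSL_Connection.cpp:162)
==3588==  Address 0x106e8cd3 is 11 bytes inside a block of size 21,848 alloc'd
==3588==    at 0x4028876: malloc (vg_replace_malloc.c:236)
==3588==  Uninitialised value was created by a heap allocation
==3588==    at 0x4028876: malloc (vg_replace_malloc.c:236)
==3588==    by 0x83568E7: bnrand (bn_rand.c:134)
==3588==    by 0x82DE894: EC_KEY_generate_key (ec_key.c:271)
==3588==
==2803== Syscall param write(buf) points to uninitialised byte(s)
==2803==    at 0x6822A0B: ??? (syscall-template.S:82)
==2803==    by 0x82E40CA: BIO_write (bio_lib.c:247)
==2803==    by 0x8290990: ssl3_write_pending (s3_pkt.c:881)
==2803==  Address 0xe9125a8 is 8 bytes inside a block of size 17,584 alloc'd
==2803==    at 0x4028876: malloc (vg_replace_malloc.c:236)
==3588== Syscall param write(buf) points to uninitialised byte(s)
==3588==    at 0x6822A0B: ??? (syscall-template.S:82)
==3588==    by 0x8147F66: Connection_send (Connection.cpp:167)
==3588==  Uninitialised value was created by a heap allocation
==3588==    at 0x4028876: malloc (vg_replace_malloc.c:236)
==3588==    by 0x8150000: Http_client_build_request (Http_client.cpp:200)
"""

if __name__ == "__main__":
    for kind, sup in triage(SAMPLE):
        print(kind, "\n" + sup if sup else "")
```

For the Valgrind run itself, building OpenSSL with -DPURIFY in its compiler flags removes the taint at the source and is cleaner than suppressions, which hide only the call stacks they name; the depth argument controls how specific each generated entry is. Separately, the gdb backtrace in the question stops inside the write() syscall and the page does not show which signal terminated the process, so `(gdb) p $_siginfo.si_signo` is the first check to make before connecting the crash to these Memcheck reports.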