#4033 Valgrind reports false positive issues in OpenSSL for several tests on Debian
Closed: Fixed a year ago by pbrezina. Opened 2 years ago by jhrozek.

I'm sorry I didn't run the recent crypto patches through the internal CI, I trusted the github CI, but forgot it doesn't include all operating systems:

On Debian we see failures like this:

==34326== 
==34326== 71 errors in context 34 of 35:
==34326== Use of uninitialised value of size 8
==34326==    at 0x52BA8E9: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==34326==    by 0x52A859E: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==34326==    by 0x51FB9E9: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==34326==    by 0x51FAA42: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==34326==    by 0x51FAEE2: BIO_write (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==34326==    by 0x4BD7538: sss_base64_encode (crypto_base64.c:45)
==34326==    by 0x4BD8964: sss_password_encrypt (crypto_obfuscate.c:182)
==34326==    by 0x10C2E6: test_sss_password_encrypt_decrypt (crypto-tests.c:74)
==34326==    by 0x10E7EA: tcase_run_tfun_nofork.isra.9 (in /var/lib/jenkins/workspace/ci/label/debian_testing/ci-build-debug/.libs/crypto-tests)
==34326==    by 0x10EBAB: srunner_run (in /var/lib/jenkins/workspace/ci/label/debian_testing/ci-build-debug/.libs/crypto-tests)
==34326==    by 0x10B754: main (crypto-tests.c:291)
==34326== 
{
   <insert_a_suppression_name_here>
   Memcheck:Value8
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:BIO_write
   fun:sss_base64_encode
   fun:sss_password_encrypt
   fun:test_sss_password_encrypt_decrypt
   fun:tcase_run_tfun_nofork.isra.9
   fun:srunner_run
   fun:main
}
==34326== 
==34326== 71 errors in context 35 of 35:
==34326== Use of uninitialised value of size 8
==34326==    at 0x52BA8D3: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==34326==    by 0x52A859E: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==34326==    by 0x51FB9E9: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==34326==    by 0x51FAA42: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==34326==    by 0x51FAEE2: BIO_write (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==34326==    by 0x4BD7538: sss_base64_encode (crypto_base64.c:45)
==34326==    by 0x4BD8964: sss_password_encrypt (crypto_obfuscate.c:182)
==34326==    by 0x10C2E6: test_sss_password_encrypt_decrypt (crypto-tests.c:74)
==34326==    by 0x10E7EA: tcase_run_tfun_nofork.isra.9 (in /var/lib/jenkins/workspace/ci/label/debian_testing/ci-build-debug/.libs/crypto-tests)
==34326==    by 0x10EBAB: srunner_run (in /var/lib/jenkins/workspace/ci/label/debian_testing/ci-build-debug/.libs/crypto-tests)
==34326==    by 0x10B754: main (crypto-tests.c:291)
==34326== 
{
   <insert_a_suppression_name_here>
   Memcheck:Value8
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:BIO_write
   fun:sss_base64_encode
   fun:sss_password_encrypt
   fun:test_sss_password_encrypt_decrypt
   fun:tcase_run_tfun_nofork.isra.9
   fun:srunner_run
   fun:main
}

I haven't looked into whether the suppression needs to be amended or whether there is a genuine leak.


Also pam_srv_test fails with:

==32504== 
==32504== 19 errors in context 87 of 87:
==32504== Conditional jump or move depends on uninitialised value(s)
==32504==    at 0x4F93D7B: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==32504==    by 0x4F943AC: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==32504==    by 0x4F951FA: RAND_DRBG_generate (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==32504==    by 0x4F95480: RAND_DRBG_bytes (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==32504==    by 0x4902554: s3crypt_gen_salt (crypto_sha512crypt.c:377)
==32504==    by 0x4893DA0: sysdb_cache_password_ex (sysdb_ops.c:3219)
==32504==    by 0x1266E1: test_pam_offline_auth_success (test_pam_srv.c:1580)
==32504==    by 0x485A0D8: ??? (in /usr/lib/x86_64-linux-gnu/libcmocka.so.0.5.1)
==32504==    by 0x485AA48: _cmocka_run_group_tests (in /usr/lib/x86_64-linux-gnu/libcmocka.so.0.5.1)
==32504==    by 0x112821: main (test_pam_srv.c:3205)
==32504== 
{
   <insert_a_suppression_name_here>
   Memcheck:Cond
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:RAND_DRBG_generate
   fun:RAND_DRBG_bytes
   fun:s3crypt_gen_salt
   fun:sysdb_cache_password_ex
   fun:test_pam_offline_auth_success
   obj:/usr/lib/x86_64-linux-gnu/libcmocka.so.0.5.1
   fun:_cmocka_run_group_tests
   fun:main
}

btw I think I remember Alexey told me that openssl on Debian was broken, IIRC they picked a bad release by accident between two good releases. But maybe if there is already a fixed version somewhere, we could install it on our CI machines?

And finally sysdb tests:

==33786== 4 errors in context 17 of 19:
==33786== Use of uninitialised value of size 8
==33786==    at 0x4C62608: b64_from_24bit (crypto_sha512crypt.c:62)
==33786==    by 0x4C62608: s3crypt_gen_salt (crypto_sha512crypt.c:386)
==33786==    by 0x4BF5DA0: sysdb_cache_password_ex (sysdb_ops.c:3219)
==33786==    by 0x113BDB: test_sysdb_cache_password (sysdb-tests.c:2134)
==33786==    by 0x12D88A: tcase_run_tfun_nofork.isra.9 (in /var/lib/jenkins/workspace/ci/label/debian_testing/ci-build-debug/.libs/sysdb-tests)
==33786==    by 0x12DC4B: srunner_run (in /var/lib/jenkins/workspace/ci/label/debian_testing/ci-build-debug/.libs/sysdb-tests)
==33786==    by 0x10E319: main (sysdb-tests.c:7812)
==33786== 
{
   <insert_a_suppression_name_here>
   Memcheck:Value8
   fun:b64_from_24bit
   fun:s3crypt_gen_salt
   fun:sysdb_cache_password_ex
   fun:test_sysdb_cache_password
   fun:tcase_run_tfun_nofork.isra.9
   fun:srunner_run
   fun:main
}

> I'm sorry I didn't run the recent crypto patches through the internal CI

This issue has nothing to do with recent patches.
The reason is the update of the openssl package on the Debian machine:
Jun 16: Unpacking openssl (1.1.1c-1) over (1.1.1b-2) ...

Issue was introduced here: https://github.com/openssl/openssl/commit/b3d113ed2993801ee643126118ccf6592ad18ef7
And was fixed here: https://github.com/openssl/openssl/pull/8603/commits/700c5b8b85a853e7bc0c937395e29c7910d6b84f

The fix is picked up in the Fedora package.

So I guess we can just close this ticket?

> So I guess we can just close this ticket?

If we do not plan to take any action to see if Debian OpenSSL package could be fixed, then we can close this ticket.

Metadata Update from @pbrezina:
- Issue tagged with: Canditate to close

a year ago

We added a Debian-wise valgrind suppression.

Metadata Update from @pbrezina:
- Custom field design_review adjusted to on
- Custom field mark adjusted to on
- Custom field patch adjusted to on
- Custom field review adjusted to on
- Custom field sensitive adjusted to on
- Custom field testsupdated adjusted to on
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

a year ago
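
One way to turn the generated suppression blocks quoted in the reports above into a narrowly scoped suppression file, as an added example that is not part of this ticket and not SSSD's actual suppression file. The function name `narrow`, the suppression name, the `fun:test_` cut-off convention and the abridged sample log are assumptions made for illustration.

```python
import re
from itertools import dropwhile

# Constructed sample in the shape of the generated suppressions in this ticket
# (frames abridged; contexts 34 and 35 yield the same block).
CRYPTO = """{
   <insert_a_suppression_name_here>
   Memcheck:Value8
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   obj:/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
   fun:BIO_write
   fun:sss_base64_encode
   fun:sss_password_encrypt
   fun:test_sss_password_encrypt_decrypt
   fun:main
}
"""
SSSD_OWN = """{
   <insert_a_suppression_name_here>
   Memcheck:Value8
   fun:b64_from_24bit
   fun:s3crypt_gen_salt
   fun:test_sysdb_cache_password
   fun:main
}
"""
SAMPLE_LOG = "==1== context 34\n" + CRYPTO + "==1== context 35\n" + CRYPTO + SSSD_OWN

BLOCK = re.compile(r"^\{\n(.*?)^\}", re.S | re.M)

def narrow(log, name="debian-libcrypto-1.1.1c"):  # hypothetical suppression name
    """Return (suppression_file_text, top_frames_left_for_manual_review)."""
    kept, review = [], []
    for body in BLOCK.findall(log):
        kind, *frames = [l.strip() for l in body.splitlines()][1:]
        if not (frames[0].startswith("obj:") and "libcrypto.so" in frames[0]):
            review.append(frames[0])   # error raised outside libcrypto: a human decides
            continue
        lib = "obj:*/" + frames[0].rsplit("/", 1)[1]   # drop the distro-specific directory
        rest = list(dropwhile(lambda f: f == frames[0], frames))  # collapse anonymous frames
        cut = next((i for i, f in enumerate(rest) if f.startswith("fun:test_")), len(rest))
        entry = (kind, lib, "...", *rest[:cut])        # stop before test-harness frames
        if entry not in kept:                          # duplicate contexts collapse to one
            kept.append(entry)
    text = "".join("{\n   %s-%d\n   %s\n}\n" % (name, i, "\n   ".join(e))
                   for i, e in enumerate(kept, 1))
    return text, review
```

The report whose top frame is `b64_from_24bit` is returned for review instead of being suppressed, because that read happens in SSSD's own code, not inside libcrypto.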

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/5003

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
