This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: warnings from valgrind about openssl as used by CPython
Type: Stage:
Components: Library (Lib) Versions: Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: loewis, python-dev, skrah, vstinner, zooko
Priority: normal Keywords:

Created on 2012-03-02 06:48 by zooko, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Files
File name Uploaded Description Edit
cpython-openssl101.supp zooko, 2012-03-02 06:48 valgrind suppressions file
Messages (7)
msg154742 - (view) Author: Zooko O'Whielacronx (zooko) Date: 2012-03-02 06:48 
The buildbot for the Tahoe-LAFS and pycryptopp projects runs CPython under valgrind on Fedora, and valgrind emits warnings like this:

==30127== Conditional jump or move depends on uninitialised value(s)
==30127== at 0x4C2AD01: bcmp (mc_replace_strmem.c:889)
==30127== by 0xC1D1646: fips_get_entropy (fips_drbg_lib.c:166)
==30127== by 0xC1D1D6E: FIPS_drbg_instantiate (fips_drbg_lib.c:234)
==30127== by 0xC15F590: RAND_init_fips (rand_lib.c:286)
==30127== by 0xC0F54D3: OPENSSL_init_library (o_init.c:106)
==30127== by 0xBE76AF8: SSL_library_init (ssl_algs.c:68)
==30127== by 0xBC2B39D: init_hashlib (in /usr/lib64/python2.7/lib-dynload/_hashlib.so)
==30127== by 0x4F1DB00: _PyImport_LoadDynamicModule (in /usr/lib64/libpython2.7.so.1.0)

You can see the full output from such a buildbot run here:

https://tahoe-lafs.org/buildbot-pycryptopp/builders/Ruben%20Fedora%20syslib/builds/58/steps/test%20valgrind/logs/valgrind

Here is information about the versions of software involved:

https://tahoe-lafs.org/buildbot-pycryptopp/builders/Ruben%20Fedora%20syslib/builds/58/steps/show-tool-versions/logs/stdio

The owner of the buildslave machine says that the openssl package was "openssl-1.0.1-0.1.beta2.fc17.x86_64".

Not having looked closer, I assume this is just a case of openssl using uninitialized memory as part of the initialization of the PRNG. Accordingly, I wrote suppressions stanzas for our valgrind suppressions file, which made the warnings go away.

Here are the suppression expressions:

# generated on buildbot.rubenkerkhof.com, which had, according to Ruben
# Fedora's package "openssl-1.0.1-0.1.beta2.fc17.x86_64"
{
   buildbot.rubenkerkhof.com cond fips openssl 1
   Memcheck:Cond
   fun:bcmp
   fun:fips_get_entropy
   fun:FIPS_drbg_instantiate
   fun:RAND_init_fips
   fun:OPENSSL_init_library
   fun:SSL_library_init
   fun:init_hashlib
}

{
   buildbot.rubenkerkhof.com cond fips openssl 2
   Memcheck:Cond
   fun:fips_get_entropy
   fun:FIPS_drbg_instantiate
   fun:RAND_init_fips
   fun:OPENSSL_init_library
   fun:SSL_library_init
   fun:init_hashlib
}

{
   buildbot.rubenkerkhof.com val _x86_64_AES_encrypt_compact
   Memcheck:Value8
   fun:_x86_64_AES_encrypt_compact
   fun:AES_encrypt
}

I opened this ticket on launchpad.net to track the handling of this
issue in various projects such as openssl, pycryptopp, CPython,
valgrind, and Fedora:

https://bugs.launchpad.net/pycryptopp/+bug/944585
msg154817 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2012-03-03 01:03 
Why are you reporting this issue here?
msg154823 - (view) Author: Zooko O'Whielacronx (zooko) Date: 2012-03-03 03:33 
Oh, I'm sorry I didn't make that clear at first. First of all, so that others who encounter these warnings can see how I worked-around them so that they can do that as well. Second, because Python comes with a valgrind suppressions file. Here is a patch to that file to suppress these warnings.

--- a/Misc/valgrind-python.supp Wed Feb 22 00:28:46 2012 +0100
+++ b/Misc/valgrind-python.supp Fri Mar 02 20:31:55 2012 -0700
@@ -286,6 +286,38 @@
 ###   fun:MD5_Update
 ###}
 
+# Fedora's package "openssl-1.0.1-0.1.beta2.fc17.x86_64" on x86_64
+# See http://bugs.python.org/issue14171
+{
+   openssl 1.0.1 prng 1
+   Memcheck:Cond
+   fun:bcmp
+   fun:fips_get_entropy
+   fun:FIPS_drbg_instantiate
+   fun:RAND_init_fips
+   fun:OPENSSL_init_library
+   fun:SSL_library_init
+   fun:init_hashlib
+}
+
+{
+   openssl 1.0.1 prng 2
+   Memcheck:Cond
+   fun:fips_get_entropy
+   fun:FIPS_drbg_instantiate
+   fun:RAND_init_fips
+   fun:OPENSSL_init_library
+   fun:SSL_library_init
+   fun:init_hashlib
+}
+
+{
+   openssl 1.0.1 prng 3
+   Memcheck:Value8
+   fun:_x86_64_AES_encrypt_compact
+   fun:AES_encrypt
+}
+
 #
 # All of these problems come from using test_socket_ssl
 #
msg154837 - (view) Author: Stefan Krah (skrah) * (Python committer) Date: 2012-03-03 13:38 
> # generated on buildbot.rubenkerkhof.com, which had, according to Ruben
> # Fedora's package "openssl-1.0.1-0.1.beta2.fc17.x86_64"

I think openssl needs to be compiled with -DPURIFY to avoid this.
msg154858 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2012-03-03 23:18 
It remembers me a funny story. http://wiki.debian.org/SSLkeys
msg154908 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2012-03-04 20:16 
New changeset 9a69b47f194e by Martin v. Löwis in branch 'default':
Issue #14171: Add valgrind suppressions for OpenSSL issue.
http://hg.python.org/cpython/rev/9a69b47f194e
msg154909 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2012-03-04 20:17 
It may indeed be that recompiling OpenSSL properly could fix this. I added this anyway since it probably doesn't cause harm. Thanks for the patch.
History
Date User Action Args
2022-04-11 14:57:27adminsetgithub: 58379
2012-03-04 20:17:45loewissetstatus: open -> closed
resolution: fixed
messages: + msg154909
2012-03-04 20:16:47python-devsetnosy: + python-dev
messages: + msg154908
2012-03-03 23:18:17vstinnersetnosy: + vstinner
messages: + msg154858
2012-03-03 13:38:27skrahsetnosy: + skrah
messages: + msg154837
2012-03-03 03:33:31zookosetmessages: + msg154823
2012-03-03 01:03:18loewissetnosy: + loewis
messages: + msg154817
2012-03-02 06:48:20zookocreate