classification
Title: PySSL segmentation fault
Type: crash
Stage: resolved
Components: Extension Modules
Versions: Python 2.7

process
Status: closed
Resolution: third party
Dependencies:
Superseder:
Assigned To:
Nosy List: alex, christian.heimes, dstufft, giampaolo.rodola, janssen, mbasti, pitrou, vstinner
Priority: normal
Keywords:

Created on 2014-10-24 15:03 by mbasti, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (5)
msg229924 - (view) Author: mbasti (mbasti) Date: 2014-10-24 15:03
Hello,

I'm getting a null pointer dereference which leads to a segmentation fault.
I have no stable reproducer, but don't hesitate to contact me.

Additional info is here: https://fedorahosted.org/freeipa/ticket/4649

python 2.7.8-4.1 (Fedora 21)

#0  0x00007f3c4a66dde4 in newPySSLObject (ciphers=0x7f3c4544eeb4 "DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2", cacerts_file=<optimized out>, proto_version=PY_SSL_VERSION_SSL23, 
    certreq=<optimized out>, socket_type=<optimized out>, cert_file=0x0, key_file=0x0, Sock=0x7f3c3fbafc30) at /usr/src/debug/Python-2.7.8/Modules/_ssl.c:317
317	        self->ctx->options &= ~(SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

(gdb) p self->ctx
$1 = (SSL_CTX *) 0x0
msg229927 - (view) Author: Alex Gaynor (alex) * (Python committer) Date: 2014-10-24 15:08
Are you able to test this against the 2.7 branch from hg? The ssl module received some significant attention for 2.7.9.
msg229929 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2014-10-24 15:13
> 317	        self->ctx->options &= ~(SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

I don't see this line in Python 2.7.8 vanilla:
https://hg.python.org/cpython/file/ee879c0ffa11/Modules/_ssl.c

It looks like Fedora patched the source code:
http://pkgs.fedoraproject.org/cgit/python.git/tree/00195-enable-sslv23-in-ssl.patch

I see an obvious bug in the Fedora patch: it dereferences self->ctx before checking if self->ctx is NULL.

diff -up Python-2.7.8/Modules/_ssl.c.orig Python-2.7.8/Modules/_ssl.c
--- Python-2.7.8/Modules/_ssl.c.orig	2014-07-17 14:17:32.584362667 +0200
+++ Python-2.7.8/Modules/_ssl.c	2014-07-17 14:17:38.215405930 +0200
@@ -312,8 +312,10 @@ newPySSLObject(PySocketSockObject *Sock,
     else if (proto_version == PY_SSL_VERSION_SSL2)
         self->ctx = SSL_CTX_new(SSLv2_method()); /* Set up context */
 #endif
-    else if (proto_version == PY_SSL_VERSION_SSL23)
+    else if (proto_version == PY_SSL_VERSION_SSL23) {
         self->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */
+        self->ctx->options &= ~(SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+    }
     PySSL_END_ALLOW_THREADS
 
     if (self->ctx == NULL) {
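Review bot: the added line `self->ctx->options &= ~(SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` dereferences self->ctx immediately after SSL_CTX_new(), yet the `if (self->ctx == NULL)` check that follows PySSL_END_ALLOW_THREADS shows that call can return NULL; when it does, this line is exactly the null pointer dereference in the reported backtrace at _ssl.c:317. Move the options change below the existing NULL check and its error path, and prefer OpenSSL's SSL_CTX_clear_options(self->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3) over writing the struct field directly, which also keeps the code independent of the SSL_CTX layout.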
msg229930 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2014-10-24 15:14
Other Fedora patches on Python:
https://apps.fedoraproject.org/packages/python/sources

I see another *huge* patch on the ssl module, "ssl backport":
http://pkgs.fedoraproject.org/cgit/python.git/tree/00196-ssl-backport.patch
msg229932 - (view) Author: mbasti (mbasti) Date: 2014-10-24 15:21
Thank you for your fast reply!

So I will file a fedora bug.
Thanks again.
History
Date | User | Action | Args
2022-04-11 14:58:09 | admin | set | github: 66906
2014-10-24 15:23:26 | r.david.murray | set | status: open -> closed; resolution: third party; stage: resolved
2014-10-24 15:21:40 | mbasti | set | messages: + msg229932
2014-10-24 15:14:35 | vstinner | set | messages: + msg229930
2014-10-24 15:13:05 | vstinner | set | nosy: + vstinner; messages: + msg229929
2014-10-24 15:08:17 | alex | set | nosy: + janssen, pitrou, giampaolo.rodola, christian.heimes, alex, dstufft; messages: + msg229927
2014-10-24 15:03:05 | mbasti | create |