TLS connections fail with OpenSSL 3.2
Description:
With openssl 3.2.0-1, a double free occurs for a TLS connection
psql: error: connection to server at "db.chyen.cc" (::1), port 5432 failed: FATAL: no PostgreSQL user name specified in startup packet
free(): invalid pointer
Aborted
With openssl 3.1.4-1, I got a correct error message (my server requires mTLS, so the error message is expected)
psql: error: connection to server at "db.chyen.cc" (::1), port 5432 failed: FATAL: connection requires a valid client certificate
Additional info:
- openssl 3.2.0-1
- postgresql-libs 16.1-2
Rebuilding postgresql-libs against openssl 3.2 does not help.
I guess this is probably an upstream issue in openssl or postgresql, but I haven't had time to dive deeper.
Here is the gdb log:
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1 0x00007ffff7cb78a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2 0x00007ffff7c67668 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x00007ffff7c4f4b8 in __GI_abort () at abort.c:79
#4 0x00007ffff7c50390 in __libc_message (fmt=fmt@entry=0x7ffff7dc755d "%s\n") at ../sysdeps/posix/libc_fatal.c:150
#5 0x00007ffff7cc17b7 in malloc_printerr (str=str@entry=0x7ffff7dc502b "free(): invalid pointer") at malloc.c:5765
#6 0x00007ffff7cc3a74 in _int_free (av=<optimized out>, p=<optimized out>, have_lock=have_lock@entry=0) at malloc.c:4500
#7 0x00007ffff7cc6353 in __GI___libc_free (mem=<optimized out>) at malloc.c:3391
#8 0x00007ffff7f5cac4 in freePGconn (conn=0x55555561b970) at /usr/src/debug/postgresql/postgresql-16.1/src/interfaces/libpq/fe-connect.c:4413
#9 0x00007ffff7f6058b in PQfinish (conn=<optimized out>) at /usr/src/debug/postgresql/postgresql-16.1/src/interfaces/libpq/fe-connect.c:4604
#10 0x000055555556e66a in main (argc=<optimized out>, argv=0x7fffffffd4c8) at /usr/src/debug/postgresql/postgresql-16.1/src/bin/psql/startup.c:305
In valgrind, there are many detections like this (excerpted valgrind log):
==26569== Invalid read of size 8
==26569== at 0x4881ABB: freePGconn (fe-connect.c:4413)
==26569== by 0x122669: main (startup.c:305)
==26569== Address 0x5499230 is 0 bytes inside a block of size 1,192 free'd
==26569== at 0x484488F: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==26569== by 0x4DB360E: sock_free (bss_sock.c:111)
==26569== by 0x4DB132E: BIO_free (bio_lib.c:141)
==26569== by 0x4DB13BC: BIO_free_all (bio_lib.c:858)
==26569== by 0x4C29B16: UnknownInlinedFun (ssl_lib.c:1503)
==26569== by 0x4C29B16: ossl_ssl_connection_free (ssl_lib.c:1415)
==26569== by 0x4C28C45: SSL_free (ssl_lib.c:1406)
==26569== by 0x489A547: pgtls_close (fe-secure-openssl.c:1638)
==26569== by 0x4880B95: UnknownInlinedFun (fe-secure.c:192)
==26569== by 0x4880B95: pqDropConnection (fe-connect.c:472)
==26569== by 0x4885451: closePGconn (fe-connect.c:4581)
==26569== by 0x4885581: UnknownInlinedFun (fe-connect.c:4603)
==26569== by 0x4885581: PQfinish (fe-connect.c:4599)
==26569== by 0x122669: main (startup.c:305)
==26569== Block was alloc'd at
==26569== at 0x4848953: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==26569== by 0x48820D9: makeEmptyPGconn (fe-connect.c:4313)
==26569== by 0x4888792: PQconnectStartParams (fe-connect.c:792)
==26569== by 0x4888DBA: PQconnectdbParams (fe-connect.c:682)
==26569== by 0x121F4C: main (startup.c:272)
==26569==
If I ask gdb to break at sock_free, the freed pointer is the same as the one allocated by makeEmptyPGconn. Sounds like something wrong in memory management.
Steps to reproduce:
- Configure a PostgreSQL server that accepts TLS connections
psql "host=db.chyen.cc port=5432 sslmode=verify-full sslrootcert=/etc/ssl/cert.pem"