Copyright © https://mongoose-os.com

Mongoose OS Forum


Double Free with SSL FLAG enabled on multithreaded webserver environment

There are four webservers, each listening on a different port and each with its own thread. All the webservers are created at the same time and mg_mgr_init() is called inside the webserver thread function, which leads to corruption.
The reason could be that in mg_mgr_init(), init_done is set after returning from SSL_library_init().
Calling mg_mgr_init() at the same time from multiple threads leads to corruption.

if (!init_done) 
{
  SSL_library_init();
  init_done++;
}

#3  0xf71b525c in __libc_message (do_abort=2, fmt=0xf72ade28 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#4  0xf71bb577 in malloc_printerr (action=<optimised out>, str=0xf72ade98 "double free or corruption (!prev)", ptr=<optimised out>, ar_ptr=0xf2200010) at malloc.c:5007
#5  0xf71bbd31 in _int_free (av=av@entry=0xf2200010, p=<optimised out>, p@entry=0xf2200a78, have_lock=have_lock@entry=1) at malloc.c:3868
#6  0xf71be38f in _int_realloc (av=av@entry=0xf2200010, oldp=oldp@entry=0xf2200a78, oldsize=oldsize@entry=72, nb=136) at malloc.c:4359
#7  0xf71bf53e in __GI___libc_realloc (oldmem=0xf2200a80, bytes=128) at malloc.c:3046
#8  0xf71bf603 in __GI___libc_realloc (oldmem=0xf2200a80, bytes=128) at malloc.c:2984
#9  0xf74d4a0b in ?? () from /lib/i386-linux-gnu/libcrypto.so.1.0.0
#10 0xf74d50c0 in CRYPTO_realloc () from /lib/i386-linux-gnu/libcrypto.so.1.0.0
#11 0xf75557ec in lh_insert () from /lib/i386-linux-gnu/libcrypto.so.1.0.0
#12 0xf74d815d in OBJ_NAME_add () from /lib/i386-linux-gnu/libcrypto.so.1.0.0
#13 0xf7560c26 in EVP_add_cipher () from /lib/i386-linux-gnu/libcrypto.so.1.0.0
#14 0xf76e0687 in SSL_library_init () from /lib/i386-linux-gnu/libssl.so.1.0.0
#15 0x0877d732 in mg_mgr_init (m=0xe23ecf3c, user_data=0x0)

Comments

  • Sergey, Dublin, Ireland

    There is a race, but there is a workaround.
    Before spawning your threads, make a dummy manager, and mg_mgr_init() on it.
    That would initialize OpenSSL once and prevent further threads from calling it again.
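
The workaround from the reply above, as an added example that is not part of the original thread and is not Mongoose or OpenSSL code. It also goes one step further and shows a pthread_once guard as an alternative; fake_library_init, mgr_init_unguarded, mgr_init_once and the other names are hypothetical stand-ins, and POSIX threads are assumed.

```c
#include <pthread.h>
#include <stdio.h>

#define NTHREADS 4   /* four webserver threads, as in the post */
static int lib_init_calls, init_done;  /* init run count; unguarded flag */
static pthread_once_t once = PTHREAD_ONCE_INIT;

/* Stand-in for SSL_library_init(): must not run concurrently. */
static void fake_library_init(void) { lib_init_calls++; }
/* Check-then-set guard with the same shape as the snippet in the post. */
static void mgr_init_unguarded(void) {
  if (!init_done) {
    fake_library_init();
    init_done++;
  }
}

/* Alternative: pthread_once runs the init once; other callers wait. */
static void mgr_init_once(void) { pthread_once(&once, fake_library_init); }
static void *server_thread(void *arg) {
  (*(void (**)(void))arg)();   /* arg points at the init function to call */
  return NULL;
}

/* Start up to NTHREADS threads that each call init(), then join them. */
static int run_servers(void (*init)(void)) {
  pthread_t t[NTHREADS]; int n = 0;
  while (n < NTHREADS && !pthread_create(&t[n], NULL, server_thread, &init))
    n++;
  for (int i = 0; i < n; i++) pthread_join(t[i], NULL);
  return lib_init_calls;
}

/* Workaround from the reply: initialise once before spawning threads. */
int workaround_init_calls(void) {
  lib_init_calls = init_done = 0;
  mgr_init_unguarded();        /* the "dummy manager" call, single-threaded */
  return run_servers(mgr_init_unguarded);
}

/* pthread_once variant; call once per process, `once` is never reset. */
int once_init_calls(void) {
  lib_init_calls = 0;
  return run_servers(mgr_init_once);
}

int main(void) {
  int a = workaround_init_calls(), b = once_init_calls();
  return printf("init calls: workaround=%d pthread_once=%d\n", a, b) < 0;
}
```

In the workaround path the flag is already set before any thread starts, so the threads only read it; with pthread_once no pre-initialization on the main thread is needed.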
