Issue 14171: warnings from valgrind about openssl as used by CPython (original) (raw)

Created on 2012-03-02 06:48 by zooko, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Files
File name Uploaded Description Edit
cpython-openssl101.supp zooko,2012-03-02 06:48 valgrind suppressions file
Messages (7)
msg154742 - (view) Author: Zooko O'Whielacronx (zooko) Date: 2012-03-02 06:48
The buildbot for the Tahoe-LAFS and pycryptopp projects runs CPython under valgrind on Fedora, and valgrind emits warnings like this: ==30127== Conditional jump or move depends on uninitialised value(s) ==30127== at 0x4C2AD01: bcmp (mc_replace_strmem.c:889) ==30127== by 0xC1D1646: fips_get_entropy (fips_drbg_lib.c:166) ==30127== by 0xC1D1D6E: FIPS_drbg_instantiate (fips_drbg_lib.c:234) ==30127== by 0xC15F590: RAND_init_fips (rand_lib.c:286) ==30127== by 0xC0F54D3: OPENSSL_init_library (o_init.c:106) ==30127== by 0xBE76AF8: SSL_library_init (ssl_algs.c:68) ==30127== by 0xBC2B39D: init_hashlib (in /usr/lib64/python2.7/lib-dynload/_hashlib.so) ==30127== by 0x4F1DB00: _PyImport_LoadDynamicModule (in /usr/lib64/libpython2.7.so.1.0) You can see the full output from such a buildbot run here: https://tahoe-lafs.org/buildbot-pycryptopp/builders/Ruben%20Fedora%20syslib/builds/58/steps/test%20valgrind/logs/valgrind Here is information about the versions of software involved: https://tahoe-lafs.org/buildbot-pycryptopp/builders/Ruben%20Fedora%20syslib/builds/58/steps/show-tool-versions/logs/stdio The owner of the buildslave machine says that the openssl package was "openssl-1.0.1-0.1.beta2.fc17.x86_64". Not having looked closer, I assume this is just a case of openssl using uninitialized memory as part of the initialization of the PRNG. Accordingly, I wrote suppressions stanzas for our valgrind suppressions file, which made the warnings go away. Here are the suppression expressions: # generated on buildbot.rubenkerkhof.com, which had, according to Ruben # Fedora's package "openssl-1.0.1-0.1.beta2.fc17.x86_64" { buildbot.rubenkerkhof.com cond fips openssl 1 Memcheck:Cond fun:bcmp fun:fips_get_entropy fun:FIPS_drbg_instantiate fun:RAND_init_fips fun:OPENSSL_init_library fun:SSL_library_init fun:init_hashlib } { buildbot.rubenkerkhof.com cond fips openssl 2 Memcheck:Cond fun:fips_get_entropy fun:FIPS_drbg_instantiate fun:RAND_init_fips fun:OPENSSL_init_library fun:SSL_library_init fun:init_hashlib } { buildbot.rubenkerkhof.com val _x86_64_AES_encrypt_compact Memcheck:Value8 fun:_x86_64_AES_encrypt_compact fun:AES_encrypt } I opened this ticket on launchpad.net to track the handling of this issue in various projects such as openssl, pycryptopp, CPython, valgrind, and Fedora: https://bugs.launchpad.net/pycryptopp/+bug/944585
msg154817 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2012-03-03 01:03
Why are you reporting this issue here?
msg154823 - (view) Author: Zooko O'Whielacronx (zooko) Date: 2012-03-03 03:33
Oh, I'm sorry I didn't make that clear at first. First of all, so that others who encounter these warnings can see how I worked-around them so that they can do that as well. Second, because Python comes with a valgrind suppressions file. Here is a patch to that file to suppress these warnings. --- a/Misc/valgrind-python.supp Wed Feb 22 00:28:46 2012 +0100 +++ b/Misc/valgrind-python.supp Fri Mar 02 20:31:55 2012 -0700 @@ -286,6 +286,38 @@ ### fun:MD5_Update ###} +# Fedora's package "openssl-1.0.1-0.1.beta2.fc17.x86_64" on x86_64 +# See http://bugs.python.org/issue14171 +{ + openssl 1.0.1 prng 1 + Memcheck:Cond + fun:bcmp + fun:fips_get_entropy + fun:FIPS_drbg_instantiate + fun:RAND_init_fips + fun:OPENSSL_init_library + fun:SSL_library_init + fun:init_hashlib +} + +{ + openssl 1.0.1 prng 2 + Memcheck:Cond + fun:fips_get_entropy + fun:FIPS_drbg_instantiate + fun:RAND_init_fips + fun:OPENSSL_init_library + fun:SSL_library_init + fun:init_hashlib +} + +{ + openssl 1.0.1 prng 3 + Memcheck:Value8 + fun:_x86_64_AES_encrypt_compact + fun:AES_encrypt +} + # # All of these problems come from using test_socket_ssl #
msg154837 - (view) Author: Stefan Krah (skrah) * (Python committer) Date: 2012-03-03 13:38
> # generated on buildbot.rubenkerkhof.com, which had, according to Ruben > # Fedora's package "openssl-1.0.1-0.1.beta2.fc17.x86_64" I think openssl needs to be compiled with -DPURIFY to avoid this.
msg154858 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2012-03-03 23:18
It remembers me a funny story. http://wiki.debian.org/SSLkeys
msg154908 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2012-03-04 20:16
New changeset 9a69b47f194e by Martin v. Löwis in branch 'default': Issue #14171: Add valgrind suppressions for OpenSSL issue. http://hg.python.org/cpython/rev/9a69b47f194e
msg154909 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2012-03-04 20:17
It may indeed be that recompiling OpenSSL properly could fix this. I added this anyway since it probably doesn't cause harm. Thanks for the patch.
History
Date User Action Args
2022-04-11 14:57:27 admin set github: 58379
2012-03-04 20:17:45 loewis set status: open -> closedresolution: fixedmessages: +
2012-03-04 20:16:47 python-dev set nosy: + python-devmessages: +
2012-03-03 23🔞17 vstinner set nosy: + vstinnermessages: +
2012-03-03 13:38:27 skrah set nosy: + skrahmessages: +
2012-03-03 03:33:31 zooko set messages: +
2012-03-03 01:03:18 loewis set nosy: + loewismessages: +
2012-03-02 06:48:20 zooko create