Skip to content

OpenSSL bug causes the "keyfromlabel" system test to consistently crash on Debian 12 "bookworm"

A routine Docker image refresh causes the keyfromlabel system test on bind-9.18 to consistently fail on Debian 12 "bookworm" due to the dnssec-signzone utility crashing in non-ISC code:

Click to expand/collapse full backtrace 
2024-07-24 15:06:12 INFO:keyfromlabel     D:Core was generated by `/builds/isc-projects/bind9/bin/dnssec/.libs/dnssec-signzone -E pkcs11 -S -a -g'.
2024-07-24 15:06:12 INFO:keyfromlabel     D:Program terminated with signal SIGSEGV, Segmentation fault.
2024-07-24 15:06:12 INFO:keyfromlabel     D:#0  std::_Rb_tree<unsigned long const, std::pair<unsigned long const, Slot* const>, std::_Select1st<std::pair<unsigned long const, Slot* const> >, std::less<unsigned long const>, std::allocator<std::pair<unsigned long const, Slot* const> > >::_M_mbegin (this=0x8) at /usr/include/c++/11/bits/stl_tree.h:734
2024-07-24 15:06:12 INFO:keyfromlabel     D:[Current thread is 1 (Thread 0x7f1cf9cd8d00 (LWP 184898))]
2024-07-24 15:06:12 INFO:keyfromlabel     D:#0  std::_Rb_tree<unsigned long const, std::pair<unsigned long const, Slot* const>, std::_Select1st<std::pair<unsigned long const, Slot* const> >, std::less<unsigned long const>, std::allocator<std::pair<unsigned long const, Slot* const> > >::_M_mbegin (this=0x8) at /usr/include/c++/11/bits/stl_tree.h:734
2024-07-24 15:06:12 INFO:keyfromlabel     D:#1  std::_Rb_tree<unsigned long const, std::pair<unsigned long const, Slot* const>, std::_Select1st<std::pair<unsigned long const, Slot* const> >, std::less<unsigned long const>, std::allocator<std::pair<unsigned long const, Slot* const> > >::_M_begin (this=0x8) at /usr/include/c++/11/bits/stl_tree.h:739
2024-07-24 15:06:12 INFO:keyfromlabel     D:#2  std::_Rb_tree<unsigned long const, std::pair<unsigned long const, Slot* const>, std::_Select1st<std::pair<unsigned long const, Slot* const> >, std::less<unsigned long const>, std::allocator<std::pair<unsigned long const, Slot* const> > >::lower_bound (__k=<synthetic pointer>: 268977190, this=0x8) at /usr/include/c++/11/bits/stl_tree.h:1270
2024-07-24 15:06:12 INFO:keyfromlabel     D:#3  std::map<unsigned long const, Slot* const, std::less<unsigned long const>, std::allocator<std::pair<unsigned long const, Slot* const> > >::lower_bound (__x=<synthetic pointer>: 268977190, this=0x8) at /usr/include/c++/11/bits/stl_map.h:1259
2024-07-24 15:06:12 INFO:keyfromlabel     D:#4  std::map<unsigned long const, Slot* const, std::less<unsigned long const>, std::allocator<std::pair<unsigned long const, Slot* const> > >::at (__k=<synthetic pointer>: 268977190, this=0x8) at /usr/include/c++/11/bits/stl_map.h:539
2024-07-24 15:06:12 INFO:keyfromlabel     D:#5  SlotManager::getSlot (this=0x0, slotID=slotID@entry=268977190) at ./src/lib/slot_mgr/SlotManager.cpp:174
2024-07-24 15:06:12 INFO:keyfromlabel     D:#6  0x00007f1cf9c23fd9 in SoftHSM::C_CloseAllSessions (this=0x55a5071b3700, slotID=slotID@entry=268977190) at ./src/lib/SoftHSM.cpp:1386
2024-07-24 15:06:12 INFO:keyfromlabel     D:#7  0x00007f1cf9c04414 in C_CloseAllSessions (slotID=268977190) at ./src/lib/main.cpp:347
2024-07-24 15:06:12 INFO:keyfromlabel     D:#8  0x00007f1cf9ccc16a in pkcs11_slot_unref (slot=slot@entry=0x55a5071d6e20) at p11_slot.c:433
2024-07-24 15:06:12 INFO:keyfromlabel     D:#9  0x00007f1cf9ccc200 in pkcs11_release_slot (slot=0x55a5071d6da0) at p11_slot.c:477
2024-07-24 15:06:12 INFO:keyfromlabel     D:#10 pkcs11_release_all_slots (slots=0x55a5071d6da0, nslots=<optimized out>) at p11_slot.c:464
2024-07-24 15:06:12 INFO:keyfromlabel     D:#11 0x00007f1cf9cccab8 in PKCS11_release_all_slots (pctx=<optimized out>, slots=<optimized out>, nslots=<optimized out>) at p11_front.c:111
2024-07-24 15:06:12 INFO:keyfromlabel     D:#12 0x00007f1cf9cc5e0e in ctx_finish (ctx=0x55a507163f60) at eng_back.c:352
2024-07-24 15:06:12 INFO:keyfromlabel     D:#13 0x00007f1cf9cc3e18 in engine_finish (engine=<optimized out>) at eng_front.c:163
2024-07-24 15:06:12 INFO:keyfromlabel     D:#14 0x00007f1cfc57f52f in engine_unlocked_finish (e=0x55a507172500, unlock_for_handlers=unlock_for_handlers@entry=0) at ../crypto/engine/eng_init.c:64
2024-07-24 15:06:12 INFO:keyfromlabel     D:#15 0x00007f1cfc581a52 in int_cleanup_cb_doall (p=0x55a507178930) at ../crypto/engine/eng_table.c:183
2024-07-24 15:06:12 INFO:keyfromlabel     D:#16 int_cleanup_cb_doall (p=0x55a507178930) at ../crypto/engine/eng_table.c:177
2024-07-24 15:06:12 INFO:keyfromlabel     D:#17 0x00007f1cfc5c86f4 in doall_util_fn (arg=0x0, func_arg=0x0, func=func@entry=0x7f1cfc581a30 <int_cleanup_cb_doall>, use_arg=0, lh=0x55a507171c10) at ../crypto/lhash/lhash.c:197
2024-07-24 15:06:12 INFO:keyfromlabel     D:#18 OPENSSL_LH_doall (lh=0x55a507171c10, func=func@entry=0x7f1cfc581a30 <int_cleanup_cb_doall>) at ../crypto/lhash/lhash.c:205
2024-07-24 15:06:12 INFO:keyfromlabel     D:#19 0x00007f1cfc581e31 in lh_ENGINE_PILE_doall (doall=0x7f1cfc581a30 <int_cleanup_cb_doall>, lh=<optimized out>) at ../crypto/engine/eng_local.h:159
2024-07-24 15:06:12 INFO:keyfromlabel     D:#20 engine_table_cleanup (table=0x7f1cfc81b6f8 <rsa_table>) at ../crypto/engine/eng_table.c:192
2024-07-24 15:06:12 INFO:keyfromlabel     D:#21 0x00007f1cfc57f7a6 in engine_cleanup_cb_free (item=0x55a507175d30) at ../crypto/engine/eng_lib.c:169
2024-07-24 15:06:12 INFO:keyfromlabel     D:#22 0x00007f1cfc649d20 in OPENSSL_sk_pop_free (st=0x55a507178d90, func=0x7f1cfc57f7a0 <engine_cleanup_cb_free>) at ../crypto/stack/stack.c:426
2024-07-24 15:06:12 INFO:keyfromlabel     D:#23 0x00007f1cfc57fb89 in sk_ENGINE_CLEANUP_ITEM_pop_free (freefunc=0x7f1cfc57f7a0 <engine_cleanup_cb_free>, sk=<optimized out>) at ../crypto/engine/eng_local.h:48
2024-07-24 15:06:12 INFO:keyfromlabel     D:#24 engine_cleanup_int () at ../crypto/engine/eng_lib.c:176
2024-07-24 15:06:12 INFO:keyfromlabel     D:#25 0x00007f1cfc5cce2e in OPENSSL_cleanup () at ../crypto/init.c:418
2024-07-24 15:06:12 INFO:keyfromlabel     D:#26 OPENSSL_cleanup () at ../crypto/init.c:344
2024-07-24 15:06:12 INFO:keyfromlabel     D:#27 0x00007f1cfcda390f in tls_shutdown () at tls.c:146
2024-07-24 15:06:12 INFO:keyfromlabel     D:#28 0x00007f1cfc8acf97 in __pthread_once_slow (once_control=0x7f1cfcdd70a0 <shut_once>, init_routine=0x7f1cfcda38f0 <tls_shutdown>) at ./nptl/pthread_once.c:116
2024-07-24 15:06:12 INFO:keyfromlabel     D:#29 0x00007f1cfc8ad075 in ___pthread_once (once_control=<optimized out>, init_routine=<optimized out>) at ./nptl/pthread_once.c:143
2024-07-24 15:06:12 INFO:keyfromlabel     D:#30 0x00007f1cfcda38a7 in isc__tls_shutdown () at tls.c:173
2024-07-24 15:06:12 INFO:keyfromlabel     D:#31 0x00007f1cfcd8a5de in isc__shutdown () at lib.c:52
2024-07-24 15:06:12 INFO:keyfromlabel     D:#32 0x00007f1cfcddb12a in _dl_call_fini (closure_map=closure_map@entry=0x7f1cfcdd8300) at ./elf/dl-call_fini.c:43
2024-07-24 15:06:12 INFO:keyfromlabel     D:#33 0x00007f1cfcdde81e in _dl_fini () at ./elf/dl-fini.c:114
2024-07-24 15:06:12 INFO:keyfromlabel     D:#34 0x00007f1cfc85d55d in __run_exit_handlers (status=0, listp=0x7f1cfc9f1820 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at ./stdlib/exit.c:116
2024-07-24 15:06:12 INFO:keyfromlabel     D:#35 0x00007f1cfc85d69a in __GI_exit (status=<optimized out>) at ./stdlib/exit.c:146
2024-07-24 15:06:12 INFO:keyfromlabel     D:#36 0x00007f1cfc846251 in __libc_start_call_main (main=main@entry=0x55a505875ef0 <main>, argc=argc@entry=9, argv=argv@entry=0x7fff946e2f28) at ../sysdeps/nptl/libc_start_call_main.h:74
2024-07-24 15:06:12 INFO:keyfromlabel     D:#37 0x00007f1cfc846305 in __libc_start_main_impl (main=0x55a505875ef0 <main>, argc=9, argv=0x7fff946e2f28, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff946e2f18) at ../csu/libc-start.c:360
2024-07-24 15:06:12 INFO:keyfromlabel     D:#38 0x000055a505875e21 in _start ()

I compared the working Docker image (built back in May) with the broken one (built yesterday) and determined that the component triggering these crashes is libssl3 3.0.13-1~deb12u1; simply copying over the shared libraries from libssl3 3.0.11-1~deb12u2 to an affected system makes the problem go away.

Looking further, I came across an OpenSSL bug which looks like a match. Note in particular that this report mentions both libp11 and SoftHSM.

The good news is that the problem has already been solved (or at least the symptom we're interested in here) in OpenSSL 3.0.14.

The bad news is that Debian does not yet ship libssl3 3.0.14.

We can either build our own libssl3 package for OpenSSL 3.0.14 (@ondrej?) and integrate it into our "bookworm" Docker image or disable the keyfromlabel test on the bind-9.18 branch until Debian ships a version of the libssl3 package that makes the issue go away (likely due to some OpenSSL security issue since "bookworm" is the current stable release).

Either way, it doesn't look like our code is at fault here, so we just need to somehow ensure that the system:clang:bookworm:amd64 isn't permanently failing after isc-projects/images!325 gets merged.

For some reason, this does not happen on main. Perhaps a different destructor calling order masks the problem there.

Blocks isc-projects/images!325

Edited by Michał Kępień
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information