[gnutls-dev] gnutls-0.8.4 valgrind diagnosis
Rupert Kittinger
r.kittinger@efkon.com
Wed Mar 12 13:08:01 2003
Hello everybody,
I just decided to take a look at gnutls.
I ran gnutls-serv and gnutls-cli-debug on the loopback interface,
using valgrind for diagnosis. The session log follows. It was created with
the following command:
$ valgrind --num-callers=8 --leak-check=yes --show-reachable=yes
gnutls-cli-debug -p 5556 localhost &> /tmp/message
System: linux
compiler: gcc-2.95.3
libgcrypt: libgcrypt-1.1.12
==31365== valgrind-1.0.4, a memory error detector for x86 GNU/Linux.
==31365== Copyright (C) 2000-2002, and GNU GPL'd, by Julian Seward.
==31365== Estimated CPU clock rate is 952 MHz
==31365== For more details, rerun with: -v
==31365==
Connecting to '127.0.0.1:5556'...
==31365== Conditional jump or move depends on uninitialised value(s)
==31365== at 0x402BE756: gcry_mpi_print (mpicoder.c:482)
==31365== by 0x40297AD7: sexp_sscan (sexp.c:1033)
==31365== by 0x40297FA2: gcry_sexp_build (sexp.c:1180)
==31365== by 0x4025C76B: ??? (gnutls_pk.c:516)
==31365== by 0x4025C084: ??? (gnutls_pk.c:124)
==31365== by 0x4025B3A9: ??? (auth_rsa.c:309)
==31365== by 0x402569A2: ??? (gnutls_kx.c:183)
==31365== by 0x40253E1E: ??? (gnutls_handshake.c:1978)
==31365==
==31365== Conditional jump or move depends on uninitialised value(s)
==31365== at 0x402BE756: gcry_mpi_print (mpicoder.c:482)
==31365== by 0x40297AD7: sexp_sscan (sexp.c:1033)
==31365== by 0x40297FA2: gcry_sexp_build (sexp.c:1180)
==31365== by 0x4025C796: ??? (gnutls_pk.c:532)
==31365== by 0x4025C084: ??? (gnutls_pk.c:124)
==31365== by 0x4025B3A9: ??? (auth_rsa.c:309)
==31365== by 0x402569A2: ??? (gnutls_kx.c:183)
==31365== by 0x40253E1E: ??? (gnutls_handshake.c:1978)
==31365==
==31365== Conditional jump or move depends on uninitialised value(s)
==31365== at 0x402BE756: gcry_mpi_print (mpicoder.c:482)
==31365== by 0x40297AD7: sexp_sscan (sexp.c:1033)
==31365== by 0x40297FA2: gcry_sexp_build (sexp.c:1180)
==31365== by 0x4029DF9D: gcry_pk_encrypt (pubkey.c:1304)
==31365== by 0x4025C7C7: ??? (gnutls_pk.c:539)
==31365== by 0x4025C084: ??? (gnutls_pk.c:124)
==31365== by 0x4025B3A9: ??? (auth_rsa.c:309)
==31365== by 0x402569A2: ??? (gnutls_kx.c:183)
==31365==
==31365== Conditional jump or move depends on uninitialised value(s)
==31365== at 0x402BE7B1: gcry_mpi_print (mpicoder.c:503)
==31365== by 0x4025BDB9: ??? (gnutls_mpi.c:74)
==31365== by 0x4026F3B2: ??? (auth_dh_common.c:110)
==31365== by 0x402569A2: ??? (gnutls_kx.c:183)
==31365== by 0x40253E1E: ??? (gnutls_handshake.c:1978)
==31365== by 0x40253BA9: gnutls_handshake (gnutls_handshake.c:1857)
==31365== by 0x804B2E9: do_handshake (tests.c:50)
==31365== by 0x804C0D2: test_anonymous (tests.c:509)
==31365==
==31365== Conditional jump or move depends on uninitialised value(s)
==31365== at 0x402BE7B1: gcry_mpi_print (mpicoder.c:503)
==31365== by 0x4025BDB9: ??? (gnutls_mpi.c:74)
==31365== by 0x40289969: ??? (gnutls_srp.c:147)
==31365== by 0x4028AC5F: ??? (auth_srp.c:217)
==31365== by 0x402569A2: ??? (gnutls_kx.c:183)
==31365== by 0x40253E1E: ??? (gnutls_handshake.c:1978)
==31365== by 0x40253BA9: gnutls_handshake (gnutls_handshake.c:1857)
==31365== by 0x804B2E9: do_handshake (tests.c:50)
==31365==
==31365== Conditional jump or move depends on uninitialised value(s)
==31365== at 0x402BE7B1: gcry_mpi_print (mpicoder.c:503)
==31365== by 0x4025BDB9: ??? (gnutls_mpi.c:74)
==31365== by 0x4028997B: ??? (gnutls_srp.c:149)
==31365== by 0x4028AC5F: ??? (auth_srp.c:217)
==31365== by 0x402569A2: ??? (gnutls_kx.c:183)
==31365== by 0x40253E1E: ??? (gnutls_handshake.c:1978)
==31365== by 0x40253BA9: gnutls_handshake (gnutls_handshake.c:1857)
==31365== by 0x804B2E9: do_handshake (tests.c:50)
==31365==
==31365== Conditional jump or move depends on uninitialised value(s)
==31365== at 0x402BE7B1: gcry_mpi_print (mpicoder.c:503)
==31365== by 0x4025BDB9: ??? (gnutls_mpi.c:74)
==31365== by 0x4028AD4F: ??? (auth_srp.c:249)
==31365== by 0x402569A2: ??? (gnutls_kx.c:183)
==31365== by 0x40253E1E: ??? (gnutls_handshake.c:1978)
==31365== by 0x40253BA9: gnutls_handshake (gnutls_handshake.c:1857)
==31365== by 0x804B2E9: do_handshake (tests.c:50)
==31365== by 0x804B718: test_srp (tests.c:180)
Resolving 'localhost'...
Checking for TLS 1.0 support... yes
Checking for SSL 3.0 support... yes
Checking for certificate information...
- Certificate type: X.509
- Certificate info:
# Certificate is valid since: Tue Nov 12 10:49:00 CET 2002
# Certificate expires: Wed Nov 12 10:49:00 CET 2003
# Certificate fingerprint: 87 68 6b 07 dc ad 05 0d 46 6e 82 3d ef 55 30 1e
# Certificate serial number: 01
# Certificate version: #3
# Certificate public key algorithm: RSA
# Modulus: 712 bits
# CN=cch_agent test,OU=Software Department,O=Efkon AG,ST=ST,C=AT
# Certificate Issuer's info:
# CN=internal testing ca,OU=Software Department,O=Efkon AG,L=Graz,ST=ST,C=AT
Checking for version rollback bug in RSA PMS... no
Checking for version rollback bug in Client Hello... no
Checking whether we need to disable TLS 1.0... no
Checking whether the server can accept Hello Extensions... yes
Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes
Checking whether the server understands TLS closure alerts... yes
Checking whether the server supports session resumption... yes
Checking for export-grade ciphersuite support... no
Checking for anonymous authentication support... yes
Checking for ephemeral Diffie Hellman support... yes
Checking for AES cipher support... yes
Checking for 3DES cipher support... yes
Checking for ARCFOUR cipher support... yes
Checking for MD5 MAC support... yes
Checking for SHA1 MAC support... yes
Checking for max record size TLS extension... yes
Checking for SRP authentication support (gnutls extension)... yes
Checking for OpenPGP authentication support (gnutls extension)... no
==31365==
==31365== ERROR SUMMARY: 56 errors from 7 contexts (suppressed: 3 from 1)
==31365== malloc/free: in use at exit: 4958 bytes in 23 blocks.
==31365== malloc/free: 29498 allocs, 29475 frees, 3140240 bytes allocated.
==31365== For counts of detected errors, rerun with: -v
==31365== searching for pointers to 23 not-freed blocks.
==31365== checked 4479860 bytes.
==31365==
==31365== definitely lost: 60 bytes in 3 blocks.
==31365== possibly lost: 0 bytes in 0 blocks.
==31365== still reachable: 4898 bytes in 20 blocks.
==31365==
==31365== 23 bytes in 1 blocks are still reachable in loss record 1 of 9
==31365== at 0x40048DEB: malloc (vg_clientfuncs.c:100)
==31365== by 0x4000AC39: _dl_new_object (dl-object.c:106)
==31365== by 0x400062AE: _dl_map_object_from_fd (dl-load.c:833)
==31365== by 0x400079D9: _dl_map_object (dl-load.c:1747)
==31365== by 0x4041786C: dl_open_worker (dl-open.c:217)
==31365== by 0x4000D7C3: _dl_catch_error (dl-error.c:153)
==31365== by 0x40417D4E: _dl_open (dl-open.c:407)
==31365== by 0x40418BB1: do_dlopen (dl-libc.c:78)
==31365==
==31365== 23 bytes in 1 blocks are still reachable in loss record 2 of 9
==31365== at 0x40048DEB: malloc (vg_clientfuncs.c:100)
==31365== by 0x40007CF8: _dl_map_object (dl-load.c:164)
==31365== by 0x4041786C: dl_open_worker (dl-open.c:217)
==31365== by 0x4000D7C3: _dl_catch_error (dl-error.c:153)
==31365== by 0x40417D4E: _dl_open (dl-open.c:407)
==31365== by 0x40418BB1: do_dlopen (dl-libc.c:78)
==31365== by 0x4000D7C3: _dl_catch_error (dl-error.c:153)
==31365== by 0x40418A5C: __libc_dlopen (dl-libc.c:44)
==31365==
==31365== 28 bytes in 1 blocks are still reachable in loss record 3 of 9
==31365== at 0x40048DEB: malloc (vg_clientfuncs.c:100)
==31365== by 0x4000C74E: _dl_map_object_deps (dl-deps.c:528)
==31365== by 0x40417901: dl_open_worker (dl-open.c:255)
==31365== by 0x4000D7C3: _dl_catch_error (dl-error.c:153)
==31365== by 0x40417D4E: _dl_open (dl-open.c:407)
==31365== by 0x40418BB1: do_dlopen (dl-libc.c:78)
==31365== by 0x4000D7C3: _dl_catch_error (dl-error.c:153)
==31365== by 0x40418A5C: __libc_dlopen (dl-libc.c:44)
==31365==
==31365== 60 bytes in 3 blocks are definitely lost in loss record 4 of 9
==31365== at 0x40048DEB: malloc (vg_clientfuncs.c:100)
==31365== by 0x40295FB6: gcry_malloc (global.c:386)
==31365== by 0x402962A9: gcry_xmalloc (global.c:502)
==31365== by 0x402BFED5: _gcry_mpi_alloc (mpiutil.c:43)
==31365== by 0x402C064C: gcry_mpi_new (mpiutil.c:320)
==31365== by 0x40289A86: ??? (gnutls_srp.c:299)
==31365== by 0x4028AC9D: ??? (auth_srp.c:228)
==31365== by 0x402569A2: ??? (gnutls_kx.c:183)
==31365==
==31365== 128 bytes in 1 blocks are still reachable in loss record 5 of 9
==31365== at 0x400492E3: calloc (vg_clientfuncs.c:239)
==31365== by 0x4000ED0A: _dl_check_map_versions (dl-version.c:289)
==31365== by 0x40417C20: dl_open_worker (dl-open.c:257)
==31365== by 0x4000D7C3: _dl_catch_error (dl-error.c:153)
==31365== by 0x40417D4E: _dl_open (dl-open.c:407)
==31365== by 0x40418BB1: do_dlopen (dl-libc.c:78)
==31365== by 0x4000D7C3: _dl_catch_error (dl-error.c:153)
==31365== by 0x40418A5C: __libc_dlopen (dl-libc.c:44)
==31365==
==31365== 550 bytes in 1 blocks are still reachable in loss record 6 of 9
==31365== at 0x400492E3: calloc (vg_clientfuncs.c:239)
==31365== by 0x4000A9C0: _dl_new_object (dl-object.c:43)
==31365== by 0x400062AE: _dl_map_object_from_fd (dl-load.c:833)
==31365== by 0x400079D9: _dl_map_object (dl-load.c:1747)
==31365== by 0x4041786C: dl_open_worker (dl-open.c:217)
==31365== by 0x4000D7C3: _dl_catch_error (dl-error.c:153)
==31365== by 0x40417D4E: _dl_open (dl-open.c:407)
==31365== by 0x40418BB1: do_dlopen (dl-libc.c:78)
==31365==
==31365== 836 bytes in 4 blocks are still reachable in loss record 7 of 9
==31365== at 0x400493FE: realloc (vg_clientfuncs.c:270)
==31365== by 0x402960A7: gcry_realloc (global.c:428)
==31365== by 0x4029631A: gcry_xrealloc (global.c:516)
==31365== by 0x402C00A6: _gcry_mpi_resize (mpiutil.c:120)
==31365== by 0x402BCB25: gcry_mpi_mul_ui (mpi-mul.c:52)
==31365== by 0x40289AF7: ??? (gnutls_srp.c:308)
==31365== by 0x4028AC9D: ??? (auth_srp.c:228)
==31365== by 0x402569A2: ??? (gnutls_kx.c:183)
==31365==
==31365== 1595 bytes in 1 blocks are still reachable in loss record 8 of 9
==31365== at 0x40048DEB: malloc (vg_clientfuncs.c:100)
==31365== by 0x804B3F5: do_handshake (tests.c:84)
==31365== by 0x804C216: test_openpgp1 (tests.c:293)
==31365== by 0x804B11D: main (tls_test.c:191)
==31365== by 0x403186F7: __libc_start_main (../sysdeps/generic/libc-start.c:129)
==31365== by 0x8049E91: alarm@@GLIBC_2.0 (in /usr/local/bin/gnutls-cli-debug)
==31365==
==31365== 1715 bytes in 10 blocks are still reachable in loss record 9 of 9
==31365== at 0x40048DEB: malloc (vg_clientfuncs.c:100)
==31365== by 0x40295FB6: gcry_malloc (global.c:386)
==31365== by 0x402962A9: gcry_xmalloc (global.c:502)
==31365== by 0x402963C4: gcry_xcalloc (global.c:538)
==31365== by 0x402B20C5: initialize (random.c:148)
==31365== by 0x402B2140: _gcry_random_initialize (random.c:164)
==31365== by 0x402958C3: gcry_control (global.c:245)
==31365== by 0x4025DC16: gnutls_global_init (gnutls_global.c:172)
==31365==
==31365== LEAK SUMMARY:
==31365== definitely lost: 60 bytes in 3 blocks.
==31365== possibly lost: 0 bytes in 0 blocks.
==31365== still reachable: 4898 bytes in 20 blocks.
==31365==
Notes:
- the uninitialized memory errors in libgcrypt gcry_mpi_print() seem to be
caused by passing an uninitialized size_t in *nbytes.
- the 60 byte memory leak is probably worth looking at.
- suppressed errors are probably from glibc. No suppressions have been
added besides those provided by the valgrind team.
These errors do not look very platform-specific at first sight, but if
you want more details (libc, binutils, whatever), please mail me.
Hope this helps improve the software :-)
cheers,
Rupert
--
Rupert Kittinger <r.kittinger@efkon.com>
EFKON AG, Software Development Department
Andritzer Reichsstrasse 66
Austria, 8045 Graz
Tel: +43 316 695675-714
Fax: +43 316 695675-9
pgp-keyID: A500DBAD
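
Added example, not part of the original message and not gnutls or libgcrypt code: a minimal C model of the failure mode named in the Notes, where a length argument is read as the buffer capacity on entry but the caller never sets it. The names print_value, send_value_buggy and send_value_fixed are hypothetical, and the in/out contract for *nbytes is an assumption based on the Notes.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for a serializer with an in/out length argument:
 * on entry *nbytes is the capacity of buf, on return the bytes needed. */
static int print_value(unsigned char *buf, size_t *nbytes,
                       const unsigned char *val, size_t len)
{
    if (*nbytes < len) {   /* branch on the caller's *nbytes: the kind of
                              "conditional jump" valgrind reports */
        *nbytes = len;
        return -1;         /* buffer too short */
    }
    memcpy(buf, val, len);
    *nbytes = len;
    return 0;
}

/* Buggy caller: capacity never set. `stale` models the leftover stack
 * value (constructed) so the outcomes are reproducible without real UB. */
static int send_value_buggy(size_t stale, const unsigned char *val, size_t len)
{
    unsigned char buf[8];
    size_t n = stale;      /* in the real bug this is just `size_t n;` */
    return print_value(buf, &n, val, len);
}

/* Fixed caller: capacity initialised from the buffer actually passed. */
static int send_value_fixed(const unsigned char *val, size_t len, size_t *out)
{
    unsigned char buf[8];
    size_t n = sizeof buf;
    int rc = print_value(buf, &n, val, len);
    *out = n;
    return rc;
}

int main(void)
{
    const unsigned char v[4] = { 0x01, 0x02, 0x03, 0x04 };  /* constructed */
    size_t n = 0;
    int spurious = send_value_buggy(0, v, sizeof v);     /* -1: false failure */
    int unchecked = send_value_buggy(1000, v, sizeof v); /* 0: bound not enforced */
    int ok = send_value_fixed(v, sizeof v, &n);          /* 0, n == 4 */
    return !(spurious == -1 && unchecked == 0 && ok == 0 && n == 4);
}
```

With a small stale value the call fails although the buffer is large enough; with a large one the length check passes regardless of the real buffer size, so the bound is no longer enforced.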