panic: attempt to copy freed scalar ... #137

Open
EnDe opened this issue Jul 17, 2024 · 18 comments

EnDe commented Jul 17, 2024

new bug reported in issue 136 by @KylaG

> But when running ./o-saft.pl --version (I had to do chmod +x o-saft.pl), I got :
> panic: attempt to copy freed scalar eb7df0 to cbcc80 at ./o-saft.pl line 407.

@EnDe EnDe added the bug label Jul 17, 2024

kylak commented Jul 17, 2024

Running ./o-saft.pl -no-warn +version gives the same panic error.

./o-saft.pl localhost +cn gives panic: attempt to copy freed scalar 129ddb0 to 10a2b28 at ./o-saft.pl line 407.
./o-saft.pl localhost +cipher gives panic: attempt to copy freed scalar 27c9db0 to 25ceb28 at ./o-saft.pl line 407.
./o-saft.pl localhost --help gives panic: attempt to copy freed scalar 1ad5db0 to 18dab28 at ./o-saft.pl line 407.


kylak commented Jul 17, 2024

According to what I understand, the error is a forbidden memory access problem (segfault).
It's in such situations that I miss the Rust programming language.. ^^


EnDe commented Jul 17, 2024

Is this a hardened system, like SELinux?

Would you like to help me get closer to the problem, as I cannot reproduce it with my systems?
If so please start:
perl -d ./o-saft.pl +version
then at the prompt, issue following commands:
b 388
c
n
you should see now:
main::(./o-saft.pl:407): our %ciphers = %Ciphers::ciphers;
if not, repeat the n commands until you see this line. Then repeat n again until the panic occurs and post the line from the debugger.
Use q to quit the debugger.
If the panic occurs earlier (before the first n), I need more information.
Thanks


kylak commented Jul 18, 2024

Sure.

So concerning the commands you asked me to type in, I got the correct replies.

Well, it's not my machine, but yes I think that the OS is hardened.

Here is some info about the OS:

  • name : CentOS Linux 7 - 64 bits
  • it uses GNOME, version 3.28.2.
  • for the graphics, it uses llvmpipe (LLVM 7.0, 256 bits).

I use the OS under VMware Workstation 17.


EnDe commented Jul 18, 2024

> I got the correct replies.

did you see the panic there?

My rough idea is that the problem occurs in these variable settings starting at that line.
Currently I'm rewriting this part. If the panic really originates there, it's a bug in my code which Perl silently ignores, for good or bad ...


kylak commented Jul 18, 2024

No, I didn't find the panic there.


EnDe commented Jul 18, 2024

doh, then I need to find another way to debug the problem ...

Meanwhile it would be nice if you can perform:
env PERLDB_OPTS="NonStop frame=2 LineInfo=o-saft.pl-panic.out" perl -d ./o-saft.pl +version

o-saft.pl-panic.out will be a huge file, please don't post it here. Grep for the panic message, post that result, for example:

grep -A9 -B9 "panic: attempt to copy freed" o-saft.pl-panic.out

maybe I'll find something there ...
Thanks.


EnDe commented Jul 19, 2024

according to your fuzzing approach:
please keep in mind that --range=full consumes about 3.5GB memory!
The lowest footprint is --range=SSLv2 with 20MB, --range=huge about 65MB.


kylak commented Jul 19, 2024

Thanks for the info.


kylak commented Jul 26, 2024

Hi.

My computer is now again accessible.

So here is the result for
env PERLDB_OPTS="NonStop frame=2 LineInfo=o-saft.pl-panic.out" perl -d ./o-saft.pl +version :

panic: attempt to copy freed scalar 23d6760 to 22883f0 at ./o-saft.pl line 407.
 at ./o-saft.pl line 407.

And I got nothing for grep -A9 -B9 "panic: attempt to copy freed" o-saft.pl-panic.out

The word "panic" has not been found in o-saft.pl-panic.out, neither "attempt", "copy", nor "freed".

Regards.


EnDe commented Jul 26, 2024

Thanks.
So I assume the message comes from SELinux.

I've just updated some files on github, so you may clone again.
It fixes some memory consumptions, avoids pointers, but I guess it will not fix the "panic".

Can you please check?


kylak commented Jul 26, 2024

I could only on Monday. I plan to do that on this day, asap.


kylak commented Jul 29, 2024

Ok so I updated the code and executed ./o-saft.pl --version and didn't get any panic error !

However I got :

[...]
= Required (and used) Modules =
=   module name            VERSION  found in
=   ----------------------+--------+------------------------------------------
    IO::Socket::INET       1.33     /usr/lib64/perl5/IO/Socket/INET.pm
    IO::Socket::SSL        1.94     /usr/share/perl5/vendor_perl/IO/Socket/SSL.pm
    Time::Local            1.2300   /usr/share/perl5/vendor_perl/Time/Local.pm
    Net::DNS               0.72     /usr/lib64/perl5/vendor_perl/Net/DNS.pm
    Net::SSLeay            1.55     /usr/lib64/perl5/vendor_perl/Net/SSLeay.pm
    Ciphers                24.06.24 lib/Ciphers.pm
    OCfg                   24.06.24 lib/OCfg.pm
    OData                  24.06.24 lib/OData.pm
    ODoc                   24.06.24 <<not loaded>>
    error_handler          24.01.24 lib/error_handler.pm
    SSLinfo                24.06.24 lib/SSLinfo.pm
    SSLhello               24.06.24 lib/SSLhello.pm
    OMan                   24.06.24 <<not loaded>>
    OText                  24.06.24 lib/OText.pm
Having no space between pattern and following word is deprecated at lib/OTrace.pm line 415.
Bareword found where operator expected at lib/OTrace.pm line 415, near "s/(}[;,])?\s*$//gn"
Unquoted string "n" may clash with future reserved word at lib/OTrace.pm line 415.
Having no space between pattern and following word is deprecated at lib/OTrace.pm line 416.
Bareword found where operator expected at lib/OTrace.pm line 416, near "s/use\s*(strict|warnings);//gn"
Unquoted string "n" may clash with future reserved word at lib/OTrace.pm line 416.
syntax error at lib/OTrace.pm line 415, near "s/(}[;,])?\s*$//gn"
syntax error at lib/OTrace.pm line 416, near "s/use\s*(strict|warnings);//gn"
Execution of lib/OTrace.pm aborted due to compilation errors.
    OTrace                          <<not loaded>>
    OUsr                   24.06.24 <<not loaded>>
!!Hint: use '--v' to get list of all modules


EnDe commented Jul 29, 2024

sounds good.
Beside the error you posted (see next comment), does the tool work now as expected, for example ./o-saft.pl +cn you-host or ./o-saft.pl +cipher you-host?

If so, I'd close this issue as fixed.


EnDe commented Jul 29, 2024

> syntax error at lib/OTrace.pm line 415, ...

can you please post the result of perl -le 'print $]'
I guess it's perl < v5.22 aka 5.022000 ...


kylak commented Jul 29, 2024

Here is the result of perl -le 'print $]' :
5.016003.

And here is what I have for ./o-saft.pl +cn MY_HOST :

**WARNING: 058: given path '/etc/ssl/certs/' does not contain a CA file
Use of uninitialized value $ret in concatenation (.) or string at lib/SSLinfo.pm line 1998.
Use of uninitialized value $ret in concatenation (.) or string at lib/SSLinfo.pm line 1998.
Use of uninitialized value $ret in concatenation (.) or string at lib/SSLinfo.pm line 1998.
Use of uninitialized value $ret in concatenation (.) or string at lib/SSLinfo.pm line 1998.
Use of uninitialized value $ret in concatenation (.) or string at lib/SSLinfo.pm line 1998.
**WARNING: 204: Can't make a connection to 'MY_HOST:443' without SNI; no initial data (compare with and without SNI not possible)
**WARNING: 203: connection without SNI succeded with errors; errors ignored
!!Hint: use '--v' to show more information about SSLinfo::do_ssl_open() errors
Use of uninitialized value $ret in concatenation (.) or string at lib/SSLinfo.pm line 1998.
Use of uninitialized value $ret in concatenation (.) or string at lib/SSLinfo.pm line 1998.
Use of uninitialized value $ret in concatenation (.) or string at lib/SSLinfo.pm line 1998.
Use of uninitialized value $ret in concatenation (.) or string at lib/SSLinfo.pm line 1998.
Use of uninitialized value $ret in concatenation (.) or string at lib/SSLinfo.pm line 1998.
**WARNING: 205: Can't make a connection to 'MY_HOST:443'; target ignored
!!Hint: use '--v' to show more information
!!Hint: use '--socket-reuse' it may help in some cases
!!Hint: use '--ignore-no-conn' to disable this check

Knowing that I replaced MY_HOST with my host name.
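
The lib/OTrace.pm compile errors reported earlier in this thread are what perl 5.016003 prints for the /n regex modifier, which was added in perl 5.22. As an added illustration (not code from o-saft and not the project's fix; the sample lines and sub names are constructed), the same two substitutions can be written with non-capturing groups so that they also compile on older perls:

```perl
#!/usr/bin/perl
# Added example, not o-saft code: the two substitutions from the error
# messages, rewritten without the /n modifier so they compile on old perls.
use strict;
use warnings;

# Constructed sample lines (assumption: the kind of text being cleaned up).
my @samples = (
    'my %cfg = ( key => 1 );',
    'use strict; use warnings; my $x = 1;',
    '    return $x; };',
    '  { a => 1 },   ',
);

# Portable form: (?:...) groups never capture, which is all /n asks for.
sub strip_portable {
    my ($line) = @_;
    $line =~ s/(?:}[;,])?\s*$//g;
    $line =~ s/use\s*(?:strict|warnings);//g;
    return $line;
}

# The /n form has to be hidden in a string eval: on perl < 5.22 it is a
# compile-time syntax error that would otherwise abort the whole file.
my $strip_n;
if ($] >= 5.022) {
    $strip_n = eval <<'EOT';
sub { my ($l) = @_;
      $l =~ s/(}[;,])?\s*$//gn;
      $l =~ s/use\s*(strict|warnings);//gn;
      return $l; }
EOT
    die $@ if $@;
}

printf "perl %s: /n modifier %s\n", $], $strip_n ? 'available' : 'not available';
for my $line (@samples) {
    my $out = strip_portable($line);
    print "[$out]\n";
    # Where /n exists, both forms must give identical results.
    die "mismatch for '$line'\n" if $strip_n && $strip_n->($line) ne $out;
}
```

On perl 5.16 the script runs the portable form only; on 5.22 or later it also checks that the /n form produces the same output.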


EnDe commented Jul 29, 2024

I've opened new issue 141 and issue 142
Can you please continue there for these issues?

Then I'll close this one.


kylak commented Jul 29, 2024

Sure.
