Ubuntu
pycryptopp package

warnings from valgrind about openssl as used by CPython

Bug #944585 reported by Zooko Wilcox-O'Hearn on 2012-03-02

This bug affects 1 person

	Status	Importance	Assigned to
OpenSSL	Invalid	Unknown	openssl-rt #2747
Python	Fix Released	Unknown	python-roundup #14171
pycryptopp	Fix Released	Unknown	tahoe-lafs-org-trac-pycryptopp #82
openssl (Fedora)	New	Undecided	Unassigned
pycryptopp (Ubuntu)	New	Undecided	Unassigned

Bug Description

The buildbot for the Tahoe-LAFS and pycryptopp projects runs CPython under valgrind on Fedora, and valgrind emits warnings like this:

==30127== Conditional jump or move depends on uninitialised value(s)
==30127== at 0x4C2AD01: bcmp (mc_replace_strmem.c:889)
==30127== by 0xC1D1646: fips_get_entropy (fips_drbg_lib.c:166)
==30127== by 0xC1D1D6E: FIPS_drbg_instantiate (fips_drbg_lib.c:234)
==30127== by 0xC15F590: RAND_init_fips (rand_lib.c:286)
==30127== by 0xC0F54D3: OPENSSL_init_library (o_init.c:106)
==30127== by 0xBE76AF8: SSL_library_init (ssl_algs.c:68)
==30127== by 0xBC2B39D: init_hashlib (in /usr/lib64/python2.7/lib-dynload/_hashlib.so)
==30127== by 0x4F1DB00: _PyImport_LoadDynamicModule (in /usr/lib64/libpython2.7.so.1.0)

You can see the full output from such a buildbot run here:

https://tahoe-lafs.org/buildbot-pycryptopp/builders/Ruben%20Fedora%20syslib/builds/58/steps/test%20valgrind/logs/valgrind

Here is information about the versions of software involved:

https://tahoe-lafs.org/buildbot-pycryptopp/builders/Ruben%20Fedora%20syslib/builds/58/steps/show-tool-versions/logs/stdio

The owner of the buildslave machine says that the openssl package was "openssl-1.0.1-0.1.beta2.fc17.x86_64".

Not having looked closer, I assume this is just a case of using uninitialized memory as part of the initialization of the PRNG. Accordingly, I wrote suppressions stanzas for our valgrind suppressions file, which made the warnings go away.

Here are the suppression expressions:

# generated on buildbot.rubenkerkhof.com, which had, according to Ruben
# Fedora's package "openssl-1.0.1-0.1.beta2.fc17.x86_64"
{
   buildbot.rubenkerkhof.com cond fips openssl 1
   Memcheck:Cond
   fun:bcmp
   fun:fips_get_entropy
   fun:FIPS_drbg_instantiate
   fun:RAND_init_fips
   fun:OPENSSL_init_library
   fun:SSL_library_init
   fun:init_hashlib
}

{
   buildbot.rubenkerkhof.com cond fips openssl 2
   Memcheck:Cond
   fun:fips_get_entropy
   fun:FIPS_drbg_instantiate
   fun:RAND_init_fips
   fun:OPENSSL_init_library
   fun:SSL_library_init
   fun:init_hashlib
}

{
   buildbot.rubenkerkhof.com val _x86_64_AES_encrypt_compact
   Memcheck:Value8
   fun:_x86_64_AES_encrypt_compact
   fun:AES_encrypt
}

Tags:

Revision history for this message

Zooko Wilcox-O'Hearn (zooko) wrote on 2012-03-02:

cpython-openssl101.supp Edit (716 bytes, text/plain)

Revision history for this message

Ubuntu Foundations Team Bug Bot (crichton) wrote on 2012-03-02:

The attachment "cpython-openssl101.supp" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags:

added: patch

Bug Watch Updater (bug-watch-updater) on 2012-03-12