Segmentation fault: what's wrong with this code?


Stef Bon

Jun 5, 2026, 2:33:27 PM
to openssl-users
Hi,

I've written the following code, but I get a segmentation fault (when calling EVP_PKEY_free). 
I do not see what's causing this. Can you see it? Any help appreciated.

#include <stdio.h>
#include <openssl/evp.h>
#include <openssl/decoder.h>

/* Print helper defined elsewhere in Stef's program (prototype assumed here).
 * Per the follow-up in this thread it must not free spk: the caller below
 * still owns the key and frees it itself. */
void EVP_PKEY_print_private_stdout(EVP_PKEY *pkey);

static void PK_read_spk_from_OSSL_DECODER(char *buffer, size_t size)
{
   OSSL_DECODER_CTX *dctx=NULL;
   EVP_PKEY *spk=NULL;
   const unsigned char *start=(unsigned char *) buffer;

   /* buffer holds a PEM-encoded private key; decode it into spk */

   dctx=OSSL_DECODER_CTX_new_for_pkey(&spk, "PEM", NULL, NULL, EVP_PKEY_KEYPAIR, NULL, NULL);

   if (dctx==NULL) {
       fprintf(stdout, "cannot create decoder.\n");
       return;
   }

   /* on success start and size are advanced past the consumed data */
   if (OSSL_DECODER_from_data(dctx, &start, &size)<=0) {
       fprintf(stdout, "decoder error.\n");
   } else {
       fprintf(stdout, "decoder finished ok.\n");
       EVP_PKEY_print_private_stdout(spk);
   }

   /* EVP_PKEY_free(NULL) is a no-op, so this is safe on the error path too */
   EVP_PKEY_free(spk);
   OSSL_DECODER_CTX_free(dctx);
}


Thanks in advance,

Stef Bon

Neil Horman

Jun 5, 2026, 3:48:35 PM
to Stef Bon, openssl-users
Do you have a backtrace of the crash?



Stef Bon

Jun 5, 2026, 4:35:31 PM
to openssl-users, Neil Horman, openssl-users, Stef Bon

Yes
                Module /home/sbon/Projects/archive/openssl/openssh/test without build-id.
                Module ld-linux-x86-64.so.2 without build-id.
                Module libc.so.6 without build-id.
                Module libcrypto.so.3 without build-id.
                Stack trace of thread 3061:
                #0  0x00007f188b982e22 n/a (libcrypto.so.3 + 0x182e22)
                #1  0x00007f188b983610 EVP_PKEY_free (libcrypto.so.3 + 0x183610)
                #2  0x0000557320c4534c PK_read_spk_from_OSSL_DECODER (/home/sbon/Projects/archive/openssl/openssh/test + 0x334c)
                #3  0x0000557320c456b3 PK_read_spk_from_handle (/home/sbon/Projects/archive/openssl/openssh/test + 0x36b3)
                #4  0x0000557320c458f3 main (/home/sbon/Projects/archive/openssl/openssh/test + 0x38f3)
                #5  0x00007f188b6301ae n/a (libc.so.6 + 0x271ae)
                #6  0x00007f188b630269 __libc_start_main (libc.so.6 + 0x27269)
                #7  0x0000557320c434e5 _start (/home/sbon/Projects/archive/openssl/openssh/test + 0x14e5)
                ELF object binary architecture: AMD x86-64


Neil Horman

Jun 5, 2026, 5:16:15 PM
to Stef Bon, openssl-users
Nothing looks especially wrong here.  Is the decode process successful?  I.e. does your private key get printed out after a successful return from OSSL_DECODER_from_data?  If not, my first guess would be there's some bug in the decode path in which pkey is allocated and freed but the object pointer isn't reset to NULL, leading to an invalid dereference in EVP_PKEY_free because the NULL check there erroneously fails.

Neil

Michael Wojcik

Jun 5, 2026, 5:34:50 PM
to openssl-users
The easiest way to diagnose this might be to build OpenSSL for debug, then reproduce under valgrind (with memcheck, which is the default tool). Odds are decent that will tell you exactly where it went wrong. Even just running under gdb with debug symbols would be useful.

The usual causes of a SEGV in a free-function are an invalid pointer or prior heap corruption. An invalid pointer could be already freed (though in single-threaded programs I think glibc is generally pretty good at catching this and SIGABRTs instead) or not a pointer to a heap-allocated object (e.g. because someone did pointer arithmetic on it, or overwrote it with a buffer overflow elsewhere, or it's just rubbish). Prior heap corruption could be many things. And, of course, a non-trivial free-function would be attempting to operate on data within the object being freed, and something there could be bogus.

But using the available tooling - valgrind or even glibc's built-in malloc debugging - is generally faster than code inspection, if the issue is easy to reproduce.

--
Michael Wojcik

Stef Bon

Jun 5, 2026, 5:36:04 PM
to openssl-users, Neil Horman, openssl-users, Stef Bon
I've found it. Sorry, my fault. The print function freed the key also, which causes the fault.
Thanks for your attention,

Stef
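The cause Stef found (a print helper that frees the key its caller also frees) and the free-function crash Michael describes come down to one ownership contract. The following is an added example, not code from this thread or from OpenSSL: `toy_pkey` and its `toy_pkey_*` functions are constructed stand-ins that mirror the reference-counting semantics of `EVP_PKEY_up_ref()` and `EVP_PKEY_free()`, except that a free on an already-released object is counted instead of touching freed memory, so the buggy path can be replayed without crashing. It contrasts the buggy helper with two fixes: a helper that only borrows the key, and a helper that takes its own reference before freeing.

```c
#include <stdio.h>

/* Toy stand-in for EVP_PKEY (constructed for this example, not OpenSSL code).
 * Real EVP_PKEY objects are reference counted the same way: EVP_PKEY_up_ref()
 * adds a reference, EVP_PKEY_free() drops one and releases the object at zero. */
typedef struct {
    int refcount;      /* 0 means the object has been released */
    char label[16];
} toy_pkey;

static int g_released = 0;   /* how many times the object was actually released */
static int g_bad_frees = 0;  /* frees attempted on an already-released object */

static void toy_pkey_init(toy_pkey *k, const char *label)
{
    k->refcount = 1;
    snprintf(k->label, sizeof k->label, "%s", label);
}

/* Mirrors EVP_PKEY_up_ref(): 1 on success, 0 if the object is already gone. */
static int toy_pkey_up_ref(toy_pkey *k)
{
    if (k == NULL || k->refcount <= 0)
        return 0;
    k->refcount++;
    return 1;
}

/* Mirrors EVP_PKEY_free(): NULL is a no-op, the last reference releases the
 * object. Unlike the real function, a free on a released object is counted
 * rather than dereferenced, which in real code is the double free / SIGSEGV
 * seen in the backtrace above. */
static void toy_pkey_free(toy_pkey *k)
{
    if (k == NULL)
        return;
    if (k->refcount <= 0) {
        g_bad_frees++;
        return;
    }
    if (--k->refcount == 0)
        g_released++;
}

/* Buggy helper: prints and then frees the caller's only reference,
 * the behaviour Stef's print function turned out to have. */
static void print_private_buggy(toy_pkey *k)
{
    printf("key %s (refs=%d)\n", k->label, k->refcount);
    toy_pkey_free(k);
}

/* Fix 1: the helper borrows the key and never frees it;
 * ownership stays with the caller. */
static void print_private_borrow(const toy_pkey *k)
{
    printf("key %s (refs=%d)\n", k->label, k->refcount);
}

/* Fix 2: a helper that insists on freeing takes its own reference first,
 * so its free only undoes that reference (the EVP_PKEY_up_ref idiom). */
static int print_private_own_ref(toy_pkey *k)
{
    if (!toy_pkey_up_ref(k))
        return 0;
    printf("key %s (refs=%d)\n", k->label, k->refcount);
    toy_pkey_free(k);
    return 1;
}

enum { PRINT_BUGGY, PRINT_BORROW, PRINT_OWN_REF };

/* Replays the caller from the thread: hold one reference, call the print
 * helper, free once. Returns the number of invalid frees (0 = ownership right). */
static int run_scenario(int variant)
{
    toy_pkey spk;
    toy_pkey_init(&spk, "spk");
    g_released = 0;
    g_bad_frees = 0;

    switch (variant) {
    case PRINT_BUGGY:   print_private_buggy(&spk);   break;
    case PRINT_BORROW:  print_private_borrow(&spk);  break;
    case PRINT_OWN_REF: print_private_own_ref(&spk); break;
    }

    toy_pkey_free(&spk);  /* the caller's own free, as at the end of PK_read_spk_from_OSSL_DECODER */
    return g_bad_frees;
}

/* Number of real releases in the last scenario; must be exactly 1 in every case. */
static int released_count(void)
{
    return g_released;
}

int main(void)
{
    printf("buggy helper:     %d invalid free(s)\n", run_scenario(PRINT_BUGGY));
    printf("borrowing helper: %d invalid free(s)\n", run_scenario(PRINT_BORROW));
    printf("up_ref helper:    %d invalid free(s)\n", run_scenario(PRINT_OWN_REF));
    return 0;
}
```

The borrowing helper is the simplest contract and is what the caller in this thread expects; the up_ref variant is the pattern to use when a helper genuinely needs to keep or consume its own reference. A real double free of an EVP_PKEY cannot be made this tame: building with `-fsanitize=address`, or running under valgrind's memcheck as Michael suggests, reports the second free together with the stacks of the allocation and the first free, which points straight at the offending helper.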

