OpenSSL 3.6.0 leaks memory

[oerdnj]

In BIND 9, it is possible to use a custom allocator that tracks the memory allocations. When enabled, the tracking reports unreleased memory after calling OPENSSL_cleanup():

add 0x7228000002a0 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x72b400014020
add 0x721000007c60 size 32 func isc__crypto_malloc_ex file crypto/sparse_array.c line 60 mctx 0x72b400014020
add 0x7218000008c0 size 56 func isc__crypto_malloc_ex file crypto/threads_common.c line 358 mctx 0x72b400014020

First pointer is the allocated memory, file and line comes from OpenSSL itself, the isc__crypto_malloc_ex() is just a thin wrapper around the malloc() and mctx is an internal structure for every memory context (tracking object).

This leaked memory is consistent both in the single and multithreaded programs and adding OPENSSL_thread_stop(); after thread exits doesn't really help.

The exit check is done in the program destructor (not library destructor, so the order of destructors is determinate).

There is a total 8109 allocations and only 8106 deallocations.

[oerdnj]

With OpenSSL 3.5.4, there's 8094 allocations and 8094 deallocations. So, this looks like a regression between OpenSSL 3.5.x and 3.6.x.

[nhorman]

Bind9 uses jemalloc to do leak detection, correct?

openssl 3.6 introduced a new thread local storage key that allocates several sparse arrays which are freed on thread exit.

My guess would be that jemalloc is holding that storage in its tcache at the time of process exit and giving you a false positive on the leak. Try adding mallctl("prof.purge") immediately prior to process exit to ensure all tcaches are flushed back to the system.

[oerdnj]

Bind9 uses jemalloc to do leak detection, correct?

It does, but not in this case. BIND 9 was compiled without jemalloc, but it would not matter anyway.

openssl 3.6 introduced a new thread local storage key that allocates several sparse arrays which are freed on thread exit.

My guess would be that jemalloc is holding that storage in its tcache at the time of process exit and giving you a false positive on the leak. Try adding mallctl("prof.purge") immediately prior to process exit to ensure all tcaches are flushed back to the system.

Nope, that’s not it. These are all allocations that happen after CRYPTO_set_mem_function() and the check is done after OPENSSL_cleanup() - which explicitly states that “All resources allocated by OpenSSL are freed”.

[oerdnj]

There are also no other active threads:

(gdb) info threads
  Id   Target Id                           Frame
* 1    Thread 0x7ffff634de80 (LWP 2356349) __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
  2    Thread 0x7ffff02bd680 (LWP 2356350) 0x00007ffff6ecff77 in __sanitizer::internal_usleep (useconds=useconds@entry=100000)
    at ../../../../src/libsanitizer/sanitizer_common/sanitizer_linux.cpp:519

[oerdnj]

FTR Adding OPENSSL_thread_stop() before OPENSSL_cleanup() has no effect. The memory is still reported as allocated and un-freed.

[nhorman]

ok:

1. what version of bind?
2. what configuration are you building with?
3. What command are you running to create the reported problem?

[oerdnj]

1. main branch (or latest 9.21.x) or use ondrej/openssl-28770 branch for extra debugging output below
2. meson setup build --wipe -Ddeveloper=enabled -Dnamed-lto=off -Dleak-detection=enabled && meson compile -C build
3. ./build/dig or you can display the unaccounted memory with ./build/dig 2>&1 | perl util/memleak.pl

The output is going to be something like this:

$ ./build/dig 2>&1 | perl util/memleak.pl
add 0x7228000002a0 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x72b400014020
add 0x7218000008c0 size 56 func isc__crypto_malloc_ex file crypto/threads_common.c line 358 mctx 0x72b400014020
add 0x721000007c60 size 32 func isc__crypto_malloc_ex file crypto/sparse_array.c line 60 mctx 0x72b400014020

[oerdnj]

You can add -Djemalloc=disabled to meson setup if you want to be extra sure, but it makes no difference (the detection layer is on top of jemalloc not the other way around.

[nhorman]

well....this is weird.

I built bind according to your instructions, and sure enough, I get the leak:

nhorman@hmsbeagle:~/git/bind9$ ./build/dig 2>&1 | perl ./util/memleak.pl 
add 0x55e41b3d5ce0 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x55e41b3a0b30
add 0x55e41b3ba860 size 64 func isc__crypto_malloc_ex file crypto/threads_common.c line 359 mctx 0x55e41b3a0b30
add 0x55e41b3d6470 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x55e41b3a0b30
add 0x55e41b3d6890 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x55e41b3a0b30
add 0x55e41b3d6730 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x55e41b3a0b30
add 0x55e41b3d5340 size 32 func isc__crypto_malloc_ex file crypto/sparse_array.c line 60 mctx 0x55e41b3a0b30
add 0x55e41b3d6520 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x55e41b3a0b30
add 0x55e41b3d6940 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x55e41b3a0b30
add 0x55e41b3d69f0 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x55e41b3a0b30
add 0x55e41b3d6260 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x55e41b3a0b30
add 0x55e41b3bb030 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x55e41b3a0b30
add 0x55e41b3d6050 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x55e41b3a0b30
add 0x55e41b3d63c0 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x55e41b3a0b30
add 0x55e41b3d5b80 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x55e41b3a0b30
add 0x55e41b3d6680 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x55e41b3a0b30
add 0x55e41b3d6310 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x55e41b3a0b30
add 0x55e41b3d65d0 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x55e41b3a0b30
add 0x55e41b3d5fa0 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x55e41b3a0b30
add 0x55e41b3ba920 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x55e41b3a0b30
add 0x55e41b3d5e40 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x55e41b3a0b30
add 0x55e41b3d61b0 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x55e41b3a0b30
add 0x55e41b3d5ef0 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x55e41b3a0b30
add 0x55e41b3d5c30 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x55e41b3a0b30
add 0x55e41b3d6100 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x55e41b3a0b30
add 0x55e41b3ba8d0 size 32 func isc__crypto_malloc_ex file crypto/sparse_array.c line 60 mctx 0x55e41b3a0b30
add 0x55e41b3d67e0 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x55e41b3a0b30
add 0x55e41b3d5d90 size 128 func isc__crypto_malloc_ex file crypto/sparse_array.c line 176 mctx 0x55e41b3a0b30

These are pretty clearly allocations made by CRYPTO_THREAD_set_local_ex, which we added in 3.6 to mitigate our usage of thread local keys (i.e. we create a sparse array to store multiple thread local keys against a single pthread_key_t, instead of creating a glibc level pthread_key_t for each thread local storage value we want to save. the documentation is out of date in the OPENSSL_cleanup doesn't free this memory, it gets freed on thread exit via a cleanup handler named clean_master_key().

So it would seem that the key cleanup handler isn't getting called on thread exit. As a test I added this:

diff --git a/crypto/threads_common.c b/crypto/threads_common.c
index 3a5597266b..8f08fa8360 100644
--- a/crypto/threads_common.c
+++ b/crypto/threads_common.c
@@ -192,6 +192,7 @@ static void clean_master_key(void *data)
     MASTER_KEY_ENTRY *mkey = data;
     int i;
 
+    fprintf(stderr, "CLEANING MASTER KEY DATA\n");
     for (i = 0; i < CRYPTO_THREAD_LOCAL_KEY_MAX; i++) {
         if (mkey[i].ctx_table != NULL)
             clean_master_key_id(&mkey[i]);

to openssl and ran some of our local unit tests, and sure enough, that printf got produced every time a thread joined via pthread_join(), so that appears to be working. But when I ran dig again, no such message was produced. So it would seem I can confirm that the thread local cleanup routine isn't getting properly called on thread cancellation via pthread_join.

So in doing some googling I saw a suggestion that pthread_exit(NULL) should be called prior to exit from the main routine, which just seems absolutely wrong to me, but I figured, I'll give it a shot.

So I added the following:

nhorman@hmsbeagle:~/git/bind9$ git diff
diff --git a/bin/dig/dig.c b/bin/dig/dig.c
index a1297a5396..2e44d1050b 100644
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -3480,6 +3480,6 @@ main(int argc, char **argv) {
        dig_query_setup(false, false, argc, argv);
        dig_startup();
        dig_shutdown();
-
+    pthread_exit(NULL);
        return exitcode;
 }

and rebuilt. Suprisingly, the cleanup handler printf started appearing and the memory leak went away:

nhorman@hmsbeagle:~/git/bind9$ ./build/dig 2>&1 | grep CLEAN
CLEANING MASTER KEY DATA

nhorman@hmsbeagle:~/git/bind9$ ./build/dig 2>&1 | perl util/memleak.pl 
nhorman@hmsbeagle:~/git/bind9$ 

The addition of a pthread_exit call in the dig main routine is obviously wrong, but it begs the question, why is this particular key cleanup routine (clean_master_key()) not getting called on thread exit, without the addition of the above call?

[oerdnj]

Maybe it asserts before the routine gets called? I don’t know the interactions between atexit/.dtor section and at-pthread_exit() routines.

I think it would make sense to call the same thread cleanup when the OPENSSL_cleanup() gets called? That should also make the leak go away and would fix this universally for everyone.

[nhorman]

you can't use OPENSSL_cleanup() here because its per-thread data, and theres no guarantee that each thread will call OPENSSL_cleanup(). Each thread has to use the registered cleanup handler to free its own data.

That said, I think I have at least an explination for whats going on here. Given that pthread_exit(NULL) getting called in the main routine made the problem abate, I started wondering what it was doing that triggered the fix.

I added some printfs to both the dig main routine and the openssl set_local_ex api to match up what threads had what id's, and what threads were actually allocating per-thread data.

As it turns out, the thread created via pthread_create isn't doing any thread local storage, its the main thread (i.e. the thread executing in main() for the dig application thats doing the thread local storage allocation.

The main thread is something of an odd duck. Unlike threads which are created via pthread_create, which clean thread local storage when the exit, the main thread does so when it returns from main(), at which point the same handlers get called to return that memory to glibc.

Tools like valgrind/libasan don't see this as an error because they hook the glibc malloc routines, and wait until the program terminates before checking for leaks, at which point the cleanup handlers for the main routine have been called, and so they correctly see that that memory was properly freed.

Conversely, your internal leak checker does the leak calculation as part of isc__lib_shutdown() which is registered as a destructor. there is no guarantee of the ordering in which desctructors are called, or their ordering vs thread local storage cleanup routines. My guess is that the isc__lib_shutdown desctructor is getting run prior to the main thread memory cleanup handlers, and so frees that are going to happen are not being taken into account when you check for memory leaks. sure enough, if I add a printf to ISC__mem_free, i see it getting called several times after the conclusion of your memory printing traces.

I'm not sure what to do about this. Its not a leak, its just that you're memory leak checker, being part of the process itself, isn't able to wait long enough for all the frees to occur, as the main routine frees memory after it returns in this model. It may be possible to force your destructor to be the lowest priority destructor to get run (using the attribute((destructor(prio))) attribute variant, but thats gcc specific and non-portable, and still doesn't guarantee that process thread local storage happens before destructors are called.

It may be possible to add an api to openssl to explicitly clean the main threads local storage prior to exit, but I wouldn't be supportive of that, as it would have to trust that the calling application only called it from the main thread, and would only be useful for application-internal leak checkers, such as we are discussing here.

The bottom line is that the proper way to do this, is the way valgrind does, by creating a parent process that preloads a library in a child process, which hooks memory allocator calls to record heap transactions, and analyzes them only after the child terminates. Thats how you guarantee that all heap transactions get seen.

[piru]

It's just bad design decision in 3.6.0, really.

Among other changes, #OpenSSL 3.6.0 added a dependency on CRYPTO_THREAD_init_local destructor being called by thread termination. https://github.com/openssl/openssl/blob/512f176185ebcd98810e181601fcaf7f340439e9/crypto/threads_common.c

Before this change, all thread-local keys were deleted at runtime by OPENSSL_cleanup(), and thus no such dependency existed. This also results in the destructor getting called after OPENSSL_cleanup(), something that can be somewhat unexpected and can lead to problems with more exotic threading implementations.

I think it is #baddesign to add such a runtime leak that persists beyond cleanup.

from: https://infosec.exchange/@harrysintonen/115305772519122263

The reasoning is here:

openssl/crypto/threads_common.c

Line 215 in f7feb2d

* Note: We assign a cleanup function here, which is atypical for

I personally "fixed" this by making CRYPTO_THREAD_clean_local_for_fips always available and then calling this function when needed.

[oerdnj]

you can't use OPENSSL_cleanup() here because its per-thread data, and theres no guarantee that each thread will call OPENSSL_cleanup(). Each thread has to use the registered cleanup handler to free its own data.

FTR that’s what not I said. I meant that the main thread that calls OPENSSL_cleanup() should also run the per-thread cleanups.

[oerdnj]

there is no guarantee of the ordering in which desctructors are called

That’s actually not true. The reason why the ctors/dtors are not registered for each internal library, but for each program is that the order is now deterministic. You can’t control the order in which the libraries are loaded into memory, so the stochastic nature of core/dtor section only applies to libraries (because of the inter-dependencies). For main program, the order is actually stable and you can rely on it.