The segfault occurs during exit when __run_exit_handlers calls Ref<lftp_ssl_openssl_instance>::~Ref
which calls SSL_CTX_free and segfaults on a null openssl global_engine_lock:
bt
0 __pthread_rwlock_wrlock_full (abstime=0x0, clockid=0, rwlock=0x0) at pthread_rwlock_common.c:604
1 __GI___pthread_rwlock_wrlock (rwlock=0x0) at pthread_rwlock_wrlock.c:27
2 0x000003ff892a6f8a in CRYPTO_THREAD_write_lock (lock=) at crypto/threads_pthread.c:78
3 0x000003ff89223cb6 in ENGINE_finish (e=0x2aa2ff73670) at crypto/engine/eng_init.c:101
4 0x000003ff892864c6 in RSA_free (r=0x2aa2ffc3ed0) at crypto/rsa/rsa_lib.c:137
5 0x000003ff892408de in EVP_PKEY_free_it (x=x@entry=0x2aa2ffc57f0) at crypto/evp/p_lib.c:618
6 0x000003ff8924178a in EVP_PKEY_free (x=0x2aa2ffc57f0) at crypto/evp/p_lib.c:608
7 0x000003ff892c375e in pubkey_cb (operation=, pval=, it=, exarg=) at crypto/x509/x_pubkey.c:34
8 0x000003ff891a93d4 in asn1_item_embed_free (pval=0x2aa2ffc4e10, it=0x3ff89397720 , embed=) at crypto/asn1/tasn_fre.c:113
9 0x000003ff891a963e in asn1_template_free (pval=0x2aa2ffc4e10, tt=tt@entry=0x3ff893a0e20) at crypto/asn1/tasn_fre.c:142
10 0x000003ff891a93a8 in asn1_item_embed_free (pval=0x3ffde2fe990, it=0x3ff89397878 , embed=) at crypto/asn1/tasn_fre.c:110
11 0x000003ff891a963e in asn1_template_free (pval=0x3ffde2fe990, tt=tt@entry=0x3ff893a0cb8 ) at crypto/asn1/tasn_fre.c:142
12 0x000003ff891a93a8 in asn1_item_embed_free (pval=0x3ffde2feae8, it=0x3ff89397818 , embed=) at crypto/asn1/tasn_fre.c:110
13 0x000003ff891a9538 in ASN1_item_free (val=, it=) at crypto/asn1/tasn_fre.c:20
14 0x000003ff892b64ae in X509_OBJECT_free (a=0x2aa2ffc4a00) at crypto/x509/x509_lu.c:470
15 0x000003ff892a3024 in OPENSSL_sk_pop_free (st=0x2aa2ffb8240, func=0x3ff892b6498 ) at crypto/stack/stack.c:368
16 0x000003ff892b6aa4 in sk_X509_OBJECT_pop_free (freefunc=, sk=) at include/openssl/x509_vfy.h:58
17 X509_STORE_free (vfy=0x2aa2ffb7e30) at crypto/x509/x509_lu.c:225
18 0x000003ff8803e426 in SSL_CTX_free (a=0x2aa2ff9efb0) at ssl/ssl_lib.c:3254
19 0x000003ff881995cc in lftp_ssl_openssl_instance::~lftp_ssl_openssl_instance (this=0x2aa2ff7d4b0, __in_chrg=) at lftp_ssl.cc:922
20 0x000003ff8819aa80 in Ref::~Ref (this=, __in_chrg=) at Ref.h:34
21 0x000003ff894cbcd2 in run_exit_handlers (status=, listp=0x3ff896288c0 <exit_funcs>, run_list_atexit=run_list_atexit@entry=true,
run_dtors=run_dtors@entry=true) at exit.c:108
22 0x000003ff894cbde8 in __GI_exit (status=) at exit.c:139
I'm analyzing a problem with lftp on s390x
The problem occurs with an https server, or with an ftp server when 'set ftp:ssl-force true' is set. With ftp, at least one ftp command needs to be run.
To reproduce it, I've been using
lftp -e "set ftp:ssl-force true; set ssl:verify-certificate false; ls; quit" -u
The segfault occurs during exit when __run_exit_handlers calls Ref<lftp_ssl_openssl_instance>::~Ref, which calls SSL_CTX_free and segfaults on a null openssl global_engine_lock:
bt
0 __pthread_rwlock_wrlock_full (abstime=0x0, clockid=0, rwlock=0x0) at pthread_rwlock_common.c:604
1 __GI___pthread_rwlock_wrlock (rwlock=0x0) at pthread_rwlock_wrlock.c:27
2 0x000003ff892a6f8a in CRYPTO_THREAD_write_lock (lock=) at crypto/threads_pthread.c:78
3 0x000003ff89223cb6 in ENGINE_finish (e=0x2aa2ff73670) at crypto/engine/eng_init.c:101
4 0x000003ff892864c6 in RSA_free (r=0x2aa2ffc3ed0) at crypto/rsa/rsa_lib.c:137
5 0x000003ff892408de in EVP_PKEY_free_it (x=x@entry=0x2aa2ffc57f0) at crypto/evp/p_lib.c:618
6 0x000003ff8924178a in EVP_PKEY_free (x=0x2aa2ffc57f0) at crypto/evp/p_lib.c:608
7 0x000003ff892c375e in pubkey_cb (operation=, pval=, it=, exarg=) at crypto/x509/x_pubkey.c:34
8 0x000003ff891a93d4 in asn1_item_embed_free (pval=0x2aa2ffc4e10, it=0x3ff89397720, embed=) at crypto/asn1/tasn_fre.c:113
9 0x000003ff891a963e in asn1_template_free (pval=0x2aa2ffc4e10, tt=tt@entry=0x3ff893a0e20) at crypto/asn1/tasn_fre.c:142
10 0x000003ff891a93a8 in asn1_item_embed_free (pval=0x3ffde2fe990, it=0x3ff89397878, embed=) at crypto/asn1/tasn_fre.c:110
11 0x000003ff891a963e in asn1_template_free (pval=0x3ffde2fe990, tt=tt@entry=0x3ff893a0cb8) at crypto/asn1/tasn_fre.c:142
12 0x000003ff891a93a8 in asn1_item_embed_free (pval=0x3ffde2feae8, it=0x3ff89397818, embed=) at crypto/asn1/tasn_fre.c:110
13 0x000003ff891a9538 in ASN1_item_free (val=, it=) at crypto/asn1/tasn_fre.c:20
14 0x000003ff892b64ae in X509_OBJECT_free (a=0x2aa2ffc4a00) at crypto/x509/x509_lu.c:470
15 0x000003ff892a3024 in OPENSSL_sk_pop_free (st=0x2aa2ffb8240, func=0x3ff892b6498) at crypto/stack/stack.c:368
16 0x000003ff892b6aa4 in sk_X509_OBJECT_pop_free (freefunc=, sk=) at include/openssl/x509_vfy.h:58
17 X509_STORE_free (vfy=0x2aa2ffb7e30) at crypto/x509/x509_lu.c:225
18 0x000003ff8803e426 in SSL_CTX_free (a=0x2aa2ff9efb0) at ssl/ssl_lib.c:3254
19 0x000003ff881995cc in lftp_ssl_openssl_instance::~lftp_ssl_openssl_instance (this=0x2aa2ff7d4b0, __in_chrg=) at lftp_ssl.cc:922
20 0x000003ff8819aa80 in Ref::~Ref (this=, __in_chrg=) at Ref.h:34
21 0x000003ff894cbcd2 in run_exit_handlers (status=, listp=0x3ff896288c0 < exit_funcs>, run_list_atexit=run_list_atexit@entry=true,
22 0x000003ff894cbde8 in __GI_exit (status=) at exit.c:139
23 0x000003ff894ab250 in __libc_start_main (main=0x2aa2df896f0 <main(int, char**)>, argc=, argv=0x3ffde2ff228, init=, fini=,
24 0x000002aa2df8a164 in _start () at ../sysdeps/s390/s390-64/start.S:90
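The openssl global_engine_lock is null because the openssl exit cleanup handler, OPENSSL_cleanup, has already run.
So, this appears to be an issue with the order in which the OPENSSL_cleanup exit handler runs relative to Ref<lftp_ssl_openssl_instance>::~Ref. exit() runs its handlers in reverse order of registration, so this ordering would result if OPENSSL_cleanup was registered after the destructor of the Ref object; the destructor then frees the SSL_CTX against library state that has already been torn down.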
A possible solution may be to clean up those instances before exit, so they're already cleaned up by the time the openssl exit handler runs.