Package: libssl1.1
Version: 1.1.1d-0+deb10u6
Severity: normal

Dear Maintainer,

This bug appears to be fixed by 1.1.1k-1 in testing. I couldn't spot it in the issue tracker but thought I'd mention it just in case.

On my arm64 machine (Apple M1), if I run Debian buster (in a Linux container inside a qemu VM) with 1.1.1d-0+deb10u6 *and* expose the host's CPUID to the VM running the container, i.e.

```
root@1a99ac25e4fd:/# cat /proc/cpuinfo
processor : 0
BogoMIPS : 48.00
Features : fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm jscvt fcma lrcpc dcpop sha3 asimddp sha512 asimdfhm dit uscat ilrcpc flagm ssbs sb paca pacg dcpodp flagm2 frint
```

then this crashes:

```
root@1a99ac25e4fd:/# curl -vvv https://dl.yarnpkg.com
* Expire in 0 ms for 6 (transfer 0xaaaafbedef30)
* Expire in 1 ms for 1 (transfer 0xaaaafbedef30)
...
*   Trying 104.18.126.100...
* TCP_NODELAY set
* Expire in 149997 ms for 3 (transfer 0xaaaafbedef30)
* Expire in 200 ms for 4 (transfer 0xaaaafbedef30)
* Connected to dl.yarnpkg.com (104.18.126.100) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Aug 18 00:00:00 2020 GMT
*  expire date: Aug 18 12:00:00 2021 GMT
*  subjectAltName: host "dl.yarnpkg.com" matched cert's "*.yarnpkg.com"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xaaaafbedef30)
> GET / HTTP/2
> Host: dl.yarnpkg.com
> User-Agent: curl/7.64.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
Segmentation fault
```

Other URLs work fine. The `curl` succeeds if I hide some of the CPUID flags, e.g. by pretending the system is a cortex-a57 (with `qemu -cpu cortex-a57`):

```
/ # cat /proc/cpuinfo
processor : 0
BogoMIPS : 48.00
Features : fp asimd evtstrm aes pmull sha1 sha2 crc32 fphp asimdhp cpuid dit
```

If I take a broken buster system and replace the `libcrypto.so.1.1` with the one from testing, the bug is fixed. So I think it's a bug in the buster version of libssl1.1, detecting some CPU feature, misusing it and crashing. The bug appears to be fixed in testing.

-- System Information:
Debian Release: 10.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: arm64 (aarch64)

Kernel: Linux 5.10.25-linuxkit (SMP w/4 CPU cores; PREEMPT)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_RANDSTRUCT
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages libssl1.1 depends on:
ii  debconf [debconf-2.0]  1.5.71
ii  libc6                  2.28-10

libssl1.1 recommends no packages.

libssl1.1 suggests no packages.

-- no debconf information

Thanks for all your work!

David
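An added diagnostic script, not part of the bug report and not Debian's or OpenSSL's own code, that turns the comparison above into a repeatable check: it parses a `/proc/cpuinfo` `Features` line, lists the flags OpenSSL's ARM capability probe acts on, and shows which of those are present only when the host CPUID is passed through. The two `Features` lines are the ones quoted in the report, embedded as constructed sample input. It assumes (from reading crypto/armcap.c in OpenSSL 1.1.1) that the probed flags on aarch64 are asimd, aes, pmull, sha1, sha2 and sha512, and it uses the `OPENSSL_armcap` environment variable, which that file reads to override the probe, so a suspected capability-dependent crash can be re-run with the hardware-specific code paths disabled before swapping libraries.

```shell
#!/bin/sh
# Constructed samples: the two "Features" lines quoted in the bug report
# (host CPUID passed through to the VM vs. qemu -cpu cortex-a57).
PASSTHROUGH='fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm jscvt fcma lrcpc dcpop sha3 asimddp sha512 asimdfhm dit uscat ilrcpc flagm ssbs sb paca pacg dcpodp flagm2 frint'
CORTEX_A57='fp asimd evtstrm aes pmull sha1 sha2 crc32 fphp asimdhp cpuid dit'

# Flags OpenSSL 1.1.1's crypto/armcap.c probes on aarch64 (assumption from
# reading that file: NEON=asimd, AES, PMULL, SHA1, SHA256=sha2, SHA512).
CRYPTO_FLAGS='asimd aes pmull sha1 sha2 sha512'

# Read the first "Features" line from cpuinfo text on stdin.
cpu_features() {
    sed -n 's/^Features[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# has_flag FLAG LIST -> exit 0 if FLAG is one of the words in LIST
has_flag() {
    for w in $2; do
        if [ "$w" = "$1" ]; then
            return 0
        fi
    done
    return 1
}

# crypto_flags LIST -> the probed flags present in LIST, space-separated
crypto_flags() {
    out=''
    for f in $CRYPTO_FLAGS; do
        if has_flag "$f" "$1"; then
            out="$out $f"
        fi
    done
    printf '%s\n' "${out# }"
}

# crypto_flags_diff A B -> probed flags present in A but absent from B;
# these are the candidates for a code path that only runs on the
# passthrough CPU and never on the reduced model.
crypto_flags_diff() {
    out=''
    for f in $(crypto_flags "$1"); do
        if ! has_flag "$f" "$2"; then
            out="$out $f"
        fi
    done
    printf '%s\n' "${out# }"
}

# Run a command with OpenSSL's ARM capability probe overridden.
# OPENSSL_armcap is read by crypto/armcap.c; 0 disables every
# hardware-specific routine, so if the same command stops crashing the
# fault lies in a feature-gated implementation rather than the generic code.
run_without_armcap() {
    OPENSSL_armcap=0 "$@"
}

main() {
    echo "probed flags (passthrough): $(crypto_flags "$PASSTHROUGH")"
    echo "probed flags (cortex-a57):  $(crypto_flags "$CORTEX_A57")"
    echo "only with passthrough:      $(crypto_flags_diff "$PASSTHROUGH" "$CORTEX_A57")"
    if [ -r /proc/cpuinfo ]; then
        echo "this machine:               $(crypto_flags "$(cpu_features </proc/cpuinfo)")"
    fi
}

main
```

On the affected system the follow-up is `run_without_armcap curl -vvv https://dl.yarnpkg.com`: if that completes where the plain `curl` segfaults, the crash is confined to a CPU-feature-specific routine, which is the same conclusion the report reaches by hiding flags with `-cpu cortex-a57`, but without reconfiguring the VM.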