Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#6026 closed Bug (invalid)

Crash in libcrypto's BN_mod_exp_mont_consttime (tr_dh_make_key) on OS X 10.11.1

Reported by: Milorad Owned by: livings124
Priority: Normal Milestone: Sometime
Component: Mac Client Version: 2.84
Severity: Normal Keywords: Crash OS X El Capitan 11.1


Greetings, I'm coming back with two Transmission crashes. One before midnight and one after midnight.

User diagnostic report before midnight:

User diagnostic report after midnight:

OS: El Capitan 10.11.1, Mac Mini (mid 2011), 16Gb of RAM
Transmission: 2.84 (14600)
Yesterday: 2 files seeding - 2 files downloading
This morning: 3 files seeding - 1 file downloading
Yesterday: Speed limit on
This morning: Speed limit off

Speed limit: Does not seem to work. With a limit set to 175 on downloads, the speed goes well above 200, up to 300. Mind you, the download speed is very erratic. It can go up to 300 and fall back to zero in half a second.

Change History (17)

comment:1 Changed 6 years ago by x190

Thread 2 Crashed:
0   libcrypto.0.9.8.dylib               0x00007fff96675c83 BN_mod_exp_mont_consttime + 1635
1   libcrypto.0.9.8.dylib               0x00007fff96674c30 BN_mod_exp_mont + 128
2   libcrypto.0.9.8.dylib               0x00007fff966529ac generate_key + 316
3   org.m0k.transmission                0x00000001000968fc tr_dh_make_key + 50
4   org.m0k.transmission                0x000000010007cb84 ensureKeyExists + 73
5   org.m0k.transmission                0x000000010007cb18 tr_cryptoComputeSecret + 18
6   org.m0k.transmission                0x000000010007d654 canRead + 942
7   org.m0k.transmission                0x0000000100081a22 canReadWrapper + 193
8   org.m0k.transmission                0x0000000100080fe5 tr_peerIoFlush + 388
9   org.m0k.transmission                0x0000000100095f71 phaseOne + 136
10  org.m0k.transmission                0x0000000100095cd8 tr_bandwidthAllocate + 249
11  org.m0k.transmission                0x000000010008725f bandwidthPulse + 164
12  org.m0k.transmission                0x00000001000b6fd1 event_base_loop + 1634
13  org.m0k.transmission                0x000000010007c5ea libeventThreadFunc + 141
14  org.m0k.transmission                0x0000000100072fee ThreadFunc + 15
15  libsystem_pthread.dylib             0x00007fff8f6d49b1 _pthread_body + 131
16  libsystem_pthread.dylib             0x00007fff8f6d492e _pthread_start + 168
17  libsystem_pthread.dylib             0x00007fff8f6d2385 thread_start + 13
Global Trace Buffer (reverse chronological seconds):
16900.034739 CFNetwork                  0x00007fff8ee44a0f TCP Conn 0x1004b3470 complete. fd: 30, err: 0
16900.034843 CFNetwork                  0x00007fff8eed31ad TCP Conn 0x1004b3470 event 1. err: 0
16900.103014 CFNetwork                  0x00007fff8ee43cdf TCP Conn 0x1004b3470 started
16900.199119 CFNetwork                  0x00007fff8ee0789e Creating default cookie storage with process/bundle identifier
16900.199119 CFNetwork                  0x00007fff8ee07836 Faulting in CFHTTPCookieStorage singleton
16900.199119 CFNetwork                  0x00007fff8ee076c5 Faulting in NSHTTPCookieStorage singleton

comment:2 Changed 6 years ago by mike.dld

  • Priority changed from High to Normal
  • Severity changed from Major to Normal

The code in Transmission itself hasn't changed in years, as the call to DH_generate_key accepts constant, predefined values. I checked the OpenSSL changelog and the BN_mod_exp_mont_consttime function was added in 0.9.7h (October 2005, so long ago as well) as a security measure. There is a way to disable its use in this particular place by setting the DH_FLAG_NO_EXP_CONSTTIME flag, but that doesn't sound like a good idea. If we report this issue to Apple (which is still a good idea, BTW), they are likely to ignore it, as they deprecated OpenSSL back in OS X 10.7. The only viable option is to bundle our own OpenSSL libraries, but then again we should test first whether this helps.

I wonder if anyone else on El Capitan is seeing this. We would've had lots of reports by now if it wasn't working, right?

comment:4 in reply to: ↑ 3 ; follow-up: Changed 6 years ago by mike.dld

Replying to x190:

Comments 26-30.

I don't think it is related. It is an issue (kind of), but it doesn't lead to crashes.

comment:5 Changed 6 years ago by Milorad

Please find the URL of a new crash that occurred around midnight last night.

My last downloading file was finished at 99.98%, when Transmission asked me to do a file verification, packet # xxxxx is corrupt. I launched the verification, that was just after midnight and went to bed. This morning I found that transmission had crashed again.

Some other piece of information: the machine I'm using for torrenting has only Transmission running. No other applications are open. Would it help you if I could send you a list of all the processes that are running? Is there a way to list all of them in a text file?

comment:6 in reply to: ↑ 4 Changed 6 years ago by x190

Replying to mike.dld:

Replying to x190:

Comments 26-30.

I don't think it is related. It is an issue (kind of), but it doesn't lead to crashes.

I think it just means the function is somewhat flawed.

@Milorad: Please try a clean install of Transmission.

#1 Move the following folders/files to your Desktop for later disposal.

~/Library/Application Support/Transmission (.torrents can be found here and can be re-added to Transmission. Use "Move Data File To..." (enclosing folder) and "Verify Local Data" as necessary.)
~/Library/Preferences/org.m0k.transmission.plist (re-do Preferences after installation)

"~" = your home folder.

#2 Trash the .app.

#3 D/l a fresh copy and re-install application.

comment:7 Changed 6 years ago by mike.dld

I see that although the OpenSSL version (0.9.8zg) stayed the same between the OS X 10.10 and 10.11 releases, the libcrypto.0.9.8.dylib binary has changed, and it doesn't look like it was simply recompiled with another version of Clang or something.

@Milorad, it would be interesting to check if using libcrypto.0.9.8.dylib from OS X 10.10 changes anything. Since Apple has introduced "System Integrity Protection" in El Capitan you probably won't be able to replace the file in /usr/lib, but you could try placing it somewhere else (say, /tmp) and then running Transmission from Terminal as

env DYLD_LIBRARY_PATH=/tmp /Applications/


env DYLD_INSERT_LIBRARIES=/tmp/libcrypto.0.9.8.dylib /Applications/

comment:8 Changed 6 years ago by Milorad

Greetings, I have not had time to follow your instructions so far. My mother crossed the rainbow bridge on Saturday. Unfortunately, I can't go and get the file libcrypto.0.9.8.dylib from Yosemite. I made a clean install of El Capitan directly after erasing Mavericks. But… I still have a backup clone of Mavericks. I did not install Yosemite on my machines as the returns were not good at all. Between today and tomorrow, I'll do a clean install of Transmission according to your instructions. By the way, I know how to disable/re-enable SIP in El Capitan. I don't mind doing the procedure to try something new.

comment:9 Changed 6 years ago by mike.dld

Well obviously if you have SIP disabled you could just rename the original /usr/lib/libcrypto.0.9.8.dylib and place an older one there, then just run Transmission as usual. But since messing with system libs is a bit more risky, I wouldn't recommend that unless the way in comment:7 doesn't work :)

comment:10 Changed 6 years ago by Milorad

Alright, I finished the clean install of Transmission (14603). But… I did not find the following file: ~/Library/Preferences/org.m0k.transmission.LSSharedFileList.plist

Also, I had to reinstall twice. The first time I had some freezes in Transmission. It was while I was attempting to reseed my files. The number of files I was attempting to reseed was 5. The data files are in their prescribed folder as chosen in the preferences and I added the .torrent files to the auto-add folder. The downloads started normally and I tried to pause them. On clicking the fourth download to pause it, Transmission froze and I had to restart my machine completely. That's when I trashed Transmission and its associated files again. Please find the links with the crash logs. Well, I can't use it, it returns the following error: You have exceeded the maximum file size of 512 kilobytes per paste. PRO users don't have this limit!

Once I've finished reseeding my five files, I'll do what you suggest in comment 7. But… Where can I find libcrypto.0.9.8.dylib ? As explained in comment 8, I have not installed Yosemite previously. I only have a Maverick clone.

comment:11 Changed 6 years ago by mike.dld

Here are libs from my 10.10.5 system:

comment:12 Changed 6 years ago by mike.dld

Some more interesting stuff.

The code in function BN_mod_exp_mont_consttime around the place of crash is:

libcrypto.0.9.8.dylib[0xaac75] <+1621>: lea    rax, [rax + rdx + 0x40]
libcrypto.0.9.8.dylib[0xaac7a] <+1626>: mov    qword ptr [rbp - 0x68], rax
libcrypto.0.9.8.dylib[0xaac7e] <+1630>: lea    eax, [r12 + 0x1]
libcrypto.0.9.8.dylib[0xaac83] <+1635>: mov    dword ptr [rbp - 0x98], eax <-- crash here
libcrypto.0.9.8.dylib[0xaac89] <+1641>: mov    qword ptr [rbp - 0x30], r12
libcrypto.0.9.8.dylib[0xaac8d] <+1645>: shl    rcx, 0x3
libcrypto.0.9.8.dylib[0xaac91] <+1649>: mov    qword ptr [rbp - 0xb0], rcx

Three crash reports provided have this information:

                                    CR 1              CR 2              CR 3
KERN_INVALID_ADDRESS at             0x6ffff83222b8    0x6ffff8321368    0x6ffff829e398
rbp value in crashed thread         0x700000322350    0x700000321400    0x70000029e430
difference between the two above    0x8000098         0x8000098         0x8000098

So, despite the fact that the code in question only subtracts 0x98 from rbp, another 0x8000000 is somehow subtracted in addition to that. I have no idea what kind of magic this is, but it definitely has nothing to do with Transmission, and probably not even with OpenSSL.
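The arithmetic in comment:12, as an added example that is not part of the ticket or of Transmission's code: a small Python script that pulls the exception address and the rbp register out of crash reports, compares the observed rbp-relative offset of the faulting access with the displacement encoded in the faulting instruction, and checks whether the unexplained part is the same across reports (a constant discrepancy points at something systematic rather than random memory corruption). The report excerpts are constructed in the shape of a macOS crash log and carry only the three address pairs quoted in the table above; the function names are mine.

```python
import re
from typing import List, Optional, Tuple

# Constructed excerpts in the shape of a macOS crash report. They are not the
# ticket's real reports; only the exception address and the rbp value in each
# one are taken from the three figures quoted in comment:12.
CRASH_REPORTS: List[str] = [
    "Exception Type:        EXC_BAD_ACCESS (SIGSEGV)\n"
    "Exception Codes:       KERN_INVALID_ADDRESS at 0x00006ffff83222b8\n"
    "\n"
    "Thread 2 crashed with X86 Thread State (64-bit):\n"
    "  rax: 0x0000000000000000  rbx: 0x0000000000000000  rcx: 0x0000000000000008  rdx: 0x0000000000000000\n"
    "  rdi: 0x0000000000000000  rsi: 0x0000000000000000  rbp: 0x0000700000322350  rsp: 0x0000700000322260\n",
    "Exception Type:        EXC_BAD_ACCESS (SIGSEGV)\n"
    "Exception Codes:       KERN_INVALID_ADDRESS at 0x00006ffff8321368\n"
    "\n"
    "Thread 2 crashed with X86 Thread State (64-bit):\n"
    "  rax: 0x0000000000000000  rbx: 0x0000000000000000  rcx: 0x0000000000000008  rdx: 0x0000000000000000\n"
    "  rdi: 0x0000000000000000  rsi: 0x0000000000000000  rbp: 0x0000700000321400  rsp: 0x0000700000321310\n",
    "Exception Type:        EXC_BAD_ACCESS (SIGSEGV)\n"
    "Exception Codes:       KERN_INVALID_ADDRESS at 0x00006ffff829e398\n"
    "\n"
    "Thread 2 crashed with X86 Thread State (64-bit):\n"
    "  rax: 0x0000000000000000  rbx: 0x0000000000000000  rcx: 0x0000000000000008  rdx: 0x0000000000000000\n"
    "  rdi: 0x0000000000000000  rsi: 0x0000000000000000  rbp: 0x000070000029e430  rsp: 0x000070000029e340\n",
]

# The faulting instruction from the disassembly in comment:12.
FAULTING_INSN = "mov    dword ptr [rbp - 0x98], eax"

FAULT_RE = re.compile(r"KERN_INVALID_ADDRESS at (0x[0-9a-fA-F]+)")
RBP_RE = re.compile(r"\brbp:\s*(0x[0-9a-fA-F]+)")
DISP_RE = re.compile(r"\[rbp\s*-\s*(0x[0-9a-fA-F]+)\]")


def displacement_from_disasm(line: str) -> int:
    """Displacement the instruction subtracts from rbp, e.g. 0x98."""
    m = DISP_RE.search(line)
    if not m:
        raise ValueError("no rbp-relative displacement in: " + line)
    return int(m.group(1), 16)


def fault_offset(report: str) -> int:
    """rbp minus the faulting address, i.e. how far below rbp the access landed."""
    fault_m = FAULT_RE.search(report)
    rbp_m = RBP_RE.search(report)
    if not (fault_m and rbp_m):
        raise ValueError("report lacks an exception address or an rbp value")
    return int(rbp_m.group(1), 16) - int(fault_m.group(1), 16)


def check_reports(reports: List[str], expected_disp: int) -> List[Tuple[int, int]]:
    """Per report: (observed offset below rbp, part not explained by the instruction)."""
    return [(off, off - expected_disp) for off in map(fault_offset, reports)]


def consistent_offset(reports: List[str]) -> Optional[int]:
    """The common offset if every report agrees, else None."""
    offsets = {fault_offset(r) for r in reports}
    return offsets.pop() if len(offsets) == 1 else None


if __name__ == "__main__":
    disp = displacement_from_disasm(FAULTING_INSN)
    for i, (observed, extra) in enumerate(check_reports(CRASH_REPORTS, disp), 1):
        print(f"CR {i}: rbp - fault = {observed:#x}, instruction explains {disp:#x}, "
              f"unexplained {extra:#x}")
    common = consistent_offset(CRASH_REPORTS)
    print("systematic" if common is not None else "varies between reports")
```

Run on the three constructed excerpts, every report yields an observed offset of 0x8000098 and an unexplained 0x8000000, and `consistent_offset` confirms the three agree, which is the reason comment:12 rules out ordinary memory corruption in Transmission.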

comment:13 Changed 6 years ago by x190

comment:12 is likely due to this, which apparently may be done on purpose to add entropy.

I'd still like to know if Milorad is still getting the same crash after a clean re-install as comment:10 would suggest a possible user error in not allowing time for data verification.

comment:14 Changed 6 years ago by mike.dld

  • Component changed from Transmission to Mac Client
  • Owner set to livings124

comment:15 Changed 6 years ago by Milorad

Good evening, Since the clean install yesterday, no crash to report. I've saved the file libcrypto.0.9.8.dylib for future use if need be. Thank you all for your help. If we don't talk again, I wish you all a Merry Christmas and a Happy New Year.

comment:16 Changed 6 years ago by mike.dld

  • Resolution set to invalid
  • Status changed from new to closed