Detailed Description of the Problem
Building WolfSSL with ASAN enabled disclosed a UAF bug.
Long story short: I've hired Copilot to look at the WolfSSL failure https://github.com/haproxy/haproxy/actions/runs/23570870709
Copilot told me that there's a use after free.
OK, we are not using ASAN for WolfSSL itself, what if we add it?
Here it is:
https://github.com/chipitsine/haproxy/actions/runs/23860316506/job/69564904529
2026-04-01T16:57:02.3889571Z *** h1 debug|==18639==ERROR: AddressSanitizer: heap-use-after-free on address 0x52200000b79c at pc 0x7fc2141872ca bp 0x7fff3e5bf9c0 sp 0x7fff3e5bf9b0
2026-04-01T16:57:02.3889687Z *** h1 debug|READ of size 4 at 0x52200000b79c thread T0
2026-04-01T16:57:02.3889749Z **** dT 0.174
2026-04-01T16:57:02.3889884Z *** h1 debug| #0 0x7fc2141872c9 in X509NameHash src/x509.c:3885
2026-04-01T16:57:02.3890042Z *** h1 debug| #1 0x7fc2141875e5 in wolfSSL_X509_NAME_hash src/x509.c:3919
2026-04-01T16:57:02.3890216Z *** h1 debug| #2 0x562c6f1b0159 in ssl_get_client_ca_file src/ssl_sock.c:708
2026-04-01T16:57:02.3890479Z *** h1 debug| #3 0x562c6f1b0159 in ssl_sock_prepare_ctx src/ssl_sock.c:4641
2026-04-01T16:57:02.3890669Z *** h1 debug| #4 0x562c6f1c584a in ssl_sock_prep_ctx_and_inst src/ssl_sock.c:4827
2026-04-01T16:57:02.3890848Z *** h1 debug| #5 0x562c6f1c584a in ssl_sock_prepare_all_ctx src/ssl_sock.c:5344
2026-04-01T16:57:02.3891037Z *** h1 debug| #6 0x562c6f1c60fa in ssl_sock_prepare_bind_conf src/ssl_sock.c:5475
2026-04-01T16:57:02.3891207Z *** h1 debug| #7 0x562c6f62135f in check_config_validity src/cfgparse.c:2529
2026-04-01T16:57:02.3891351Z *** h1 debug| #8 0x562c6f763ee0 in step_init_2 src/haproxy.c:2219
2026-04-01T16:57:02.3891473Z *** h1 debug| #9 0x562c6f18b6fd in main src/haproxy.c:3492
2026-04-01T16:57:02.3891817Z *** h1 debug| #10 0x7fc213a2a1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 8e9fd827446c24067541ac5390e6f527fb5947bb)
2026-04-01T16:57:02.3892229Z *** h1 debug| #11 0x7fc213a2a28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 8e9fd827446c24067541ac5390e6f527fb5947bb)
2026-04-01T16:57:02.3892663Z *** h1 debug| #12 0x562c6f18fca4 in _start (/home/runner/work/haproxy/haproxy/haproxy+0x26aca4) (BuildId: 21908c36d7763499f8dccebdfd3bb60c2b0bf680)
2026-04-01T16:57:02.3892727Z *** h1 debug|
2026-04-01T16:57:02.3893016Z *** h1 debug|0x52200000b79c is located 3740 bytes inside of 5368-byte region [0x52200000a900,0x52200000bdf8)
2026-04-01T16:57:02.3893100Z *** h1 debug|freed by thread T0 here:
2026-04-01T16:57:02.3893161Z **** dT 0.175
2026-04-01T16:57:02.3893405Z *** h1 debug| #0 0x7fc2146fc4d8 in free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
2026-04-01T16:57:02.3893576Z *** h1 debug| #1 0x7fc213f3fd43 in wolfSSL_Free wolfcrypt/src/memory.c:449
2026-04-01T16:57:02.3893719Z *** h1 debug| #2 0x7fc214186e86 in ExternalFreeX509 src/x509.c:3804
2026-04-01T16:57:02.3893866Z *** h1 debug| #3 0x7fc214186f2e in wolfSSL_X509_free src/x509.c:3818
2026-04-01T16:57:02.3894035Z *** h1 debug| #4 0x7fc2141aee39 in wolfSSL_X509_OBJECT_free src/x509.c:15343
2026-04-01T16:57:02.3894188Z *** h1 debug| #5 0x7fc21412d794 in wolfSSL_sk_pop_free src/ssl_sk.c:985
2026-04-01T16:57:02.3894379Z *** h1 debug| #6 0x7fc2141b0a47 in wolfSSL_sk_X509_OBJECT_pop_free src/x509.c:15949
2026-04-01T16:57:02.3894556Z *** h1 debug| #7 0x7fc2141c1dd2 in X509StoreFreeObjList src/x509_str.c:1362
2026-04-01T16:57:02.3894755Z *** h1 debug| #8 0x7fc2141c4897 in wolfSSL_X509_STORE_get0_objects src/x509_str.c:2049
2026-04-01T16:57:02.3894923Z *** h1 debug| #9 0x562c6f1b00e8 in ssl_get_client_ca_file src/ssl_sock.c:699
2026-04-01T16:57:02.3895091Z *** h1 debug| #10 0x562c6f1b00e8 in ssl_sock_prepare_ctx src/ssl_sock.c:4641
2026-04-01T16:57:02.3895279Z *** h1 debug| #11 0x562c6f1c584a in ssl_sock_prep_ctx_and_inst src/ssl_sock.c:4827
2026-04-01T16:57:02.3895459Z *** h1 debug| #12 0x562c6f1c584a in ssl_sock_prepare_all_ctx src/ssl_sock.c:5344
2026-04-01T16:57:02.3895653Z *** h1 debug| #13 0x562c6f1c60fa in ssl_sock_prepare_bind_conf src/ssl_sock.c:5475
2026-04-01T16:57:02.3895825Z *** h1 debug| #14 0x562c6f62135f in check_config_validity src/cfgparse.c:2529
2026-04-01T16:57:02.3895970Z *** h1 debug| #15 0x562c6f763ee0 in step_init_2 src/haproxy.c:2219
2026-04-01T16:57:02.3896184Z *** h1 debug| #16 0x562c6f18b6fd in main src/haproxy.c:3492
2026-04-01T16:57:02.3896523Z *** h1 debug| #17 0x7fc213a2a1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 8e9fd827446c24067541ac5390e6f527fb5947bb)
2026-04-01T16:57:02.3896921Z *** h1 debug| #18 0x7fc213a2a28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 8e9fd827446c24067541ac5390e6f527fb5947bb)
2026-04-01T16:57:02.3897466Z *** h1 debug| #19 0x562c6f18fca4 in _start (/home/runner/work/haproxy/haproxy/haproxy+0x26aca4) (BuildId: 21908c36d7763499f8dccebdfd3bb60c2b0bf680)
2026-04-01T16:57:02.3897532Z *** h1 debug|
2026-04-01T16:57:02.3897755Z *** h1 debug|previously allocated by thread T0 here:
2026-04-01T16:57:02.3897823Z **** dT 0.187
2026-04-01T16:57:02.3898070Z *** h1 debug| #0 0x7fc2146fd9c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
2026-04-01T16:57:02.3898241Z *** h1 debug| #1 0x7fc213f3fcff in wolfSSL_Malloc wolfcrypt/src/memory.c:364
2026-04-01T16:57:02.3898429Z *** h1 debug| #2 0x7fc21418e484 in loadX509orX509REQFromBuffer src/x509.c:6108
2026-04-01T16:57:02.3898635Z *** h1 debug| #3 0x7fc21418e62b in wolfSSL_X509_load_certificate_buffer src/x509.c:6143
2026-04-01T16:57:02.3898809Z *** h1 debug| #4 0x7fc2141c318d in X509StoreLoadCertBuffer src/x509_str.c:1685
2026-04-01T16:57:02.3898967Z *** h1 debug| #5 0x7fc2141c3897 in X509StoreLoadFile src/x509_str.c:1766
2026-04-01T16:57:02.3899180Z *** h1 debug| #6 0x7fc2141c3e1b in wolfSSL_X509_STORE_load_locations src/x509_str.c:1821
2026-04-01T16:57:02.3899382Z *** h1 debug| #7 0x562c6f1f6460 in __ssl_store_load_locations_file src/ssl_ckch.c:1564
2026-04-01T16:57:02.3899592Z *** h1 debug| #8 0x562c6f2306d0 in ssl_bind_parse_ca_file_common src/cfgparse-ssl.c:811
2026-04-01T16:57:02.3899762Z *** h1 debug| #9 0x562c6f77c7bc in bind_parse_args_list src/listener.c:2406
2026-04-01T16:57:02.3899943Z *** h1 debug| #10 0x562c6f7a3538 in cfg_parse_listen src/cfgparse-listen.c:606
2026-04-01T16:57:02.3900086Z *** h1 debug| #11 0x562c6f61bc04 in parse_cfg src/cfgparse.c:2202
2026-04-01T16:57:02.3900231Z *** h1 debug| #12 0x562c6f75c873 in read_cfg src/haproxy.c:1141
2026-04-01T16:57:02.3900368Z *** h1 debug| #13 0x562c6f18cfbf in main src/haproxy.c:3473
2026-04-01T16:57:02.3900712Z *** h1 debug| #14 0x7fc213a2a1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 8e9fd827446c24067541ac5390e6f527fb5947bb)
2026-04-01T16:57:02.3901122Z *** h1 debug| #15 0x7fc213a2a28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 8e9fd827446c24067541ac5390e6f527fb5947bb)
2026-04-01T16:57:02.3901546Z *** h1 debug| #16 0x562c6f18fca4 in _start (/home/runner/work/haproxy/haproxy/haproxy+0x26aca4) (BuildId: 21908c36d7763499f8dccebdfd3bb60c2b0bf680)
2026-04-01T16:57:02.3901608Z *** h1 debug|
2026-04-01T16:57:02.3901850Z *** h1 debug|SUMMARY: AddressSanitizer: heap-use-after-free src/x509.c:3885 in X509NameHash
2026-04-01T16:57:02.3905798Z *** h1 debug|==18639==ABORTING
2026-04-01T16:57:02.3905864Z **** dT 0.192
So ... Copilot thinks that the WolfSSL API varies a lot from OpenSSL (but to me it looks like a bug).
I'm leaving it to @wlallemand
As for myself, @wlallemand, do you mind if I add ASAN to the build-ssl.sh script? Keeping the current behaviour, as an additional option.
Expected Behavior
pour coffee maybe....
Steps to Reproduce the Behavior
Run the WolfSSL tests with something like this:
CFLAGS="-fsanitize=address -g" ./configure --enable-haproxy --enable-quic --prefix="${BUILDSSL_DESTDIR}" ${WOLFSSL_DEBUG}
Do you have any idea what may have caused this?
No response
Do you have an idea how to solve the issue?
No response
What is your configuration?
Output of haproxy -vv
Last Outputs and Backtraces
Additional Information
No response
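Triage aid for the report above, as an added example that is not part of the original issue or of the HAProxy or wolfSSL code: a Python sketch that strips the CI timestamp and vtest `*** h1 debug|` prefix from an abridged copy of the log, splits the ASan stacks, and finds the innermost function present on both the use and the free stack. The names `parse_asan` and `shared_caller` are hypothetical.

```python
import re
# Abridged excerpt of the CI log quoted above (most frames omitted).
LOG = """\
2026-04-01T16:57:02.3889571Z *** h1 debug|==18639==ERROR: AddressSanitizer: heap-use-after-free on address 0x52200000b79c
2026-04-01T16:57:02.3889687Z *** h1 debug|READ of size 4 at 0x52200000b79c thread T0
2026-04-01T16:57:02.3889884Z *** h1 debug| #0 0x7fc2141872c9 in X509NameHash src/x509.c:3885
2026-04-01T16:57:02.3890042Z *** h1 debug| #1 0x7fc2141875e5 in wolfSSL_X509_NAME_hash src/x509.c:3919
2026-04-01T16:57:02.3890216Z *** h1 debug| #2 0x562c6f1b0159 in ssl_get_client_ca_file src/ssl_sock.c:708
2026-04-01T16:57:02.3893100Z *** h1 debug|freed by thread T0 here:
2026-04-01T16:57:02.3894556Z *** h1 debug| #7 0x7fc2141c1dd2 in X509StoreFreeObjList src/x509_str.c:1362
2026-04-01T16:57:02.3894755Z *** h1 debug| #8 0x7fc2141c4897 in wolfSSL_X509_STORE_get0_objects src/x509_str.c:2049
2026-04-01T16:57:02.3894923Z *** h1 debug| #9 0x562c6f1b00e8 in ssl_get_client_ca_file src/ssl_sock.c:699
2026-04-01T16:57:02.3897755Z *** h1 debug|previously allocated by thread T0 here:
2026-04-01T16:57:02.3899180Z *** h1 debug| #6 0x7fc2141c3e1b in wolfSSL_X509_STORE_load_locations src/x509_str.c:1821
"""

PREFIX = re.compile(r"^\S+Z \*+ +(?:h\d+ +debug\|)?")   # CI timestamp + vtest tag
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)")
SECTIONS = {"READ of size": "use", "WRITE of size": "use",
            "freed by thread": "free", "previously allocated by": "alloc"}

def parse_asan(log):
    """Return (error_kind, {section: [(func, file, line), ...]})."""
    kind, stacks, cur = None, {}, None
    for raw in log.splitlines():
        line = PREFIX.sub("", raw)
        if m := re.search(r"ERROR: AddressSanitizer: (\S+)", line):
            kind = m.group(1)
        for marker, name in SECTIONS.items():
            if line.startswith(marker):
                cur = name
                stacks[cur] = []
        if cur and (m := FRAME.match(line)):
            stacks[cur].append((m.group(1), m.group(2), int(m.group(3))))
    return kind, stacks

def shared_caller(stacks):
    """Innermost function on both the use and free stacks: (func, use_line, free_line)."""
    free_lines = {}
    for func, _, line in stacks.get("free", []):
        free_lines.setdefault(func, line)
    for func, _, line in stacks.get("use", []):
        if func in free_lines:
            return func, line, free_lines[func]
    return None

if __name__ == "__main__":
    kind, stacks = parse_asan(LOG)
    print(kind, shared_caller(stacks))
```

On this excerpt the shared caller is `ssl_get_client_ca_file`, with the free reached from src/ssl_sock.c:699 and the read from src/ssl_sock.c:708.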