tools: fix openssl segfault for replay and cabana#37409
tools: fix openssl segfault for replay and cabana#37409TheSecurityDev wants to merge 1 commit intocommaai:masterfrom
Conversation
There was a problem hiding this comment.
Pull request overview
Updates the SCons build configuration for replay and cabana to avoid runtime OpenSSL symbol interposition that can cause segfaults when the binaries are statically linked against vendored OpenSSL while also loading system OpenSSL via other shared libraries (e.g., libcurl).
Changes:
- Add linker flags on non-macOS builds to hide symbols from
libssl.aandlibcrypto.ainreplay. - Add the same non-macOS linker flags to
cabana.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| tools/replay/SConscript | Appends --exclude-libs linker flags (non-Darwin) to prevent exported static OpenSSL symbols in replay. |
| tools/cabana/SConscript | Appends --exclude-libs linker flags (non-Darwin) to prevent exported static OpenSSL symbols in cabana. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Tested and working for me 👍 |
|
Hmm, this might fix it, but it's clearly not a clean fix. Why is it loading the system version of these? |
It seems it's due to using the system's libcurl under the hood which is built with the system's openssl. Sounds like vendoring libcurl might be more of a "proper" solution. But you have to build after building the vendored openssl, so perhaps just include it along with openssl? Even though that's confusing? |
Fixes the segfaults in
replayandcabanacaused by a linking issue with the vendored OpenSSL package from pip that conflicts with the one built in the replay or cabana binary.Relevant Discord thread: https://discord.com/channels/469524606043160576/1476126000495726623/1476151475628412958
Claude's analysis: