Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix error handling in ASN1_mbstring_ncopy
Sometimes the error handling returns an ASN1_STRING object in *out although that was not passed in by the caller, and sometimes the error handling deletes the ASN1_STRING but forgets to clear the *out parameter. Therefore the caller has no chance to know, if the leaked object in *out shall be deleted or not. This may cause a use-after-free error e.g. in asn1_str2type: ==63312==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000073280 at pc 0x7f2652e93b08 bp 0x7ffe0e1951c0 sp 0x7ffe0e1951b0 READ of size 8 at 0x603000073280 thread T0 #0 0x7f2652e93b07 in asn1_string_embed_free crypto/asn1/asn1_lib.c:354 #1 0x7f2652eb521a in asn1_primitive_free crypto/asn1/tasn_fre.c:204 #2 0x7f2652eb50a9 in asn1_primitive_free crypto/asn1/tasn_fre.c:199 #3 0x7f2652eb5b67 in ASN1_item_free crypto/asn1/tasn_fre.c:20 #4 0x7f2652e8e13b in asn1_str2type crypto/asn1/asn1_gen.c:740 #5 0x7f2652e8e13b in generate_v3 crypto/asn1/asn1_gen.c:137 #6 0x7f2652e9166c in ASN1_generate_v3 crypto/asn1/asn1_gen.c:92 openssl#7 0x7f2653307b9b in do_othername crypto/x509v3/v3_alt.c:577 openssl#8 0x7f2653307b9b in a2i_GENERAL_NAME crypto/x509v3/v3_alt.c:492 openssl#9 0x7f26533087c2 in v2i_subject_alt crypto/x509v3/v3_alt.c:327 openssl#10 0x7f26533107fc in do_ext_nconf crypto/x509v3/v3_conf.c:100 openssl#11 0x7f2653310f33 in X509V3_EXT_nconf crypto/x509v3/v3_conf.c:45 openssl#12 0x7f2653311426 in X509V3_EXT_add_nconf_sk crypto/x509v3/v3_conf.c:312 openssl#13 0x7f265331170c in X509V3_EXT_REQ_add_nconf crypto/x509v3/v3_conf.c:360 openssl#14 0x564ed19d5f25 in req_main apps/req.c:806 openssl#15 0x564ed19b8de0 in do_cmd apps/openssl.c:564 openssl#16 0x564ed1985165 in main apps/openssl.c:183 openssl#17 0x7f2651c4a082 in __libc_start_main ../csu/libc-start.c:308 openssl#18 0x564ed1985acd in _start (/home/ed/OPCToolboxV5/Source/Core/OpenSSL/openssl/apps/openssl+0x139acd) 0x603000073280 is located 16 bytes inside of 24-byte region [0x603000073270,0x603000073288) freed by thread T0 here: #0 0x7f265413440f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122 #1 0x7f265315a429 in CRYPTO_free crypto/mem.c:311 #2 0x7f265315a429 in CRYPTO_free crypto/mem.c:300 #3 0x7f2652e757b9 in ASN1_mbstring_ncopy crypto/asn1/a_mbstr.c:191 #4 0x7f2652e75ec5 in ASN1_mbstring_copy crypto/asn1/a_mbstr.c:38 #5 0x7f2652e8e227 in asn1_str2type crypto/asn1/asn1_gen.c:681 #6 0x7f2652e8e227 in generate_v3 crypto/asn1/asn1_gen.c:137 openssl#7 0x7f2652e9166c in ASN1_generate_v3 crypto/asn1/asn1_gen.c:92 openssl#8 0x7f2653307b9b in do_othername crypto/x509v3/v3_alt.c:577 openssl#9 0x7f2653307b9b in a2i_GENERAL_NAME crypto/x509v3/v3_alt.c:492 openssl#10 0x7f26533087c2 in v2i_subject_alt crypto/x509v3/v3_alt.c:327 openssl#11 0x7f26533107fc in do_ext_nconf crypto/x509v3/v3_conf.c:100 openssl#12 0x7f2653310f33 in X509V3_EXT_nconf crypto/x509v3/v3_conf.c:45 openssl#13 0x7f2653311426 in X509V3_EXT_add_nconf_sk crypto/x509v3/v3_conf.c:312 openssl#14 0x7f265331170c in X509V3_EXT_REQ_add_nconf crypto/x509v3/v3_conf.c:360 openssl#15 0x564ed19d5f25 in req_main apps/req.c:806 openssl#16 0x564ed19b8de0 in do_cmd apps/openssl.c:564 openssl#17 0x564ed1985165 in main apps/openssl.c:183 openssl#18 0x7f2651c4a082 in __libc_start_main ../csu/libc-start.c:308 previously allocated by thread T0 here: #0 0x7f2654134808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144 #1 0x7f265315a4fd in CRYPTO_malloc crypto/mem.c:221 #2 0x7f265315a4fd in CRYPTO_malloc crypto/mem.c:198 #3 0x7f265315a945 in CRYPTO_zalloc crypto/mem.c:236 #4 0x7f2652e939a4 in ASN1_STRING_type_new crypto/asn1/asn1_lib.c:341 #5 0x7f2652e74e51 in ASN1_mbstring_ncopy crypto/asn1/a_mbstr.c:150 #6 0x7f2652e75ec5 in ASN1_mbstring_copy crypto/asn1/a_mbstr.c:38 openssl#7 0x7f2652e8e227 in asn1_str2type crypto/asn1/asn1_gen.c:681 openssl#8 0x7f2652e8e227 in generate_v3 crypto/asn1/asn1_gen.c:137 openssl#9 0x7f2652e9166c in ASN1_generate_v3 crypto/asn1/asn1_gen.c:92 openssl#10 0x7f2653307b9b in do_othername crypto/x509v3/v3_alt.c:577 openssl#11 0x7f2653307b9b in a2i_GENERAL_NAME crypto/x509v3/v3_alt.c:492 openssl#12 0x7f26533087c2 in v2i_subject_alt crypto/x509v3/v3_alt.c:327 openssl#13 0x7f26533107fc in do_ext_nconf crypto/x509v3/v3_conf.c:100 openssl#14 0x7f2653310f33 in X509V3_EXT_nconf crypto/x509v3/v3_conf.c:45 openssl#15 0x7f2653311426 in X509V3_EXT_add_nconf_sk crypto/x509v3/v3_conf.c:312 openssl#16 0x7f265331170c in X509V3_EXT_REQ_add_nconf crypto/x509v3/v3_conf.c:360 openssl#17 0x564ed19d5f25 in req_main apps/req.c:806 openssl#18 0x564ed19b8de0 in do_cmd apps/openssl.c:564 openssl#19 0x564ed1985165 in main apps/openssl.c:183 openssl#20 0x7f2651c4a082 in __libc_start_main ../csu/libc-start.c:308 Reviewed-by: Paul Yang <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#23138)
- Loading branch information