Skip to content

Commit

Permalink
Fix error handling in ASN1_mbstring_ncopy
Browse files Browse the repository at this point in the history
Sometimes the error handling returns an ASN1_STRING
object in *out although that was not passed in by the
caller, and sometimes the error handling deletes the
ASN1_STRING but forgets to clear the *out parameter.
Therefore the caller has no chance to know, if the leaked
object in *out shall be deleted or not.
This may cause a use-after-free error e.g. in asn1_str2type:

==63312==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000073280 at pc 0x7f2652e93b08 bp 0x7ffe0e1951c0 sp 0x7ffe0e1951b0
READ of size 8 at 0x603000073280 thread T0
    #0 0x7f2652e93b07 in asn1_string_embed_free crypto/asn1/asn1_lib.c:354
    #1 0x7f2652eb521a in asn1_primitive_free crypto/asn1/tasn_fre.c:204
    #2 0x7f2652eb50a9 in asn1_primitive_free crypto/asn1/tasn_fre.c:199
    #3 0x7f2652eb5b67 in ASN1_item_free crypto/asn1/tasn_fre.c:20
    #4 0x7f2652e8e13b in asn1_str2type crypto/asn1/asn1_gen.c:740
    #5 0x7f2652e8e13b in generate_v3 crypto/asn1/asn1_gen.c:137
    #6 0x7f2652e9166c in ASN1_generate_v3 crypto/asn1/asn1_gen.c:92
    openssl#7 0x7f2653307b9b in do_othername crypto/x509v3/v3_alt.c:577
    openssl#8 0x7f2653307b9b in a2i_GENERAL_NAME crypto/x509v3/v3_alt.c:492
    openssl#9 0x7f26533087c2 in v2i_subject_alt crypto/x509v3/v3_alt.c:327
    openssl#10 0x7f26533107fc in do_ext_nconf crypto/x509v3/v3_conf.c:100
    openssl#11 0x7f2653310f33 in X509V3_EXT_nconf crypto/x509v3/v3_conf.c:45
    openssl#12 0x7f2653311426 in X509V3_EXT_add_nconf_sk crypto/x509v3/v3_conf.c:312
    openssl#13 0x7f265331170c in X509V3_EXT_REQ_add_nconf crypto/x509v3/v3_conf.c:360
    openssl#14 0x564ed19d5f25 in req_main apps/req.c:806
    openssl#15 0x564ed19b8de0 in do_cmd apps/openssl.c:564
    openssl#16 0x564ed1985165 in main apps/openssl.c:183
    openssl#17 0x7f2651c4a082 in __libc_start_main ../csu/libc-start.c:308
    openssl#18 0x564ed1985acd in _start (/home/ed/OPCToolboxV5/Source/Core/OpenSSL/openssl/apps/openssl+0x139acd)

0x603000073280 is located 16 bytes inside of 24-byte region [0x603000073270,0x603000073288)
freed by thread T0 here:
    #0 0x7f265413440f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x7f265315a429 in CRYPTO_free crypto/mem.c:311
    #2 0x7f265315a429 in CRYPTO_free crypto/mem.c:300
    #3 0x7f2652e757b9 in ASN1_mbstring_ncopy crypto/asn1/a_mbstr.c:191
    #4 0x7f2652e75ec5 in ASN1_mbstring_copy crypto/asn1/a_mbstr.c:38
    #5 0x7f2652e8e227 in asn1_str2type crypto/asn1/asn1_gen.c:681
    #6 0x7f2652e8e227 in generate_v3 crypto/asn1/asn1_gen.c:137
    openssl#7 0x7f2652e9166c in ASN1_generate_v3 crypto/asn1/asn1_gen.c:92
    openssl#8 0x7f2653307b9b in do_othername crypto/x509v3/v3_alt.c:577
    openssl#9 0x7f2653307b9b in a2i_GENERAL_NAME crypto/x509v3/v3_alt.c:492
    openssl#10 0x7f26533087c2 in v2i_subject_alt crypto/x509v3/v3_alt.c:327
    openssl#11 0x7f26533107fc in do_ext_nconf crypto/x509v3/v3_conf.c:100
    openssl#12 0x7f2653310f33 in X509V3_EXT_nconf crypto/x509v3/v3_conf.c:45
    openssl#13 0x7f2653311426 in X509V3_EXT_add_nconf_sk crypto/x509v3/v3_conf.c:312
    openssl#14 0x7f265331170c in X509V3_EXT_REQ_add_nconf crypto/x509v3/v3_conf.c:360
    openssl#15 0x564ed19d5f25 in req_main apps/req.c:806
    openssl#16 0x564ed19b8de0 in do_cmd apps/openssl.c:564
    openssl#17 0x564ed1985165 in main apps/openssl.c:183
    openssl#18 0x7f2651c4a082 in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7f2654134808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7f265315a4fd in CRYPTO_malloc crypto/mem.c:221
    #2 0x7f265315a4fd in CRYPTO_malloc crypto/mem.c:198
    #3 0x7f265315a945 in CRYPTO_zalloc crypto/mem.c:236
    #4 0x7f2652e939a4 in ASN1_STRING_type_new crypto/asn1/asn1_lib.c:341
    #5 0x7f2652e74e51 in ASN1_mbstring_ncopy crypto/asn1/a_mbstr.c:150
    #6 0x7f2652e75ec5 in ASN1_mbstring_copy crypto/asn1/a_mbstr.c:38
    openssl#7 0x7f2652e8e227 in asn1_str2type crypto/asn1/asn1_gen.c:681
    openssl#8 0x7f2652e8e227 in generate_v3 crypto/asn1/asn1_gen.c:137
    openssl#9 0x7f2652e9166c in ASN1_generate_v3 crypto/asn1/asn1_gen.c:92
    openssl#10 0x7f2653307b9b in do_othername crypto/x509v3/v3_alt.c:577
    openssl#11 0x7f2653307b9b in a2i_GENERAL_NAME crypto/x509v3/v3_alt.c:492
    openssl#12 0x7f26533087c2 in v2i_subject_alt crypto/x509v3/v3_alt.c:327
    openssl#13 0x7f26533107fc in do_ext_nconf crypto/x509v3/v3_conf.c:100
    openssl#14 0x7f2653310f33 in X509V3_EXT_nconf crypto/x509v3/v3_conf.c:45
    openssl#15 0x7f2653311426 in X509V3_EXT_add_nconf_sk crypto/x509v3/v3_conf.c:312
    openssl#16 0x7f265331170c in X509V3_EXT_REQ_add_nconf crypto/x509v3/v3_conf.c:360
    openssl#17 0x564ed19d5f25 in req_main apps/req.c:806
    openssl#18 0x564ed19b8de0 in do_cmd apps/openssl.c:564
    openssl#19 0x564ed1985165 in main apps/openssl.c:183
    openssl#20 0x7f2651c4a082 in __libc_start_main ../csu/libc-start.c:308

Reviewed-by: Paul Yang <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#23138)
  • Loading branch information
bernd-edlinger authored and t8m committed Dec 29, 2023
1 parent bcd9275 commit 73ebaac
Showing 1 changed file with 8 additions and 2 deletions.
10 changes: 8 additions & 2 deletions crypto/asn1/a_mbstr.c
Original file line number Diff line number Diff line change
Expand Up @@ -139,7 +139,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
if (*out) {
free_out = 0;
dest = *out;
ASN1_STRING_set0(dest, NULL, 0);
ASN1_STRING_set0(dest, NULL, 0);
dest->type = str_type;
} else {
free_out = 1;
Expand All @@ -153,6 +153,10 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
/* If both the same type just copy across */
if (inform == outform) {
if (!ASN1_STRING_set(dest, in, len)) {
if (free_out) {
ASN1_STRING_free(dest);
*out = NULL;
}
ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB);
return -1;
}
Expand Down Expand Up @@ -183,8 +187,10 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
break;
}
if ((p = OPENSSL_malloc(outlen + 1)) == NULL) {
if (free_out)
if (free_out) {
ASN1_STRING_free(dest);
*out = NULL;
}
return -1;
}
dest->length = outlen;
Expand Down

0 comments on commit 73ebaac

Please sign in to comment.