/[smecontribs]/rpms/openssl3/contribs10/0103-CVE-2022-4450-pem-read-bio.patch
ViewVC logotype

Annotation of /rpms/openssl3/contribs10/0103-CVE-2022-4450-pem-read-bio.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Wed Jan 31 17:24:51 2024 UTC (9 months, 4 weeks ago) by jpp
Branch: MAIN
CVS Tags: openssl3-3_0_7-5_el7_sme_1, HEAD
Initial import

1 jpp 1.1 From 63bcf189be73a9cc1264059bed6f57974be74a83 Mon Sep 17 00:00:00 2001
2     From: Matt Caswell <matt@openssl.org>
3     Date: Tue, 13 Dec 2022 14:54:55 +0000
4     Subject: [PATCH 04/18] Avoid dangling ptrs in header and data params for
5     PEM_read_bio_ex
6    
7     In the event of a failure in PEM_read_bio_ex() we free the buffers we
8     allocated for the header and data buffers. However we were not clearing
9     the ptrs stored in *header and *data. Since, on success, the caller is
10     responsible for freeing these ptrs this can potentially lead to a double
11     free if the caller frees them even on failure.
12    
13     Thanks to Dawei Wang for reporting this issue.
14    
15     Based on a proposed patch by Kurt Roeckx.
16    
17     CVE-2022-4450
18    
19     Reviewed-by: Paul Dale <pauli@openssl.org>
20     Reviewed-by: Hugo Landau <hlandau@openssl.org>
21     ---
22     crypto/pem/pem_lib.c | 2 ++
23     1 file changed, 2 insertions(+)
24    
25     diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
26     index f9ff80162a..85c47fb627 100644
27     --- a/crypto/pem/pem_lib.c
28     +++ b/crypto/pem/pem_lib.c
29     @@ -989,7 +989,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
30    
31     out_free:
32     pem_free(*header, flags, 0);
33     + *header = NULL;
34     pem_free(*data, flags, 0);
35     + *data = NULL;
36     end:
37     EVP_ENCODE_CTX_free(ctx);
38     pem_free(name, flags, 0);
39     --
40     2.39.1
41    
42     From cbafa34b5a057794c5c08cd4657038e1f643c1ac Mon Sep 17 00:00:00 2001
43     From: Matt Caswell <matt@openssl.org>
44     Date: Tue, 13 Dec 2022 15:02:26 +0000
45     Subject: [PATCH 05/18] Add a test for CVE-2022-4450
46    
47     Call PEM_read_bio_ex() and expect a failure. There should be no dangling
48     ptrs and therefore there should be no double free if we free the ptrs on
49     error.
50    
51     Reviewed-by: Paul Dale <pauli@openssl.org>
52     Reviewed-by: Hugo Landau <hlandau@openssl.org>
53     ---
54     test/pemtest.c | 30 ++++++++++++++++++++++++++++++
55     1 file changed, 30 insertions(+)
56    
57     diff --git a/test/pemtest.c b/test/pemtest.c
58     index a8d2d49bb5..a5d28cb256 100644
59     --- a/test/pemtest.c
60     +++ b/test/pemtest.c
61     @@ -96,6 +96,35 @@ static int test_cert_key_cert(void)
62     return 1;
63     }
64    
65     +static int test_empty_payload(void)
66     +{
67     + BIO *b;
68     + static char *emptypay =
69     + "-----BEGIN CERTIFICATE-----\n"
70     + "-\n" /* Base64 EOF character */
71     + "-----END CERTIFICATE-----";
72     + char *name = NULL, *header = NULL;
73     + unsigned char *data = NULL;
74     + long len;
75     + int ret = 0;
76     +
77     + b = BIO_new_mem_buf(emptypay, strlen(emptypay));
78     + if (!TEST_ptr(b))
79     + return 0;
80     +
81     + /* Expected to fail because the payload is empty */
82     + if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0)))
83     + goto err;
84     +
85     + ret = 1;
86     + err:
87     + OPENSSL_free(name);
88     + OPENSSL_free(header);
89     + OPENSSL_free(data);
90     + BIO_free(b);
91     + return ret;
92     +}
93     +
94     int setup_tests(void)
95     {
96     if (!TEST_ptr(pemfile = test_get_argument(0)))
97     @@ -103,5 +132,6 @@ int setup_tests(void)
98     ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data));
99     ADD_TEST(test_invalid);
100     ADD_TEST(test_cert_key_cert);
101     + ADD_TEST(test_empty_payload);
102     return 1;
103     }
104     --
105     2.39.1
106    

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed