/[smecontribs]/rpms/openssl3/contribs10/0103-CVE-2022-4450-pem-read-bio.patch
ViewVC logotype

Contents of /rpms/openssl3/contribs10/0103-CVE-2022-4450-pem-read-bio.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Wed Jan 31 17:24:51 2024 UTC (10 months ago) by jpp
Branch: MAIN
CVS Tags: openssl3-3_0_7-5_el7_sme_1, HEAD
Initial import

1 From 63bcf189be73a9cc1264059bed6f57974be74a83 Mon Sep 17 00:00:00 2001
2 From: Matt Caswell <matt@openssl.org>
3 Date: Tue, 13 Dec 2022 14:54:55 +0000
4 Subject: [PATCH 04/18] Avoid dangling ptrs in header and data params for
5 PEM_read_bio_ex
6
7 In the event of a failure in PEM_read_bio_ex() we free the buffers we
8 allocated for the header and data buffers. However we were not clearing
9 the ptrs stored in *header and *data. Since, on success, the caller is
10 responsible for freeing these ptrs this can potentially lead to a double
11 free if the caller frees them even on failure.
12
13 Thanks to Dawei Wang for reporting this issue.
14
15 Based on a proposed patch by Kurt Roeckx.
16
17 CVE-2022-4450
18
19 Reviewed-by: Paul Dale <pauli@openssl.org>
20 Reviewed-by: Hugo Landau <hlandau@openssl.org>
21 ---
22 crypto/pem/pem_lib.c | 2 ++
23 1 file changed, 2 insertions(+)
24
25 diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
26 index f9ff80162a..85c47fb627 100644
27 --- a/crypto/pem/pem_lib.c
28 +++ b/crypto/pem/pem_lib.c
29 @@ -989,7 +989,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
30
31 out_free:
32 pem_free(*header, flags, 0);
33 + *header = NULL;
34 pem_free(*data, flags, 0);
35 + *data = NULL;
36 end:
37 EVP_ENCODE_CTX_free(ctx);
38 pem_free(name, flags, 0);
39 --
40 2.39.1
41
42 From cbafa34b5a057794c5c08cd4657038e1f643c1ac Mon Sep 17 00:00:00 2001
43 From: Matt Caswell <matt@openssl.org>
44 Date: Tue, 13 Dec 2022 15:02:26 +0000
45 Subject: [PATCH 05/18] Add a test for CVE-2022-4450
46
47 Call PEM_read_bio_ex() and expect a failure. There should be no dangling
48 ptrs and therefore there should be no double free if we free the ptrs on
49 error.
50
51 Reviewed-by: Paul Dale <pauli@openssl.org>
52 Reviewed-by: Hugo Landau <hlandau@openssl.org>
53 ---
54 test/pemtest.c | 30 ++++++++++++++++++++++++++++++
55 1 file changed, 30 insertions(+)
56
57 diff --git a/test/pemtest.c b/test/pemtest.c
58 index a8d2d49bb5..a5d28cb256 100644
59 --- a/test/pemtest.c
60 +++ b/test/pemtest.c
61 @@ -96,6 +96,35 @@ static int test_cert_key_cert(void)
62 return 1;
63 }
64
65 +static int test_empty_payload(void)
66 +{
67 + BIO *b;
68 + static char *emptypay =
69 + "-----BEGIN CERTIFICATE-----\n"
70 + "-\n" /* Base64 EOF character */
71 + "-----END CERTIFICATE-----";
72 + char *name = NULL, *header = NULL;
73 + unsigned char *data = NULL;
74 + long len;
75 + int ret = 0;
76 +
77 + b = BIO_new_mem_buf(emptypay, strlen(emptypay));
78 + if (!TEST_ptr(b))
79 + return 0;
80 +
81 + /* Expected to fail because the payload is empty */
82 + if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0)))
83 + goto err;
84 +
85 + ret = 1;
86 + err:
87 + OPENSSL_free(name);
88 + OPENSSL_free(header);
89 + OPENSSL_free(data);
90 + BIO_free(b);
91 + return ret;
92 +}
93 +
94 int setup_tests(void)
95 {
96 if (!TEST_ptr(pemfile = test_get_argument(0)))
97 @@ -103,5 +132,6 @@ int setup_tests(void)
98 ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data));
99 ADD_TEST(test_invalid);
100 ADD_TEST(test_cert_key_cert);
101 + ADD_TEST(test_empty_payload);
102 return 1;
103 }
104 --
105 2.39.1
106

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed