| 1 |
From 63bcf189be73a9cc1264059bed6f57974be74a83 Mon Sep 17 00:00:00 2001 |
| 2 |
From: Matt Caswell <matt@openssl.org> |
| 3 |
Date: Tue, 13 Dec 2022 14:54:55 +0000 |
| 4 |
Subject: [PATCH 04/18] Avoid dangling ptrs in header and data params for |
| 5 |
PEM_read_bio_ex |
| 6 |
|
| 7 |
In the event of a failure in PEM_read_bio_ex() we free the buffers we |
| 8 |
allocated for the header and data buffers. However we were not clearing |
| 9 |
the ptrs stored in *header and *data. Since, on success, the caller is |
| 10 |
responsible for freeing these ptrs this can potentially lead to a double |
| 11 |
free if the caller frees them even on failure. |
| 12 |
|
| 13 |
Thanks to Dawei Wang for reporting this issue. |
| 14 |
|
| 15 |
Based on a proposed patch by Kurt Roeckx. |
| 16 |
|
| 17 |
CVE-2022-4450 |
| 18 |
|
| 19 |
Reviewed-by: Paul Dale <pauli@openssl.org> |
| 20 |
Reviewed-by: Hugo Landau <hlandau@openssl.org> |
| 21 |
--- |
| 22 |
crypto/pem/pem_lib.c | 2 ++ |
| 23 |
1 file changed, 2 insertions(+) |
| 24 |
|
| 25 |
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c |
| 26 |
index f9ff80162a..85c47fb627 100644 |
| 27 |
--- a/crypto/pem/pem_lib.c |
| 28 |
+++ b/crypto/pem/pem_lib.c |
| 29 |
@@ -989,7 +989,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header, |
| 30 |
|
| 31 |
out_free: |
| 32 |
pem_free(*header, flags, 0); |
| 33 |
+ *header = NULL; |
| 34 |
pem_free(*data, flags, 0); |
| 35 |
+ *data = NULL; |
| 36 |
end: |
| 37 |
EVP_ENCODE_CTX_free(ctx); |
| 38 |
pem_free(name, flags, 0); |
| 39 |
-- |
| 40 |
2.39.1 |
| 41 |
|
| 42 |
From cbafa34b5a057794c5c08cd4657038e1f643c1ac Mon Sep 17 00:00:00 2001 |
| 43 |
From: Matt Caswell <matt@openssl.org> |
| 44 |
Date: Tue, 13 Dec 2022 15:02:26 +0000 |
| 45 |
Subject: [PATCH 05/18] Add a test for CVE-2022-4450 |
| 46 |
|
| 47 |
Call PEM_read_bio_ex() and expect a failure. There should be no dangling |
| 48 |
ptrs and therefore there should be no double free if we free the ptrs on |
| 49 |
error. |
| 50 |
|
| 51 |
Reviewed-by: Paul Dale <pauli@openssl.org> |
| 52 |
Reviewed-by: Hugo Landau <hlandau@openssl.org> |
| 53 |
--- |
| 54 |
test/pemtest.c | 30 ++++++++++++++++++++++++++++++ |
| 55 |
1 file changed, 30 insertions(+) |
| 56 |
|
| 57 |
diff --git a/test/pemtest.c b/test/pemtest.c |
| 58 |
index a8d2d49bb5..a5d28cb256 100644 |
| 59 |
--- a/test/pemtest.c |
| 60 |
+++ b/test/pemtest.c |
| 61 |
@@ -96,6 +96,35 @@ static int test_cert_key_cert(void) |
| 62 |
return 1; |
| 63 |
} |
| 64 |
|
| 65 |
+static int test_empty_payload(void) |
| 66 |
+{ |
| 67 |
+ BIO *b; |
| 68 |
+ static char *emptypay = |
| 69 |
+ "-----BEGIN CERTIFICATE-----\n" |
| 70 |
+ "-\n" /* Base64 EOF character */ |
| 71 |
+ "-----END CERTIFICATE-----"; |
| 72 |
+ char *name = NULL, *header = NULL; |
| 73 |
+ unsigned char *data = NULL; |
| 74 |
+ long len; |
| 75 |
+ int ret = 0; |
| 76 |
+ |
| 77 |
+ b = BIO_new_mem_buf(emptypay, strlen(emptypay)); |
| 78 |
+ if (!TEST_ptr(b)) |
| 79 |
+ return 0; |
| 80 |
+ |
| 81 |
+ /* Expected to fail because the payload is empty */ |
| 82 |
+ if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0))) |
| 83 |
+ goto err; |
| 84 |
+ |
| 85 |
+ ret = 1; |
| 86 |
+ err: |
| 87 |
+ OPENSSL_free(name); |
| 88 |
+ OPENSSL_free(header); |
| 89 |
+ OPENSSL_free(data); |
| 90 |
+ BIO_free(b); |
| 91 |
+ return ret; |
| 92 |
+} |
| 93 |
+ |
| 94 |
int setup_tests(void) |
| 95 |
{ |
| 96 |
if (!TEST_ptr(pemfile = test_get_argument(0))) |
| 97 |
@@ -103,5 +132,6 @@ int setup_tests(void) |
| 98 |
ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data)); |
| 99 |
ADD_TEST(test_invalid); |
| 100 |
ADD_TEST(test_cert_key_cert); |
| 101 |
+ ADD_TEST(test_empty_payload); |
| 102 |
return 1; |
| 103 |
} |
| 104 |
-- |
| 105 |
2.39.1 |
| 106 |
|
Parent Directory
| 
Revision Log
| 
Revision Graph
