openssl3/contribs10/0105-CVE-2023-0216-pkcs7-deref.patch

From 934a04f0e775309cadbef0aa6b9692e1b12a76c6 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Mon, 16 Jan 2023 19:45:23 +0100
Subject: [PATCH 08/18] Do not dereference PKCS7 object data if not set

Fixes CVE-2023-0216

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
---
 crypto/pkcs7/pk7_lib.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c
index 753f1276e6..936e50da54 100644
--- a/crypto/pkcs7/pk7_lib.c
+++ b/crypto/pkcs7/pk7_lib.c
@@ -414,6 +414,8 @@ PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey,
 
 static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7)
 {
+    if (p7->d.ptr == NULL)
+        return NULL;
     if (PKCS7_type_is_signed(p7))
         return p7->d.sign->cert;
     if (PKCS7_type_is_signedAndEnveloped(p7))
@@ -423,6 +425,8 @@ static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7)
 
 static STACK_OF(PKCS7_RECIP_INFO) *pkcs7_get_recipient_info(const PKCS7 *p7)
 {
+    if (p7->d.ptr == NULL)
+        return NULL;
     if (PKCS7_type_is_signedAndEnveloped(p7))
         return p7->d.signed_and_enveloped->recipientinfo;
     if (PKCS7_type_is_enveloped(p7))
@@ -440,13 +444,17 @@ void ossl_pkcs7_resolve_libctx(PKCS7 *p7)
     const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
     OSSL_LIB_CTX *libctx = ossl_pkcs7_ctx_get0_libctx(ctx);
     const char *propq = ossl_pkcs7_ctx_get0_propq(ctx);
-    STACK_OF(PKCS7_RECIP_INFO) *rinfos = pkcs7_get_recipient_info(p7);
-    STACK_OF(PKCS7_SIGNER_INFO) *sinfos = PKCS7_get_signer_info(p7);
-    STACK_OF(X509) *certs = pkcs7_get_signer_certs(p7);
+    STACK_OF(PKCS7_RECIP_INFO) *rinfos;
+    STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
+    STACK_OF(X509) *certs;
 
-    if (ctx == NULL)
+    if (ctx == NULL || p7->d.ptr == NULL)
         return;
 
+    rinfos = pkcs7_get_recipient_info(p7);
+    sinfos = PKCS7_get_signer_info(p7);
+    certs = pkcs7_get_signer_certs(p7);
+
     for (i = 0; i < sk_X509_num(certs); i++)
         ossl_x509_set0_libctx(sk_X509_value(certs, i), libctx, propq);
 
-- 
2.39.1

From 67813d8a4d110f4174bbd2fee8a2f15388e324b5 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Mon, 16 Jan 2023 19:56:20 +0100
Subject: [PATCH 09/18] Add test for d2i_PKCS7 NULL dereference

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
---
 test/recipes/25-test_pkcs7.t                    | 7 +++++--
 test/recipes/25-test_pkcs7_data/malformed.pkcs7 | 3 +++
 2 files changed, 8 insertions(+), 2 deletions(-)
 create mode 100644 test/recipes/25-test_pkcs7_data/malformed.pkcs7

diff --git a/test/recipes/25-test_pkcs7.t b/test/recipes/25-test_pkcs7.t
index 37cd43dc6b..d61cd6abad 100644
--- a/test/recipes/25-test_pkcs7.t
+++ b/test/recipes/25-test_pkcs7.t
@@ -11,11 +11,11 @@ use strict;
 use warnings;
 
 use File::Spec;
-use OpenSSL::Test qw/:DEFAULT srctop_file/;
+use OpenSSL::Test qw/:DEFAULT srctop_file data_file/;
 
 setup("test_pkcs7");
 
-plan tests => 3;
+plan tests => 4;
 
 require_ok(srctop_file('test','recipes','tconversion.pl'));
 
@@ -27,3 +27,6 @@ subtest 'pkcs7 conversions -- pkcs7d' => sub {
     tconversion( -type => 'p7d', -in => srctop_file("test", "pkcs7-1.pem"),
                  -args => ["pkcs7"] );
 };
+
+my $malformed = data_file('malformed.pkcs7');
+ok(run(app(["openssl", "pkcs7", "-in", $malformed])));
diff --git a/test/recipes/25-test_pkcs7_data/malformed.pkcs7 b/test/recipes/25-test_pkcs7_data/malformed.pkcs7
new file mode 100644
index 0000000000..e30d1b582c
--- /dev/null
+++ b/test/recipes/25-test_pkcs7_data/malformed.pkcs7
@@ -0,0 +1,3 @@
+-----BEGIN PKCS7-----
+MAsGCSqGSIb3DQEHAg==
+-----END PKCS7-----
-- 
2.39.1

1	jpp	1.1	From 934a04f0e775309cadbef0aa6b9692e1b12a76c6 Mon Sep 17 00:00:00 2001
2			From: Tomas Mraz <tomas@openssl.org>
3			Date: Mon, 16 Jan 2023 19:45:23 +0100
4			Subject: [PATCH 08/18] Do not dereference PKCS7 object data if not set
5
6			Fixes CVE-2023-0216
7
8			Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
9			Reviewed-by: Paul Dale <pauli@openssl.org>
10			---
11			crypto/pkcs7/pk7_lib.c \| 16 ++++++++++++----
12			1 file changed, 12 insertions(+), 4 deletions(-)
13
14			diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c
15			index 753f1276e6..936e50da54 100644
16			--- a/crypto/pkcs7/pk7_lib.c
17			+++ b/crypto/pkcs7/pk7_lib.c
18			@@ -414,6 +414,8 @@ PKCS7_SIGNER_INFO PKCS7_add_signature(PKCS7 p7, X509 x509, EVP_PKEY pkey,
19
20			static STACK_OF(X509) pkcs7_get_signer_certs(const PKCS7 p7)
21			{
22			+ if (p7->d.ptr == NULL)
23			+ return NULL;
24			if (PKCS7_type_is_signed(p7))
25			return p7->d.sign->cert;
26			if (PKCS7_type_is_signedAndEnveloped(p7))
27			@@ -423,6 +425,8 @@ static STACK_OF(X509) pkcs7_get_signer_certs(const PKCS7 p7)
28
29			static STACK_OF(PKCS7_RECIP_INFO) pkcs7_get_recipient_info(const PKCS7 p7)
30			{
31			+ if (p7->d.ptr == NULL)
32			+ return NULL;
33			if (PKCS7_type_is_signedAndEnveloped(p7))
34			return p7->d.signed_and_enveloped->recipientinfo;
35			if (PKCS7_type_is_enveloped(p7))
36			@@ -440,13 +444,17 @@ void ossl_pkcs7_resolve_libctx(PKCS7 *p7)
37			const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
38			OSSL_LIB_CTX *libctx = ossl_pkcs7_ctx_get0_libctx(ctx);
39			const char *propq = ossl_pkcs7_ctx_get0_propq(ctx);
40			- STACK_OF(PKCS7_RECIP_INFO) *rinfos = pkcs7_get_recipient_info(p7);
41			- STACK_OF(PKCS7_SIGNER_INFO) *sinfos = PKCS7_get_signer_info(p7);
42			- STACK_OF(X509) *certs = pkcs7_get_signer_certs(p7);
43			+ STACK_OF(PKCS7_RECIP_INFO) *rinfos;
44			+ STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
45			+ STACK_OF(X509) *certs;
46
47			- if (ctx == NULL)
48			+ if (ctx == NULL \|\| p7->d.ptr == NULL)
49			return;
50
51			+ rinfos = pkcs7_get_recipient_info(p7);
52			+ sinfos = PKCS7_get_signer_info(p7);
53			+ certs = pkcs7_get_signer_certs(p7);
54			+
55			for (i = 0; i < sk_X509_num(certs); i++)
56			ossl_x509_set0_libctx(sk_X509_value(certs, i), libctx, propq);
57
58			--
59			2.39.1
60
61			From 67813d8a4d110f4174bbd2fee8a2f15388e324b5 Mon Sep 17 00:00:00 2001
62			From: Tomas Mraz <tomas@openssl.org>
63			Date: Mon, 16 Jan 2023 19:56:20 +0100
64			Subject: [PATCH 09/18] Add test for d2i_PKCS7 NULL dereference
65
66			Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
67			Reviewed-by: Paul Dale <pauli@openssl.org>
68			---
69			test/recipes/25-test_pkcs7.t \| 7 +++++--
70			test/recipes/25-test_pkcs7_data/malformed.pkcs7 \| 3 +++
71			2 files changed, 8 insertions(+), 2 deletions(-)
72			create mode 100644 test/recipes/25-test_pkcs7_data/malformed.pkcs7
73
74			diff --git a/test/recipes/25-test_pkcs7.t b/test/recipes/25-test_pkcs7.t
75			index 37cd43dc6b..d61cd6abad 100644
76			--- a/test/recipes/25-test_pkcs7.t
77			+++ b/test/recipes/25-test_pkcs7.t
78			@@ -11,11 +11,11 @@ use strict;
79			use warnings;
80
81			use File::Spec;
82			-use OpenSSL::Test qw/:DEFAULT srctop_file/;
83			+use OpenSSL::Test qw/:DEFAULT srctop_file data_file/;
84
85			setup("test_pkcs7");
86
87			-plan tests => 3;
88			+plan tests => 4;
89
90			require_ok(srctop_file('test','recipes','tconversion.pl'));
91
92			@@ -27,3 +27,6 @@ subtest 'pkcs7 conversions -- pkcs7d' => sub {
93			tconversion( -type => 'p7d', -in => srctop_file("test", "pkcs7-1.pem"),
94			-args => ["pkcs7"] );
95			};
96			+
97			+my $malformed = data_file('malformed.pkcs7');
98			+ok(run(app(["openssl", "pkcs7", "-in", $malformed])));
99			diff --git a/test/recipes/25-test_pkcs7_data/malformed.pkcs7 b/test/recipes/25-test_pkcs7_data/malformed.pkcs7
100			new file mode 100644
101			index 0000000000..e30d1b582c
102			--- /dev/null
103			+++ b/test/recipes/25-test_pkcs7_data/malformed.pkcs7
104			@@ -0,0 +1,3 @@
105			+-----BEGIN PKCS7-----
106			+MAsGCSqGSIb3DQEHAg==
107			+-----END PKCS7-----
108			--
109			2.39.1
110