1 |
From 934a04f0e775309cadbef0aa6b9692e1b12a76c6 Mon Sep 17 00:00:00 2001 |
2 |
From: Tomas Mraz <tomas@openssl.org> |
3 |
Date: Mon, 16 Jan 2023 19:45:23 +0100 |
4 |
Subject: [PATCH 08/18] Do not dereference PKCS7 object data if not set |
5 |
|
6 |
Fixes CVE-2023-0216 |
7 |
|
8 |
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> |
9 |
Reviewed-by: Paul Dale <pauli@openssl.org> |
10 |
--- |
11 |
crypto/pkcs7/pk7_lib.c | 16 ++++++++++++---- |
12 |
1 file changed, 12 insertions(+), 4 deletions(-) |
13 |
|
14 |
diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c |
15 |
index 753f1276e6..936e50da54 100644 |
16 |
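--- a/crypto/pkcs7/pk7_lib.c
+++ b/crypto/pkcs7/pk7_lib.c
@@ -414,6 +414,8 @@ PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey,
 
 static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7)
 {
+ if (p7->d.ptr == NULL)
+ return NULL;
 if (PKCS7_type_is_signed(p7))
 return p7->d.sign->cert;
 if (PKCS7_type_is_signedAndEnveloped(p7))
@@ -423,6 +425,8 @@ static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7)
 
 static STACK_OF(PKCS7_RECIP_INFO) *pkcs7_get_recipient_info(const PKCS7 *p7)
 {
+ if (p7->d.ptr == NULL)
+ return NULL;
 if (PKCS7_type_is_signedAndEnveloped(p7))
 return p7->d.signed_and_enveloped->recipientinfo;
 if (PKCS7_type_is_enveloped(p7))
@@ -440,13 +444,17 @@ void ossl_pkcs7_resolve_libctx(PKCS7 *p7)
 const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
 OSSL_LIB_CTX *libctx = ossl_pkcs7_ctx_get0_libctx(ctx);
 const char *propq = ossl_pkcs7_ctx_get0_propq(ctx);
- STACK_OF(PKCS7_RECIP_INFO) *rinfos = pkcs7_get_recipient_info(p7);
- STACK_OF(PKCS7_SIGNER_INFO) *sinfos = PKCS7_get_signer_info(p7);
- STACK_OF(X509) *certs = pkcs7_get_signer_certs(p7);
+ STACK_OF(PKCS7_RECIP_INFO) *rinfos;
+ STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
+ STACK_OF(X509) *certs;
 
- if (ctx == NULL)
+ if (ctx == NULL || p7->d.ptr == NULL)
 return;
 
+ rinfos = pkcs7_get_recipient_info(p7);
+ sinfos = PKCS7_get_signer_info(p7);
+ certs = pkcs7_get_signer_certs(p7);
+
 for (i = 0; i < sk_X509_num(certs); i++)
 ossl_x509_set0_libctx(sk_X509_value(certs, i), libctx, propq);
 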
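Review bot: The `p7->d.ptr == NULL` guards added to `pkcs7_get_signer_certs`, `pkcs7_get_recipient_info` and `ossl_pkcs7_resolve_libctx` carry no comment saying why the pointer can be NULL on an object that parsed successfully, so a later cleanup could mistake them for dead code. The fixture added in the following patch decodes to a structure holding only the signedData type OID, which suggests the trigger is an input whose optional content field is absent. A comment above the first guard such as `/* content is optional: d.ptr stays NULL when only the type OID was decoded */` would record that. All three function bodies continue outside their hunks, so whether other `p7->d.*` dereferences in this file need the same guard cannot be judged from here and is worth a separate audit.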
58 |
-- |
59 |
2.39.1 |
60 |
|
61 |
From 67813d8a4d110f4174bbd2fee8a2f15388e324b5 Mon Sep 17 00:00:00 2001 |
62 |
From: Tomas Mraz <tomas@openssl.org> |
63 |
Date: Mon, 16 Jan 2023 19:56:20 +0100 |
64 |
Subject: [PATCH 09/18] Add test for d2i_PKCS7 NULL dereference |
65 |
|
66 |
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> |
67 |
Reviewed-by: Paul Dale <pauli@openssl.org> |
68 |
--- |
69 |
test/recipes/25-test_pkcs7.t | 7 +++++-- |
70 |
test/recipes/25-test_pkcs7_data/malformed.pkcs7 | 3 +++ |
71 |
2 files changed, 8 insertions(+), 2 deletions(-) |
72 |
create mode 100644 test/recipes/25-test_pkcs7_data/malformed.pkcs7 |
73 |
|
74 |
diff --git a/test/recipes/25-test_pkcs7.t b/test/recipes/25-test_pkcs7.t |
75 |
index 37cd43dc6b..d61cd6abad 100644 |
76 |
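--- a/test/recipes/25-test_pkcs7.t
+++ b/test/recipes/25-test_pkcs7.t
@@ -11,11 +11,11 @@ use strict;
 use warnings;
 
 use File::Spec;
-use OpenSSL::Test qw/:DEFAULT srctop_file/;
+use OpenSSL::Test qw/:DEFAULT srctop_file data_file/;
 
 setup("test_pkcs7");
 
-plan tests => 3;
+plan tests => 4;
 
 require_ok(srctop_file('test','recipes','tconversion.pl'));
 
@@ -27,3 +27,6 @@ subtest 'pkcs7 conversions -- pkcs7d' => sub {
 tconversion( -type => 'p7d', -in => srctop_file("test", "pkcs7-1.pem"),
 -args => ["pkcs7"] );
 };
+
+my $malformed = data_file('malformed.pkcs7');
+ok(run(app(["openssl", "pkcs7", "-in", $malformed])));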
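Review bot: The added `ok(run(app([...])))` has no test name, so a failing run will not identify it as the regression check for the NULL dereference fixed in the previous patch. Something like `ok(run(app(["openssl", "pkcs7", "-in", $malformed])), "PKCS7 with missing content does not crash");` would make the harness output self-explanatory. The assertion also requires the command to succeed on this input, which pins "parses and prints" rather than only "does not crash". A one-line comment saying which of the two is the intended contract would help whoever next touches the parser's strictness.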
99 |
diff --git a/test/recipes/25-test_pkcs7_data/malformed.pkcs7 b/test/recipes/25-test_pkcs7_data/malformed.pkcs7 |
100 |
new file mode 100644 |
101 |
index 0000000000..e30d1b582c |
102 |
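--- /dev/null
+++ b/test/recipes/25-test_pkcs7_data/malformed.pkcs7
@@ -0,0 +1,3 @@
+-----BEGIN PKCS7-----
+MAsGCSqGSIb3DQEHAg==
+-----END PKCS7-----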
108 |
-- |
109 |
2.39.1 |
110 |
|