[BUG] Three double free bugs in test/evp_extra_test.c #14916

Closed
Yunlongs opened this issue Apr 18, 2021 · 0 comments
Labels
branch: master Merge to master branch triaged: bug The issue/pr is/fixes a bug
@Yunlongs

File: test/evp_extra_test.c
Bug Function: test_EVP_PKEY_ffc_priv_pub
Version: Git-master (2021-4-18)

Description:
In function test_EVP_PKEY_ffc_priv_pub, params is freed via OSSL_PARAM_free() at line 577.
If the condition at line 581 is true, the execution will goto err, and params will be freed again at line 630.

The same problem also happens at line 593 and line 609, which causes two double free bugs.

Code Description:

```c
static int test_EVP_PKEY_ffc_priv_pub(char *keytype)
{
    ....
577:    OSSL_PARAM_free(params);   // params is freed for the first time!
        OSSL_PARAM_BLD_free(bld);

    /* Test priv and !pub */
581:    if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
        || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p))
        || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q))
        || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g))
        || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY,
                                             priv)))
            goto err;
    ....
593:    OSSL_PARAM_free(params);   // params is freed for the first time!
        OSSL_PARAM_BLD_free(bld);

    /* Test !priv and pub */
    if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
        || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p))
        || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q))
        || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g))
        || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY,
                                             pub)))
            goto err;

609:    OSSL_PARAM_free(params);   // params is freed for the first time!
        OSSL_PARAM_BLD_free(bld);

    /* Test priv and pub */
    if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
        || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p))
        || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q))
        || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g))
        || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY,
                                             pub))
        || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY,
                                             priv)))
            goto err;

 err:
630:    OSSL_PARAM_free(params);   // params is freed for the second time!
    ...
    return ret;
}
```
@Yunlongs Yunlongs added the issue: bug report The issue was opened to report a bug label Apr 18, 2021
t8m added a commit to t8m/openssl that referenced this issue May 4, 2021
@t8m t8m added branch: master Merge to master branch triaged: bug The issue/pr is/fixes a bug and removed issue: bug report The issue was opened to report a bug labels May 4, 2021
@t8m t8m added this to the 3.0.0 milestone May 4, 2021
devnexen pushed a commit to devnexen/openssl that referenced this issue Jul 7, 2021
Fixes openssl#14916

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from openssl#15135)
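
The control flow described in the report, reduced to a runnable C sketch (an added example, not code from the issue or from OpenSSL). `struct params`, `params_new()` and `params_free()` are constructed stand-ins that count a repeated release instead of touching the heap, and the rebuild of `params` after the check is an assumption about the elided lines. The second argument switches on one common remedy, resetting the pointer to NULL right after the mid-function free, which is not necessarily the change the project merged.

```c
#include <stdio.h>

/* Constructed stand-in for the OSSL_PARAM array: static storage, so the
 * bookkeeping below stays well defined even after a "free". */
static struct params { int live; } slot;
static int double_frees;

static struct params *params_new(void) { slot.live = 1; return &slot; }

/* Stand-in for OSSL_PARAM_free(): NULL is treated as a no-op, like
 * free(NULL); releasing an already dead object is counted. */
static void params_free(struct params *p)
{
    if (p == NULL)
        return;
    double_frees += !p->live;
    p->live = 0;
}

/* Same shape as the report: release mid-function, then a failing check
 * jumps to the shared err label, which releases again. */
static int double_frees_in_run(int next_check_fails, int null_after_free)
{
    struct params *params = params_new();

    double_frees = 0;
    params_free(params);            /* corresponds to line 577 */
    if (null_after_free)
        params = NULL;              /* hardened form: drop the stale pointer */
    if (next_check_fails)           /* corresponds to the check at line 581 */
        goto err;
    params = params_new();          /* assumed: the next stage rebuilds params */
 err:
    params_free(params);            /* corresponds to line 630 */
    return double_frees;
}

int main(void)
{
    printf("unfixed/fail=%d unfixed/pass=%d reset/fail=%d\n",
           double_frees_in_run(1, 0), double_frees_in_run(0, 0), double_frees_in_run(1, 1));
    return 0;
}
```

The double release only appears when the check after the free fails, which is why a passing test run does not expose it.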