-
-
Notifications
You must be signed in to change notification settings - Fork 9.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
possible NULL dereference in context.c (openssl-3.0.0) #17312
Comments
I don't see how Lines 150 to 154 in 0d4c523
Do you know how your fuzzer managed to get here? |
I suppose when CRYPTO_THREAD_init_local() or context_init() fails the default_context_int will be uninitialized, i.e. all zeros. Not sure we have to guard against such kind of failures. Similarly for #17313 |
I.e., should we really guard against situation when initialization of global data that is "always expected to be in there" fails? |
Your supposition is right! Here is the injection log.
161 static OSSL_LIB_CTX *get_thread_default_context(void)
162 {
// `default_context_init` fail, return NULL.
163 if (!RUN_ONCE(&default_context_init, default_context_do_init))
164 return NULL;
165
166 return CRYPTO_THREAD_get_local(&default_context_thread_local);
167 }
168
169 static OSSL_LIB_CTX *get_default_context(void)
170 {
// `default_context_init` fail, `current_defctx = NULL`.
171 OSSL_LIB_CTX *current_defctx = get_thread_default_context();
172
173 if (current_defctx == NULL)
// Point to `default_context_int` again. In fact it is all zero.
174 current_defctx = &default_context_int;
175 return current_defctx;
176 } |
I agree with you. Ignoring some errors and let it crash is also a good solution in some situations. |
Shouldn't we detect that the initialisation failed and return an error? If an application then continues using us, crash is acceptable, although more errors would be better IMO. |
A real life example from a program using libldap 2.6.2 and OpenSSL 3.0.1 (CentOS 9).
Then SSL_CTX_free() is called indirectly by ldap_int_destroy_global_options() (not shown on stacktrace, registered with Program received signal SIGSEGV, Segmentation fault.
Segfault happens only when legacy providers are loaded. But the point is that even when there is no segfault, the order of deinitialization is wrong and it is left undetected. |
I am seeing this exact issue with FreeBSD pkg using libcurl as a fetch backend on FreeBSD CURRENT (OpenSSL 3.0.11). |
So, it seems this issue is caused by libcurl not initializing OpenSSL with Library consumers of OpenSSL should probably by default use |
Hi!
We are using improved fuzzing technology with fault injection. These are possible NULL dereference issues.
Different from traditional fuzzing, fault injection can test error-handling codes while the errors happen in some extreme conditions. (such as malloc() return NULL when out of memory). So it is hard to reproduce without our fault injection environment. I try to analysis the related codes to find the cause but not sure, needing your helps. I'm glad to provide more details if you need.
Analysis:
error logs:
The text was updated successfully, but these errors were encountered: