Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix off-by-1 bug on provider_activate with custom error strings #11427

Closed
wants to merge 2 commits into from
Closed

Fix off-by-1 bug on provider_activate with custom error strings #11427

wants to merge 2 commits into from

Conversation

romen
Copy link
Member

@romen romen commented Mar 27, 2020

Starting cnt from 1 would work if we weren't using cnt itself to access elements of the array returned calling the provider callback.

As it is before this commit, we have 2 problems:

  • first, in the unlikely case that the incoming array was "empty" (only contains the terminator item) we would skip past it and potentially end up with oob reads;
  • otherwise, at the end of the while loop, cnt will be equal to the number of items in the input array, not 1 more. We then add 1 more to the zalloc call to account for the library name item, and we fill all of it (relying on zalloc to have zeroed the terminator item).
    The first read access that will read the list up to the terminator will result in a OOB read as we did not allocate enough space to also contain the terminator.
Checklist
  • tests are added or updated

Nicola Tuveri added 2 commits March 27, 2020 19:53
Add test for providers exposing OSSL_FUNC_PROVIDER_GET_REASON_STRINGS
f6ffdba 
This test currently fails, next commit has the description of the bug
and the fix.
Fix off-by-1 bug on provider_activate with custom error strings
57dc8a2 
Starting `cnt` from 1 would work if we weren't using cnt itself to
access elements of the array returned calling the provider callback.

As it is before this commit, we have 2 problems:
- first, in the unlikely case that the incoming array was "empty" (only
  contains the terminator item) we would skip past it and potentially
  end up with oob reads;
- otherwise, at the end of the while loop, `cnt` will be equal to the
  number of items in the input array, not 1 more. We then add 1 more to
  the zalloc call to account for the library name item, and we fill all
  of it (relying on zalloc to have zeroed the terminator item).
  The first read access that will read the list up to the terminator
  will result in a OOB read as we did not allocate enough space to also
  contain the terminator.
@romen romen added the branch: master Merge to master branch label Mar 27, 2020
@romen romen self-assigned this Mar 27, 2020
@romen
Copy link
Member Author

romen commented Mar 27, 2020

Ping to @p-steuer that brought this item to my attention while working on testing with external providers!

@levitte @paulidale I believe one of you might want to review this!

@mattcaswell mattcaswell added the approval: done This pull request has the required number of approvals label Mar 27, 2020
@openssl-machine openssl-machine added approval: ready to merge The 24 hour grace period has passed, ready to merge and removed approval: done This pull request has the required number of approvals labels Mar 28, 2020
@openssl-machine
Copy link
Collaborator

This pull request is ready to merge

openssl-machine pushed a commit that referenced this pull request Mar 30, 2020
@romen
Add test for providers exposing OSSL_FUNC_PROVIDER_GET_REASON_STRINGS
551543e 
This test currently fails, next commit has the description of the bug
and the fix.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from #11427)
openssl-machine pushed a commit that referenced this pull request Mar 30, 2020
@romen
Fix off-by-1 bug on provider_activate with custom error strings
fd03868 
Starting `cnt` from 1 would work if we weren't using cnt itself to
access elements of the array returned calling the provider callback.

As it is before this commit, we have 2 problems:
- first, in the unlikely case that the incoming array was "empty" (only
  contains the terminator item) we would skip past it and potentially
  end up with oob reads;
- otherwise, at the end of the while loop, `cnt` will be equal to the
  number of items in the input array, not 1 more. We then add 1 more to
  the zalloc call to account for the library name item, and we fill all
  of it (relying on zalloc to have zeroed the terminator item).
  The first read access that will read the list up to the terminator
  will result in a OOB read as we did not allocate enough space to also
  contain the terminator.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from #11427)
@romen
Copy link
Member Author

romen commented Mar 30, 2020

Merged to master with:

  • 551543e Add test for providers exposing OSSL_FUNC_PROVIDER_GET_REASON_STRINGS
  • fd03868 Fix off-by-1 bug on provider_activate with custom error strings

@romen romen closed this Mar 30, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@levitte levitte levitte approved these changes

@mattcaswell mattcaswell mattcaswell approved these changes

Assignees

@romen romen

Labels
approval: ready to merge The 24 hour grace period has passed, ready to merge branch: master Merge to master branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@romen @openssl-machine @levitte @mattcaswell