Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Coverity 1522032: use after free #20528

Closed
wants to merge 3 commits into from
Closed

Coverity 1522032: use after free #20528

wants to merge 3 commits into from

Conversation

paulidale
Copy link
Contributor

Fix use after free error.

  • documentation is added or updated
  • tests are added or updated

@paulidale
Coverity 1522032: use after free
f9c7a43 
Fix use after free error.
@paulidale paulidale added branch: master Merge to master branch approval: review pending This pull request needs review by a committer approval: otc review pending This pull request needs review by an OTC member triaged: bug The issue/pr is/fixes a bug tests: exempted The PR is exempt from requirements for testing labels Mar 17, 2023
@paulidale paulidale self-assigned this Mar 17, 2023
slontis
slontis reviewed Mar 17, 2023
View reviewed changes
Copy link
Member

@slontis slontis left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this fix is not right.
freeing the ctx here seems completely wrong.. The derive did not create the ctx, So it should also not free it.

slontis
slontis reviewed Mar 17, 2023
View reviewed changes
Copy link
Member

@slontis slontis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same on line 1029

slontis
slontis reviewed Mar 17, 2023
View reviewed changes
Copy link
Member

@slontis slontis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also dislike multiple exit branches.. it should just set a flag and goto exit.

@t8m
Copy link
Member

t8m commented Mar 17, 2023

Better fix in #20534

@paulidale
Copy link
Contributor Author

The context free is existing code. I've no idea why it was done that way, I just preserved the behaviour.

I don't agree think that #20534 is proper fix: it doesn't cater for loading a provider (or having a dynamic provider) which changes the fetched algorithms between calls to derive.

@tom-cosgrove-arm
Copy link
Contributor

Agree this PR clearly fixes the use-after-free of ctx at line 1140 by performing that before freeing ctx itself at line 1038.

This matches the behaviour in the block at line 1028 when ctx->md == NULL.

However, there is the issue that only those two error returns (returning 0) free ctx; the many others afterwards don't. So a caller getting success (1) back could reasonably expect the context to still exist; but if this function returns 0 the caller doesn't know whether the context was freed or not without examining the specific error, so there's something weird going on here.

This PR doesn't address the pre-existing "what happens to ctx on errors" confusion, but it does clearly fix the use-after-free on an error path

@paulidale
Avoid freeing context on error
e27efe6 
Freeing the allocated KDF context seems wrong when derive errors.
@paulidale
Copy link
Contributor Author

I've added a commit that takes out the ctx frees.

@slontis
Copy link
Member

slontis commented Mar 19, 2023

The context free is existing code. I've no idea why it was done that way, I just preserved the behaviour.

Thanks for changing..
The code is clearly wrong and behaves differently to every other kdf that has been written. The ctx should only be freed in the free method. If you don't do this then I would expect checks for ctx being NULL in every single function. This ctx is passed from core, it is not expected that someone can change it to NULL under the hood and then potentially have a floating pointer back in core.

tom-cosgrove-arm
tom-cosgrove-arm approved these changes Mar 19, 2023
View reviewed changes
Copy link
Contributor

@tom-cosgrove-arm tom-cosgrove-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is clearly an improvement over the existing code!

@tom-cosgrove-arm tom-cosgrove-arm removed the approval: review pending This pull request needs review by a committer label Mar 19, 2023
slontis
slontis reviewed Mar 19, 2023
View reviewed changes
Copy link
Member

@slontis slontis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is line 1125 correct.. ? If these are no longer needed shouldnt they also be set to NULL? (Or is this a downref)..

@paulidale
Copy link
Contributor Author

That line is correct. I was being zealous in nulling out pointers.

tom-cosgrove-arm
tom-cosgrove-arm approved these changes Mar 19, 2023
View reviewed changes
Copy link
Contributor

@tom-cosgrove-arm tom-cosgrove-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@slontis slontis added approval: done This pull request has the required number of approvals and removed approval: otc review pending This pull request needs review by an OTC member labels Mar 19, 2023
@slontis
Copy link
Member

slontis commented Mar 19, 2023

#20534 seems to cover a bit more than is required for this fix..

@t8m
Copy link
Member

t8m commented Mar 20, 2023

I still think #20534 is more correct. And yeah, I can then rebase it on top of this one if you insist on merging it first.

It does not make sense to re-fetch the internal MD and MAC on every derive call (unless the propq is changed). You do not refetch the Argon2 kdf implementation within the ctx so why should the internal details of it be refetched?

There are also other unnecessary things within the current code such as saving the kdf output within the ctx but never read it again. That is simply wrong and should be removed which #20534 does.

@paulidale
Copy link
Contributor Author

Merged.

@paulidale paulidale closed this Mar 20, 2023
openssl-machine pushed a commit that referenced this pull request Mar 20, 2023
@paulidale
Coverity 1522032: use after free
7c45b7c 
Fix use after free error.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from #20528)
openssl-machine pushed a commit that referenced this pull request Mar 20, 2023
@paulidale
Avoid freeing context on error
6ec3d31 
Freeing the allocated KDF context seems wrong when derive errors.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from #20528)
@paulidale paulidale deleted the coverity-1522032 branch March 30, 2023 22:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@slontis slontis slontis approved these changes

@tom-cosgrove-arm tom-cosgrove-arm tom-cosgrove-arm approved these changes

Assignees

@paulidale paulidale

Labels
approval: done This pull request has the required number of approvals branch: master Merge to master branch tests: exempted The PR is exempt from requirements for testing triaged: bug The issue/pr is/fixes a bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@paulidale @t8m @tom-cosgrove-arm @slontis