x509: Fix possible use-after-free when OOM #21040
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bernd-edlinger
requested changes
May 24, 2023
mattcaswell
reviewed
May 24, 2023
neverpanic
force-pushed
the
cal-x509-policy-uaf
branch
from
b6b3cd1
to
b481826
Compare
bernd-edlinger
requested changes
May 24, 2023
neverpanic
force-pushed
the
cal-x509-policy-uaf
branch
from
b481826
to
b1d61d2
Compare
neverpanic
force-pushed
the
cal-x509-policy-uaf
branch
from
b1d61d2
to
8c1fa9d
Compare
t8m
requested changes
May 25, 2023
t8m
added
branch: master
tmshort
added
approval: review pending
ossl_policy_level_add_node() first adds the new node to the level->nodes stack, and then attempts to add extra data if extra_data is true. If memory allocation or adding the extra data to tree->extra_data fails, the allocated node (that has already been added to the level->nodes stack) is freed using ossl_policy_node_free(), which leads to a potential use after free. Additionally, the tree's node count and the parent's child count would not be updated, despite the new node being added. Fix this by either performing the function's purpose completely, or not at all by reverting the changes on error. Signed-off-by: Clemens Lang <cllang@redhat.com>
The invocation of ossl_policy_level_add_node in tree_calculate_user_set did not have any error handling. Add it to prevent a memory leak for the allocated extra policy data. Also add error handling to sk_X509_POLICY_NODE_push to ensure that if a new node was allocated, but could not be added to the stack, it is freed correctly. Fix error handling if tree->user_policies cannot be allocated by returning 0, indicating failure, rather than 1. Signed-off-by: Clemens Lang <cllang@redhat.com>
neverpanic
force-pushed
the
cal-x509-policy-uaf
branch
from
8c1fa9d
to
cb54d16
Compare
t8m
approved these changes
May 26, 2023
t8m
removed
the
approval: otc review pending
beldmit
added
approval: done
|
Backport to 1.1.1 in #21066 |
mattcaswell
approved these changes
May 26, 2023
bernd-edlinger
approved these changes
May 26, 2023
|
24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually. |
openssl-machine
pushed a commit
that referenced
this pull request
May 29, 2023
ossl_policy_level_add_node() first adds the new node to the level->nodes stack, and then attempts to add extra data if extra_data is true. If memory allocation or adding the extra data to tree->extra_data fails, the allocated node (that has already been added to the level->nodes stack) is freed using ossl_policy_node_free(), which leads to a potential use after free. Additionally, the tree's node count and the parent's child count would not be updated, despite the new node being added. Fix this by either performing the function's purpose completely, or not at all by reverting the changes on error. Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #21040)
openssl-machine
pushed a commit
that referenced
this pull request
May 29, 2023
The invocation of ossl_policy_level_add_node in tree_calculate_user_set did not have any error handling. Add it to prevent a memory leak for the allocated extra policy data. Also add error handling to sk_X509_POLICY_NODE_push to ensure that if a new node was allocated, but could not be added to the stack, it is freed correctly. Fix error handling if tree->user_policies cannot be allocated by returning 0, indicating failure, rather than 1. Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #21040)
|
Merged to master, 3.1, and 3.0 branches. Thank you for your contribution. |
openssl-machine
pushed a commit
that referenced
this pull request
May 29, 2023
ossl_policy_level_add_node() first adds the new node to the level->nodes stack, and then attempts to add extra data if extra_data is true. If memory allocation or adding the extra data to tree->extra_data fails, the allocated node (that has already been added to the level->nodes stack) is freed using ossl_policy_node_free(), which leads to a potential use after free. Additionally, the tree's node count and the parent's child count would not be updated, despite the new node being added. Fix this by either performing the function's purpose completely, or not at all by reverting the changes on error. Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #21040) (cherry picked from commit de53817)
openssl-machine
pushed a commit
that referenced
this pull request
May 29, 2023
The invocation of ossl_policy_level_add_node in tree_calculate_user_set did not have any error handling. Add it to prevent a memory leak for the allocated extra policy data. Also add error handling to sk_X509_POLICY_NODE_push to ensure that if a new node was allocated, but could not be added to the stack, it is freed correctly. Fix error handling if tree->user_policies cannot be allocated by returning 0, indicating failure, rather than 1. Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #21040) (cherry picked from commit 95a8aa6)
openssl-machine
pushed a commit
that referenced
this pull request
May 29, 2023
ossl_policy_level_add_node() first adds the new node to the level->nodes stack, and then attempts to add extra data if extra_data is true. If memory allocation or adding the extra data to tree->extra_data fails, the allocated node (that has already been added to the level->nodes stack) is freed using ossl_policy_node_free(), which leads to a potential use after free. Additionally, the tree's node count and the parent's child count would not be updated, despite the new node being added. Fix this by either performing the function's purpose completely, or not at all by reverting the changes on error. Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #21040) (cherry picked from commit de53817)
openssl-machine
pushed a commit
that referenced
this pull request
May 29, 2023
The invocation of ossl_policy_level_add_node in tree_calculate_user_set did not have any error handling. Add it to prevent a memory leak for the allocated extra policy data. Also add error handling to sk_X509_POLICY_NODE_push to ensure that if a new node was allocated, but could not be added to the stack, it is freed correctly. Fix error handling if tree->user_policies cannot be allocated by returning 0, indicating failure, rather than 1. Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #21040) (cherry picked from commit 95a8aa6)
MrE-Fog
pushed a commit
to MrE-Fog/opensslxxixx
that referenced
this pull request
Jun 4, 2023
ossl_policy_level_add_node() first adds the new node to the level->nodes stack, and then attempts to add extra data if extra_data is true. If memory allocation or adding the extra data to tree->extra_data fails, the allocated node (that has already been added to the level->nodes stack) is freed using ossl_policy_node_free(), which leads to a potential use after free. Additionally, the tree's node count and the parent's child count would not be updated, despite the new node being added. Fix this by either performing the function's purpose completely, or not at all by reverting the changes on error. Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl/openssl#21040)
MrE-Fog
pushed a commit
to MrE-Fog/opensslxxixx
that referenced
this pull request
Jun 4, 2023
The invocation of ossl_policy_level_add_node in tree_calculate_user_set did not have any error handling. Add it to prevent a memory leak for the allocated extra policy data. Also add error handling to sk_X509_POLICY_NODE_push to ensure that if a new node was allocated, but could not be added to the stack, it is freed correctly. Fix error handling if tree->user_policies cannot be allocated by returning 0, indicating failure, rather than 1. Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl/openssl#21040)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
ossl_policy_level_add_node()first adds the new node to thelevel->nodesstack, and then attempts to add extra data ifextra_datais true. If memory allocation or adding the extra data totree->extra_datafails, the allocated node (that has already been added to thelevel->nodesstack) is freed usingossl_policy_node_free(), which leads to a potential use after free.Additionally, the tree's node count and the parent's child count would not be updated, despite the new node being added.
Checklist
documentation is added or updatedtests are added or updated