Fix error handling in ASN1_mbstring_ncopy #23138

Commits on Dec 22, 2023

  1. Fix error handling in ASN1_mbstring_ncopy

    Sometimes the error handling returns an ASN1_STRING
    object in *out although that was not passed in by the
    caller, and sometimes the error handling deletes the
    ASN1_STRING but forgets to clear the *out parameter.
    Therefore the caller has no chance to know whether the leaked
    object in *out shall be deleted or not.
    This may cause a use-after-free error e.g. in asn1_str2type:
    
    ==63312==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000073280 at pc 0x7f2652e93b08 bp 0x7ffe0e1951c0 sp 0x7ffe0e1951b0
    READ of size 8 at 0x603000073280 thread T0
        #0 0x7f2652e93b07 in asn1_string_embed_free crypto/asn1/asn1_lib.c:354
        #1 0x7f2652eb521a in asn1_primitive_free crypto/asn1/tasn_fre.c:204
        #2 0x7f2652eb50a9 in asn1_primitive_free crypto/asn1/tasn_fre.c:199
        #3 0x7f2652eb5b67 in ASN1_item_free crypto/asn1/tasn_fre.c:20
        #4 0x7f2652e8e13b in asn1_str2type crypto/asn1/asn1_gen.c:740
        #5 0x7f2652e8e13b in generate_v3 crypto/asn1/asn1_gen.c:137
        #6 0x7f2652e9166c in ASN1_generate_v3 crypto/asn1/asn1_gen.c:92
        #7 0x7f2653307b9b in do_othername crypto/x509v3/v3_alt.c:577
        #8 0x7f2653307b9b in a2i_GENERAL_NAME crypto/x509v3/v3_alt.c:492
        #9 0x7f26533087c2 in v2i_subject_alt crypto/x509v3/v3_alt.c:327
        #10 0x7f26533107fc in do_ext_nconf crypto/x509v3/v3_conf.c:100
        #11 0x7f2653310f33 in X509V3_EXT_nconf crypto/x509v3/v3_conf.c:45
        #12 0x7f2653311426 in X509V3_EXT_add_nconf_sk crypto/x509v3/v3_conf.c:312
        #13 0x7f265331170c in X509V3_EXT_REQ_add_nconf crypto/x509v3/v3_conf.c:360
        #14 0x564ed19d5f25 in req_main apps/req.c:806
        #15 0x564ed19b8de0 in do_cmd apps/openssl.c:564
        #16 0x564ed1985165 in main apps/openssl.c:183
        #17 0x7f2651c4a082 in __libc_start_main ../csu/libc-start.c:308
        #18 0x564ed1985acd in _start (/home/ed/OPCToolboxV5/Source/Core/OpenSSL/openssl/apps/openssl+0x139acd)
    
    0x603000073280 is located 16 bytes inside of 24-byte region [0x603000073270,0x603000073288)
    freed by thread T0 here:
        #0 0x7f265413440f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
        #1 0x7f265315a429 in CRYPTO_free crypto/mem.c:311
        #2 0x7f265315a429 in CRYPTO_free crypto/mem.c:300
        #3 0x7f2652e757b9 in ASN1_mbstring_ncopy crypto/asn1/a_mbstr.c:191
        #4 0x7f2652e75ec5 in ASN1_mbstring_copy crypto/asn1/a_mbstr.c:38
        #5 0x7f2652e8e227 in asn1_str2type crypto/asn1/asn1_gen.c:681
        #6 0x7f2652e8e227 in generate_v3 crypto/asn1/asn1_gen.c:137
        #7 0x7f2652e9166c in ASN1_generate_v3 crypto/asn1/asn1_gen.c:92
        #8 0x7f2653307b9b in do_othername crypto/x509v3/v3_alt.c:577
        #9 0x7f2653307b9b in a2i_GENERAL_NAME crypto/x509v3/v3_alt.c:492
        #10 0x7f26533087c2 in v2i_subject_alt crypto/x509v3/v3_alt.c:327
        #11 0x7f26533107fc in do_ext_nconf crypto/x509v3/v3_conf.c:100
        #12 0x7f2653310f33 in X509V3_EXT_nconf crypto/x509v3/v3_conf.c:45
        #13 0x7f2653311426 in X509V3_EXT_add_nconf_sk crypto/x509v3/v3_conf.c:312
        #14 0x7f265331170c in X509V3_EXT_REQ_add_nconf crypto/x509v3/v3_conf.c:360
        #15 0x564ed19d5f25 in req_main apps/req.c:806
        #16 0x564ed19b8de0 in do_cmd apps/openssl.c:564
        #17 0x564ed1985165 in main apps/openssl.c:183
        #18 0x7f2651c4a082 in __libc_start_main ../csu/libc-start.c:308
    
    previously allocated by thread T0 here:
        #0 0x7f2654134808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x7f265315a4fd in CRYPTO_malloc crypto/mem.c:221
        #2 0x7f265315a4fd in CRYPTO_malloc crypto/mem.c:198
        #3 0x7f265315a945 in CRYPTO_zalloc crypto/mem.c:236
        #4 0x7f2652e939a4 in ASN1_STRING_type_new crypto/asn1/asn1_lib.c:341
        #5 0x7f2652e74e51 in ASN1_mbstring_ncopy crypto/asn1/a_mbstr.c:150
        #6 0x7f2652e75ec5 in ASN1_mbstring_copy crypto/asn1/a_mbstr.c:38
        #7 0x7f2652e8e227 in asn1_str2type crypto/asn1/asn1_gen.c:681
        #8 0x7f2652e8e227 in generate_v3 crypto/asn1/asn1_gen.c:137
        #9 0x7f2652e9166c in ASN1_generate_v3 crypto/asn1/asn1_gen.c:92
        #10 0x7f2653307b9b in do_othername crypto/x509v3/v3_alt.c:577
        #11 0x7f2653307b9b in a2i_GENERAL_NAME crypto/x509v3/v3_alt.c:492
        #12 0x7f26533087c2 in v2i_subject_alt crypto/x509v3/v3_alt.c:327
        #13 0x7f26533107fc in do_ext_nconf crypto/x509v3/v3_conf.c:100
        #14 0x7f2653310f33 in X509V3_EXT_nconf crypto/x509v3/v3_conf.c:45
        #15 0x7f2653311426 in X509V3_EXT_add_nconf_sk crypto/x509v3/v3_conf.c:312
        #16 0x7f265331170c in X509V3_EXT_REQ_add_nconf crypto/x509v3/v3_conf.c:360
        #17 0x564ed19d5f25 in req_main apps/req.c:806
        #18 0x564ed19b8de0 in do_cmd apps/openssl.c:564
        #19 0x564ed1985165 in main apps/openssl.c:183
        #20 0x7f2651c4a082 in __libc_start_main ../csu/libc-start.c:308
    bernd-edlinger committed Dec 22, 2023
    14a57ac
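
The out-parameter ownership rule that the commit message says was violated, shown as an added C example; this is not OpenSSL's code and not the patch from this pull request. `struct str`, `str_copy` and `str_free` are hypothetical stand-ins, and the "input too long" failure is constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for ASN1_STRING; not an OpenSSL type. */
struct str { char *data; size_t len; };

static void str_free(struct str *s) { if (s) { free(s->data); free(s); } }

/*
 * Copy `in` into *out, allocating *out when the caller passed NULL.
 * Contract on failure (return -1): a caller-supplied object is left alone
 * and still owned by the caller; an object allocated here is freed and
 * *out is reset to NULL, so *out never dangles and never leaks.
 */
int str_copy(struct str **out, const char *in, size_t maxlen)
{
    struct str *dest;
    int allocated_here = 0;
    size_t n;
    char *buf;

    if (out == NULL || in == NULL)
        return -1;
    n = strlen(in);
    dest = *out;
    if (dest == NULL) {
        dest = calloc(1, sizeof(*dest));
        if (dest == NULL)
            return -1;
        allocated_here = 1;
        *out = dest;
    }
    if (n > maxlen)                 /* constructed failure: input too long */
        goto err;
    buf = malloc(n + 1);
    if (buf == NULL)
        goto err;
    memcpy(buf, in, n + 1);
    free(dest->data);
    dest->data = buf;
    dest->len = n;
    return 0;
err:
    if (allocated_here) {           /* free only what this call created */
        str_free(dest);
        *out = NULL;                /* omitting this leaves a dangling *out */
    }
    return -1;
}
```

With this contract a caller can run its own cleanup on the pointer unconditionally after a failure: it is either NULL or the object the caller already owned.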