crypto/evp/bio_ok.c: Integer Overflow in BIO_f_reliable record parser leads to Out-of-Bounds Read #28504
Closed
…leads to Out-of-Bounds Read
Could you please submit an ICLA? We already have your company CCLA, but we also need an ICLA.
paulidale
approved these changes
Sep 10, 2025
t8m
approved these changes
Sep 22, 2025
This pull request is ready to merge
openssl-machine
pushed a commit
that referenced
this pull request
Sep 23, 2025
…ut-of-Bounds Read Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #28504)
Merged to all the active branches. Thank you for your contribution.
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 30, 2025
3.5.4 CHANGES.md includes the following: * openssl#28098 * openssl#28415 * openssl#28504 * openssl#28535 * openssl#28569 * openssl#28573 * openssl#28576 * openssl#28591 * openssl#28603 * openssl#28624 * openssl#28642 * openssl#28676 3.5.4 NEWS.md includes the following: * openssl#28603 Updated the changes and news in the previous branches. Removed the attribution in NEWS.md incorrectly introduced in e551da6 "Update news and changes for the 3.5.3 release". Release: Yes Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 30, 2025
3.4.3 CHANGES.md includes the following: * openssl#28098 * openssl#28415 * openssl#28504 * openssl#28535 * openssl#28591 * openssl#28603 * openssl#28624 * openssl#28642 3.4.3 NEWS.md do not have any updates. Updated the changes and news in the previous branches. Release: Yes Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 30, 2025
3.3.5 CHANGES.md includes the following: * openssl#28098 * openssl#28504 * openssl#28535 * openssl#28591 * openssl#28603 * openssl#28624 * openssl#28642 3.3.5 NEWS.md do not have any updates. Updated the changes and news in the previous branches. Release: Yes Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 30, 2025
3.2.6 CHANGES.md includes the following: * openssl#28098 * openssl#28504 * openssl#28535 * openssl#28591 * openssl#28603 * openssl#28624 * openssl#28642 3.2.6 NEWS.md do not have any updates. Updated the changes and news in the previous branches. Release: Yes Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 30, 2025
3.0.18 CHANGES.md includes the following: * openssl#28098 * openssl#28198 * openssl#28398 * openssl#28411 * openssl#28449 * openssl#28504 * openssl#28535 * openssl#28591 * openssl#28624 Release: Yes Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 30, 2025
3.2.6 CHANGES.md includes the following: * openssl#28098 * openssl#28198 * openssl#28398 * openssl#28411 * openssl#28449 * openssl#28504 * openssl#28535 * openssl#28591 * openssl#28603 * openssl#28624 * openssl#28642 3.2.6 NEWS.md do not have any updates. Updated the changes and news in the previous branches. Release: Yes Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 30, 2025
3.3.5 CHANGES.md includes the following: * openssl#28098 * openssl#28198 * openssl#28398 * openssl#28411 * openssl#28449 * openssl#28504 * openssl#28535 * openssl#28591 * openssl#28603 * openssl#28624 * openssl#28642 3.3.5 NEWS.md do not have any updates. Updated the changes and news in the previous branches. Release: Yes Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 30, 2025
3.4.3 CHANGES.md includes the following: * openssl#28098 * openssl#28198 * openssl#28398 * openssl#28411 * openssl#28415 * openssl#28449 * openssl#28504 * openssl#28535 * openssl#28591 * openssl#28603 * openssl#28624 * openssl#28642 3.4.3 NEWS.md do not have any updates. Updated the changes and news in the previous branches. Release: Yes Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
eclipse-oniro-oh-bot
pushed a commit
to eclipse-oniro-mirrors/third_party_openssl
that referenced
this pull request
Oct 10, 2025
…ut-of-Bounds Read Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl/openssl#28504) (cherry picked from commit 312904b216f917646ad1909ce8bca8bf8a52e5d7) Signed-off-by: jing-wang177 <wangjing561@huawei.com>
eclipse-oniro-oh-bot
pushed a commit
to eclipse-oniro-mirrors/third_party_openssl
that referenced
this pull request
Oct 15, 2025
…ut-of-Bounds Read Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl/openssl#28504) (cherry picked from commit 312904b216f917646ad1909ce8bca8bf8a52e5d7) Signed-off-by: jing-wang177 <wangjing561@huawei.com>
eclipse-oniro-oh-bot
pushed a commit
to eclipse-oniro-mirrors/third_party_openssl
that referenced
this pull request
Oct 16, 2025
…ut-of-Bounds Read Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl/openssl#28504) (cherry picked from commit 312904b216f917646ad1909ce8bca8bf8a52e5d7) Signed-off-by: jing-wang177 <wangjing561@huawei.com>
This contribution was included in a recent blog post. Just thought you might be interested, @LuiginoC.
Labels
approval: ready to merge
The 24 hour grace period has passed, ready to merge
branch: master
Merge to master branch
branch: 3.0
Merge to openssl-3.0 branch
branch: 3.2
Merge to openssl-3.2
branch: 3.3
Merge to openssl-3.3
branch: 3.4
Merge to openssl-3.4
branch: 3.5
Merge to openssl-3.5
branch: 3.6
Merge to openssl-3.6
tests: exempted
The PR is exempt from requirements for testing
triaged: bug
The issue/pr is/fixes a bug
This PR fixes a potential out-of-bounds read and denial of service in BIO_f_reliable on 32-bit platforms (ILP32, Windows LLP64). The bug is caused by using unsigned long arithmetic in the block_in() length check, which can overflow and bypass validation.
Vulnerability Details
File: crypto/evp/bio_ok.c
Function: block_in()
Issue: Length tl is decoded from attacker-controlled input and stored in an unsigned long. On 32-bit builds, tl + OK_BLOCK_BLOCK + md_size can wrap, allowing the bounds check to be bypassed.
Impact: EVP_DigestUpdate() is then invoked with a very large size, leading to an out-of-bounds read from ctx->buf.
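
The wrap described above, as an added example that is not part of the pull request or of OpenSSL's code. It assumes uint32_t as a model of a 32-bit unsigned long; HDR_LEN, MD_SIZE and the function names are hypothetical stand-ins for OK_BLOCK_BLOCK, md_size and the length check in block_in(), and the input values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values for illustration; the page gives neither. */
#define HDR_LEN 4u   /* stand-in for OK_BLOCK_BLOCK */
#define MD_SIZE 32u  /* stand-in for md_size (a 32-byte digest) */

/* uint32_t models unsigned long on ILP32 / Windows LLP64 builds.
 * Each function returns 1 when the check lets a record of payload
 * length tl through for a buffer holding buf_len bytes, else 0. */

/* Wrapping form: the sum is computed modulo 2^32 before comparing. */
static int accepts_wrapping(uint32_t buf_len, uint32_t tl)
{
    uint32_t need = tl + HDR_LEN + MD_SIZE;
    return buf_len >= need;
}

/* Hardened form: subtract the constants from the trusted length,
 * after making sure that subtraction cannot itself underflow. */
static int accepts_checked(uint32_t buf_len, uint32_t tl)
{
    if (buf_len < HDR_LEN + MD_SIZE)
        return 0;
    return tl <= buf_len - HDR_LEN - MD_SIZE;
}

/* Alternative: widen to 64 bits so the sum cannot wrap. */
static int accepts_widened(uint32_t buf_len, uint32_t tl)
{
    return (uint64_t)buf_len >= (uint64_t)tl + HDR_LEN + MD_SIZE;
}

int main(void)
{
    /* Constructed inputs: 100 buffered bytes, three claimed lengths. */
    const uint32_t buf_len = 100;
    const uint32_t tls[] = { 64u, 65u, 0xFFFFFFF0u };

    for (size_t i = 0; i < sizeof(tls) / sizeof(tls[0]); i++)
        printf("tl=0x%08lx wrapping=%d checked=%d widened=%d\n",
               (unsigned long)tls[i],
               accepts_wrapping(buf_len, tls[i]),
               accepts_checked(buf_len, tls[i]),
               accepts_widened(buf_len, tls[i]));
    return 0;
}
```

With 100 bytes buffered, all three forms agree on the honest lengths 64 and 65; only the wrapping form accepts 0xFFFFFFF0, because the sum wraps to 20.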