Fix additional URI attributes handling #5

ueno · 2016-10-31T11:53:54Z

Followup fixes from https://bugs.freedesktop.org/show_bug.cgi?id=97245

The commit 63644dc introduced several memcmp() calls without checking the length of the first argument. https://bugs.freedesktop.org/show_bug.cgi?id=97245

https://bugs.freedesktop.org/show_bug.cgi?id=97245

Reset mod->init_count when forkid has changed. Otherwise C_Finalize does not get called. GCC's asan spotted this: Direct leak of 48 byte(s) in 1 object(s) allocated from: #0 0x7f89bc7bfe20 in malloc (/lib64/libasan.so.3+0xc6e20) #1 0x7f89bc47a1f1 in p11_dict_new ../common/dict.c:278 #2 0x7f89bc42143d in managed_C_Initialize ../p11-kit/modules.c:1477 #3 0x7f89bc464c72 in binding_C_Initialize ../p11-kit/virtual.c:121 #4 0x7f89bc1b0a51 in ffi_closure_unix64_inner (/lib64/libffi.so.6+0x5a51) #5 0x7f89bc1b0dbf in ffi_closure_unix64 (/lib64/libffi.so.6+0x5dbf) #6 0x7f89bc44f9e8 in rpc_C_Initialize ../p11-kit/rpc-server.c:691

This allows us to do nested locking within one thread avoiding a lockup when remoting the p11-kit-proxy.so module: #0 0x00007f190f35838d in __lll_lock_wait () from /lib64/libpthread.so.0 p11-glue#1 0x00007f190f351e4d in pthread_mutex_lock () from /lib64/libpthread.so.0 p11-glue#2 0x00007f190f98657f in C_GetFunctionList (list=0x7ffe7ec3f798) at p11-kit/proxy.c:2355 p11-glue#3 0x00007f190f993cc9 in dlopen_and_get_function_list (funcs=0x7ffe7ec3f798, path=0x7ffe7ec40926 "/usr/local/lib/p11-kit-proxy.so", mod=0x249e3d0) at p11-kit/modules.c:337 p11-glue#4 load_module_from_file_inlock (name=name@entry=0x0, path=path@entry=0x7ffe7ec40926 "/usr/local/lib/p11-kit-proxy.so", result=result@entry=0x7ffe7ec3f7e8) at p11-kit/modules.c:382 p11-glue#5 0x00007f190f99587f in p11_kit_module_load (module_path=module_path@entry=0x7ffe7ec40926 "/usr/local/lib/p11-kit-proxy.so", flags=flags@entry=0) at p11-kit/modules.c:2427 p11-glue#6 0x0000000000401c4b in serve_module_from_file (file=0x7ffe7ec40926 "/usr/local/lib/p11-kit-proxy.so") at p11-kit/remote.c:105 p11-glue#7 main (argc=1, argv=<optimized out>) at p11-kit/remote.c:169 The Windows NT mutex is aready recursive by default.

This allows us to do nested locking within one thread avoiding a lockup when remoting the p11-kit-proxy.so module: #0 0x00007f190f35838d in __lll_lock_wait () from /lib64/libpthread.so.0 #1 0x00007f190f351e4d in pthread_mutex_lock () from /lib64/libpthread.so.0 #2 0x00007f190f98657f in C_GetFunctionList (list=0x7ffe7ec3f798) at p11-kit/proxy.c:2355 #3 0x00007f190f993cc9 in dlopen_and_get_function_list (funcs=0x7ffe7ec3f798, path=0x7ffe7ec40926 "/usr/local/lib/p11-kit-proxy.so", mod=0x249e3d0) at p11-kit/modules.c:337 #4 load_module_from_file_inlock (name=name@entry=0x0, path=path@entry=0x7ffe7ec40926 "/usr/local/lib/p11-kit-proxy.so", result=result@entry=0x7ffe7ec3f7e8) at p11-kit/modules.c:382 #5 0x00007f190f99587f in p11_kit_module_load (module_path=module_path@entry=0x7ffe7ec40926 "/usr/local/lib/p11-kit-proxy.so", flags=flags@entry=0) at p11-kit/modules.c:2427 #6 0x0000000000401c4b in serve_module_from_file (file=0x7ffe7ec40926 "/usr/local/lib/p11-kit-proxy.so") at p11-kit/remote.c:105 #7 main (argc=1, argv=<optimized out>) at p11-kit/remote.c:169 The Windows NT mutex is aready recursive by default.

Reads after the end of the array happen when removing elements as well as if the last element was removed. Note that the new if is required because memmove() expects a size_t as length, so we must ensure that it can not be negative. The full AddressSanitizer report is: | ================================================================= | ==27174==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x616000000bb0 at pc 0x00010f8b618d bp 0x7ff7b0b5c3c0 sp 0x7ff7b0b5bb80 | READ of size 560 at 0x616000000bb0 thread T0 | #0 0x10f8b618c in wrap_memcpy+0x16c (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x1f18c) | p11-glue#1 0x111a9bac5 in rpc_C_GetMechanismList+0x18c (p11-kit-client.so:x86_64+0x18ac5) | p11-glue#2 0x111823534 in p11prov_GetMechanismList interface.gen.c:138 | p11-glue#3 0x11184e404 in get_slot_mechanisms session.c:113 | p11-glue#4 0x11184c3ba in p11prov_init_slots session.c:226 | p11-glue#5 0x111843fed in p11prov_module_init provider.c:1035 | p11-glue#6 0x1118417a9 in OSSL_provider_init provider.c:1102 | p11-glue#7 0x11080ee97 in provider_activate+0x117 (libcrypto.3.dylib:x86_64+0x12be97) | p11-glue#8 0x11080eced in ossl_provider_activate+0x42 (libcrypto.3.dylib:x86_64+0x12bced) | p11-glue#9 0x11080db4a in provider_conf_init+0x2a2 (libcrypto.3.dylib:x86_64+0x12ab4a) | p11-glue#10 0x11075ae36 in CONF_modules_load+0x37b (libcrypto.3.dylib:x86_64+0x77e36) | p11-glue#11 0x11075b0c9 in CONF_modules_load_file_ex+0x78 (libcrypto.3.dylib:x86_64+0x780c9) | p11-glue#12 0x11075b899 in ossl_config_int+0x36 (libcrypto.3.dylib:x86_64+0x78899) | p11-glue#13 0x110806ac9 in ossl_init_config_ossl_+0xa (libcrypto.3.dylib:x86_64+0x123ac9) | p11-glue#14 0x7ff818b4acc4 in __pthread_once_handler+0x40 (libsystem_pthread.dylib:x86_64+0x2cc4) | p11-glue#15 0x7ff818b61725 in _os_once_callout+0x11 (libsystem_platform.dylib:x86_64+0x1725) | p11-glue#16 0x7ff818b4ac72 in pthread_once+0x49 (libsystem_pthread.dylib:x86_64+0x2c72) | p11-glue#17 0x11081126c in CRYPTO_THREAD_run_once+0x8 (libcrypto.3.dylib:x86_64+0x12e26c) | p11-glue#18 0x11080691d in OPENSSL_init_crypto+0x446 (libcrypto.3.dylib:x86_64+0x12391d) | p11-glue#19 0x10f6032dc in OPENSSL_init_ssl+0x79 (libssl.3.dylib:x86_64+0x102dc) | p11-glue#20 0x10f3c6287 in main+0x62 (openssl:x86_64+0x100024287) | p11-glue#21 0x115f5252d in start+0x1cd (dyld:x86_64+0x552d) | | 0x616000000bb0 is located 0 bytes to the right of 560-byte region [0x616000000980,0x616000000bb0) | allocated by thread T0 here: | #0 0x10f8e1ed0 in wrap_malloc+0xa0 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4aed0) | p11-glue#1 0x111f1432f in CRYPTO_malloc+0x8f (libcrypto.3.dylib:x86_64+0x16332f) | p11-glue#2 0x11184e1a8 in get_slot_mechanisms session.c:107 | p11-glue#3 0x11184c3ba in p11prov_init_slots session.c:226 | p11-glue#4 0x111843fed in p11prov_module_init provider.c:1035 | p11-glue#5 0x1118417a9 in OSSL_provider_init provider.c:1102 | p11-glue#6 0x11080ee97 in provider_activate+0x117 (libcrypto.3.dylib:x86_64+0x12be97) | p11-glue#7 0x11080eced in ossl_provider_activate+0x42 (libcrypto.3.dylib:x86_64+0x12bced) | p11-glue#8 0x11080db4a in provider_conf_init+0x2a2 (libcrypto.3.dylib:x86_64+0x12ab4a) | p11-glue#9 0x11075ae36 in CONF_modules_load+0x37b (libcrypto.3.dylib:x86_64+0x77e36) | p11-glue#10 0x11075b0c9 in CONF_modules_load_file_ex+0x78 (libcrypto.3.dylib:x86_64+0x780c9) | p11-glue#11 0x11075b899 in ossl_config_int+0x36 (libcrypto.3.dylib:x86_64+0x78899) | p11-glue#12 0x110806ac9 in ossl_init_config_ossl_+0xa (libcrypto.3.dylib:x86_64+0x123ac9) | p11-glue#13 0x7ff818b4acc4 in __pthread_once_handler+0x40 (libsystem_pthread.dylib:x86_64+0x2cc4) | p11-glue#14 0x7ff818b61725 in _os_once_callout+0x11 (libsystem_platform.dylib:x86_64+0x1725) | p11-glue#15 0x7ff818b4ac72 in pthread_once+0x49 (libsystem_pthread.dylib:x86_64+0x2c72) | p11-glue#16 0x11081126c in CRYPTO_THREAD_run_once+0x8 (libcrypto.3.dylib:x86_64+0x12e26c) | p11-glue#17 0x11080691d in OPENSSL_init_crypto+0x446 (libcrypto.3.dylib:x86_64+0x12391d) | p11-glue#18 0x10f6032dc in OPENSSL_init_ssl+0x79 (libssl.3.dylib:x86_64+0x102dc) | p11-glue#19 0x10f3c6287 in main+0x62 (openssl:x86_64+0x100024287) | p11-glue#20 0x115f5252d in start+0x1cd (dyld:x86_64+0x552d) | | SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x1f18c) in wrap_memcpy+0x16c | Shadow bytes around the buggy address: | 0x1c2c00000120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | 0x1c2c00000130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 0x1c2c00000140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 0x1c2c00000150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 0x1c2c00000160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | =>0x1c2c00000170: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa | 0x1c2c00000180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | 0x1c2c00000190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 0x1c2c000001a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 0x1c2c000001b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 0x1c2c000001c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | Shadow byte legend (one shadow byte represents 8 application bytes): | Addressable: 00 | Partially addressable: 01 02 03 04 05 06 07 | Heap left redzone: fa | Freed heap region: fd | Stack left redzone: f1 | Stack mid redzone: f2 | Stack right redzone: f3 | Stack after return: f5 | Stack use after scope: f8 | Global redzone: f9 | Global init order: f6 | Poisoned by user: f7 | Container overflow: fc | Array cookie: ac | Intra object redzone: bb | ASan internal: fe | Left alloca redzone: ca | Right alloca redzone: cb | ==27174==ABORTING | Abort trap: 6 Signed-off-by: Clemens Lang <cllang@redhat.com>

Reads after the end of the array happen when removing elements as well as if the last element was removed. Note that the new if is required because memmove() expects a size_t as length, so we must ensure that it can not be negative. The full AddressSanitizer report is: | ================================================================= | ==27174==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x616000000bb0 at pc 0x00010f8b618d bp 0x7ff7b0b5c3c0 sp 0x7ff7b0b5bb80 | READ of size 560 at 0x616000000bb0 thread T0 | #0 0x10f8b618c in wrap_memcpy+0x16c (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x1f18c) | p11-glue#1 0x111a9bac5 in rpc_C_GetMechanismList+0x18c (p11-kit-client.so:x86_64+0x18ac5) | p11-glue#2 0x111823534 in p11prov_GetMechanismList interface.gen.c:138 | p11-glue#3 0x11184e404 in get_slot_mechanisms session.c:113 | p11-glue#4 0x11184c3ba in p11prov_init_slots session.c:226 | p11-glue#5 0x111843fed in p11prov_module_init provider.c:1035 | p11-glue#6 0x1118417a9 in OSSL_provider_init provider.c:1102 | p11-glue#7 0x11080ee97 in provider_activate+0x117 (libcrypto.3.dylib:x86_64+0x12be97) | p11-glue#8 0x11080eced in ossl_provider_activate+0x42 (libcrypto.3.dylib:x86_64+0x12bced) | p11-glue#9 0x11080db4a in provider_conf_init+0x2a2 (libcrypto.3.dylib:x86_64+0x12ab4a) | p11-glue#10 0x11075ae36 in CONF_modules_load+0x37b (libcrypto.3.dylib:x86_64+0x77e36) | p11-glue#11 0x11075b0c9 in CONF_modules_load_file_ex+0x78 (libcrypto.3.dylib:x86_64+0x780c9) | p11-glue#12 0x11075b899 in ossl_config_int+0x36 (libcrypto.3.dylib:x86_64+0x78899) | p11-glue#13 0x110806ac9 in ossl_init_config_ossl_+0xa (libcrypto.3.dylib:x86_64+0x123ac9) | p11-glue#14 0x7ff818b4acc4 in __pthread_once_handler+0x40 (libsystem_pthread.dylib:x86_64+0x2cc4) | p11-glue#15 0x7ff818b61725 in _os_once_callout+0x11 (libsystem_platform.dylib:x86_64+0x1725) | p11-glue#16 0x7ff818b4ac72 in pthread_once+0x49 (libsystem_pthread.dylib:x86_64+0x2c72) | p11-glue#17 0x11081126c in CRYPTO_THREAD_run_once+0x8 (libcrypto.3.dylib:x86_64+0x12e26c) | p11-glue#18 0x11080691d in OPENSSL_init_crypto+0x446 (libcrypto.3.dylib:x86_64+0x12391d) | p11-glue#19 0x10f6032dc in OPENSSL_init_ssl+0x79 (libssl.3.dylib:x86_64+0x102dc) | p11-glue#20 0x10f3c6287 in main+0x62 (openssl:x86_64+0x100024287) | p11-glue#21 0x115f5252d in start+0x1cd (dyld:x86_64+0x552d) | | 0x616000000bb0 is located 0 bytes to the right of 560-byte region [0x616000000980,0x616000000bb0) | allocated by thread T0 here: | #0 0x10f8e1ed0 in wrap_malloc+0xa0 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4aed0) | p11-glue#1 0x111f1432f in CRYPTO_malloc+0x8f (libcrypto.3.dylib:x86_64+0x16332f) | p11-glue#2 0x11184e1a8 in get_slot_mechanisms session.c:107 | p11-glue#3 0x11184c3ba in p11prov_init_slots session.c:226 | p11-glue#4 0x111843fed in p11prov_module_init provider.c:1035 | p11-glue#5 0x1118417a9 in OSSL_provider_init provider.c:1102 | p11-glue#6 0x11080ee97 in provider_activate+0x117 (libcrypto.3.dylib:x86_64+0x12be97) | p11-glue#7 0x11080eced in ossl_provider_activate+0x42 (libcrypto.3.dylib:x86_64+0x12bced) | p11-glue#8 0x11080db4a in provider_conf_init+0x2a2 (libcrypto.3.dylib:x86_64+0x12ab4a) | p11-glue#9 0x11075ae36 in CONF_modules_load+0x37b (libcrypto.3.dylib:x86_64+0x77e36) | p11-glue#10 0x11075b0c9 in CONF_modules_load_file_ex+0x78 (libcrypto.3.dylib:x86_64+0x780c9) | p11-glue#11 0x11075b899 in ossl_config_int+0x36 (libcrypto.3.dylib:x86_64+0x78899) | p11-glue#12 0x110806ac9 in ossl_init_config_ossl_+0xa (libcrypto.3.dylib:x86_64+0x123ac9) | p11-glue#13 0x7ff818b4acc4 in __pthread_once_handler+0x40 (libsystem_pthread.dylib:x86_64+0x2cc4) | p11-glue#14 0x7ff818b61725 in _os_once_callout+0x11 (libsystem_platform.dylib:x86_64+0x1725) | p11-glue#15 0x7ff818b4ac72 in pthread_once+0x49 (libsystem_pthread.dylib:x86_64+0x2c72) | p11-glue#16 0x11081126c in CRYPTO_THREAD_run_once+0x8 (libcrypto.3.dylib:x86_64+0x12e26c) | p11-glue#17 0x11080691d in OPENSSL_init_crypto+0x446 (libcrypto.3.dylib:x86_64+0x12391d) | p11-glue#18 0x10f6032dc in OPENSSL_init_ssl+0x79 (libssl.3.dylib:x86_64+0x102dc) | p11-glue#19 0x10f3c6287 in main+0x62 (openssl:x86_64+0x100024287) | p11-glue#20 0x115f5252d in start+0x1cd (dyld:x86_64+0x552d) | | SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x1f18c) in wrap_memcpy+0x16c | Shadow bytes around the buggy address: | 0x1c2c00000120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | 0x1c2c00000130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 0x1c2c00000140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 0x1c2c00000150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 0x1c2c00000160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | =>0x1c2c00000170: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa | 0x1c2c00000180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | 0x1c2c00000190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 0x1c2c000001a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 0x1c2c000001b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 0x1c2c000001c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | Shadow byte legend (one shadow byte represents 8 application bytes): | Addressable: 00 | Partially addressable: 01 02 03 04 05 06 07 | Heap left redzone: fa | Freed heap region: fd | Stack left redzone: f1 | Stack mid redzone: f2 | Stack right redzone: f3 | Stack after return: f5 | Stack use after scope: f8 | Global redzone: f9 | Global init order: f6 | Poisoned by user: f7 | Container overflow: fc | Array cookie: ac | Intra object redzone: bb | ASan internal: fe | Left alloca redzone: ca | Right alloca redzone: cb | ==27174==ABORTING | Abort trap: 6 Signed-off-by: Clemens Lang <cllang@redhat.com> Modified-by: Daiki Ueno <dueno@redhat.com>

Reads after the end of the array happen when removing elements as well as if the last element was removed. Note that the new if is required because memmove() expects a size_t as length, so we must ensure that it can not be negative. The full AddressSanitizer report is: | ================================================================= | ==27174==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x616000000bb0 at pc 0x00010f8b618d bp 0x7ff7b0b5c3c0 sp 0x7ff7b0b5bb80 | READ of size 560 at 0x616000000bb0 thread T0 | #0 0x10f8b618c in wrap_memcpy+0x16c (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x1f18c) | #1 0x111a9bac5 in rpc_C_GetMechanismList+0x18c (p11-kit-client.so:x86_64+0x18ac5) | #2 0x111823534 in p11prov_GetMechanismList interface.gen.c:138 | #3 0x11184e404 in get_slot_mechanisms session.c:113 | #4 0x11184c3ba in p11prov_init_slots session.c:226 | #5 0x111843fed in p11prov_module_init provider.c:1035 | #6 0x1118417a9 in OSSL_provider_init provider.c:1102 | #7 0x11080ee97 in provider_activate+0x117 (libcrypto.3.dylib:x86_64+0x12be97) | #8 0x11080eced in ossl_provider_activate+0x42 (libcrypto.3.dylib:x86_64+0x12bced) | #9 0x11080db4a in provider_conf_init+0x2a2 (libcrypto.3.dylib:x86_64+0x12ab4a) | #10 0x11075ae36 in CONF_modules_load+0x37b (libcrypto.3.dylib:x86_64+0x77e36) | #11 0x11075b0c9 in CONF_modules_load_file_ex+0x78 (libcrypto.3.dylib:x86_64+0x780c9) | #12 0x11075b899 in ossl_config_int+0x36 (libcrypto.3.dylib:x86_64+0x78899) | #13 0x110806ac9 in ossl_init_config_ossl_+0xa (libcrypto.3.dylib:x86_64+0x123ac9) | #14 0x7ff818b4acc4 in __pthread_once_handler+0x40 (libsystem_pthread.dylib:x86_64+0x2cc4) | #15 0x7ff818b61725 in _os_once_callout+0x11 (libsystem_platform.dylib:x86_64+0x1725) | #16 0x7ff818b4ac72 in pthread_once+0x49 (libsystem_pthread.dylib:x86_64+0x2c72) | #17 0x11081126c in CRYPTO_THREAD_run_once+0x8 (libcrypto.3.dylib:x86_64+0x12e26c) | #18 0x11080691d in OPENSSL_init_crypto+0x446 (libcrypto.3.dylib:x86_64+0x12391d) | #19 0x10f6032dc in OPENSSL_init_ssl+0x79 (libssl.3.dylib:x86_64+0x102dc) | #20 0x10f3c6287 in main+0x62 (openssl:x86_64+0x100024287) | #21 0x115f5252d in start+0x1cd (dyld:x86_64+0x552d) | | 0x616000000bb0 is located 0 bytes to the right of 560-byte region [0x616000000980,0x616000000bb0) | allocated by thread T0 here: | #0 0x10f8e1ed0 in wrap_malloc+0xa0 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4aed0) | #1 0x111f1432f in CRYPTO_malloc+0x8f (libcrypto.3.dylib:x86_64+0x16332f) | #2 0x11184e1a8 in get_slot_mechanisms session.c:107 | #3 0x11184c3ba in p11prov_init_slots session.c:226 | #4 0x111843fed in p11prov_module_init provider.c:1035 | #5 0x1118417a9 in OSSL_provider_init provider.c:1102 | #6 0x11080ee97 in provider_activate+0x117 (libcrypto.3.dylib:x86_64+0x12be97) | #7 0x11080eced in ossl_provider_activate+0x42 (libcrypto.3.dylib:x86_64+0x12bced) | #8 0x11080db4a in provider_conf_init+0x2a2 (libcrypto.3.dylib:x86_64+0x12ab4a) | #9 0x11075ae36 in CONF_modules_load+0x37b (libcrypto.3.dylib:x86_64+0x77e36) | #10 0x11075b0c9 in CONF_modules_load_file_ex+0x78 (libcrypto.3.dylib:x86_64+0x780c9) | #11 0x11075b899 in ossl_config_int+0x36 (libcrypto.3.dylib:x86_64+0x78899) | #12 0x110806ac9 in ossl_init_config_ossl_+0xa (libcrypto.3.dylib:x86_64+0x123ac9) | #13 0x7ff818b4acc4 in __pthread_once_handler+0x40 (libsystem_pthread.dylib:x86_64+0x2cc4) | #14 0x7ff818b61725 in _os_once_callout+0x11 (libsystem_platform.dylib:x86_64+0x1725) | #15 0x7ff818b4ac72 in pthread_once+0x49 (libsystem_pthread.dylib:x86_64+0x2c72) | #16 0x11081126c in CRYPTO_THREAD_run_once+0x8 (libcrypto.3.dylib:x86_64+0x12e26c) | #17 0x11080691d in OPENSSL_init_crypto+0x446 (libcrypto.3.dylib:x86_64+0x12391d) | #18 0x10f6032dc in OPENSSL_init_ssl+0x79 (libssl.3.dylib:x86_64+0x102dc) | #19 0x10f3c6287 in main+0x62 (openssl:x86_64+0x100024287) | #20 0x115f5252d in start+0x1cd (dyld:x86_64+0x552d) | | SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x1f18c) in wrap_memcpy+0x16c | Shadow bytes around the buggy address: | 0x1c2c00000120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | 0x1c2c00000130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 0x1c2c00000140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 0x1c2c00000150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 0x1c2c00000160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | =>0x1c2c00000170: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa | 0x1c2c00000180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa | 0x1c2c00000190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 0x1c2c000001a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 0x1c2c000001b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 0x1c2c000001c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | Shadow byte legend (one shadow byte represents 8 application bytes): | Addressable: 00 | Partially addressable: 01 02 03 04 05 06 07 | Heap left redzone: fa | Freed heap region: fd | Stack left redzone: f1 | Stack mid redzone: f2 | Stack right redzone: f3 | Stack after return: f5 | Stack use after scope: f8 | Global redzone: f9 | Global init order: f6 | Poisoned by user: f7 | Container overflow: fc | Array cookie: ac | Intra object redzone: bb | ASan internal: fe | Left alloca redzone: ca | Right alloca redzone: cb | ==27174==ABORTING | Abort trap: 6 Signed-off-by: Clemens Lang <cllang@redhat.com> Modified-by: Daiki Ueno <dueno@redhat.com>

ueno added 2 commits October 31, 2016 11:57

uri: Fix buffer overflow in memcmp()

9732b24

The commit 63644dc introduced several memcmp() calls without checking the length of the first argument. https://bugs.freedesktop.org/show_bug.cgi?id=97245

uri: Port to PKCS#11 GNU calling convention

87463ec

https://bugs.freedesktop.org/show_bug.cgi?id=97245

ueno merged commit 07cadc6 into p11-glue:master Oct 31, 2016

ueno deleted the wip/dueno/uri-fixes branch October 31, 2016 15:43

ueno added the bug label Nov 25, 2016

ueno added this to the 0.23.3 milestone Nov 25, 2016

lkundrak mentioned this pull request Jan 16, 2017

common: use recursive pthread mutex for library lock #36

Merged

maya-rv added a commit to maya-rv/p11-kit that referenced this pull request Sep 7, 2018

p11-glue#5, use travis_wait for longer timeout

197e2aa

nora-pxh mentioned this pull request Dec 27, 2021

stack overflow in p11_rpc_buffer_get_attribute #403

Open

neverpanic mentioned this pull request Feb 1, 2023

rpc: Fix two off-by-one errors identified by asan #454

Closed

ueno mentioned this pull request Feb 28, 2023

rpc: Fix two off-by-one errors identified by asan #456

Merged

ZoltanFridrich mentioned this pull request Jun 23, 2023

Memory leak inside p11_kit_remote_serve_tokens #522

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix additional URI attributes handling #5

Fix additional URI attributes handling #5

ueno commented Oct 31, 2016

Fix additional URI attributes handling #5

Fix additional URI attributes handling #5

Conversation

ueno commented Oct 31, 2016