openssl/crypto
Bernd Edlinger 557825acd6 Fix a crash in asn1_item_embed_new
This happens usually if a template object is created
and there is an out of memory error before the ASN1_OP_NEW_POST
method is called, but asn1_item_embed_free now calls the
ASN1_OP_FREE_POST which may crash because the object is not
properly initialized.  Apparently that is only an issue with
the ASN1_OP_FREE_POST handling of crypto/x509/x_crl.c, which
ought to be tolerant to incompletely initialized objects.

The error can be reproduced with the reproducible error injection patch:

$ ERROR_INJECT=1652890550 ../util/shlib_wrap.sh ./asn1-test ./corpora/asn1/0ff17293911f54d1538b9896563a4048d67d9ee4
    #0 0x7faae9dbeeba in __sanitizer_print_stack_trace ../../../../gcc-trunk/libsanitizer/asan/asan_stack.cpp:87
    #1 0x408dc4 in my_malloc fuzz/test-corpus.c:114
    #2 0x7faae99f2430 in CRYPTO_zalloc crypto/mem.c:230
    #3 0x7faae97f09e5 in ASN1_STRING_type_new crypto/asn1/asn1_lib.c:341
    #4 0x7faae98118f7 in asn1_primitive_new crypto/asn1/tasn_new.c:318
    #5 0x7faae9812401 in asn1_item_embed_new crypto/asn1/tasn_new.c:78
    #6 0x7faae9812401 in asn1_template_new crypto/asn1/tasn_new.c:240
    #7 0x7faae9812315 in asn1_item_embed_new crypto/asn1/tasn_new.c:137
    #8 0x7faae9812315 in asn1_template_new crypto/asn1/tasn_new.c:240
    #9 0x7faae9812a54 in asn1_item_embed_new crypto/asn1/tasn_new.c:137
    #10 0x7faae9812a54 in ASN1_item_ex_new crypto/asn1/tasn_new.c:39
    #11 0x7faae980be51 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:325
    #12 0x7faae980c813 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:611
    #13 0x7faae980d288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
    #14 0x7faae980b9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
    #15 0x7faae980caf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
    #16 0x7faae980d7d3 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:494
    #17 0x7faae980b9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
    #18 0x7faae980dd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124
    #19 0x7faae980de35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114
    #20 0x40712c in FuzzerTestOneInput fuzz/asn1.c:301
    #21 0x40893b in testfile fuzz/test-corpus.c:182
    #22 0x406b86 in main fuzz/test-corpus.c:226
    #23 0x7faae8eb1f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1194==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7faae9b0625f bp 0x7fffffe41a00 sp 0x7fffffe41920 T0)
==1194==The signal is caused by a READ memory access.
==1194==Hint: address points to the zero page.
    #0 0x7faae9b0625f in crl_cb crypto/x509/x_crl.c:258
    #1 0x7faae9811255 in asn1_item_embed_free crypto/asn1/tasn_fre.c:113
    #2 0x7faae9812a65 in asn1_item_embed_new crypto/asn1/tasn_new.c:150
    #3 0x7faae9812a65 in ASN1_item_ex_new crypto/asn1/tasn_new.c:39
    #4 0x7faae980be51 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:325
    #5 0x7faae980c813 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:611
    #6 0x7faae980d288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
    #7 0x7faae980b9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
    #8 0x7faae980caf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
    #9 0x7faae980d7d3 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:494
    #10 0x7faae980b9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
    #11 0x7faae980dd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124
    #12 0x7faae980de35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114
    #13 0x40712c in FuzzerTestOneInput fuzz/asn1.c:301
    #14 0x40893b in testfile fuzz/test-corpus.c:182
    #15 0x406b86 in main fuzz/test-corpus.c:226
    #16 0x7faae8eb1f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV crypto/x509/x_crl.c:258 in crl_cb
==1194==ABORTING

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18360)
2022-05-23 06:20:48 +02:00
aes Add AES implementation in generic riscv64 asm 2022-05-19 16:32:49 +10:00
aria
asn1 Update copyright year 2022-05-03 13:34:51 +01:00
async Update copyright year 2022-05-03 13:34:51 +01:00
bf
bio Fix KTLS with BIO_new_connect 2022-05-17 13:16:03 +02:00
bn bn_nist: fix strict aliasing problem 2022-05-10 19:38:42 +10:00
buffer
camellia Update copyright year 2022-05-03 13:34:51 +01:00
cast
chacha Update copyright year 2022-05-03 13:34:51 +01:00
cmac
cmp Remove duplicated #include headers 2022-05-04 13:46:10 +10:00
cms Remove duplicated #include headers 2022-05-04 13:46:10 +10:00
comp
conf Update copyright year 2022-05-03 13:34:51 +01:00
crmf crmf_lib.c: Make sure Ed signature for POPO is called without digest 2022-05-05 09:52:27 +02:00
ct
des Update copyright year 2022-05-03 13:34:51 +01:00
dh Remove duplicated #include headers 2022-05-04 13:46:10 +10:00
dsa Update copyright year 2022-05-03 13:34:51 +01:00
dso Update copyright year 2022-05-03 13:34:51 +01:00
ec Update copyright year 2022-05-03 13:34:51 +01:00
encode_decode Remove the _fetch_by_number functions 2022-05-06 10:38:55 +10:00
engine Update copyright year 2022-05-03 13:34:51 +01:00
err err: get rid of err_free_strings_int() 2022-05-10 09:47:54 +02:00
ess
evp add support for SHA-3 based PRF to PBES2 2022-05-18 17:08:48 +02:00
ffc Update copyright year 2022-05-03 13:34:51 +01:00
hmac
http Update copyright year 2022-05-03 13:34:51 +01:00
idea
kdf
lhash performance: improve ossl_lh_strcasehash 2022-05-21 21:53:39 +02:00
md2
md4
md5 Update copyright year 2022-05-03 13:34:51 +01:00
mdc2
modes Add clmul-based gmult for riscv64 with Zbb, Zbc 2022-05-19 16:32:49 +10:00
objects objects.txt: Add newly registered OIDs according to CMP Updates, for use in extended CMPv2 2022-05-04 13:23:31 +02:00
ocsp Update copyright year 2022-05-03 13:34:51 +01:00
pem Update copyright year 2022-05-03 13:34:51 +01:00
perlasm Update copyright year 2022-05-03 13:34:51 +01:00
pkcs7 Update copyright year 2022-05-03 13:34:51 +01:00
pkcs12 Update copyright year 2022-05-03 13:34:51 +01:00
poly1305 Update copyright year 2022-05-03 13:34:51 +01:00
property Complete the cleanup of an algorithm in OSSL_METHOD_STORE 2022-05-05 15:06:11 +02:00
rand remove legacy VxWorks workaround 2022-05-09 11:13:37 +02:00
rc2
rc4
rc5
ripemd
rsa Update copyright year 2022-05-03 13:34:51 +01:00
seed
sha Add riscv64 asm_arch to linux64-riscv64 target 2022-05-11 18:02:03 +10:00
siphash Update copyright year 2022-05-03 13:34:51 +01:00
sm2 Remove duplicated #include headers 2022-05-04 13:46:10 +10:00
sm3 Update copyright year 2022-05-03 13:34:51 +01:00
sm4 Update copyright year 2022-05-03 13:34:51 +01:00
srp
stack
store Fix Coverity 1503329 use after free 2022-05-06 18:21:22 +10:00
ts Update copyright year 2022-05-03 13:34:51 +01:00
txt_db
ui Update copyright year 2022-05-03 13:34:51 +01:00
whrlpool
x509 Fix a crash in asn1_item_embed_new 2022-05-23 06:20:48 +02:00
alphacpuid.pl
arm64cpuid.pl Update copyright year 2022-05-03 13:34:51 +01:00
arm_arch.h Apply the AES-GCM unroll8 optimization patch to Neoverse N2 2022-05-23 11:05:51 +10:00
armcap.c Apply the AES-GCM unroll8 optimization patch to Neoverse N2 2022-05-23 11:05:51 +10:00
armv4cpuid.pl
asn1_dsa.c
bsearch.c
build.info Add basic RISC-V cpuid and OPENSSL_riscvcap 2022-05-19 16:32:49 +10:00
c64xpluscpuid.pl
context.c Update copyright year 2022-05-03 13:34:51 +01:00
core_algorithm.c Refactor method construction pre- and post-condition 2022-05-05 15:05:54 +02:00
core_fetch.c Always try to construct methods as new provider might be added 2022-05-12 08:28:12 +02:00
core_namemap.c Drop ossl_namemap_add_name_n() and simplify ossl_namemap_add_names() 2022-05-21 21:49:54 +02:00
cpt_err.c
cpuid.c Update copyright year 2022-05-03 13:34:51 +01:00
cryptlib.c Update copyright year 2022-05-03 13:34:51 +01:00
ctype.c tolower: refine the tolower code to avoid a memory access 2022-05-23 09:51:28 +10:00
cversion.c
der_writer.c
dllmain.c Update copyright year 2022-05-03 13:34:51 +01:00
ebcdic.c
ex_data.c
getenv.c Update copyright year 2022-05-03 13:34:51 +01:00
ia64cpuid.S
info.c Update copyright year 2022-05-03 13:34:51 +01:00
init.c strcasecmp: implement strcasecmp and strncasecmp 2022-05-23 09:51:28 +10:00
initthread.c Update copyright year 2022-05-03 13:34:51 +01:00
LPdir_nyi.c
LPdir_unix.c Update copyright year 2022-05-03 13:34:51 +01:00
LPdir_vms.c
LPdir_win32.c
LPdir_win.c
LPdir_wince.c
mem_clr.c
mem_sec.c Update copyright year 2022-05-03 13:34:51 +01:00
mem.c Update copyright year 2022-05-03 13:34:51 +01:00
mips_arch.h
o_dir.c Update copyright year 2022-05-03 13:34:51 +01:00
o_fopen.c Update copyright year 2022-05-03 13:34:51 +01:00
o_init.c Update copyright year 2022-05-03 13:34:51 +01:00
o_str.c strcasecmp: implement strcasecmp and strncasecmp 2022-05-23 09:51:28 +10:00
o_time.c
packet.c
param_build_set.c Update copyright year 2022-05-03 13:34:51 +01:00
param_build.c Update copyright year 2022-05-03 13:34:51 +01:00
params_dup.c Update copyright year 2022-05-03 13:34:51 +01:00
params_from_text.c
params.c Update copyright year 2022-05-03 13:34:51 +01:00
pariscid.pl
passphrase.c Update copyright year 2022-05-03 13:34:51 +01:00
ppccap.c Update copyright year 2022-05-03 13:34:51 +01:00
ppccpuid.pl Update copyright year 2022-05-03 13:34:51 +01:00
provider_child.c For child libctx / provider, don't count self-references in parent 2022-05-05 15:06:11 +02:00
provider_conf.c Update copyright year 2022-05-03 13:34:51 +01:00
provider_core.c Add method store cache flush and method removal to non-EVP operations 2022-05-05 15:06:12 +02:00
provider_local.h
provider_predefined.c
provider.c
punycode.c
README-sparse_array.md
riscv64cpuid.pl Add basic RISC-V cpuid and OPENSSL_riscvcap 2022-05-19 16:32:49 +10:00
riscvcap.c Add basic RISC-V cpuid and OPENSSL_riscvcap 2022-05-19 16:32:49 +10:00
s390x_arch.h Update copyright year 2022-05-03 13:34:51 +01:00
s390xcap.c
s390xcpuid.pl
self_test_core.c Update copyright year 2022-05-03 13:34:51 +01:00
sparccpuid.S
sparcv9cap.c
sparse_array.c Update copyright year 2022-05-03 13:34:51 +01:00
threads_lib.c
threads_none.c
threads_pthread.c Update copyright year 2022-05-03 13:34:51 +01:00
threads_win.c
trace.c Update copyright year 2022-05-03 13:34:51 +01:00
uid.c
vms_rms.h
x86_64cpuid.pl
x86cpuid.pl