mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-03-07 19:38:33 +08:00
Code Issues Packages Projects Releases Wiki Activity
dc0ef292f7
openssl/ssl
History
Bernd Edlinger dc0ef292f7 Fix a crash in ssl_security_cert_chain 
Prior to the crash there is an out of memory error
in X509_verify_cert which makes the chain NULL or
empty.  The error is ignored by ssl_add_cert_chain,
and ssl_security_cert_chain crashes due to the
unchecked null pointer.

This is reproducible with my error injection patch.

The test vector has been validated on the 1.1.1 branch
but the issue is of course identical in all branches.

$ ERROR_INJECT=1652848273 ../util/shlib_wrap.sh ./server-test ./corpora/server/47c8e933c4ec66fa3c309422283dfe0f31aafae8# ./corpora/server/47c8e933c4ec66fa3c309422283dfe0f31aafae8
    #0 0x7f3a8f766eba in __sanitizer_print_stack_trace ../../../../gcc-trunk/libsanitizer/asan/asan_stack.cpp:87
    #1 0x403ba4 in my_malloc fuzz/test-corpus.c:114
    #2 0x7f3a8f39a430 in CRYPTO_zalloc crypto/mem.c:230
    #3 0x7f3a8f46bd3b in sk_reserve crypto/stack/stack.c:180
    #4 0x7f3a8f46bd3b in OPENSSL_sk_insert crypto/stack/stack.c:242
    #5 0x7f3a8f4a4fd8 in sk_X509_push include/openssl/x509.h:99
    #6 0x7f3a8f4a4fd8 in X509_verify_cert crypto/x509/x509_vfy.c:286
    #7 0x7f3a8fed726e in ssl_add_cert_chain ssl/statem/statem_lib.c:959
    #8 0x7f3a8fed726e in ssl3_output_cert_chain ssl/statem/statem_lib.c:1015
    #9 0x7f3a8fee1c50 in tls_construct_server_certificate ssl/statem/statem_srvr.c:3812
    #10 0x7f3a8feb8b0a in write_state_machine ssl/statem/statem.c:843
    #11 0x7f3a8feb8b0a in state_machine ssl/statem/statem.c:443
    #12 0x7f3a8fe84b3f in SSL_do_handshake ssl/ssl_lib.c:3718
    #13 0x403202 in FuzzerTestOneInput fuzz/server.c:740
    #14 0x40371b in testfile fuzz/test-corpus.c:182
    #15 0x402856 in main fuzz/test-corpus.c:226
    #16 0x7f3a8e859f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #17 0x402936  (/home/ed/OPC/openssl/fuzz/server-test+0x402936)

AddressSanitizer:DEADLYSIGNAL
=================================================================
==8400==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000158 (pc 0x7f3a8f4d822f bp 0x7ffc39b76190 sp 0x7ffc39b760a0 T0)
==8400==The signal is caused by a READ memory access.
==8400==Hint: address points to the zero page.
    #0 0x7f3a8f4d822f in x509v3_cache_extensions crypto/x509v3/v3_purp.c:386
    #1 0x7f3a8f4d9d3a in X509_check_purpose crypto/x509v3/v3_purp.c:84
    #2 0x7f3a8f4da02a in X509_get_extension_flags crypto/x509v3/v3_purp.c:921
    #3 0x7f3a8feff7d2 in ssl_security_cert_sig ssl/t1_lib.c:2518
    #4 0x7f3a8feff7d2 in ssl_security_cert ssl/t1_lib.c:2542
    #5 0x7f3a8feffa03 in ssl_security_cert_chain ssl/t1_lib.c:2562
    #6 0x7f3a8fed728d in ssl_add_cert_chain ssl/statem/statem_lib.c:963
    #7 0x7f3a8fed728d in ssl3_output_cert_chain ssl/statem/statem_lib.c:1015
    #8 0x7f3a8fee1c50 in tls_construct_server_certificate ssl/statem/statem_srvr.c:3812
    #9 0x7f3a8feb8b0a in write_state_machine ssl/statem/statem.c:843
    #10 0x7f3a8feb8b0a in state_machine ssl/statem/statem.c:443
    #11 0x7f3a8fe84b3f in SSL_do_handshake ssl/ssl_lib.c:3718
    #12 0x403202 in FuzzerTestOneInput fuzz/server.c:740
    #13 0x40371b in testfile fuzz/test-corpus.c:182
    #14 0x402856 in main fuzz/test-corpus.c:226
    #15 0x7f3a8e859f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #16 0x402936  (/home/ed/OPC/openssl/fuzz/server-test+0x402936)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV crypto/x509v3/v3_purp.c:386 in x509v3_cache_extensions
==8400==ABORTING

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18376)
2022-05-24 12:02:55 +02:00
..
record Fix leakage when the cacheline is 32-bytes in CBC_MAC_ROTATE_IN_PLACE 2022-05-09 16:40:21 +02:00
statem Remove duplicated #include headers 2022-05-04 13:46:10 +10:00
bio_ssl.c Fix ssl_free() and thus BIO_free() to respect BIO_NOCLOSE 2021-10-04 10:55:39 +02:00
build.info
d1_lib.c Update copyright year 2022-05-03 13:34:51 +01:00
d1_msg.c fix some code with obvious wrong coding style 2021-10-28 13:10:46 +10:00
d1_srtp.c Add more SRTP protection profiles 2022-05-23 10:07:51 +02:00
ktls.c Update copyright year 2022-05-03 13:34:51 +01:00
methods.c
pqueue.c
s3_cbc.c fips module header inclusion fine-tunning 2021-07-06 10:52:27 +10:00
s3_enc.c
s3_lib.c Update copyright year 2022-05-03 13:34:51 +01:00
s3_msg.c
ssl_asn1.c Make the -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION pass tests 2021-08-31 12:20:12 +02:00
ssl_cert_table.h
ssl_cert.c tls: ban SSL3, TLS1, TLS1.1 and DTLS1.0 at security level one and above 2022-05-08 16:58:00 +10:00
ssl_ciph.c Don't include any TLSv1.3 ciphersuites that are disabled 2021-11-29 12:17:30 +10:00
ssl_conf.c Update copyright year 2022-05-03 13:34:51 +01:00
ssl_err_legacy.c Update copyright year 2021-06-17 13:24:59 +01:00
ssl_err.c Update copyright year 2022-05-03 13:34:51 +01:00
ssl_init.c err: get rid of err_free_strings_int() 2022-05-10 09:47:54 +02:00
ssl_lib.c Update copyright year 2022-05-03 13:34:51 +01:00
ssl_local.h Update copyright year 2022-05-03 13:34:51 +01:00
ssl_mcnf.c
ssl_rsa_legacy.c
ssl_rsa.c Fix coverity 1504433: unchecked return value 2022-05-19 10:41:52 +10:00
ssl_sess.c Update copyright year 2022-05-03 13:34:51 +01:00
ssl_stat.c Update copyright year 2021-09-07 13:35:43 +02:00
ssl_txt.c Update copyright year 2022-05-03 13:34:51 +01:00
ssl_utst.c
sslerr.h
t1_enc.c Fix check of EVP_CIPHER_CTX_ctrl 2022-05-24 08:57:37 +02:00
t1_lib.c Fix a crash in ssl_security_cert_chain 2022-05-24 12:02:55 +02:00
t1_trce.c Enable brainpool curves for TLS1.3 2021-11-26 06:45:19 +01:00
tls13_enc.c Fix check of EVP_CIPHER_CTX_ctrl 2022-05-24 08:57:37 +02:00
tls_depr.c Replace the AES-128-CBC-HMAC-SHA1 cipher in e_ossltest.c 2021-10-06 15:18:10 +02:00
tls_srp.c