isaacpittman-hitachi / rpms / openssl

Forked from rpms/openssl 2 years ago
Clone

Blame SOURCES/openssl-1.1.1-cve-2022-4450-PEM-bio.patch

2502e2
From bbcf509bd046b34cca19c766bbddc31683d0858b Mon Sep 17 00:00:00 2001
2502e2
From: Matt Caswell <matt@openssl.org>
2502e2
Date: Tue, 13 Dec 2022 14:54:55 +0000
2502e2
Subject: [PATCH 2/6] Avoid dangling ptrs in header and data params for
2502e2
 PEM_read_bio_ex
2502e2
2502e2
In the event of a failure in PEM_read_bio_ex() we free the buffers we
2502e2
allocated for the header and data buffers. However we were not clearing
2502e2
the ptrs stored in *header and *data. Since, on success, the caller is
2502e2
responsible for freeing these ptrs this can potentially lead to a double
2502e2
free if the caller frees them even on failure.
2502e2
2502e2
Thanks to Dawei Wang for reporting this issue.
2502e2
2502e2
Based on a proposed patch by Kurt Roeckx.
2502e2
2502e2
CVE-2022-4450
2502e2
2502e2
Reviewed-by: Paul Dale <pauli@openssl.org>
2502e2
Reviewed-by: Hugo Landau <hlandau@openssl.org>
2502e2
---
2502e2
 crypto/pem/pem_lib.c | 2 ++
2502e2
 1 file changed, 2 insertions(+)
2502e2
2502e2
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
2502e2
index d416d939ea..328c30cdbb 100644
2502e2
--- a/crypto/pem/pem_lib.c
2502e2
+++ b/crypto/pem/pem_lib.c
2502e2
@@ -957,7 +957,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
2502e2
     *data = pem_malloc(len, flags);
2502e2
     if (*header == NULL || *data == NULL) {
2502e2
         pem_free(*header, flags, 0);
2502e2
+        *header = NULL;
2502e2
         pem_free(*data, flags, 0);
2502e2
+        *data = NULL;
2502e2
         goto end;
2502e2
     }
2502e2
     BIO_read(headerB, *header, headerlen);
2502e2
-- 
2502e2
2.39.1
2502e2
2502e2
From 2bd611267868a008afa576846ba71566bd0d4d15 Mon Sep 17 00:00:00 2001
2502e2
From: Matt Caswell <matt@openssl.org>
2502e2
Date: Tue, 13 Dec 2022 15:02:26 +0000
2502e2
Subject: [PATCH 3/6] Add a test for CVE-2022-4450
2502e2
2502e2
Call PEM_read_bio_ex() and expect a failure. There should be no dangling
2502e2
ptrs and therefore there should be no double free if we free the ptrs on
2502e2
error.
2502e2
2502e2
Reviewed-by: Paul Dale <pauli@openssl.org>
2502e2
Reviewed-by: Hugo Landau <hlandau@openssl.org>
2502e2
---
2502e2
 test/pemtest.c | 30 ++++++++++++++++++++++++++++++
2502e2
 1 file changed, 30 insertions(+)
2502e2
2502e2
diff --git a/test/pemtest.c b/test/pemtest.c
2502e2
index 3203d976be..edeb0a1205 100644
2502e2
--- a/test/pemtest.c
2502e2
+++ b/test/pemtest.c
2502e2
@@ -83,9 +83,39 @@ static int test_invalid(void)
2502e2
     return 1;
2502e2
 }
2502e2
 
2502e2
+static int test_empty_payload(void)
2502e2
+{
2502e2
+    BIO *b;
2502e2
+    static char *emptypay =
2502e2
+        "-----BEGIN CERTIFICATE-----\n"
2502e2
+        "-\n" /* Base64 EOF character */
2502e2
+        "-----END CERTIFICATE-----";
2502e2
+    char *name = NULL, *header = NULL;
2502e2
+    unsigned char *data = NULL;
2502e2
+    long len;
2502e2
+    int ret = 0;
2502e2
+
2502e2
+    b = BIO_new_mem_buf(emptypay, strlen(emptypay));
2502e2
+    if (!TEST_ptr(b))
2502e2
+        return 0;
2502e2
+
2502e2
+    /* Expected to fail because the payload is empty */
2502e2
+    if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0)))
2502e2
+        goto err;
2502e2
+
2502e2
+    ret = 1;
2502e2
+ err:
2502e2
+    OPENSSL_free(name);
2502e2
+    OPENSSL_free(header);
2502e2
+    OPENSSL_free(data);
2502e2
+    BIO_free(b);
2502e2
+    return ret;
2502e2
+}
2502e2
+
2502e2
 int setup_tests(void)
2502e2
 {
2502e2
     ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data));
2502e2
     ADD_TEST(test_invalid);
2502e2
+    ADD_TEST(test_empty_payload);
2502e2
     return 1;
2502e2
 }
2502e2
-- 
2502e2
2.39.1
2502e2