Blame SOURCES/0103-CVE-2022-4450-pem-read-bio.patch

3da501
From 63bcf189be73a9cc1264059bed6f57974be74a83 Mon Sep 17 00:00:00 2001
3da501
From: Matt Caswell <matt@openssl.org>
3da501
Date: Tue, 13 Dec 2022 14:54:55 +0000
3da501
Subject: [PATCH 04/18] Avoid dangling ptrs in header and data params for
3da501
 PEM_read_bio_ex
3da501
3da501
In the event of a failure in PEM_read_bio_ex() we free the buffers we
3da501
allocated for the header and data buffers. However we were not clearing
3da501
the ptrs stored in *header and *data. Since, on success, the caller is
3da501
responsible for freeing these ptrs this can potentially lead to a double
3da501
free if the caller frees them even on failure.
3da501
3da501
Thanks to Dawei Wang for reporting this issue.
3da501
3da501
Based on a proposed patch by Kurt Roeckx.
3da501
3da501
CVE-2022-4450
3da501
3da501
Reviewed-by: Paul Dale <pauli@openssl.org>
3da501
Reviewed-by: Hugo Landau <hlandau@openssl.org>
3da501
---
3da501
 crypto/pem/pem_lib.c | 2 ++
3da501
 1 file changed, 2 insertions(+)
3da501
3da501
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
3da501
index f9ff80162a..85c47fb627 100644
3da501
--- a/crypto/pem/pem_lib.c
3da501
+++ b/crypto/pem/pem_lib.c
3da501
@@ -989,7 +989,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
d8c783
 
d8c783
 out_free:
d8c783
     pem_free(*header, flags, 0);
d8c783
+    *header = NULL;
d8c783
     pem_free(*data, flags, 0);
d8c783
+    *data = NULL;
d8c783
 end:
d8c783
     EVP_ENCODE_CTX_free(ctx);
d8c783
     pem_free(name, flags, 0);
3da501
-- 
3da501
2.39.1
3da501
3da501
From cbafa34b5a057794c5c08cd4657038e1f643c1ac Mon Sep 17 00:00:00 2001
3da501
From: Matt Caswell <matt@openssl.org>
3da501
Date: Tue, 13 Dec 2022 15:02:26 +0000
3da501
Subject: [PATCH 05/18] Add a test for CVE-2022-4450
3da501
3da501
Call PEM_read_bio_ex() and expect a failure. There should be no dangling
3da501
ptrs and therefore there should be no double free if we free the ptrs on
3da501
error.
3da501
3da501
Reviewed-by: Paul Dale <pauli@openssl.org>
3da501
Reviewed-by: Hugo Landau <hlandau@openssl.org>
3da501
---
3da501
 test/pemtest.c | 30 ++++++++++++++++++++++++++++++
3da501
 1 file changed, 30 insertions(+)
3da501
3da501
diff --git a/test/pemtest.c b/test/pemtest.c
3da501
index a8d2d49bb5..a5d28cb256 100644
3da501
--- a/test/pemtest.c
3da501
+++ b/test/pemtest.c
3da501
@@ -96,6 +96,35 @@ static int test_cert_key_cert(void)
3da501
     return 1;
3da501
 }
3da501
 
3da501
+static int test_empty_payload(void)
3da501
+{
3da501
+    BIO *b;
3da501
+    static char *emptypay =
3da501
+        "-----BEGIN CERTIFICATE-----\n"
3da501
+        "-\n" /* Base64 EOF character */
3da501
+        "-----END CERTIFICATE-----";
3da501
+    char *name = NULL, *header = NULL;
3da501
+    unsigned char *data = NULL;
3da501
+    long len;
3da501
+    int ret = 0;
3da501
+
3da501
+    b = BIO_new_mem_buf(emptypay, strlen(emptypay));
3da501
+    if (!TEST_ptr(b))
3da501
+        return 0;
3da501
+
3da501
+    /* Expected to fail because the payload is empty */
3da501
+    if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0)))
3da501
+        goto err;
3da501
+
3da501
+    ret = 1;
3da501
+ err:
3da501
+    OPENSSL_free(name);
3da501
+    OPENSSL_free(header);
3da501
+    OPENSSL_free(data);
3da501
+    BIO_free(b);
3da501
+    return ret;
3da501
+}
3da501
+
3da501
 int setup_tests(void)
3da501
 {
3da501
     if (!TEST_ptr(pemfile = test_get_argument(0)))
3da501
@@ -103,5 +132,6 @@ int setup_tests(void)
3da501
     ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data));
3da501
     ADD_TEST(test_invalid);
3da501
     ADD_TEST(test_cert_key_cert);
3da501
+    ADD_TEST(test_empty_payload);
3da501
     return 1;
3da501
 }
3da501
-- 
3da501
2.39.1
3da501