rpms / openssl

Clone
Source Code
GIT

Blame SOURCES/openssl-1.1.1-cve-2022-4450-PEM-bio.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   dc0b1fe60973dcd3d9dfa9bc8f7ad32fbba5e72a
  2.   SOURCES
  3.   openssl-1.1.1-cve-2022-4450-PEM-bio.patch
Blob History Raw
dc0b1f 
From bbcf509bd046b34cca19c766bbddc31683d0858b Mon Sep 17 00:00:00 2001
dc0b1f 
From: Matt Caswell <matt@openssl.org>
dc0b1f 
Date: Tue, 13 Dec 2022 14:54:55 +0000
dc0b1f 
Subject: [PATCH 2/6] Avoid dangling ptrs in header and data params for
dc0b1f 
 PEM_read_bio_ex
dc0b1f
dc0b1f 
In the event of a failure in PEM_read_bio_ex() we free the buffers we
dc0b1f 
allocated for the header and data buffers. However we were not clearing
dc0b1f 
the ptrs stored in *header and *data. Since, on success, the caller is
dc0b1f 
responsible for freeing these ptrs this can potentially lead to a double
dc0b1f 
free if the caller frees them even on failure.
dc0b1f
dc0b1f 
Thanks to Dawei Wang for reporting this issue.
dc0b1f
dc0b1f 
Based on a proposed patch by Kurt Roeckx.
dc0b1f
dc0b1f 
CVE-2022-4450
dc0b1f
dc0b1f 
Reviewed-by: Paul Dale <pauli@openssl.org>
dc0b1f 
Reviewed-by: Hugo Landau <hlandau@openssl.org>
dc0b1f 
---
dc0b1f 
 crypto/pem/pem_lib.c | 2 ++
dc0b1f 
 1 file changed, 2 insertions(+)
dc0b1f
dc0b1f 
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
dc0b1f 
index d416d939ea..328c30cdbb 100644
dc0b1f 
--- a/crypto/pem/pem_lib.c
dc0b1f 
+++ b/crypto/pem/pem_lib.c
dc0b1f 
@@ -957,7 +957,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
dc0b1f 
     *data = pem_malloc(len, flags);
dc0b1f 
     if (*header == NULL || *data == NULL) {
dc0b1f 
         pem_free(*header, flags, 0);
dc0b1f 
+        *header = NULL;
dc0b1f 
         pem_free(*data, flags, 0);
dc0b1f 
+        *data = NULL;
dc0b1f 
         goto end;
dc0b1f 
     }
dc0b1f 
     BIO_read(headerB, *header, headerlen);
dc0b1f 
--
dc0b1f 
2.39.1
dc0b1f
dc0b1f 
From 2bd611267868a008afa576846ba71566bd0d4d15 Mon Sep 17 00:00:00 2001
dc0b1f 
From: Matt Caswell <matt@openssl.org>
dc0b1f 
Date: Tue, 13 Dec 2022 15:02:26 +0000
dc0b1f 
Subject: [PATCH 3/6] Add a test for CVE-2022-4450
dc0b1f
dc0b1f 
Call PEM_read_bio_ex() and expect a failure. There should be no dangling
dc0b1f 
ptrs and therefore there should be no double free if we free the ptrs on
dc0b1f 
error.
dc0b1f
dc0b1f 
Reviewed-by: Paul Dale <pauli@openssl.org>
dc0b1f 
Reviewed-by: Hugo Landau <hlandau@openssl.org>
dc0b1f 
---
dc0b1f 
 test/pemtest.c | 30 ++++++++++++++++++++++++++++++
dc0b1f 
 1 file changed, 30 insertions(+)
dc0b1f
dc0b1f 
diff --git a/test/pemtest.c b/test/pemtest.c
dc0b1f 
index 3203d976be..edeb0a1205 100644
dc0b1f 
--- a/test/pemtest.c
dc0b1f 
+++ b/test/pemtest.c
dc0b1f 
@@ -83,9 +83,39 @@ static int test_invalid(void)
dc0b1f 
     return 1;
dc0b1f 
 }
dc0b1f
dc0b1f 
+static int test_empty_payload(void)
dc0b1f 
+{
dc0b1f 
+    BIO *b;
dc0b1f 
+    static char *emptypay =
dc0b1f 
+        "-----BEGIN CERTIFICATE-----\n"
dc0b1f 
+        "-\n" /* Base64 EOF character */
dc0b1f 
+        "-----END CERTIFICATE-----";
dc0b1f 
+    char *name = NULL, *header = NULL;
dc0b1f 
+    unsigned char *data = NULL;
dc0b1f 
+    long len;
dc0b1f 
+    int ret = 0;
dc0b1f 
+
dc0b1f 
+    b = BIO_new_mem_buf(emptypay, strlen(emptypay));
dc0b1f 
+    if (!TEST_ptr(b))
dc0b1f 
+        return 0;
dc0b1f 
+
dc0b1f 
+    /* Expected to fail because the payload is empty */
dc0b1f 
+    if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0)))
dc0b1f 
+        goto err;
dc0b1f 
+
dc0b1f 
+    ret = 1;
dc0b1f 
+ err:
dc0b1f 
+    OPENSSL_free(name);
dc0b1f 
+    OPENSSL_free(header);
dc0b1f 
+    OPENSSL_free(data);
dc0b1f 
+    BIO_free(b);
dc0b1f 
+    return ret;
dc0b1f 
+}
dc0b1f 
+
dc0b1f 
 int setup_tests(void)
dc0b1f 
 {
dc0b1f 
     ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data));
dc0b1f 
     ADD_TEST(test_invalid);
dc0b1f 
+    ADD_TEST(test_empty_payload);
dc0b1f 
     return 1;
dc0b1f 
 }
dc0b1f 
--
dc0b1f 
2.39.1
dc0b1f

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation