Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:15-SP4
openssl-1_1
openssl-CVE-2023-0215-1of4.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File openssl-CVE-2023-0215-1of4.patch of Package openssl-1_1
commit 847b1cd5fcf2a9098871f5832a50845670c3885e Author: Matt Caswell <matt@openssl.org> Date: Wed Dec 14 16:18:14 2022 +0000 Fix a UAF resulting from a bug in BIO_new_NDEF If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will be part of an invalid BIO chain. This causes a "use after free" when the BIO is eventually freed. Based on an original patch by Viktor Dukhovni. Thanks to Octavio Galland for reporting this issue. diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c index 760e4846a4..e0deaecf19 100644 --- a/crypto/asn1/bio_ndef.c +++ b/crypto/asn1/bio_ndef.c @@ -49,6 +49,12 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg); static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen, void *parg); +/* + * On success, the returned BIO owns the input BIO as part of its BIO chain. + * On failure, NULL is returned and the input BIO is owned by the caller. + * + * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream() + */ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) { NDEF_SUPPORT *ndef_aux = NULL; @@ -60,45 +66,50 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED); return NULL; } - ndef_aux = OPENSSL_zalloc(sizeof(*ndef_aux)); asn_bio = BIO_new(BIO_f_asn1()); - if (ndef_aux == NULL || asn_bio == NULL) - goto err; - - /* ASN1 bio needs to be next to output BIO */ - out = BIO_push(asn_bio, out); - if (out == NULL) - goto err; + if (asn_bio == NULL) + return NULL; BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free); BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free); + /* ASN1 bio needs to be next to output BIO */ + if (BIO_push(asn_bio, out) == NULL) { + BIO_free(asn_bio); + return NULL; + } + /* - * Now let callback prepends any digest, cipher etc BIOs ASN1 structure - * needs. + * Now let the callback prepend any digest, cipher, etc., that the BIO's + * ASN1 structure needs. */ - - sarg.out = out; + sarg.out = asn_bio; sarg.ndef_bio = NULL; sarg.boundary = NULL; - if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) - goto err; + /* + * On error, restore input BIO to head of its BIO chain. + * + * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the + * middle of some partially built, but not returned BIO chain. + */ + if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0 + || (ndef_aux = OPENSSL_zalloc(sizeof(*ndef_aux))) == NULL) { + /* Assumed head of BIO chain with "out" as immediate successor */ + (void)BIO_pop(asn_bio); + BIO_free(asn_bio); + return NULL; + } ndef_aux->val = val; ndef_aux->it = it; ndef_aux->ndef_bio = sarg.ndef_bio; ndef_aux->boundary = sarg.boundary; - ndef_aux->out = out; + ndef_aux->out = asn_bio; BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux); return sarg.ndef_bio; - - err: - BIO_free(asn_bio); - OPENSSL_free(ndef_aux); - return NULL; } static int ndef_prefix(BIO *b, unsigned char **pbuf, int *plen, void *parg)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor