Source: libp11-openssl1.1
Version: 0.4.4-4
Severity: important
Tags: patch
Control: forwarded -1 https://github.com/OpenSC/libp11/issues/185

Dear Maintainer,

using the pkcs11 back end results in a double-free:

 kurt@kurt tmp % openssl dgst -sha256 -engine pkcs11 -keyform engine -sign 
"pkcs11:<key>" blub > blub.sig
 engine "pkcs11" set.
 No private keys found.
 PKCS#11 token PIN:
 *** Error in `openssl': double free or corruption (fasttop): 
0x0000558e9ed49230 ***
 ======= Backtrace: =========
 /lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7f3ac5f40bfb]
 /lib/x86_64-linux-gnu/libc.so.6(+0x76fc6)[0x7f3ac5f46fc6]
 /lib/x86_64-linux-gnu/libc.so.6(+0x7780e)[0x7f3ac5f4780e]
 /usr/lib/softhsm/libsofthsm2.so(+0x709e8)[0x7f3ac56149e8]
 /usr/lib/softhsm/libsofthsm2.so(+0x70657)[0x7f3ac5614657]
 /usr/lib/softhsm/libsofthsm2.so(+0x2e967)[0x7f3ac55d2967]
 /usr/lib/softhsm/libsofthsm2.so(C_CloseSession+0x14)[0x7f3ac55b8234]
 /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so(+0x1f3dd)[0x7f3ac5a793dd]
 /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so(+0x39fe0)[0x7f3ac5a93fe0]
 
/usr/lib/x86_64-linux-gnu/libffi.so.6(ffi_closure_unix64_inner+0x1cf)[0x7f3ac5856e2f]
 /usr/lib/x86_64-linux-gnu/libffi.so.6(ffi_closure_unix64+0x46)[0x7f3ac58571a0]
 /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so(+0x2302d)[0x7f3ac5a7d02d]
 /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so(+0x23190)[0x7f3ac5a7d190]
 /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so(+0x3a000)[0x7f3ac5a94000]
 
/usr/lib/x86_64-linux-gnu/libffi.so.6(ffi_closure_unix64_inner+0x1cf)[0x7f3ac5856e2f]
 /usr/lib/x86_64-linux-gnu/libffi.so.6(ffi_closure_unix64+0x46)[0x7f3ac58571a0]
 /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so(+0xb2d5)[0x7f3ac5cca2d5]
 /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so(+0xb737)[0x7f3ac5cca737]
 /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so(+0x5cbe)[0x7f3ac5cc4cbe]
 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1(+0x14c13f)[0x7f3ac67dc13f]
 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1(+0x14dea2)[0x7f3ac67ddea2]
 
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1(OPENSSL_LH_doall+0x41)[0x7f3ac67fd971]
 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1(+0x14e22d)[0x7f3ac67de22d]
 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1(+0x14c356)[0x7f3ac67dc356]
 
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1(OPENSSL_sk_pop_free+0x31)[0x7f3ac6851ca1]
 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1(+0x14c6ac)[0x7f3ac67dc6ac]
 
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1(OPENSSL_cleanup+0x11e)[0x7f3ac67fb9de]
 /lib/x86_64-linux-gnu/libc.so.6(+0x35940)[0x7f3ac5f05940]
 /lib/x86_64-linux-gnu/libc.so.6(+0x3599a)[0x7f3ac5f0599a]
 openssl(+0x2ee64)[0x558e9cab1e64]
 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f3ac5ef02e1]
 openssl(+0x2f09a)[0x558e9cab209a]
 ======= Memory map: ========
 [...]

This is already fixed upstream:

 
https://github.com/OpenSC/libp11/commit/da725ab727342083478150a203a3c80c4551feb4

The function EVP_PKEY_set1_engine() is available in Stretch's OpenSSL 1.1.

-- System Information:
Debian Release: 9.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-0.bpo.2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
From da725ab727342083478150a203a3c80c4551feb4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <michal.trojn...@stunnel.org>
Date: Sat, 4 Nov 2017 09:25:10 +0100
Subject: [PATCH] Invoke EVP_PKEY_set1_engine() if OpenSSL has it

This approach was suggested by @mouse07410 in #185.
---
 src/eng_front.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/eng_front.c b/src/eng_front.c
index 9633fe061c75..45f15a1b1f2e 100644
--- a/src/eng_front.c
+++ b/src/eng_front.c
@@ -195,11 +195,19 @@ static EVP_PKEY *load_privkey(ENGINE *engine, const char *s_key_id,
 		UI_METHOD *ui_method, void *callback_data)
 {
 	ENGINE_CTX *ctx;
+	EVP_PKEY *pkey;
 
 	ctx = get_ctx(engine);
 	if (ctx == NULL)
 		return 0;
-	return ctx_load_privkey(ctx, s_key_id, ui_method, callback_data);
+	pkey = ctx_load_privkey(ctx, s_key_id, ui_method, callback_data);
+#ifdef EVP_F_EVP_PKEY_SET1_ENGINE
+	/* EVP_PKEY_set1_engine() is required for OpenSSL 1.1.x,
+	 * but otherwise setting pkey->engine breaks OpenSSL 1.0.2 */
+	if (pkey)
+		EVP_PKEY_set1_engine(pkey, engine);
+#endif /* EVP_F_EVP_PKEY_SET1_ENGINE */
+	return pkey;
 }
 
 static int engine_ctrl(ENGINE *engine, int cmd, long i, void *p, void (*f) ())
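Review bot: The return value of EVP_PKEY_set1_engine() on the added line is discarded; in OpenSSL 1.1 it returns 0 when it cannot bind the engine (ENGINE_init() failure or no pkey method for the key type, with an error pushed on the queue), and on that branch load_privkey() still hands back a key that carries no engine reference, which is presumably the same state that produced the reported double-free at OPENSSL_cleanup(). I would fail the load instead of returning the half-initialised key: `if (pkey && !EVP_PKEY_set1_engine(pkey, engine)) { EVP_PKEY_free(pkey); pkey = NULL; }`, keeping the `return pkey;` below. As a minor style point, the context line `return 0;` in a function returning `EVP_PKEY *` reads better as `return NULL;`. Using the error-reason macro EVP_F_EVP_PKEY_SET1_ENGINE as a feature test for the function works for 1.1.x but is indirect; a comment noting that this is what the `#ifdef` relies on would help the next maintainer.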
-- 
2.11.0
