Hi there!

I'm using the GOST engine to sign files on an ARM platform and I got a
crash with bt pointing to the GOST engine. When gost2001_do_sign()
fails for some reason (missing /dev/urandom in my case) it doesn't set
'newsig' to NULL and hence returns a dangling pointer.
pkey_gost01_cp_sign() gets misled by it and everything goes downhill from there.

The bt I got:

#0  0x400ccbc0 in BN_num_bits (a=0x0) at bn_lib.c:250
#1  0x403a73f0 in store_bignum (bn=0x0, buf=0x1f120 "", len=32)
    at gost_sign.c:316
#2  0x403a6a94 in pack_sign_cp (s=0x1f4d0, order=32, sig=0x1f120 "",
    siglen=0xbe97fc18) at gost_sign.c:123
#3  0x403a5644 in pkey_gost01_cp_sign (ctx=0x1f470, sig=0x1f120 "",
    siglen=0xbe97fc18,
    tbs=0xbe97fc38 "��?��!Шe��Jm�uzݾ�\211�U�\203Hk3\207�\211\017�",
    tbs_len=32) at gost_pmeth.c:366
#4  0x40157de4 in EVP_PKEY_sign (ctx=0x1f470, sig=0x1f120 "",
    siglen=0xbe97fc18,
    tbs=0xbe97fc38 "��?��!Шe��Jm�uzݾ�\211�U�\203Hk3\207�\211\017�",
    tbslen=32) at pmeth_fn.c:116
#5  0x4014dd90 in EVP_SignFinal (ctx=0xbe980cbc, sigret=0x1f120 "",
    siglen=0xbe980cb8, pkey=0x1f448) at p_sign.c:104
#6  0x000090e4 in sign_file (name=0xbe980f52 "ipsum", e=0x1db00,
    md=0x403b2d50, pkey=0x1f448) at sign.c:122
#7  0x00009548 in main (argc=2, argv=0xbe980e74) at sign.c:223


With the attached patch pkey_gost01_cp_sign() fails properly and I get
a pretty clear error message.

-- 
Dmitry Ivanov
KDE PIM developer (pim.kde.org)
partimage-ng developer (partimage-ng.net)
--- openssl-1.0.0-stable-SNAP-20100215/engines/ccgost/gost2001.c	2008-02-28 16:45:05.000000000 +0300
+++ lpc/openssl/openssl-1.0.0-stable-SNAP-20100215/engines/ccgost/gost2001.c	2010-02-16 14:45:03.000000000 +0300
@@ -136,12 +136,14 @@ DSA_SIG *gost2001_do_sign(const unsigned
 				{
 				GOSTerr(GOST_F_GOST2001_DO_SIGN,GOST_R_RANDOM_NUMBER_GENERATOR_FAILED);
 				DSA_SIG_free(newsig);
+				newsig = NULL;
 				goto err;
 				}	
 			if (!EC_POINT_mul(group,C,k,NULL,NULL,ctx))
 				{
 				GOSTerr(GOST_F_GOST2001_DO_SIGN,ERR_R_EC_LIB);
 				DSA_SIG_free(newsig);
+				newsig = NULL;
 				goto err;
 				}	
 			if (!X) X=BN_CTX_get(ctx);
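Review bot: the `newsig = NULL;` after `DSA_SIG_free(newsig);` is the right fix for the dangling return, but the same free-then-reset pair is now repeated at both failure sites in this hunk (the RNG failure and the `EC_POINT_mul` failure) and again in the next hunk; hoisting `DSA_SIG_free(newsig); newsig = NULL;` into the `err:` path would make it impossible for a future error exit to forget the pair. A short comment at the `err` label stating that gost2001_do_sign() returns NULL on every failure would also help, since callers such as pkey_gost01_cp_sign() depend on that contract.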
@@ -149,6 +151,7 @@ DSA_SIG *gost2001_do_sign(const unsigned
 				{
 				GOSTerr(GOST_F_GOST2001_DO_SIGN,ERR_R_EC_LIB);
 				DSA_SIG_free(newsig);
+				newsig = NULL;
 				goto err;
 				}	
 			if (!r) r=BN_CTX_get(ctx);
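Review bot: this is the third copy of the free-and-reset pair; if the cleanup stays at the individual sites rather than at `err:`, please confirm that every `goto err` reached after `newsig` is allocated in gost2001_do_sign() now resets the pointer, because the patch shows only these three sites and any remaining one would reproduce the original BN_num_bits (a=0x0) crash through pack_sign_cp().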
