Hello all,
Found a handful of issues w.r.t. malloc failure handling in the openssl code.
Please note that all of these happen when the malloc has failed and returned 
NULL.

========================================================================================
Issue 1)
 We could have failed to allocate the ctx->cipher_data in EVP_CipherInit_ex

        ctx->cipher_data = OPENSSL_malloc(ctx->cipher->ctx_size);
        if (!ctx->cipher_data) {
            EVPerr(EVP_F_EVP_CIPHERINIT_EX, ERR_R_MALLOC_FAILURE);
            return 0;
        }

We do subsequently return an error from EVP_CipherInit_ex. However, during shutdown, 
because of this error, we are not checking for the NULL cipher_data, causing cores
with the backtrace below.
(gdb) bt
0 0x0000000001486ed0 in rc4_hmac_md5_ctrl (ctx=0x7692e020, type=<optimized 
out>, arg=13,
ptr=0x7fba15ffe9a0) at 
../../../../../../src/crypto/openssl/crypto/evp/e_rc4_hmac_md5.c:274
1 0x00000000014ae3c4 in EVP_CIPHER_CTX_ctrl (ctx=0x7692e020, type=369093024, 
arg=2,
ptr=0x7fba15ffe9a0) at 
../../../../../../src/crypto/openssl/crypto/evp/evp_enc.c:606

2 0x00000000013a4e85 in tls1_enc (s=0x7ddbba10, send=1)
at ../../../../../../src/crypto/openssl/ssl/t1_enc.c:828
3 0x00000000013954e3 in do_ssl3_write (s=0x7ddbba10, type=21, buf=0x7e477148 
"\001", len=2,
create_empty_fragment=0) at 
../../../../../../src/crypto/openssl/ssl/s3_pkt.c:951
4 0x000000000139566d in ssl3_dispatch_alert (s=0x7692e020)
at ../../../../../../src/crypto/openssl/ssl/s3_pkt.c:1704
5 0x0000000001394e73 in ssl3_send_alert (s=0x7ddbba10, level=1, desc=0)
at ../../../../../../src/crypto/openssl/ssl/s3_pkt.c:1690
6 0x0000000001398378 in ssl3_shutdown (s=0x7692e020)
at ../../../../../../src/crypto/openssl/ssl/s3_lib.c:4205
7 0x0000000001391755 in SSL_shutdown (s=0x7ddbba10)

========================================================================================
Issue 2
In file pmeth_gn.c, function EVP_PKEY_keygen, openssl code tries to allocate an 
EVP_PKEY using EVP_PKEY_new and immediately follows with a dereference of the 
same in the below path without checking whether the allocation was successful.

(gdb) bt
    at ../../../../../../src/crypto/openssl/crypto/evp/p_lib.c:258
    at ../../../../../../src/crypto/openssl/crypto/hmac/hm_pmeth.c:140
    at ../../../../../../src/crypto/openssl/crypto/evp/pmeth_gn.c:150
    key=0x7779ff14 "[L \351\302\202M\"\326 
\b\361\275\267\n\300\205I\277\023\344\346D\341+K5\331d\327(\177\"\237\027\065\273TT\346\335\246\343\242\256",
 keylen=48) at ../../../../../../src/crypto/openssl/crypto/evp/pmeth_gn.c:209
    seed5=<optimized out>, seed4_len=<optimized out>, seed4=<optimized out>, 
seed3_len=<optimized out>,
    seed3=<optimized out>, seed2_len=<optimized out>, seed2=<optimized out>, 
seed1_len=<optimized out>,
    seed1=<optimized out>, sec_len=<optimized out>, sec=<optimized out>, 
md=<optimized out>)
    at ../../../../../../src/crypto/openssl/ssl/t1_enc.c:177
======================================================================================
Issue 3:

In file s3_enc.c in function ssl3_digest_cached_records, EVP_DigestInit_ex is 
called to initialize the EVP digest. Internally to EVP_DigestInit_ex 
ctx->md_data is allocated and if it fails an error is returned. However in 
ssl3_digest_cached_records the return value is not checked, causing a null 
dereference with the below backtrace.
    at ../../../../../../src/crypto/openssl/crypto/evp/m_sha1.c:127
    at ../../../../../../src/crypto/openssl/crypto/evp/digest.c:251
    at ../../../../../../src/crypto/openssl/ssl/s3_enc.c:660
=======================================================================================
Issue 4:
 In file ssl_lib.c, in function ssl_replace_hash, an EVP_MD_CTX is created 
using EVP_MD_CTX_create. However, the return value of this allocation is not 
checked and a dereference is made just below in EVP_DigestInit_ex causing a 
core.
=======================================================================================
Issue 5:
In t1_enc.c, in function tls1_enc, in the case of
/* Explicit IV length, block ciphers and TLS version 1.1 or later */
openssl tries to dereference cipher after getting the value of cipher from 
s->enc_write_ctx. However, cipher can be NULL. This can happen because we 
returned NULL in Issue 4) above and s->enc_write_ctx->cipher might not have 
been set. Typically s->enc_write_ctx->cipher would have been set in the below 
path, but because of Issue 4 above we did not set s->enc_write_ctx->cipher.
    key=0x7789d9e0 "Y\376\b\362w\332)\246\203z3\366F\255\030 
\302\202\037\313om\342\317\304+\016\347\314\071\334\016`\301ji\325\342\272r\202\025\312@s\241\271q\346@/A\310Os\223iFm\356\257\314\241\331\355%\370t\325\026R\306x\344\001/\030\063\224/\250\205\067*\\\241\277\250\\
 \216h\226\251\350\351",
    iv=0x7789da20 
"\355%\370t\325\026R\306x\344\001/\030\063\224/\250\205\067*\\\241\277\250\\
 \216h\226\251\350\351",
    enc=1) at ../../../../../../src/crypto/openssl/crypto/evp/evp_enc.c:176
    at ../../../../../../src/crypto/openssl/ssl/t1_enc.c:576
========================================================================================
Issue 6:
Similar issue as above exists in s3_pkt.c function do_ssl3_write in the case
/* Explicit IV length, block ciphers and TLS version 1.1 or later */ where 
again s->enc_write_ctx->cipher can be NULL.
=======================================================================================
Issue 7:
In file t1_enc.c, in function tls1_mac, openssl, after calling 
EVP_DigestSignFinal, has an assert that the return value is greater than 0. 
However, EVP_DigestSignFinal internally allocates memory, and if this memory 
allocation fails, an error is returned. Hence this assert is overaggressive for 
low-memory cases. So please see if, instead of coring, the error can be handled 
gracefully.
========================================================================================
Issue 8:
In file t1_enc.c, in function tls1_setup_key_block, memory is allocated twice 
for the key block, through p1 and p2. If p1 succeeds but p2 fails, p1 is freed, 
but the freed pointer p1 is left dangling inside s->s3->tmp.key_block, which is 
later attempted to be freed while freeing s->s3, resulting in a double free.
The fix would be to set s->s3->tmp.key_block to NULL.

========================================================================================
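As an added illustration of the Issue 8 pattern (this is not code from the report or from OpenSSL; the tmp_state struct, the demo_* allocator and the 96-byte size are assumptions for the demo), the two allocation paths side by side: the buggy shape frees p1 but leaves the stale pointer in the struct for the later teardown to free a second time, while the fixed shape clears the owning field at the point of release.

```c
#include <stdlib.h>

/* Hypothetical stand-in for s->s3->tmp in the report; not OpenSSL's struct. */
struct tmp_state { unsigned char *key_block; };

/* Fault-injectable allocator (demo assumption): the g_fail_on_call-th call returns NULL. */
static int g_alloc_calls = 0, g_fail_on_call = -1, g_frees = 0;
static void *demo_malloc(size_t n) { return (g_alloc_calls++ == g_fail_on_call) ? NULL : malloc(n); }
static void demo_free(void *p) { if (p) g_frees++; free(p); }

/* Shape of the bug in Issue 8: p1 is freed when p2 fails, but t->key_block keeps the stale pointer. */
static int setup_key_block_buggy(struct tmp_state *t, size_t num) {
    unsigned char *p1 = demo_malloc(num), *p2;
    if (p1 == NULL) return 0;
    t->key_block = p1;
    p2 = demo_malloc(num);
    if (p2 == NULL) { demo_free(p1); return 0; }   /* t->key_block now dangles */
    demo_free(p2);                                 /* key derivation omitted in the demo */
    return 1;
}

/* Fixed shape: the owning field is cleared where the buffer is released, as the report proposes. */
static int setup_key_block_fixed(struct tmp_state *t, size_t num) {
    unsigned char *p1 = demo_malloc(num), *p2;
    if (p1 == NULL) return 0;
    t->key_block = p1;
    p2 = demo_malloc(num);
    if (p2 == NULL) { demo_free(p1); t->key_block = NULL; return 0; }
    demo_free(p2);
    return 1;
}

/* Teardown as in freeing s->s3: releases whatever key_block still points at. */
static void free_tmp_state(struct tmp_state *t) { demo_free(t->key_block); t->key_block = NULL; }

/* Fails the second allocation, runs setup, then reports whether key_block was left non-NULL,
   i.e. whether free_tmp_state would have freed p1 a second time. The stale value is cleared,
   not freed, so the demo itself never double-frees. Returns -1 if setup unexpectedly succeeded. */
static int leaves_dangling_pointer(int (*setup)(struct tmp_state *, size_t)) {
    struct tmp_state t = { NULL };
    g_alloc_calls = 0; g_fail_on_call = 1; g_frees = 0;
    if (setup(&t, 96) != 0) return -1;
    int dangling = (t.key_block != NULL);
    t.key_block = NULL;
    free_tmp_state(&t);
    return dangling;
}
```

leaves_dangling_pointer(setup_key_block_buggy) reports 1 and the fixed variant 0; in both runs p1 is released exactly once during setup, so the only difference is what the teardown later sees.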


_______________________________________________
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev