102 lines
3.3 KiB
Diff
102 lines
3.3 KiB
Diff
commit 847b1cd5fcf2a9098871f5832a50845670c3885e
|
|
Author: Matt Caswell <matt@openssl.org>
|
|
Date: Wed Dec 14 16:18:14 2022 +0000
|
|
|
|
Fix a UAF resulting from a bug in BIO_new_NDEF
|
|
|
|
If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
|
|
be part of an invalid BIO chain. This causes a "use after free" when the
|
|
BIO is eventually freed.
|
|
|
|
Based on an original patch by Viktor Dukhovni.
|
|
|
|
Thanks to Octavio Galland for reporting this issue.
|
|
|
|
diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
|
|
index 760e4846a4..e0deaecf19 100644
|
|
--- a/crypto/asn1/bio_ndef.c
|
|
+++ b/crypto/asn1/bio_ndef.c
|
|
@@ -49,6 +49,12 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg);
|
|
static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen,
|
|
void *parg);
|
|
|
|
+/*
|
|
+ * On success, the returned BIO owns the input BIO as part of its BIO chain.
|
|
+ * On failure, NULL is returned and the input BIO is owned by the caller.
|
|
+ *
|
|
+ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream()
|
|
+ */
|
|
BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
|
|
{
|
|
NDEF_SUPPORT *ndef_aux = NULL;
|
|
@@ -60,45 +66,50 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
|
|
ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED);
|
|
return NULL;
|
|
}
|
|
- ndef_aux = OPENSSL_zalloc(sizeof(*ndef_aux));
|
|
asn_bio = BIO_new(BIO_f_asn1());
|
|
- if (ndef_aux == NULL || asn_bio == NULL)
|
|
- goto err;
|
|
-
|
|
- /* ASN1 bio needs to be next to output BIO */
|
|
- out = BIO_push(asn_bio, out);
|
|
- if (out == NULL)
|
|
- goto err;
|
|
+ if (asn_bio == NULL)
|
|
+ return NULL;
|
|
|
|
BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
|
|
BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
|
|
|
|
+ /* ASN1 bio needs to be next to output BIO */
|
|
+ if (BIO_push(asn_bio, out) == NULL) {
|
|
+ BIO_free(asn_bio);
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
/*
|
|
- * Now let callback prepends any digest, cipher etc BIOs ASN1 structure
|
|
- * needs.
|
|
+ * Now let the callback prepend any digest, cipher, etc., that the BIO's
|
|
+ * ASN1 structure needs.
|
|
*/
|
|
-
|
|
- sarg.out = out;
|
|
+ sarg.out = asn_bio;
|
|
sarg.ndef_bio = NULL;
|
|
sarg.boundary = NULL;
|
|
|
|
- if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
|
|
- goto err;
|
|
+ /*
|
|
+ * On error, restore input BIO to head of its BIO chain.
|
|
+ *
|
|
+ * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
|
|
+ * middle of some partially built, but not returned BIO chain.
|
|
+ */
|
|
+ if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0
|
|
+ || (ndef_aux = OPENSSL_zalloc(sizeof(*ndef_aux))) == NULL) {
|
|
+ /* Assumed head of BIO chain with "out" as immediate successor */
|
|
+ (void)BIO_pop(asn_bio);
|
|
+ BIO_free(asn_bio);
|
|
+ return NULL;
|
|
+ }
|
|
|
|
ndef_aux->val = val;
|
|
ndef_aux->it = it;
|
|
ndef_aux->ndef_bio = sarg.ndef_bio;
|
|
ndef_aux->boundary = sarg.boundary;
|
|
- ndef_aux->out = out;
|
|
+ ndef_aux->out = asn_bio;
|
|
|
|
BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
|
|
|
|
return sarg.ndef_bio;
|
|
-
|
|
- err:
|
|
- BIO_free(asn_bio);
|
|
- OPENSSL_free(ndef_aux);
|
|
- return NULL;
|
|
}
|
|
|
|
static int ndef_prefix(BIO *b, unsigned char **pbuf, int *plen, void *parg)
|