Potential use after free in callers of X509v3_asid_add_id_or_range() #22700

botovq · 2023-11-11T11:59:47Z

The RFC 3779 code is undocumented, not very well designed and thus rather dangerous public OpenSSL API. It's full of traps and bugs. It should at least be warned against if not documented. Fortunately, almost no one uses it, but there is now an attempt at exposing bindings to Rust: sfackler/rust-openssl#2053 .

The only internal caller v2i_ASIdentifiers() of X509v3_asid_ad_id_or_range() allocates and passes one or two ASN1_INTEGERs and frees them on failure.

Towards the end of X509v3_asid_ad_id_or_range(), ownership of min and max is transferred to aor:

openssl/crypto/x509/v3_asid.c

Lines 218 to 221 in 9e75a0b

    
           ASN1_INTEGER_free(aor->u.range->min); 
        
           aor->u.range->min = min; 
        
           ASN1_INTEGER_free(aor->u.range->max); 
        
           aor->u.range->max = max;

Subsequently, aor is pushed onto a part of asid. If the push fails, aor is freed and min and max with it.

openssl/crypto/x509/v3_asid.c

Lines 223 to 229 in 9e75a0b

    
              if (!(sk_ASIdOrRange_push((*choice)->u.asIdsOrRanges, aor))) 
        
                  goto err; 
        
              return 1; 
        
           err: 
        
              ASIdOrRange_free(aor); 
        
              return 0;

Here's the fix I landed earlier today: openbsd/src@9b790dc .

The text was updated successfully, but these errors were encountered:

bernd-edlinger · 2023-11-14T02:58:50Z

how about this for a simple fix?

diff --git a/crypto/x509/v3_asid.c b/crypto/x509/v3_asid.c
index d1c3dd5d9f..30a62399bf 100644
--- a/crypto/x509/v3_asid.c
+++ b/crypto/x509/v3_asid.c
@@ -208,6 +208,8 @@ int X509v3_asid_add_id_or_range(ASIdentifiers *asid,
     }
     if ((aor = ASIdOrRange_new()) == NULL)
         return 0;
+    if (!sk_ASIdOrRange_reserve((*choice)->u.asIdsOrRanges, 1))
+        goto err;
     if (max == NULL) {
         aor->type = ASIdOrRange_id;
         aor->u.id = min;

maybe with a comment at the sk_ASIdOrRange_push below, that it cannot fail
due to the reservation?

botovq · 2023-11-14T05:08:19Z

On Mon, Nov 13, 2023 at 06:59:01PM -0800, Bernd Edlinger wrote: how about this for a simple fix?

Sure, that will fix part of the many bugs here, but you won't be able to backport this to 1.1 (if you care to do so).

bernd-edlinger · 2023-11-14T10:55:11Z

I will certainly back port that to my 1.1.1 feature branch:
https://github.com/bernd-edlinger/openssl/tree/openssl-111-features
I have lots of similar fixes in the queue.

botovq · 2023-11-14T11:30:26Z

the point is that this api can still leave asid in an incoherent state. you should not have an empty stack there, for example. incrementally populating asid is a bad idea to begin with.

…

On Tue, Nov 14, 2023, at 10:55 AM, Bernd Edlinger wrote: I will certainly back port that to my 1.1.1 feature branch: https://github.com/bernd-edlinger/openssl/tree/openssl-111-features I have lots of similar fixes in the queue. — Reply to this email directly, view it on GitHub <#22700 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACVVQA7IIXFEI5I3WLUBDA3YENEZVAVCNFSM6AAAAAA7HGRBCGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMBZHE4DCNJUGE>. You are receiving this because you authored the thread.Message ID: ***@***.***>

And clean up partially created choice objects, which have still the default type = -1 from ASIdentifierChoice_new(). Fixes openssl#22700

And clean up partially created choice objects, which have still the default type = -1 from ASIdentifierChoice_new(). Fixes #22700 Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #22745) (cherry picked from commit 49e9436)

And clean up partially created choice objects, which have still the default type = -1 from ASIdentifierChoice_new(). Fixes openssl#22700 Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#22745) (cherry picked from commit 49e9436)

And clean up partially created choice objects, which have still the default type = -1 from ASIdentifierChoice_new(). Fixes openssl#22700 Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#22745)

botovq added the issue: bug report The issue was opened to report a bug label Nov 11, 2023

botovq changed the title ~~Potential use after free in callers of X509v3_addr_add_id_or_range()~~ Potential use after free in callers of X509v3_asid_add_id_or_range() Nov 11, 2023

t8m added branch: master Merge to master branch triaged: bug The issue/pr is/fixes a bug branch: 3.0 Merge to openssl-3.0 branch branch: 3.1 Merge to openssl-3.1 branch: 3.2 Merge to openssl-3.2 and removed issue: bug report The issue was opened to report a bug labels Nov 13, 2023

bernd-edlinger mentioned this issue Nov 15, 2023

Fix a possible use after free in X509v3_asid_add_id_or_range #22745

Closed

openssl-machine closed this as completed in 49e9436 Dec 1, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Potential use after free in callers of X509v3_asid_add_id_or_range() #22700

Potential use after free in callers of X509v3_asid_add_id_or_range() #22700

botovq commented Nov 11, 2023 •

edited

bernd-edlinger commented Nov 14, 2023 •

edited

botovq commented Nov 14, 2023 via email

bernd-edlinger commented Nov 14, 2023

botovq commented Nov 14, 2023 via email

Potential use after free in callers of X509v3_asid_add_id_or_range() #22700

Potential use after free in callers of X509v3_asid_add_id_or_range() #22700

Comments

botovq commented Nov 11, 2023 • edited

bernd-edlinger commented Nov 14, 2023 • edited

botovq commented Nov 14, 2023 via email

bernd-edlinger commented Nov 14, 2023

botovq commented Nov 14, 2023 via email

botovq commented Nov 11, 2023 •

edited

bernd-edlinger commented Nov 14, 2023 •

edited