
Commit 557825a

committed May 23, 2022
Fix a crash in asn1_item_embed_new
This usually happens if a template object is created and there is an out-of-memory error before the ASN1_OP_NEW_POST method is called, but asn1_item_embed_free now calls the ASN1_OP_FREE_POST, which may crash because the object is not properly initialized. Apparently that is only an issue with the ASN1_OP_FREE_POST handling of crypto/x509/x_crl.c, which ought to be tolerant of incompletely initialized objects.

The error can be reproduced with the reproducible error injection patch:

$ ERROR_INJECT=1652890550 ../util/shlib_wrap.sh ./asn1-test ./corpora/asn1/0ff17293911f54d1538b9896563a4048d67d9ee4
    #0 0x7faae9dbeeba in __sanitizer_print_stack_trace ../../../../gcc-trunk/libsanitizer/asan/asan_stack.cpp:87
    #1 0x408dc4 in my_malloc fuzz/test-corpus.c:114
    #2 0x7faae99f2430 in CRYPTO_zalloc crypto/mem.c:230
    #3 0x7faae97f09e5 in ASN1_STRING_type_new crypto/asn1/asn1_lib.c:341
    #4 0x7faae98118f7 in asn1_primitive_new crypto/asn1/tasn_new.c:318
    #5 0x7faae9812401 in asn1_item_embed_new crypto/asn1/tasn_new.c:78
    #6 0x7faae9812401 in asn1_template_new crypto/asn1/tasn_new.c:240
    #7 0x7faae9812315 in asn1_item_embed_new crypto/asn1/tasn_new.c:137
    #8 0x7faae9812315 in asn1_template_new crypto/asn1/tasn_new.c:240
    #9 0x7faae9812a54 in asn1_item_embed_new crypto/asn1/tasn_new.c:137
    #10 0x7faae9812a54 in ASN1_item_ex_new crypto/asn1/tasn_new.c:39
    #11 0x7faae980be51 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:325
    #12 0x7faae980c813 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:611
    #13 0x7faae980d288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
    #14 0x7faae980b9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
    #15 0x7faae980caf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
    #16 0x7faae980d7d3 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:494
    #17 0x7faae980b9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
    #18 0x7faae980dd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124
    #19 0x7faae980de35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114
    #20 0x40712c in FuzzerTestOneInput fuzz/asn1.c:301
    #21 0x40893b in testfile fuzz/test-corpus.c:182
    #22 0x406b86 in main fuzz/test-corpus.c:226
    #23 0x7faae8eb1f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1194==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7faae9b0625f bp 0x7fffffe41a00 sp 0x7fffffe41920 T0)
==1194==The signal is caused by a READ memory access.
==1194==Hint: address points to the zero page.
    #0 0x7faae9b0625f in crl_cb crypto/x509/x_crl.c:258
    #1 0x7faae9811255 in asn1_item_embed_free crypto/asn1/tasn_fre.c:113
    #2 0x7faae9812a65 in asn1_item_embed_new crypto/asn1/tasn_new.c:150
    #3 0x7faae9812a65 in ASN1_item_ex_new crypto/asn1/tasn_new.c:39
    #4 0x7faae980be51 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:325
    #5 0x7faae980c813 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:611
    #6 0x7faae980d288 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:518
    #7 0x7faae980b9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
    #8 0x7faae980caf5 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:643
    #9 0x7faae980d7d3 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:494
    #10 0x7faae980b9ce in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:382
    #11 0x7faae980dd1f in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:124
    #12 0x7faae980de35 in ASN1_item_d2i crypto/asn1/tasn_dec.c:114
    #13 0x40712c in FuzzerTestOneInput fuzz/asn1.c:301
    #14 0x40893b in testfile fuzz/test-corpus.c:182
    #15 0x406b86 in main fuzz/test-corpus.c:226
    #16 0x7faae8eb1f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV crypto/x509/x_crl.c:258 in crl_cb
==1194==ABORTING

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#18360)
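The failure mode the commit message describes, reduced to a stand-alone model (added example code, not OpenSSL's): a constructor attaches the object's method table only in its NEW_POST step, an error-injecting allocator makes an earlier allocation fail, and the constructor's error path then runs FREE_POST on the half-built object. Every name here (OBJ, OBJ_METHOD, inject_zalloc, g_fail_after, free_post_unsafe, free_post_safe, obj_new, run_scenario) is hypothetical and simplified. free_post_unsafe mirrors the pre-fix `crl->meth->crl_free` read and is shown only for comparison; free_post_safe mirrors the patched check and is the one the constructor's error path uses.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical object: meth stays NULL until the NEW_POST step runs. */
typedef struct obj_st OBJ;
typedef struct {
    int (*obj_free)(OBJ *);
} OBJ_METHOD;
struct obj_st {
    const OBJ_METHOD *meth;   /* attached by new_post() only */
    unsigned char *data;      /* allocated before new_post() */
};

/* Deterministic error injection (hypothetical): the g_fail_after-th
 * allocation, counted from 0, returns NULL; -1 means never fail. */
static int g_fail_after = -1;
static void *inject_zalloc(size_t n)
{
    if (g_fail_after == 0)
        return NULL;
    if (g_fail_after > 0)
        g_fail_after--;
    return calloc(1, n);
}

static int default_free(OBJ *o)
{
    free(o->data);
    o->data = NULL;
    return 1;
}
static const OBJ_METHOD default_meth = { default_free };

/* NEW_POST: the last constructor step; never reached if an allocation failed. */
static int new_post(OBJ *o)
{
    o->meth = &default_meth;
    return 1;
}

/* Before the fix: reads through meth unconditionally. On an object whose
 * NEW_POST never ran this is a NULL-pointer read, the SEGV in the trace
 * above. Kept for comparison only; never called on a partial object here. */
int free_post_unsafe(OBJ *o)
{
    if (o->meth->obj_free)
        return o->meth->obj_free(o);
    return 1;
}

/* After the fix: tolerant of an object whose method table was never set. */
static int free_post_safe(OBJ *o)
{
    if (o->meth != NULL && o->meth->obj_free != NULL)
        return o->meth->obj_free(o);
    free(o->data);            /* release whatever was allocated before the failure */
    o->data = NULL;
    return 1;
}

/* Constructor modelled on the asn1_item_embed_new error path: allocate the
 * struct, allocate a member, run NEW_POST; on failure run FREE_POST on the
 * partial object, then release it. free_post_rc reports what FREE_POST
 * returned, or -1 if it was never reached. */
static OBJ *obj_new(int (*free_post)(OBJ *), int *post_ran, int *free_post_rc)
{
    OBJ *o;

    *post_ran = 0;
    *free_post_rc = -1;
    o = inject_zalloc(sizeof *o);
    if (o == NULL)
        return NULL;
    o->data = inject_zalloc(16);
    if (o->data == NULL || !new_post(o)) {
        *free_post_rc = free_post(o);   /* meth is still NULL on this path */
        free(o);
        return NULL;
    }
    *post_ran = 1;
    return o;
}

/* Run one scenario with the patched FREE_POST. Returns 1 if the object was
 * fully built (and then torn down normally), 0 if construction failed. */
static int run_scenario(int fail_at, int *post_ran, int *free_post_rc)
{
    OBJ *o;

    g_fail_after = fail_at;
    o = obj_new(free_post_safe, post_ran, free_post_rc);
    if (o == NULL)
        return 0;
    free_post_safe(o);                  /* normal teardown: meth is set */
    free(o);
    return 1;
}

int main(void)
{
    int post_ran, rc;
    /* Fail the second allocation: NEW_POST never runs, FREE_POST must cope. */
    return run_scenario(1, &post_ran, &rc) == 0 && rc == 1 ? 0 : 1;
}
```

Scenario 1 (second allocation fails) is the interesting one: the struct exists, data and meth are both NULL, and FREE_POST is invoked anyway. Swapping free_post_safe for free_post_unsafe in obj_new on that path reproduces the class of crash in the trace, a read through a NULL method table, which is why the tolerant variant frees the members itself rather than assuming the method table will.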
1 parent 9224a40 commit 557825a

1 file changed, +1 -1 lines changed
crypto/x509/x_crl.c  +1 -1
@@ -255,7 +255,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
255255
break;
256256

257257
case ASN1_OP_FREE_POST:
258-
if (crl->meth->crl_free) {
258+
if (crl->meth != NULL && crl->meth->crl_free != NULL) {
259259
if (!crl->meth->crl_free(crl))
260260
return 0;
261261
}
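Review bot: the new guard covers crl->meth but still dereferences crl (the object taken from *pval) unconditionally in this case, so the fix relies on asn1_item_embed_free never invoking ASN1_OP_FREE_POST with a NULL value; the commit message's account of the failure (allocation fails after the object exists but before ASN1_OP_NEW_POST runs) is consistent with that, but nothing in the hunk records it. A one-line comment above `case ASN1_OP_FREE_POST:` saying that this path must tolerate an object whose ASN1_OP_NEW_POST never ran (meth unset) would keep the next reader from "simplifying" the check back to `if (crl->meth->crl_free)`. Style-wise the explicit `!= NULL` comparisons match the surrounding OpenSSL convention.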
