Skip to content

Heap use after free in ENGINE_remove #16735

New issue
New issue
Closed
Closed
Heap use after free in ENGINE_remove#16735
Labels
branch: 3.0Applies to openssl-3.0 branchbranch: masterApplies to master branchtriaged: bugThe issue/pr is/fixes a bug
@bernd-edlinger

Description

@bernd-edlinger
bernd-edlinger
opened on Oct 3, 2021

when I compile the test case from #7950 with address sanitizer there is a heap use after free:
#7950 (comment)

I think this is a different issue than #16724 since it happens with every engine
not only dasync, and also here the test case is okay in 1.1.1 but broken in master.

#include <openssl/engine.h>
#include <openssl/evp.h>

int main()
{
  ENGINE *e;
  const EVP_CIPHER * cipher;
  EVP_CIPHER_CTX *ctx;

  OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_DYNAMIC, NULL);
  e = ENGINE_by_id("dasync");
  if (e == NULL)
    return 1;
  ENGINE_init(e);
  cipher = ENGINE_get_cipher(e, NID_aes_128_cbc_hmac_sha1);
  ctx = EVP_CIPHER_CTX_new();
  if (cipher != NULL && ctx != NULL)
    {
       int rv = EVP_EncryptInit_ex(ctx, cipher, e, NULL, NULL);
       printf("EncryptInit=%d\n", rv);
    }
  EVP_CIPHER_CTX_free(ctx);
  ENGINE_finish(e);
  ENGINE_remove(e);
  ENGINE_free(e);
  return 0;
}
s ./a.out 
EncryptInit=1
=================================================================
==6080==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000000404 at pc 0x7f07868a55ed bp 0x7fffd03f61d0 sp 0x7fffd03f61c8
READ of size 4 at 0x611000000404 thread T0
    #0 0x7f07868a55ec in EVP_PKEY_meth_free crypto/evp/pmeth_lib.c:445
    #1 0x7f078783d7e4 in destroy_pkey engines/e_dasync.c:315
    #2 0x7f078783d7e4 in dasync_destroy engines/e_dasync.c:382
    #3 0x7f078680d5bd in engine_free_util crypto/engine/eng_lib.c:92
    #4 0x4012e9 in main /home/ed/OPC/openssl/test.c:25
    #5 0x7f0786071f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #6 0x401168  (/home/ed/OPC/openssl/a.out+0x401168)

0x611000000404 is located 4 bytes inside of 256-byte region [0x611000000400,0x611000000500)
freed by thread T0 here:
    #0 0x7f0786eaa2b7 in __interceptor_free ../../../../gcc-trunk/libsanitizer/asan/asan_malloc_linux.cpp:111
    #1 0x7f0786813bb4 in engine_pkey_meths_free crypto/engine/tb_pkmeth.c:113
    #2 0x7f078680d591 in engine_free_util crypto/engine/eng_lib.c:85
    #3 0x4012e9 in main /home/ed/OPC/openssl/test.c:25
    #4 0x7f0786071f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

previously allocated by thread T0 here:
    #0 0x7f0786eaa577 in __interceptor_malloc ../../../../gcc-trunk/libsanitizer/asan/asan_malloc_linux.cpp:129
    #1 0x7f07868d8881 in CRYPTO_zalloc crypto/mem.c:191
    #2 0x7f07868a5978 in EVP_PKEY_meth_new crypto/evp/pmeth_lib.c:130
    #3 0x7f078783df32 in bind_dasync engines/e_dasync.c:214
    #4 0x7f078783ea32 in bind_helper engines/e_dasync.c:325
    #5 0x7f078783ea32 in bind_engine engines/e_dasync.c:331
    #6 0x7f078680bc98 in dynamic_load crypto/engine/eng_dyn.c:487
    #7 0x7f078680bc98 in dynamic_ctrl crypto/engine/eng_dyn.c:344
    #8 0x7f078680aafa in ENGINE_ctrl_cmd_string crypto/engine/eng_ctrl.c:324
    #9 0x7f078680ee51 in ENGINE_by_id crypto/engine/eng_list.c:337
    #10 0x401236 in main /home/ed/OPC/openssl/test.c:11
    #11 0x7f0786071f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-use-after-free crypto/evp/pmeth_lib.c:445 in EVP_PKEY_meth_free
Shadow bytes around the buggy address:
  0x0c227fff8030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff8050: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8070: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c227fff8080:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff8090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff80a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c227fff80b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff80c0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
  0x0c227fff80d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6080==ABORTING

Metadata

Metadata

Assignees

No one assigned

    Labels

    branch: 3.0Applies to openssl-3.0 branchbranch: masterApplies to master branchtriaged: bugThe issue/pr is/fixes a bug

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions