
Heap buffer overflow in print_raw_cipherlist (apps/s_cb.c) #2189

@bernd-edlinger

Description


I built using recent gcc and OpenSSL-1_1_0-stable
./config -g -fsanitize=address -fno-omit-frame-pointer
make
make test V=1 2>&1 | tee test.log

In test.log I got:

depth=0 C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Server Cert
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Client cipher list: 0x0000=================================================================
==25110==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000004f3 at pc 0x2b15e44b2391 bp 0x7ffe30b7cc00 sp 0x7ffe30b7cbf8
READ of size 1 at 0x6020000004f3 thread T0
DONE
    #0 0x2b15e44b2390 in ssl3_get_cipher_by_char ssl/s3_lib.c:3550
    #1 0x4757c7 in print_raw_cipherlist apps/s_cb.c:975
    #2 0x4757c7 in print_ssl_summary apps/s_cb.c:1073
    #3 0x482caf in rev_body apps/s_server.c:3089
    #4 0x48a474 in do_server apps/s_socket.c:179
    #5 0x488547 in s_server_main apps/s_server.c:1934
    #6 0x41ef90 in do_cmd apps/openssl.c:471
    #7 0x4202fc in main apps/openssl.c:177
    #8 0x2b15e5351f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #9 0x4209f6  (/home/ed/OPC/openssl/apps/openssl+0x4209f6)

0x6020000004f3 is located 0 bytes to the right of 3-byte region [0x6020000004f0,0x6020000004f3)
allocated by thread T0 here:
    #0 0x2b15e3585ef0 in __interceptor_malloc ../../../../gcc-trunk/libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x2b15e4a8e687 in CRYPTO_memdup crypto/o_str.c:67
    #2 0x2b15e4507f83 in PACKET_memdup ssl/statem/../packet_locl.h:385
    #3 0x2b15e4507f83 in ssl_bytes_to_cipher_list ssl/statem/statem_srvr.c:3271
    #4 0x2b15e4507f83 in tls_process_client_hello ssl/statem/statem_srvr.c:1175
    #5 0x2b15e44e7133 in read_state_machine ssl/statem/statem.c:589
    #6 0x2b15e44e7133 in state_machine ssl/statem/statem.c:385
    #7 0x2b15e44d4724 in SSL_do_handshake ssl/ssl_lib.c:3025
    #8 0x2b15e4490eca in ssl_ctrl ssl/bio_ssl.c:349
    #9 0x2b15e48f34b8 in buffer_ctrl crypto/bio/bf_buff.c:343
    #10 0x482c7a in rev_body apps/s_server.c:3063
    #11 0x48a474 in do_server apps/s_socket.c:179
    #12 0x488547 in s_server_main apps/s_server.c:1934
    #13 0x41ef90 in do_cmd apps/openssl.c:471
    #14 0x4202fc in main apps/openssl.c:177
    #15 0x2b15e5351f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-buffer-overflow ssl/s3_lib.c:3550 in ssl3_get_cipher_by_char
Shadow bytes around the buggy address:
  0x0c047fff8040: fa fa 00 01 fa fa 00 00 fa fa 03 fa fa fa 00 06
  0x0c047fff8050: fa fa fd fa fa fa fd fd fa fa 00 06 fa fa 00 06
  0x0c047fff8060: fa fa 03 fa fa fa 00 06 fa fa fd fa fa fa fd fd
  0x0c047fff8070: fa fa 00 00 fa fa 00 fa fa fa 03 fa fa fa 05 fa
  0x0c047fff8080: fa fa 00 00 fa fa 00 01 fa fa 00 00 fa fa 00 fa
=>0x0c047fff8090: fa fa fd fd fa fa fd fa fa fa fd fd fa fa[03]fa
  0x0c047fff80a0: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff80b0: fa fa 00 fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff80c0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff80d0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff80e0: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==25110==ABORTING
engine "ossltest" set.
engine "ossltest" set.
CONNECTION FAILURE
47964245314304:error:1417D0FC:SSL routines:tls_process_client_hello:unknown protocol:ssl/statem/statem_srvr.c:956:
write:errno=0

I don't know how to locate the problematic test case.
Probably near "../test/recipes/70-test_sslextension.t ....."

The cipher list is 3 bytes long, thus rlistlen=3 is not a multiple of num=2
rlist = [0x00 0x00 0x2F]

Although this is a fatal error (with non-zero return code),
make test prints at the end:

All tests successful.
Files=90, Tests=479, 329 wallclock secs ( 2.94 usr  0.50 sys + 186.48 cusr 152.72 csys = 342.64 CPU)
Result: PASS
make[1]: Leaving directory `/home/ed/OPC/openssl'
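As an added illustration of the length check this report points at, the following is a plain-C reconstruction (not OpenSSL's own code) of the rlistlen/num mismatch, using the report's 3-byte list as constructed input: it computes where an unchecked stride-2 loop would read, and shows a parser that only consumes whole ids.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample taken from the report: rlist = [0x00 0x00 0x2F],
 * rlistlen = 3, cipher id width num = 2. */
static const unsigned char sample_rlist[] = { 0x00, 0x00, 0x2F };
#define SAMPLE_LEN (sizeof(sample_rlist))

/* Highest byte offset a loop of the form "for (i = 0; i < rlistlen; i += num)"
 * touches when it reads a full num-byte id each iteration. Nothing is
 * dereferenced here; it only models the index arithmetic. For the sample it
 * yields 3, i.e. "0 bytes to the right of" the 3-byte region, as ASan says. */
static size_t unchecked_last_read_offset(size_t rlistlen, size_t num)
{
    size_t i, last = 0;
    if (num == 0)
        return 0;
    for (i = 0; i < rlistlen; i += num)
        last = i + num - 1;
    return last;
}

/* Hardened form: consume an id only while num bytes remain, and report any
 * trailing partial id instead of reading past the buffer.
 * Returns 1 on success, 0 on bad arguments or insufficient output space. */
static int parse_cipher_ids(const unsigned char *rlist, size_t rlistlen, size_t num,
                            uint16_t *out, size_t out_max,
                            size_t *n_out, size_t *trailing)
{
    size_t i, n = 0;
    if (rlist == NULL || out == NULL || n_out == NULL || trailing == NULL)
        return 0;
    if (num != 2)           /* this reconstruction handles 2-byte TLS ids only */
        return 0;
    for (i = 0; i + num <= rlistlen; i += num) {
        if (n == out_max)
            return 0;
        out[n++] = (uint16_t)((rlist[i] << 8) | rlist[i + 1]);
    }
    *n_out = n;
    *trailing = rlistlen - i;   /* 1 for the sample: the dangling 0x2F */
    return 1;
}

int main(void)
{
    uint16_t ids[8];
    size_t n, trailing, k;
    if (!parse_cipher_ids(sample_rlist, SAMPLE_LEN, 2, ids, 8, &n, &trailing))
        return 1;
    for (k = 0; k < n; k++)
        printf("0x%04x\n", ids[k]);
    printf("%zu trailing byte(s) not a full id\n", trailing);
    return 0;
}
```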
