Fixed Double free after calling PEM_read_bio_ex

Resolves: CVE-2022-4450
2023-02-08 11:43:11 +01:00 · 2023-02-08 11:43:11 +01:00 · 529db6cf12
commit 529db6cf12
parent c5b0dc92d3
2 changed files with 109 additions and 0 deletions
--- a/0103-CVE-2022-4450-pem-read-bio.patch
+++ b/0103-CVE-2022-4450-pem-read-bio.patch
@ -0,0 +1,106 @@
 From 63bcf189be73a9cc1264059bed6f57974be74a83 Mon Sep 17 00:00:00 2001
 From: Matt Caswell <matt@openssl.org>
 Date: Tue, 13 Dec 2022 14:54:55 +0000
 Subject: [PATCH 04/18] Avoid dangling ptrs in header and data params for
 PEM_read_bio_ex
 In the event of a failure in PEM_read_bio_ex() we free the buffers we
 allocated for the header and data buffers. However we were not clearing
 the ptrs stored in *header and *data. Since, on success, the caller is
 responsible for freeing these ptrs this can potentially lead to a double
 free if the caller frees them even on failure.
 Thanks to Dawei Wang for reporting this issue.
 Based on a proposed patch by Kurt Roeckx.
 CVE-2022-4450
 Reviewed-by: Paul Dale <pauli@openssl.org>
 Reviewed-by: Hugo Landau <hlandau@openssl.org>
 ---
 crypto/pem/pem_lib.c | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
 index f9ff80162a..85c47fb627 100644
 --- a/crypto/pem/pem_lib.c
 +++ b/crypto/pem/pem_lib.c
@@ -989,7 +989,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
 out_free:
     pem_free(*header, flags, 0);
 +    *header = NULL;
     pem_free(*data, flags, 0);
 +    *data = NULL;
 end:
     EVP_ENCODE_CTX_free(ctx);
     pem_free(name, flags, 0);
 -- 
 2.39.1
 From cbafa34b5a057794c5c08cd4657038e1f643c1ac Mon Sep 17 00:00:00 2001
 From: Matt Caswell <matt@openssl.org>
 Date: Tue, 13 Dec 2022 15:02:26 +0000
 Subject: [PATCH 05/18] Add a test for CVE-2022-4450
 Call PEM_read_bio_ex() and expect a failure. There should be no dangling
 ptrs and therefore there should be no double free if we free the ptrs on
 error.
 Reviewed-by: Paul Dale <pauli@openssl.org>
 Reviewed-by: Hugo Landau <hlandau@openssl.org>
 ---
 test/pemtest.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 diff --git a/test/pemtest.c b/test/pemtest.c
 index a8d2d49bb5..a5d28cb256 100644
 --- a/test/pemtest.c
 +++ b/test/pemtest.c
@@ -96,6 +96,35 @@ static int test_cert_key_cert(void)
     return 1;
 }
 +static int test_empty_payload(void)
 +{
 +    BIO *b;
 +    static char *emptypay =
 +        "-----BEGIN CERTIFICATE-----\n"
 +        "-\n" /* Base64 EOF character */
 +        "-----END CERTIFICATE-----";
 +    char *name = NULL, *header = NULL;
 +    unsigned char *data = NULL;
 +    long len;
 +    int ret = 0;
 +
 +    b = BIO_new_mem_buf(emptypay, strlen(emptypay));
 +    if (!TEST_ptr(b))
 +        return 0;
 +
 +    /* Expected to fail because the payload is empty */
 +    if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0)))
 +        goto err;
 +
 +    ret = 1;
 + err:
 +    OPENSSL_free(name);
 +    OPENSSL_free(header);
 +    OPENSSL_free(data);
 +    BIO_free(b);
 +    return ret;
 +}
 +
 int setup_tests(void)
 {
     if (!TEST_ptr(pemfile = test_get_argument(0)))
@@ -103,5 +132,6 @@ int setup_tests(void)
     ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data));
     ADD_TEST(test_invalid);
     ADD_TEST(test_cert_key_cert);
 +    ADD_TEST(test_empty_payload);
     return 1;
 }
 -- 
 2.39.1
--- a/openssl.spec
+++ b/openssl.spec
@ -158,6 +158,7 @@ Patch92: 0092-provider-improvements.patch
 # OpenSSL 3.0.8 CVEs
 Patch101: 0101-CVE-2022-4203-nc-match.patch
 Patch102: 0102-CVE-2022-4304-RSA-time-oracle.patch
 Patch103: 0103-CVE-2022-4450-pem-read-bio.patch
 License: ASL 2.0
 URL: http://www.openssl.org/
@ -493,6 +494,8 @@ install -m644 %{SOURCE9} \
  Resolves: CVE-2022-4203
 - Fixed Timing Oracle in RSA Decryption
  Resolves: CVE-2022-4304
 - Fixed Double free after calling PEM_read_bio_ex
  Resolves: CVE-2022-4450
 * Wed Jan 11 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-4
 - Disallow SHAKE in RSA-OAEP decryption in FIPS mode