[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Wed May 13 08:26:08 UTC 2015 

The branch master has been updated
       via  56d88027f026afd97ddf4e501f98437ca9819bfb (commit)
      from  6b43bbf09c6f31f2b6c66a5e8ef3b668036fbfeb (commit)


- Log -----------------------------------------------------------------
commit 56d88027f026afd97ddf4e501f98437ca9819bfb
Author: Gunnar Kudrjavets <gunnarku at microsoft.com>
Date:   Tue May 12 15:44:45 2015 -0700

    Fix the heap corruption in libeay32!OBJ_add_object.
    
    Original 'sizeof(ADDED_OBJ)' was replaced with 'sizeof(*ao)'. However,
    they return different sizes. Therefore as the result heap gets corrupted
    and at some point later debug version of malloc() detects the corruption.
    
    On x86 we can observe that as follows:
    
    sizeof(*ao) == 4
    sizeof(*ao[0]) == sizeof(ADDED_OBJ) == 8
    
    Issue reproduces with either enabling CRT debug heap or Application
    Verifier's full-page heap.
    
    Basic debugging data from the moment the corruption is first detected:
    
    0:000:x86> |
    .  0    id: 283c        create  name: openssl.exe
    0:000:x86> kcn
     #
    00 MSVCR120D!_heap_alloc_dbg_impl
    01 MSVCR120D!_nh_malloc_dbg_impl
    02 MSVCR120D!_nh_malloc_dbg
    03 MSVCR120D!malloc
    04 LIBEAY32!default_malloc_ex
    05 LIBEAY32!CRYPTO_malloc
    06 LIBEAY32!lh_insert
    07 LIBEAY32!OBJ_add_object
    08 LIBEAY32!OBJ_create
    09 openssl!add_oid_section
    0a openssl!req_main
    0b openssl!do_cmd
    0c openssl!main
    0d openssl!__tmainCRTStartup
    0e openssl!mainCRTStartup
    0f KERNEL32!BaseThreadInitThunk
    10 ntdll_77d60000!__RtlUserThreadStart
    11 ntdll_77d60000!_RtlUserThreadStart
    
    Signed-off-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/objects/obj_dat.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
index 991a1b7..3df7ff2 100644
--- a/crypto/objects/obj_dat.c
+++ b/crypto/objects/obj_dat.c
@@ -255,16 +255,16 @@ int OBJ_add_object(const ASN1_OBJECT *obj)
             return (0);
     if ((o = OBJ_dup(obj)) == NULL)
         goto err;
-    if ((ao[ADDED_NID] = OPENSSL_malloc(sizeof(*ao))) == NULL)
+    if ((ao[ADDED_NID] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
         goto err2;
     if ((o->length != 0) && (obj->data != NULL))
-        if ((ao[ADDED_DATA] = OPENSSL_malloc(sizeof(*ao))) == NULL)
+        if ((ao[ADDED_DATA] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
             goto err2;
     if (o->sn != NULL)
-        if ((ao[ADDED_SNAME] = OPENSSL_malloc(sizeof(*ao))) == NULL)
+        if ((ao[ADDED_SNAME] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
             goto err2;
     if (o->ln != NULL)
-        if ((ao[ADDED_LNAME] = OPENSSL_malloc(sizeof(*ao))) == NULL)
+        if ((ao[ADDED_LNAME] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
             goto err2;
 
     for (i = ADDED_DATA; i <= ADDED_NID; i++) {

More information about the openssl-commits mailing list