[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
Matt Caswell
matt at openssl.org
Mon Sep 26 10:06:12 UTC 2016
The branch OpenSSL_1_1_0-stable has been updated
via a12778be1782bb63055e7641c814d4fce1775e57 (commit)
via 16c34d4f74e16443cfdc99f2a49ebb1ba3c37db3 (commit)
via 87cd6f9253580866b13729d33fdd45205485b675 (commit)
via f8644220a05f75d51bbde627077cdf336e4d4592 (commit)
via acacbfa7565c78d2273c0b2a2e5e803f44afefeb (commit)
via df7681e46825d4a86df5dd73317d88923166a506 (commit)
from 5fe5914d3068128cdc6b08fe72746bb516a30b8a (commit)
- Log -----------------------------------------------------------------
commit a12778be1782bb63055e7641c814d4fce1775e57
Author: Matt Caswell <matt at openssl.org>
Date: Mon Sep 26 10:46:58 2016 +0100
Prepare for 1.1.0c-dev
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit 16c34d4f74e16443cfdc99f2a49ebb1ba3c37db3
Author: Matt Caswell <matt at openssl.org>
Date: Mon Sep 26 10:46:03 2016 +0100
Prepare for 1.1.0b release
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit 87cd6f9253580866b13729d33fdd45205485b675
Author: Matt Caswell <matt at openssl.org>
Date: Mon Sep 26 09:43:45 2016 +0100
Updates CHANGES and NEWS for new release
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit f8644220a05f75d51bbde627077cdf336e4d4592
Author: Robert Swiecki <swiecki at google.com>
Date: Sun Sep 25 16:35:56 2016 +0100
Add to fuzz corpora for CVE-2016-6309
Reviewed-by: Emilia Käsper <emilia at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(cherry picked from commit 44f206aa9dfd4f226f17d9093732dbece5300aa6)
commit acacbfa7565c78d2273c0b2a2e5e803f44afefeb
Author: Matt Caswell <matt at openssl.org>
Date: Fri Sep 23 16:58:11 2016 +0100
Fix Use After Free for large message sizes
The buffer to receive messages is initialised to 16k. If a message is
received that is larger than that then the buffer is "realloc'd". This can
cause the location of the underlying buffer to change. Anything that is
referring to the old location will be referring to free'd data. In the
recent commit c1ef7c97 (master) and 4b390b6c (1.1.0) the point in the code
where the message buffer is grown was changed. However s->init_msg was not
updated to point at the new location.
CVE-2016-6309
Reviewed-by: Emilia Käsper <emilia at openssl.org>
(cherry picked from commit 0d698f6696e114a6e47f8b75ff88ec81f9e30175)
commit df7681e46825d4a86df5dd73317d88923166a506
Author: Matt Caswell <matt at openssl.org>
Date: Fri Sep 23 15:37:13 2016 +0100
Add a test for large messages
Ensure that we send a large message during the test suite.
Reviewed-by: Emilia Käsper <emilia at openssl.org>
(cherry picked from commit 84d5549e692e63a16fa1b11603e4098fc31746e9)
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 19 ++++-
NEWS | 6 +-
README | 2 +-
.../06d05ea3d37abe7554e610be69b743585cb0c6fe} | Bin 820 -> 921 bytes
.../6b008546166c7e1d2ef100eb5ecbac7efe3b3b90 | Bin 0 -> 267 bytes
.../f6b0502e2a8a63e84d7b474fad2b2dc127f12bac | Bin 0 -> 267 bytes
include/openssl/opensslv.h | 6 +-
ssl/statem/statem.c | 20 ++++-
test/sslapitest.c | 84 +++++++++++++++++++++
9 files changed, 128 insertions(+), 9 deletions(-)
copy fuzz/corpora/{x509/3403363173e3b63d0b9f4e3fce6e8a734d946bfc => server/06d05ea3d37abe7554e610be69b743585cb0c6fe} (76%)
create mode 100644 fuzz/corpora/server/6b008546166c7e1d2ef100eb5ecbac7efe3b3b90
create mode 100644 fuzz/corpora/server/f6b0502e2a8a63e84d7b474fad2b2dc127f12bac
diff --git a/CHANGES b/CHANGES
index 76b4974..3781d06 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,10 +2,27 @@
OpenSSL CHANGES
_______________
- Changes between 1.1.0a and 1.1.0b [xx XXX xxxx]
+ Changes between 1.1.0b and 1.1.0c [xx XXX xxxx]
*)
+ Changes between 1.1.0a and 1.1.0b [26 Sep 2016]
+
+ *) Fix Use After Free for large message sizes
+
+ The patch applied to address CVE-2016-6307 resulted in an issue where if a
+ message larger than approx 16k is received then the underlying buffer to
+ store the incoming message is reallocated and moved. Unfortunately a
+ dangling pointer to the old location is left which results in an attempt to
+ write to the previously freed location. This is likely to result in a
+ crash, however it could potentially lead to execution of arbitrary code.
+
+ This issue only affects OpenSSL 1.1.0a.
+
+ This issue was reported to OpenSSL by Robert Święcki.
+ (CVE-2016-6309)
+ [Matt Caswell]
+
Changes between 1.1.0 and 1.1.0a [22 Sep 2016]
*) OCSP Status Request extension unbounded memory growth
diff --git a/NEWS b/NEWS
index 66bade1..81315be 100644
--- a/NEWS
+++ b/NEWS
@@ -5,10 +5,14 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
- Major changes between OpenSSL 1.1.0a and OpenSSL 1.1.0b [under development]
+ Major changes between OpenSSL 1.1.0b and OpenSSL 1.1.0c [under development]
o
+ Major changes between OpenSSL 1.1.0a and OpenSSL 1.1.0b [26 Sep 2016]
+
+ o Fix Use After Free for large message sizes (CVE-2016-6309)
+
Major changes between OpenSSL 1.1.0 and OpenSSL 1.1.0a [22 Sep 2016]
o OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
diff --git a/README b/README
index fdf0f8f..8ca5eb4 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
- OpenSSL 1.1.0b-dev
+ OpenSSL 1.1.0c-dev
Copyright (c) 1998-2016 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/fuzz/corpora/x509/3403363173e3b63d0b9f4e3fce6e8a734d946bfc b/fuzz/corpora/server/06d05ea3d37abe7554e610be69b743585cb0c6fe
similarity index 76%
copy from fuzz/corpora/x509/3403363173e3b63d0b9f4e3fce6e8a734d946bfc
copy to fuzz/corpora/server/06d05ea3d37abe7554e610be69b743585cb0c6fe
index 517c33c..42a535b 100644
Binary files a/fuzz/corpora/x509/3403363173e3b63d0b9f4e3fce6e8a734d946bfc and b/fuzz/corpora/server/06d05ea3d37abe7554e610be69b743585cb0c6fe differ
diff --git a/fuzz/corpora/server/6b008546166c7e1d2ef100eb5ecbac7efe3b3b90 b/fuzz/corpora/server/6b008546166c7e1d2ef100eb5ecbac7efe3b3b90
new file mode 100644
index 0000000..3b3f140
Binary files /dev/null and b/fuzz/corpora/server/6b008546166c7e1d2ef100eb5ecbac7efe3b3b90 differ
diff --git a/fuzz/corpora/server/f6b0502e2a8a63e84d7b474fad2b2dc127f12bac b/fuzz/corpora/server/f6b0502e2a8a63e84d7b474fad2b2dc127f12bac
new file mode 100644
index 0000000..abc8c3c
Binary files /dev/null and b/fuzz/corpora/server/f6b0502e2a8a63e84d7b474fad2b2dc127f12bac differ
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index 5cc6881..4792f69 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -39,11 +39,11 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-# define OPENSSL_VERSION_NUMBER 0x10100020L
+# define OPENSSL_VERSION_NUMBER 0x10100030L
# ifdef OPENSSL_FIPS
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0b-fips-dev xx XXX xxxx"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0c-fips-dev xx XXX xxxx"
# else
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0b-dev xx XXX xxxx"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0c-dev xx XXX xxxx"
# endif
/*-
diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c
index 5faf6ae..caaf068 100644
--- a/ssl/statem/statem.c
+++ b/ssl/statem/statem.c
@@ -445,6 +445,21 @@ static void init_read_state_machine(SSL *s)
st->read_state = READ_STATE_HEADER;
}
+static int grow_init_buf(SSL *s, size_t size) {
+
+ size_t msg_offset = (char *)s->init_msg - s->init_buf->data;
+
+ if (!BUF_MEM_grow_clean(s->init_buf, (int)size))
+ return 0;
+
+ if (size < msg_offset)
+ return 0;
+
+ s->init_msg = s->init_buf->data + msg_offset;
+
+ return 1;
+}
+
/*
* This function implements the sub-state machine when the message flow is in
* MSG_FLOW_READING. The valid sub-states and transitions are:
@@ -545,9 +560,8 @@ static SUB_STATE_RETURN read_state_machine(SSL *s)
/* dtls_get_message already did this */
if (!SSL_IS_DTLS(s)
&& s->s3->tmp.message_size > 0
- && !BUF_MEM_grow_clean(s->init_buf,
- (int)s->s3->tmp.message_size
- + SSL3_HM_HEADER_LENGTH)) {
+ && !grow_init_buf(s, s->s3->tmp.message_size
+ + SSL3_HM_HEADER_LENGTH)) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
SSLerr(SSL_F_READ_STATE_MACHINE, ERR_R_BUF_LIB);
return SUB_STATE_ERROR;
diff --git a/test/sslapitest.c b/test/sslapitest.c
index a2b18df..acb2087 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -28,6 +28,88 @@ static int ocsp_client_called = 0;
static int cdummyarg = 1;
static X509 *ocspcert = NULL;
+#define NUM_EXTRA_CERTS 40
+
+static int execute_test_large_message(const SSL_METHOD *smeth,
+ const SSL_METHOD *cmeth)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+ int testresult = 0;
+ int i;
+ BIO *certbio = BIO_new_file(cert, "r");
+ X509 *chaincert = NULL;
+ int certlen;
+
+ if (certbio == NULL) {
+ printf("Can't load the certficate file\n");
+ goto end;
+ }
+ chaincert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
+
+ if (!create_ssl_ctx_pair(smeth, cmeth, &sctx,
+ &cctx, cert, privkey)) {
+ printf("Unable to create SSL_CTX pair\n");
+ goto end;
+ }
+ BIO_free(certbio);
+ certbio = NULL;
+
+ /*
+ * We assume the supplied certificate is big enough so that if we add
+ * NUM_EXTRA_CERTS it will make the overall message large enough. The
+ * default buffer size is requested to be 16k, but due to the way BUF_MEM
+ * works, it ends up allocing a little over 21k (16 * 4/3). So, in this test
+ * we need to have a message larger than that.
+ */
+ certlen = i2d_X509(chaincert, NULL);
+ OPENSSL_assert((certlen * NUM_EXTRA_CERTS)
+ > ((SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3));
+ for (i = 0; i < NUM_EXTRA_CERTS; i++) {
+ if (!X509_up_ref(chaincert)) {
+ printf("Unable to up ref cert\n");
+ goto end;
+ }
+ if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
+ printf("Unable to add extra chain cert %d\n", i);
+ X509_free(chaincert);
+ goto end;
+ }
+ }
+
+ if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
+ printf("Unable to create SSL objects\n");
+ goto end;
+ }
+
+ if (!create_ssl_connection(serverssl, clientssl)) {
+ printf("Unable to create SSL connection\n");
+ goto end;
+ }
+
+ testresult = 1;
+
+ end:
+ X509_free(chaincert);
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+
+ return testresult;
+}
+
+static int test_large_message_tls(void)
+{
+ return execute_test_large_message(TLS_server_method(), TLS_client_method());
+}
+
+static int test_large_message_dtls(void)
+{
+ return execute_test_large_message(DTLS_server_method(),
+ DTLS_client_method());
+}
+
static int ocsp_server_cb(SSL *s, void *arg)
{
int *argi = (int *)arg;
@@ -774,6 +856,8 @@ int main(int argc, char *argv[])
CRYPTO_set_mem_debug(1);
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+ ADD_TEST(test_large_message_tls);
+ ADD_TEST(test_large_message_dtls);
ADD_TEST(test_tlsext_status_type);
ADD_TEST(test_session_with_only_int_cache);
ADD_TEST(test_session_with_only_ext_cache);
More information about the openssl-commits
mailing list