[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

Rich Salz rsalz at openssl.org
Tue Feb 21 14:45:21 UTC 2017 

The branch OpenSSL_1_1_0-stable has been updated
       via  88bf0d36048569e0dd5e6193c4ec21d2a9da5aba (commit)
      from  fd1ea63f9fcababfc4d4ea38ad5dd49a76fa6023 (commit)


- Log -----------------------------------------------------------------
commit 88bf0d36048569e0dd5e6193c4ec21d2a9da5aba
Author: Pauli <paul.dale at oracle.com>
Date:   Fri Feb 17 10:39:20 2017 +1000

    Ensure minsize >= sizeof(SH_LIST)
    
    The sh_add_to_list function will overwrite subsequent slots in the free list
    for small allocations.  This causes a segmentation fault if the writes goes
    off the end of the secure memory.  I've not investigated if this problem
    can overwrite memory without the segmentation fault, but it seems likely.
    
    This fix limits the minsize to the sizeof of the SH_LIST structure (which
    also has a side effect of properly aligning the pointers).
    
    The alternative would be to return an error if minsize is too small.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2657)
    
    (cherry picked from commit 70e14ffbaf6a67dab56c24cae01f1248cf3f1e77)

-----------------------------------------------------------------------

Summary of changes:
 crypto/mem_sec.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/crypto/mem_sec.c b/crypto/mem_sec.c
index 0c79b43..4a3f2a8 100644
--- a/crypto/mem_sec.c
+++ b/crypto/mem_sec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2017 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -352,6 +352,9 @@ static int sh_init(size_t size, int minsize)
     if (minsize <= 0 || (minsize & (minsize - 1)) != 0)
         goto err;
 
+    while (minsize < (int)sizeof(SH_LIST))
+        minsize *= 2;
+
     sh.arena_size = size;
     sh.minsize = minsize;
     sh.bittable_size = (sh.arena_size / sh.minsize) * 2;

More information about the openssl-commits mailing list