[openssl/openssl] 34d5cb: x509: Fix possible use-after-free when OOM

Clemens Lang noreply at github.com
Mon May 29 12:57:05 UTC 2023


  Branch: refs/heads/openssl-3.1
  Home:   https://github.com/openssl/openssl
  Commit: 34d5cbc76972ed55d6faa357d1a28efc5d49aa2d
      https://github.com/openssl/openssl/commit/34d5cbc76972ed55d6faa357d1a28efc5d49aa2d
  Author: Clemens Lang <cllang at redhat.com>
  Date:   2023-05-29 (Mon, 29 May 2023)

  Changed paths:
    M crypto/x509/pcy_node.c

  Log Message:
  -----------
  x509: Fix possible use-after-free when OOM

ossl_policy_level_add_node() first adds the new node to the level->nodes
stack, and then attempts to add extra data if extra_data is true. If
memory allocation or adding the extra data to tree->extra_data fails,
the allocated node (that has already been added to the level->nodes
stack) is freed using ossl_policy_node_free(), which leads to
a potential use after free.

Additionally, the tree's node count and the parent's child count would
not be updated, despite the new node being added.

Fix this by either performing the function's purpose completely, or not
at all by reverting the changes on error.

Signed-off-by: Clemens Lang <cllang at redhat.com>

Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21040)

(cherry picked from commit de53817ec386ea9e943d8f33716945dd9dbe1f31)


  Commit: a14ed48e84093cb64fa33d360204b49f7738e16d
      https://github.com/openssl/openssl/commit/a14ed48e84093cb64fa33d360204b49f7738e16d
  Author: Clemens Lang <cllang at redhat.com>
  Date:   2023-05-29 (Mon, 29 May 2023)

  Changed paths:
    M crypto/x509/pcy_tree.c

  Log Message:
  -----------
  x509: Handle ossl_policy_level_add_node errors

The invocation of ossl_policy_level_add_node in tree_calculate_user_set
did not have any error handling. Add it to prevent a memory leak for the
allocated extra policy data.

Also add error handling to sk_X509_POLICY_NODE_push to ensure that if
a new node was allocated, but could not be added to the stack, it is
freed correctly.

Fix error handling if tree->user_policies cannot be allocated by
returning 0, indicating failure, rather than 1.

Signed-off-by: Clemens Lang <cllang at redhat.com>

Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21040)

(cherry picked from commit 95a8aa6dc0e283b1560dd3258d2e9115c02659b1)


Compare: https://github.com/openssl/openssl/compare/3afa24652085...a14ed48e8409


More information about the openssl-commits mailing list