[openssl-dev] [openssl.org #3812] asn1parse -genconf may cause access to uninitialized variable

Hanno Boeck via RT rt at openssl.org
Sat Apr 18 16:05:49 UTC 2015


When calling asn1parse -genconf with a nonexistent file this will cause
an access to an uninitialized variable.

Test:
valgrind -q openssl asn1parse -genconf nonexistingfile

The reason is this code in asn1pars.c:
 conferr:

    if (errline > 0)
        BIO_printf(bio, "Error on line %ld of config file '%s'\n",
                   errline, genconf);
    else
        BIO_printf(bio, "Error loading config file '%s'\n", genconf);

It assumes that if errline wasn't set it's zero. While on most systems
it's true that uninitialized variables are zero, this is not something
that should be relied upon.

Pre-initializing the variable with zero fixes this. See patch (for
current git code) and valgrind output attached. Please apply.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssl-fix-asn1parse-uninitialized-variable.diff
Type: text/x-patch
Size: 353 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150418/9e5d6867/attachment.bin>
-------------- next part --------------
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
==30382== Conditional jump or move depends on uninitialised value(s)
==30382==    at 0x4073C5: do_generate (asn1pars.c:439)
==30382==    by 0x4073C5: asn1parse_main (asn1pars.c:273)
==30382==    by 0x405320: do_cmd (openssl.c:470)
==30382==    by 0x404FEA: main (openssl.c:366)
==30382== 
==30382== Conditional jump or move depends on uninitialised value(s)
==30382==    at 0x528598: fmtint (b_print.c:479)
==30382==    by 0x52A157: _dopr (b_print.c:374)
==30382==    by 0x52A157: BIO_vprintf (b_print.c:774)
==30382==    by 0x52AE63: BIO_printf (b_print.c:754)
==30382==    by 0x4073DC: do_generate (asn1pars.c:440)
==30382==    by 0x4073DC: asn1parse_main (asn1pars.c:273)
==30382==    by 0x405320: do_cmd (openssl.c:470)
==30382==    by 0x404FEA: main (openssl.c:366)
==30382== 
==30382== Use of uninitialised value of size 8
==30382==    at 0x52860C: fmtint (b_print.c:496)
==30382==    by 0x52A157: _dopr (b_print.c:374)
==30382==    by 0x52A157: BIO_vprintf (b_print.c:774)
==30382==    by 0x52AE63: BIO_printf (b_print.c:754)
==30382==    by 0x4073DC: do_generate (asn1pars.c:440)
==30382==    by 0x4073DC: asn1parse_main (asn1pars.c:273)
==30382==    by 0x405320: do_cmd (openssl.c:470)
==30382==    by 0x404FEA: main (openssl.c:366)
==30382== 
==30382== Conditional jump or move depends on uninitialised value(s)
==30382==    at 0x528622: fmtint (b_print.c:499)
==30382==    by 0x52A157: _dopr (b_print.c:374)
==30382==    by 0x52A157: BIO_vprintf (b_print.c:774)
==30382==    by 0x52AE63: BIO_printf (b_print.c:754)
==30382==    by 0x4073DC: do_generate (asn1pars.c:440)
==30382==    by 0x4073DC: asn1parse_main (asn1pars.c:273)
==30382==    by 0x405320: do_cmd (openssl.c:470)
==30382==    by 0x404FEA: main (openssl.c:366)
==30382== 
Error on line 69349704 of config file 'nonexistentfile'
67417424:error:02001002:system library:fopen:No such file or directory:bss_file.c:168:fopen('nonexistentfile','rb')
67417424:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:171:
67417424:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:195:
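
The pattern from the report above, as an added C example that is not part of the original message and is not OpenSSL code: a loader that writes its error-line output only on a parse error, so the caller must give the variable a defined value before the open-failure path reaches the message branch. All function names and file names here are hypothetical.

```c
/* Added illustration; every function here is a hypothetical stand-in, not OpenSSL code. */
#include <stdio.h>
#include <string.h>

/* Returns 1 on success; on a malformed line returns 0 and stores its number. */
static int parse_conf(FILE *fp, long *errline) {
    char buf[256];
    long n = 0;
    while (fgets(buf, sizeof buf, fp) != NULL) {
        n++;
        if (buf[0] != '\n' && buf[0] != '#' && strchr(buf, '=') == NULL) {
            *errline = n;          /* written only on a parse error */
            return 0;
        }
    }
    return 1;
}

/* Open failure returns 0 WITHOUT writing *errline (the nonexistent-file path). */
static int load_conf(const char *path, long *errline) {
    FILE *fp = fopen(path, "r");
    int ok = 0;
    if (fp != NULL) {
        ok = parse_conf(fp, errline);
        fclose(fp);
    }
    return ok;
}

/* Same two-way branch as the conferr: label, formatted into out. */
static void conf_error_msg(char *out, size_t len, const char *path, long errline) {
    if (errline > 0)
        snprintf(out, len, "Error on line %ld of config file '%s'", errline, path);
    else
        snprintf(out, len, "Error loading config file '%s'", path);
}

static int check_conf(const char *path, char *out, size_t len) {
    long errline = 0;   /* the fix: a bare "long errline;" is indeterminate here */
    if (load_conf(path, &errline))
        return 1;
    conf_error_msg(out, len, path, errline);
    return 0;
}

int main(void) {
    char msg[128];
    if (!check_conf("constructed-missing.cnf", msg, sizeof msg)) puts(msg);
    return 0;
}
```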

