[openssl-dev] [openssl.org #3903] Infer run on openssl-1.0.2a

Jules Villard via RT rt at openssl.org
Thu Jun 11 22:44:24 UTC 2015


Hello,

The following 13 potential null-pointer dereference bugs were found by
running Facebook's Infer static analyzer on openssl-1.0.2a. You can
reproduce these reports by downloading Infer and running it like so:

  https://fbinfer.org/docs/getting-started.html
  cd openssl-1.0.2a
  ./config && make clean
  infer -- make
  inferTraceBugs

The last command allows you to see more information about each report,
in particular symbolic traces that lead to the bug.

- apps/srp.c at line 149: NULL_DEREFERENCE
    pointer pp last assigned on line 148 could be null and is dereferenced at line 149, column 43

  apps/srp.c at line 166: NULL_DEREFERENCE
    pointer pp last assigned on line 164 could be null and is dereferenced at line 166, column 13

  The functions print_entry and print_user don't check that
  db->data->data is not NULL, hence sk_OPENSSL_PSTRING_value could
  return NULL.

  Additional note: the test is slightly different in both cases:
  "verbose > 0" for print_user vs "indx >= 0 && verbose" for
  print_entry.

- apps/x509.c at line 1108: NULL_DEREFERENCE
    pointer upkey last assigned on line 1107 could be null and is dereferenced by call to EVP_PKEY_copy_parameters() at line 1108, column 5

  Calling x509_certify() with xca == NULL or xca->cert_info == NULL
  makes X509_get_pubkey() return NULL, which triggers a NULL
  dereference in EVP_PKEY_copy_parameters().

  Additional note: the return value of X509_get_pubkey() is checked
  for NULL elsewhere in the codebase, e.g., in apps/ca.c:1597.

- apps/x509.c at line 1220: NULL_DEREFERENCE
    pointer pktmp last assigned on line 1219 could be null and is dereferenced by call to EVP_PKEY_copy_parameters() at line 1220, column 5

  Similar to the previous one.

- crypto/mem_dbg.c at line 647: NULL_DEREFERENCE
    pointer lcl last assigned on line 644 could be null and is dereferenced at line 647, column 22

  localtime(3) can return NULL in case of error.

- crypto/objects/o_names.c at line 105: NULL_DEREFERENCE
    pointer name_funcs last assigned on line 103 could be null and is dereferenced at line 105, column 9

  crypto/objects/o_names.c at line 107: NULL_DEREFERENCE
    pointer name_funcs last assigned on line 103 could be null and is dereferenced at line 107, column 9

  crypto/objects/o_names.c at line 109: NULL_DEREFERENCE
    pointer name_funcs last assigned on line 103 could be null and is dereferenced at line 109, column 9

  If names_type_num < 0 or names_type_num >=
  name_funcs_stack->num, then name_funcs is assigned NULL on
  line 103. These may be false positives, as it looks like this can
  never be the case in that file.

- crypto/pkcs7/pk7_doit.c at line 1149: NULL_DEREFERENCE
    pointer ri last assigned on line 1148 could be null and is dereferenced at line 1149, column 12

  If PKCS7_get_issuer_and_serial() is called with idx < 0 then the
  execution gets to the last call to sk_PKCS7_RECIP_INFO_value(),
  which returns NULL.

- crypto/x509/x509_cmp.c at line 410: NULL_DEREFERENCE
    pointer x last assigned on line 405 could be null and is dereferenced at line 410, column 55

  If X509_chain_check_suiteb() is called with chain == NULL, then the
  call to sk_X509_value() on line 410 will assign NULL to x. Line 410
  is X509_get_version(x), which dereferences x without checking for
  NULL.

- crypto/x509/x509_req.c at line 125: NULL_DEREFERENCE
    pointer xk last assigned on line 124 could be null and is dereferenced by call to EVP_PKEY_cmp() at line 125, column 13

  If X509_REQ_check_private_key() is called with x == NULL, then xk
  will get NULL on line 124.

- crypto/x509/x509_req.c at line 204: NULL_DEREFERENCE
    pointer attr last assigned on line 203 could be null and is dereferenced at line 204, column 13

  In X509_REQ_get_extensions(), the call to X509_REQ_get_attr_by_NID()
  may return -2 as an error code, but the caller checks for -1
  instead. This results in an NPE a few lines down, as the -2 is
  passed to X509_REQ_get_attr(), which sees that idx is invalid and
  returns NULL. Then attr == NULL is dereferenced by attr->single in
  the condition of the if statement on the next line.

- crypto/x509/x509_lu.c at line 311: NULL_DEREFERENCE
    pointer lu last assigned on line 310 could be null and is dereferenced by call to X509_LOOKUP_by_subject() at line 311, column 17

  If vs->ctx->get_cert_methods is NULL then sk_X509_LOOKUP_num()
  returns -1 in the condition of the for loop. Then, if
  vs->current_method < -1 we still enter the body of the loop. Then lu
  gets assigned to NULL by sk_X509_LOOKUP_value.


Best regards,
Jules Villard
Facebook Static Analysis Tools Team
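Added illustration (not part of the report above, and not OpenSSL's code): a constructed C model of the sk_*_num()/sk_*_value() conventions that several of these reports depend on (num() of a NULL stack is -1, value() of an out-of-range index is NULL), showing the -1-versus--2 check from the x509_req.c report beside a hardened caller. The attribute type, the stack type and the "negative NID is a bad argument" rule are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the OpenSSL sk_*_num()/sk_*_value() conventions the
 * report relies on (not OpenSSL's code): num() of a NULL stack is -1 and
 * value() of an out-of-range index is NULL. */
typedef struct { int nid; const char *val; } attr_t;
typedef struct { attr_t *data; int num; } attr_stack_t;

static int stack_num(const attr_stack_t *st) { return st ? st->num : -1; }

static attr_t *stack_value(const attr_stack_t *st, int idx) {
    if (st == NULL || idx < 0 || idx >= st->num) return NULL;
    return &st->data[idx];
}

/* Models X509_REQ_get_attr_by_NID(): index of the next attribute with this
 * NID after lastpos, -1 if none, -2 for a bad argument (here, hypothetically,
 * a negative NID). Two distinct negative codes can come back. */
static int attr_by_nid(const attr_stack_t *st, int nid, int lastpos) {
    if (nid < 0) return -2;
    for (int i = (lastpos < 0 ? 0 : lastpos + 1); i < stack_num(st); i++)
        if (st->data[i].nid == nid) return i;
    return -1;
}

/* The pattern Infer flagged: only -1 counts as "not found", so -2 is passed
 * on, stack_value() yields NULL and attr->val dereferences it. */
static const char *lookup_buggy(const attr_stack_t *st, int nid) {
    int idx = attr_by_nid(st, nid, -1);
    if (idx == -1) return NULL;
    attr_t *attr = stack_value(st, idx);
    return attr->val;            /* NULL_DEREFERENCE when idx == -2 */
}

/* Hardened caller: every negative index is a failure, and the pointer the
 * stack hands back is checked before use. */
static const char *lookup_fixed(const attr_stack_t *st, int nid) {
    int idx = attr_by_nid(st, nid, -1);
    if (idx < 0) return NULL;
    attr_t *attr = stack_value(st, idx);
    return attr ? attr->val : NULL;
}

/* Constructed sample data. */
static attr_t sample_attrs[] = { { 1, "one" }, { 2, "two" } };
static attr_stack_t sample_stack = { sample_attrs, 2 };
```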
