[openssl-dev] Heap corruption in asn1_item_ex_combine_new()

Julien Kauffmann julien.kauffmann at freelan.org
Tue Mar 31 12:36:37 UTC 2015 

Hi,

I've been hunting down a heap corruption bug in OpenSSL for the past few 
days and I found the guilty instruction. At this point, I know what 
causes the problem but I am unsure how to solve it nicely.

Here is the minimal sample I used to reproduce the issue on the latest 
1.0.2a (happens on every run, on all platforms in 64 bits):

int main()
{
     ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); 
ENGINE_load_builtin_engines();

     EC_GROUP* group = EC_GROUP_new_by_curve_name(NID_sect571k1);
     EC_GROUP_set_point_conversion_form(group, 
POINT_CONVERSION_UNCOMPRESSED);

     EC_KEY* eckey = EC_KEY_new();
     EC_KEY_set_group(eckey, group);
     EC_KEY_generate_key(eckey);

     BIO* out = BIO_new(BIO_s_file());
     BIO_set_fp(out, stdout, BIO_NOCLOSE);

     PEM_write_bio_ECPrivateKey(out, eckey, NULL, NULL, 0, NULL, NULL);
}

Basically what happens is that, somewhere inside the call to 
PEM_write_bio_ECPrivateKey(), an ASN1 sequence of 3 elements is 
allocated. The corresponding code is as follow (in 
crypto/asn1/tasn_new.c:181):

if (!combine) {
     *pval = OPENSSL_malloc(it->size);
     if (!*pval)
         goto memerr;
     memset(*pval, 0, it->size);
     asn1_do_lock(pval, 0, it);
     asn1_enc_init(pval, it);
}
for (i = 0, tt = it->templates; i < it->tcount; tt++, i++) {
     pseqval = asn1_get_field_ptr(pval, tt);
     if (!ASN1_template_new(pseqval, tt))
         goto memerr;
}

In the sample I gave, at some point OPENSSL_malloc allocates 12 bytes 
for a 3-elements ASN1 SEQUENCE. The for-loop then initializes every 
element: ASN1_template_new() calls in turn asn1_item_ex_combine_new() 
which, at line 103, does:

if (!combine)
     *pval = NULL;

The problem is that pval at this point points to an element of the 
SEQUENCE that is only 4 bytes long. On 64 bits systems this causes the 
next 4 bytes to be set to 0x00000000. For the first two elements of the 
sequence, this gets recovered by the next element being initialized. 
However for the last element, this affectation happens to write 4 bytes 
past the allocated memory, corrupting the heap.

I'm not sure what is the best place to fix this. Do you have any hints ?

Julien Kauffmann.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150331/2cd75b80/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4276 bytes
Desc: Signature cryptographique S/MIME
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150331/2cd75b80/attachment-0001.bin>

More information about the openssl-dev mailing list