[openssl-dev] [openssl.org #3847] [PATCH] Fix the heap corruption in libeay32!OBJ_add_object

Gunnar Kudrjavets via RT rt at openssl.org
Wed May 13 08:14:46 UTC 2015


Hello,

Original 'sizeof(ADDED_OBJ)' was replaced with 'sizeof(*ao)'. However,
they return different sizes. Therefore, as a result, the heap gets corrupted
and at some point later the debug version of malloc() detects the corruption.

The issue reproduces when either the CRT debug heap or Application
Verifier's full-page heap is enabled.

Thank you,
Gunnar Kudrjavets


-------------- next part --------------
From 888ffbfda8f6949b06c792390c245c03e800fc05 Mon Sep 17 00:00:00 2001
From: Gunnar Kudrjavets <gunnarku at microsoft.com>
Date: Tue, 12 May 2015 15:44:45 -0700
Subject: [PATCH] Fix the heap corruption in libeay32!OBJ_add_object.

Original 'sizeof(ADDED_OBJ)' was replaced with 'sizeof(*ao)'. However,
they return different sizes. Therefore, as a result, the heap gets corrupted
and at some point later the debug version of malloc() detects the corruption.

On x86 we can observe that as follows:

sizeof(*ao) == 4
sizeof(*ao[0]) == sizeof(ADDED_OBJ) == 8

The issue reproduces when either the CRT debug heap or Application
Verifier's full-page heap is enabled.

Basic debugging data from the moment the corruption is first detected:

0:000:x86> |
.  0    id: 283c        create  name: openssl.exe
0:000:x86> kcn
 #
00 MSVCR120D!_heap_alloc_dbg_impl
01 MSVCR120D!_nh_malloc_dbg_impl
02 MSVCR120D!_nh_malloc_dbg
03 MSVCR120D!malloc
04 LIBEAY32!default_malloc_ex
05 LIBEAY32!CRYPTO_malloc
06 LIBEAY32!lh_insert
07 LIBEAY32!OBJ_add_object
08 LIBEAY32!OBJ_create
09 openssl!add_oid_section
0a openssl!req_main
0b openssl!do_cmd
0c openssl!main
0d openssl!__tmainCRTStartup
0e openssl!mainCRTStartup
0f KERNEL32!BaseThreadInitThunk
10 ntdll_77d60000!__RtlUserThreadStart
11 ntdll_77d60000!_RtlUserThreadStart
---
 crypto/objects/obj_dat.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
index 991a1b7..3df7ff2 100644
--- a/crypto/objects/obj_dat.c
+++ b/crypto/objects/obj_dat.c
@@ -255,16 +255,16 @@ int OBJ_add_object(const ASN1_OBJECT *obj)
             return (0);
     if ((o = OBJ_dup(obj)) == NULL)
         goto err;
-    if ((ao[ADDED_NID] = OPENSSL_malloc(sizeof(*ao))) == NULL)
+    if ((ao[ADDED_NID] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
         goto err2;
     if ((o->length != 0) && (obj->data != NULL))
-        if ((ao[ADDED_DATA] = OPENSSL_malloc(sizeof(*ao))) == NULL)
+        if ((ao[ADDED_DATA] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
             goto err2;
     if (o->sn != NULL)
-        if ((ao[ADDED_SNAME] = OPENSSL_malloc(sizeof(*ao))) == NULL)
+        if ((ao[ADDED_SNAME] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
             goto err2;
     if (o->ln != NULL)
-        if ((ao[ADDED_LNAME] = OPENSSL_malloc(sizeof(*ao))) == NULL)
+        if ((ao[ADDED_LNAME] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
             goto err2;
 
     for (i = ADDED_DATA; i <= ADDED_NID; i++) {
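Review bot: the replacement `sizeof(*ao[0])` is correct on all four allocations, since `ao` is an array of `ADDED_OBJ *` and `*ao` is therefore only a pointer, but the expression still reads as a near-twin of the wrong one; `sizeof(ADDED_OBJ)` (the form the commit message says was there originally) would make the intent self-documenting and harder to regress, so consider using it in all four lines, e.g. `if ((ao[ADDED_NID] = OPENSSL_malloc(sizeof(ADDED_OBJ))) == NULL)`. A regression note would also help: the undersized block is only detected later by a debug heap, so a short comment above the first allocation stating that each slot must hold a full `ADDED_OBJ` (it is written through `ao[i]->type`/`ao[i]->obj` further down) and an ASan or Valgrind run of `openssl req` with an `oid_section` in CI would catch this class of slip before release.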
-- 
1.9.5.msysgit.1
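To make the mechanism behind the patch concrete, the following added example (not code from the patch or from OpenSSL) emulates what a debug heap does: it places a canary region after an allocation of the size each `sizeof` form requests, performs the two struct stores `OBJ_add_object` makes through `ao[i]`, and reports whether the canary was clobbered. The `ADDED_OBJ` stand-in is an assumed layout (an int tag plus a pointer); the size relationship it demonstrates holds regardless of the real field list.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for OpenSSL's ADDED_OBJ. Assumed layout: an int
 * tag plus a pointer; the real struct may differ, but in any case
 * sizeof(ADDED_OBJ) > sizeof(ADDED_OBJ *), which is all that matters here. */
typedef struct added_obj_st {
    int type;
    void *obj;          /* ASN1_OBJECT * in OpenSSL */
} ADDED_OBJ;

#define CANARY 0xA5

/* Emulate a debug heap: hand out `request` usable bytes followed by a
 * canary region, then do the stores the real code makes via ao[i]->...
 * Returns 1 if the stores ran past `request` (heap corruption), 0 if not,
 * -1 on allocation failure. */
static int writes_corrupt(size_t request) {
    size_t total = request + sizeof(ADDED_OBJ);   /* room to observe overrun */
    unsigned char *block = malloc(total);
    int corrupted = 0;
    ADDED_OBJ *slot;
    size_t i;
    if (block == NULL)
        return -1;
    memset(block, CANARY, total);
    slot = (ADDED_OBJ *)block;       /* the block handed out as ao[i] */
    slot->type = 1;                  /* same stores OBJ_add_object makes */
    slot->obj = (void *)block;
    for (i = request; i < total; i++)
        if (block[i] != CANARY)
            corrupted = 1;           /* a store landed in the canary */
    free(block);
    return corrupted;
}

/* Buggy request from the pre-patch code: sizeof(*ao) is sizeof(ADDED_OBJ *),
 * i.e. one pointer (4 bytes on x86 as the commit message reports). */
int buggy_allocation_corrupts(void) {
    ADDED_OBJ *ao[4];
    return writes_corrupt(sizeof(*ao));
}

/* Fixed request from the patch: sizeof(*ao[0]) is sizeof(ADDED_OBJ). */
int fixed_allocation_corrupts(void) {
    ADDED_OBJ *ao[4];
    return writes_corrupt(sizeof(*ao[0]));
}
```

The buggy form overruns by `sizeof(ADDED_OBJ) - sizeof(ADDED_OBJ *)` bytes on every platform; a page-heap or ASan build flags the first such store instead of leaving it for a later `malloc()` to notice.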