[openssl-dev] [openssl.org #4155] In function int_thread_del_item, when hash == int_thread_hash, one is passed to free and the other is used in a comparison

Pascal Cuoq via RT rt at openssl.org
Tue Nov 24 11:06:44 UTC 2015


This issue is similar in nature to 4151 (http://www.mail-archive.com/openssl-dev@openssl.org/msg40950.html ): it is about a dangling pointer being used, but not used for dereferencing, so it's not a memory error. The dangling pointer is used in a comparison.

The function int_thread_del_item can reach the point where it calls “lh_ERR_STATE_free(int_thread_hash);” with hash == int_thread_hash. The attached patch prints a message like “hash == int_thread_hash == 0xb2a6d0” when this happens. Just after the call to lh_ERR_STATE_free, both hash and int_thread_hash contain dangling pointers. The variable int_thread_hash is immediately set to NULL.

The problem that I am reporting is that just afterwards, &hash is passed to the function int_thread_release:

https://github.com/openssl/openssl/blob/079a1a9014b89661f0a612a5a9724ad9c77f21a3/crypto/err/err.c#L412

In that function, the argument “hash” points to the local variable “hash” of int_thread_del_item (which contains a dangling pointer).
Thus the comparison “*hash == NULL” involves a dangling pointer:

https://github.com/openssl/openssl/blob/079a1a9014b89661f0a612a5a9724ad9c77f21a3/crypto/err/err.c#L343

With the attached patch, executing test/enginetest reproduces the problem for me:

$ ./enginetest

enginetest beginning
…
Tests completed happily
hash == int_thread_hash == 0x1a3f6d0
Now using *hash (0x1a3f6d0) in a comparison


-------------- next part --------------
A non-text attachment was scrubbed...
Name: show_pointers.patch
Type: application/octet-stream
Size: 793 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20151124/d2544a29/attachment.obj>
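A reduced C model of the pattern the report describes, added here as an illustration; it is not code from the report, from the attached patch, or from OpenSSL. The names int_thread_hash, toy_hash_free, toy_release and del_item_* are stand-ins for lh_ERR_STATE_free, int_thread_release and int_thread_del_item, and the reference counting of the real functions is left out. The instrumentation records the freed address as an integer (the same stale value the report's debugging patch prints) so the example can count how often a comparison is evaluated on it, and the hardened variant shows one way to avoid the stale comparison: settle the alias question while both pointers are still valid and clear the local together with the global.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for LHASH_OF(ERR_STATE): only the object's identity matters. */
typedef struct toy_hash { int dummy; } TOY_HASH;

/* Stand-in for OpenSSL's int_thread_hash global (name reused for readability). */
static TOY_HASH *int_thread_hash = NULL;

/* Instrumentation (constructed for this example): remember the address of the
 * last freed table as an integer, and count comparisons evaluated on it. */
static uintptr_t last_freed = 0;
static int dangling_compares = 0;

static TOY_HASH *toy_hash_new(void)
{
    TOY_HASH *h = calloc(1, sizeof *h);
    if (h == NULL)
        abort();
    return h;
}

/* Stand-in for lh_ERR_STATE_free(). */
static void toy_hash_free(TOY_HASH *h)
{
    last_freed = (uintptr_t)h;
    free(h);
}

/* Same shape as int_thread_release(LHASH_OF(ERR_STATE) **hash): it receives
 * the address of the caller's local and evaluates "*hash == NULL". */
static void toy_release(TOY_HASH **hash)
{
    if (hash == NULL)
        return;
    /* Instrumentation only: after free() the caller's pointer holds an
     * indeterminate value; reading it here is exactly the use the report
     * is about, done once so the example can count it. */
    if ((uintptr_t)*hash != 0 && (uintptr_t)*hash == last_freed)
        dangling_compares++;
    if (*hash == NULL)          /* the comparison from err.c, on a stale value */
        return;
    *hash = NULL;               /* caller's reference dropped */
}

/* Buggy shape of int_thread_del_item: the local `hash` aliases the global
 * table that gets freed, and the stale local is then handed to release. */
static int del_item_buggy(void)
{
    TOY_HASH *hash;

    dangling_compares = 0;
    int_thread_hash = toy_hash_new();
    hash = int_thread_hash;             /* local reference to the table */

    /* Last entry removed: tear down the whole table through the global. */
    toy_hash_free(int_thread_hash);
    int_thread_hash = NULL;             /* the global is reset ...            */
                                        /* ... but `hash` still holds the freed address */
    toy_release(&hash);                 /* "*hash == NULL" is evaluated on it */
    return dangling_compares;           /* 1 */
}

/* Hardened shape: check whether the local aliases the table BEFORE freeing,
 * and clear the local at the same moment as the global so no stale value
 * survives to be compared later. */
static int del_item_fixed(void)
{
    TOY_HASH *hash;

    dangling_compares = 0;
    int_thread_hash = toy_hash_new();
    hash = int_thread_hash;

    if (hash == int_thread_hash) {      /* alias check while both are still valid */
        toy_hash_free(int_thread_hash);
        int_thread_hash = NULL;
        hash = NULL;                    /* drop the alias together with the global */
    }
    toy_release(&hash);                 /* sees NULL and returns at once */
    return dangling_compares;           /* 0 */
}

int main(void)
{
    printf("buggy: %d dangling comparison(s)\n", del_item_buggy());
    printf("fixed: %d dangling comparison(s)\n", del_item_fixed());
    return 0;
}
```

The buggy path reports one comparison on the freed address and the hardened path none. The point of the hardened shape is not the comparison itself but the ordering: any "is this the same table?" decision has to be made before the free, and every alias of the freed object has to be cleared at the same point where the global is, so that no later code, including code that only compares, can observe the stale value.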