[openssl-dev] [openssl.org #4155] In function int_thread_del_item, when hash == int_thread_hash, one is passed to free and the other is used in a comparison
Kurt Roeckx via RT
rt at openssl.org
Mon Nov 30 20:12:58 UTC 2015
On Tue, Nov 24, 2015 at 11:06:44AM +0000, Pascal Cuoq via RT wrote:
> This issue is similar in nature to 4151 (http://www.mail-archive.com/openssl-dev@openssl.org/msg40950.html ): it is about a dangling pointer being used, but not used for dereferencing, so it's not a memory error. The dangling pointer is used in a comparison.
>
> The function int_thread_del_item can reach the point were it calls "lh_ERR_STATE_free(int_thread_hash);" with hash == int_thread_hash. That attached patch prints a message like "hash == int_thread_hash == 0xb2a6d0" when this happens. Just after the call to lh_ERR_STATE_free, both hash and int_thread_hash contain dangling pointers. The variable int_thread_hash is immediately set to NULL.
>
> The problem that I am reporting is that just afterwards, &hash is passed to the function int_thread_release:
>
> https://github.com/openssl/openssl/blob/079a1a9014b89661f0a612a5a9724ad9c77f21a3/crypto/err/err.c#L412
>
> In that function, the argument "hash" points to the local variable "hash" of int_thread_del_item (which contains a dangling pointer).
> Thus the comparison "*hash == NULL" involves a dangling pointer:
I thinkt he following untested patch should fix that:
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -403,8 +403,10 @@ static void int_thread_del_item(const
ERR_STATE *d)
if (int_thread_hash_references == 1
&& int_thread_hash
&& lh_ERR_STATE_num_items(int_thread_hash) == 0) {
+ int_thread_hash_references = 0;
lh_ERR_STATE_free(int_thread_hash);
int_thread_hash = NULL;
+ hash = NULL;
}
}
CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
Kurt
More information about the openssl-dev
mailing list