[openssl-dev] [openssl.org #4105] null pointer dereference in BN_lshift when coming from dsa_builtin_paramgen

Pascal Cuoq via RT rt at openssl.org
Thu Oct 22 14:16:46 UTC 2015


BN_POOL_get() can return NULL when OPENSSL_malloc() fails:
https://github.com/openssl/openssl/blob/984d6c6052169bcae8010de33f7796e455536d61/crypto/bn/bn_ctx.c#L365-L366

This causes BN_CTX_get() to return NULL:
https://github.com/openssl/openssl/blob/984d6c6052169bcae8010de33f7796e455536d61/crypto/bn/bn_ctx.c#L287

In the function dsa_builtin_paramgen, the value returned by BN_CTX_get is not tested before calling BN_lshift, which is then called with first argument NULL:

https://github.com/openssl/openssl/blob/310115448188415e270bb0bef958c7c130939838/crypto/dsa/dsa_gen.c#L162

This causes a null pointer dereference in BN_lshift(), but it seems the correct fix would be to check the value of test after calling BN_CTX_get() at line 160:

https://github.com/openssl/openssl/blob/310115448188415e270bb0bef958c7c130939838/crypto/dsa/dsa_gen.c#L160
____________________________

It seems that another instance of the same problem in the file dsa_gen.c exists and is more subtle:

r0 may be NULL.

However, BN_bin2bn() accepts NULL as third argument, in which case it tries to allocate a new BN. r0 remains NULL throughout this call:

https://github.com/openssl/openssl/blob/310115448188415e270bb0bef958c7c130939838/crypto/dsa/dsa_gen.c#L247

IF THE CALL TO BN_bin2bn at line 247 SUCCEEDS, then r0 (still NULL) is passed to BN_lshift at line 249:

https://github.com/openssl/openssl/blob/310115448188415e270bb0bef958c7c130939838/crypto/dsa/dsa_gen.c#L249

Extrapolating, it looks like it would be a good idea to guard all the calls to BN_CTX_get at lines 153-160:

https://github.com/openssl/openssl/blob/310115448188415e270bb0bef958c7c130939838/crypto/dsa/dsa_gen.c#L153-L160
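
The two cases described in the report, as an added example that is not part of the original message and is not OpenSSL code: a small self-contained C model in which a pool getter can return NULL, a conversion routine accepts a NULL destination, and a shift routine writes through its first argument. All names (`ctx_get`, `bin2num`, `lshift`, `paramgen`, `run`) are hypothetical stand-ins, and the model assumes that exactly one chosen getter call fails.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed model, not OpenSSL code. Names only echo the report. */
typedef struct { unsigned long w; } num_t;
typedef struct { num_t slot[4]; int calls; int fail_call; } ctx_t;
enum { ERR_ALLOC = 0, OK = 1, NULL_DEREF = -1 };

/* Stands in for BN_CTX_get(): NULL on allocation failure. Assumption of the
   model: exactly one chosen call (fail_call) fails. */
static num_t *ctx_get(ctx_t *c) {
    int k = c->calls++;
    return (k == c->fail_call || k >= 4) ? NULL : &c->slot[k];
}

/* Stands in for BN_bin2bn(): a NULL destination means "allocate a new one". */
static num_t *bin2num(unsigned long v, num_t *ret) {
    num_t *n = ret ? ret : malloc(sizeof *n);
    if (n) n->w = v;
    return n;
}

/* Stands in for BN_lshift(); reports -1 where the real call would write
   through a NULL pointer, so the faulting path can be observed safely. */
static int lshift(num_t *r, const num_t *a, int n) {
    if (!r || !a) return -1;
    r->w = a->w << n;
    return 1;
}

static int paramgen(ctx_t *c, int guarded) {
    num_t one = { 1 }, *r0 = ctx_get(c), *test = ctx_get(c), *tmp;
    int rc;
    if (guarded && (!r0 || !test)) return ERR_ALLOC;  /* check the report asks for */
    if (lshift(test, &one, 8) < 0) return NULL_DEREF; /* first case: test == NULL */
    tmp = bin2num(0xabUL, r0);       /* succeeds even when r0 == NULL */
    if (!tmp) return ERR_ALLOC;
    rc = lshift(r0, r0, 1);          /* second case: r0 is still NULL here */
    if (tmp != r0) free(tmp);        /* fresh number was never assigned to r0 */
    return rc < 0 ? NULL_DEREF : OK;
}
static int run(int fail_call, int guarded) {
    ctx_t c = { .fail_call = fail_call };
    return paramgen(&c, guarded);
}

int main(void) {
    for (int f = -1; f <= 1; f++)
        printf("fail_call=%d unguarded=%d guarded=%d\n", f, run(f, 0), run(f, 1));
    return 0;
}
```

With `fail_call` set to 0 the conversion step still succeeds, so only the guard after the getter calls turns the failure into a clean error return.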





