[openssl-dev] [openssl.org #4582] BUG - Application crashing in OpenSSL code while creating x509 certificate object

NarayanaGowda, Shivasharan via RT rt at openssl.org
Wed Jun 22 14:03:24 UTC 2016


Hi OpenSSL,

We have an issue where our application crashes on a Windows system, inside OpenSSL code.

Windows version: Microsoft Windows Server 2008 R2 Standard
OpenSSL version: OpenSSL 9.8zf

Note: We have not modified any code in 9.8zf version.

Our application bundles OpenSSL binaries as DLLs and uses them to perform TLS and SSL operations. We are seeing the issue while creating an x509 certificate object from a public key string. Here is a piece of code that can assist you:

******************************
X509 *pubKey = NULL;
if (publicKey.empty())
    return pubKey;

// Wrap the PEM string in a memory BIO so the PEM reader can consume it
BIO *bp = BIO_new(BIO_s_mem());
BIO_write(bp, publicKey.data(), (int)publicKey.size());

pubKey = X509_new();
if (NULL != pubKey)
{
    char *buf = new char[256];
    // Convert the PEM data into a certificate object
    if (!PEM_read_bio_X509(bp, &pubKey, 0, NULL))
    {

....
******************************

The function PEM_read_bio_X509() is what is reported in the crash dump as the entry point into OpenSSL from our application. The crash dump is as below:

NULL_CLASS_PTR_READ
---------------------------------------------
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0441f934 72e7c9ea 72e9f232 00000006 02bc5d58 libeay32!OBJ_obj2nid+0x1c
0441f938 72e9f232 00000006 02bc5d58 00000001 libeay32!OBJ_obj2nid+0xa
0441f9bc 72e92ada 72e91bb7 02bfbe78 0441fa1c libeay32!X509_NAME_oneline+0x112
0441f9c0 72e91bb7 02bfbe78 0441fa1c 00000084 libeay32!ASN1_item_ex_d2i+0x7ba
0441f9dc 72e8c090 02b53a68 00000000 00000000 libeay32!asn1_ex_c2i+0x627
0441f9f4 72e92a2a 00000005 0441fb20 72eecd10 libeay32!X509_CINF_free+0x60
0441fa34 72e92e2b 00000100 0441fab0 00000000 libeay32!ASN1_item_ex_d2i+0x70a
0441fa80 72e8c149 0441fb20 0441fab0 000001c6 libeay32!ASN1_item_d2i+0x4b
0441fa94 72e9da35 0441fb20 0441fab0 000001c6 libeay32!d2i_X509+0x19
0441fab4 72e9d7b3 72e8c130 72eeff08 02c8e980 libeay32!PEM_ASN1_read_bio+0x65
0441fad0 73ec5cd0 02c8e980 0441fb20 00000000 libeay32!PEM_read_bio_X509+0x23
00000000 00000000 00000000 00000000 00000000 sockets!XXXXXXX::stringToPublic+0xe0
-----------------------------------------------

Our Inferences:
Our code works in most deployments and this crash is reported by only one user. We analyzed and observed (using a resource monitoring tool) that the user's setup had more socket reads and writes during the period in which the crash was occurring. As it occurs seldom and intermittently, we wanted to know the cause and would request help from you. Our hunch is that it could be similar to the fix below, mentioned in the 9.8zh change log:

Changes between 0.9.8zf and 0.9.8zg [11 Jun 2015]
.........
*) PKCS7 crash with missing EnvelopedContent

     The PKCS#7 parsing code does not handle missing inner EncryptedContent
     correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
     with missing content and trigger a NULL pointer dereference on parsing.

     Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
     structures from untrusted sources are affected. OpenSSL clients and
     servers are not affected.
........

Any help from you is well appreciated. Let me know if you need more details, like a core dump, etc.

Thanks in advance.

Regards,
Sharan

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4582
Please log in as guest with password guest if prompted