Add a regress for the recent BIO_new_NDEF() write after free

This is a simple reproducer for a write after free that avoids all the mess with CMS, PKCS7 and SMIME. This now mostly allows ASAN to check that the memory handling in this marvellous function is correct.
author: tb <> 2023-03-31 06:07:44 +0000
committer: tb <> 2023-03-31 06:07:44 +0000
commit: 25a20dbee47e2778717afc53f5d438b40d543256 (patch)
tree: a362baf173cc7fea2ae5dd049cc308a5d976eed7 /src
parent: 96e4788cde61058167082e95712348212c565bf9 (diff)
download: openbsd-25a20dbee47e2778717afc53f5d438b40d543256.tar.gz
openbsd-25a20dbee47e2778717afc53f5d438b40d543256.tar.bz2
openbsd-25a20dbee47e2778717afc53f5d438b40d543256.zip
1 files changed, 59 insertions, 2 deletions
diff --git a/src/regress/lib/libcrypto/bio/bio_asn1.c b/src/regress/lib/libcrypto/bio/bio_asn1.c
index 9ee2bb5341..ac7f48ced8 100644
--- a/src/regress/lib/libcrypto/bio/bio_asn1.c
+++ b/src/regress/lib/libcrypto/bio/bio_asn1.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bio_asn1.c,v 1.1 2023/03/26 19:14:11 tb Exp $ */
+/*      $OpenBSD: bio_asn1.c,v 1.2 2023/03/31 06:07:44 tb Exp $ */
 /*
 * Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
@@ -21,9 +21,65 @@
 #include <stdlib.h>
 #include <openssl/asn1.h>
+#include <openssl/asn1t.h>
 #include <openssl/bio.h>
-#include <openssl/pkcs7.h>
+#include <openssl/evp.h>
 #include <openssl/objects.h>
+#include <openssl/pkcs7.h>
+/*
+ * Minimal reproducer for the BIO_new_NDEF() write after free fixed in
+ * bio_ndef.c r1.13.
+ */
+static int
+waf_cb(int op, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
+{
+        return 0;
+}
+static const ASN1_AUX WAF_aux = {
+        .asn1_cb = waf_cb,
+};
+static const ASN1_ITEM WAF_it = {
+        .funcs = &WAF_aux,
+};
+static int
+test_bio_new_ndef_waf(void)
+{
+        BIO *out = NULL;
+        int failed = 1;
+        if ((out = BIO_new(BIO_s_mem())) == NULL)
+                goto err;
+        /*
+         * BIO_new_NDEF() pushes out onto asn_bio. The waf_cb() call fails.
+         * Prior to bio_ndef.c r1.13, asn_bio was freed and out->prev_bio
+         * still pointed to it.
+         */
+        if (BIO_new_NDEF(out, NULL, &WAF_it) != NULL) {
+                fprintf(stderr, "%s: BIO_new_NDEF succeeded\n", __func__);
+                goto err;
+        }
+        /*
+         * If out->prev_bio != NULL, this writes to out->prev_bio->next_bio.
+         * After bio_ndef.c r1.13, out is an isolated BIO, so this is a noop.
+         */
+        BIO_pop(out);
+        failed = 0;
+ err:
+        BIO_free(out);
+        return failed;
+}
 /*
 * test_prefix_leak() leaks before asn/bio_asn1.c r1.19.
@@ -167,6 +223,7 @@ main(void)
 {
        int failed = 0;
+        failed |= test_bio_new_ndef_waf();
        failed |= test_prefix_leak();
        failed |= test_infinite_loop();
author	tb <>	2023-03-31 06:07:44 +0000
committer	tb <>	2023-03-31 06:07:44 +0000
commit	25a20dbee47e2778717afc53f5d438b40d543256 (patch)
tree	a362baf173cc7fea2ae5dd049cc308a5d976eed7 /src
parent	96e4788cde61058167082e95712348212c565bf9 (diff)
download	openbsd-25a20dbee47e2778717afc53f5d438b40d543256.tar.gz openbsd-25a20dbee47e2778717afc53f5d438b40d543256.tar.bz2 openbsd-25a20dbee47e2778717afc53f5d438b40d543256.zip

diff --git a/src/regress/lib/libcrypto/bio/bio_asn1.c b/src/regress/lib/libcrypto/bio/bio_asn1.c index 9ee2bb5341..ac7f48ced8 100644 --- a/src/regress/lib/libcrypto/bio/bio_asn1.c +++ b/src/regress/lib/libcrypto/bio/bio_asn1.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: bio_asn1.c,v 1.1 2023/03/26 19:14:11 tb Exp $ */	1	/* $OpenBSD: bio_asn1.c,v 1.2 2023/03/31 06:07:44 tb Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2023 Theo Buehler <tb@openbsd.org>	4	* Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
@@ -21,9 +21,65 @@
21	#include <stdlib.h>	21	#include <stdlib.h>
22		22
23	#include <openssl/asn1.h>	23	#include <openssl/asn1.h>
		24	#include <openssl/asn1t.h>
24	#include <openssl/bio.h>	25	#include <openssl/bio.h>
25	#include <openssl/pkcs7.h>	26	#include <openssl/evp.h>
26	#include <openssl/objects.h>	27	#include <openssl/objects.h>
		28	#include <openssl/pkcs7.h>
		29
		30	/*
		31	* Minimal reproducer for the BIO_new_NDEF() write after free fixed in
		32	* bio_ndef.c r1.13.
		33	*/
		34
		35	static int
		36	waf_cb(int op, ASN1_VALUE *pval, const ASN1_ITEM it, void *exarg)
		37	{
		38	return 0;
		39	}
		40
		41	static const ASN1_AUX WAF_aux = {
		42	.asn1_cb = waf_cb,
		43	};
		44
		45	static const ASN1_ITEM WAF_it = {
		46	.funcs = &WAF_aux,
		47	};
		48
		49	static int
		50	test_bio_new_ndef_waf(void)
		51	{
		52	BIO *out = NULL;
		53	int failed = 1;
		54
		55	if ((out = BIO_new(BIO_s_mem())) == NULL)
		56	goto err;
		57
		58	/*
		59	* BIO_new_NDEF() pushes out onto asn_bio. The waf_cb() call fails.
		60	* Prior to bio_ndef.c r1.13, asn_bio was freed and out->prev_bio
		61	* still pointed to it.
		62	*/
		63
		64	if (BIO_new_NDEF(out, NULL, &WAF_it) != NULL) {
		65	fprintf(stderr, "%s: BIO_new_NDEF succeeded\n", __func__);
		66	goto err;
		67	}
		68
		69	/*
		70	* If out->prev_bio != NULL, this writes to out->prev_bio->next_bio.
		71	* After bio_ndef.c r1.13, out is an isolated BIO, so this is a noop.
		72	*/
		73
		74	BIO_pop(out);
		75
		76	failed = 0;
		77
		78	err:
		79	BIO_free(out);
		80
		81	return failed;
		82	}
27		83
28	/*	84	/*
29	* test_prefix_leak() leaks before asn/bio_asn1.c r1.19.	85	* test_prefix_leak() leaks before asn/bio_asn1.c r1.19.
@@ -167,6 +223,7 @@ main(void)
167	{	223	{
168	int failed = 0;	224	int failed = 0;
169		225
		226	failed \|= test_bio_new_ndef_waf();
170	failed \|= test_prefix_leak();	227	failed \|= test_prefix_leak();
171	failed \|= test_infinite_loop();	228	failed \|= test_infinite_loop();
172		229