Openembedded Core Discussions
From: Xufeng Zhang <xufeng.zhang@windriver.com>
To: <openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH] openssl: avoid NULL pointer dereference in three places
Date: Tue, 4 Jun 2013 14:18:40 +0800
Message-ID: <51AD86C0.7050102@windriver.com>
In-Reply-To: <1370326530-23464-1-git-send-email-xufeng.zhang@windriver.com>

On 06/04/2013 02:15 PM, Xufeng Zhang wrote:
> There are three potential NULL pointer dereferences in the
> EVP_DigestInit_ex(), dh_pub_encode() and dsa_pub_encode()
> functions.
> Fix them by adding proper NULL pointer checks.
>
> [YOCTO #4600]
> [ CQID: WIND00373257 ]
>
> Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
> ---
>   ...-pointer-dereference-in-EVP_DigestInit_ex.patch |   16 +++++++++
>   ...NULL-pointer-dereference-in-dh_pub_encode.patch |   34 ++++++++++++++++++++
>   meta/recipes-connectivity/openssl/openssl.inc      |    2 +-
>   .../recipes-connectivity/openssl/openssl_1.0.1e.bb |    2 +
>   4 files changed, 53 insertions(+), 1 deletions(-)
>   create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
>   create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-avoid-NULL-pointer-dereference-in-dh_pub_encode.patch
>
> diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
> new file mode 100644
> index 0000000..69924a4
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
> @@ -0,0 +1,16 @@
> +openssl: avoid NULL pointer dereference in EVP_DigestInit_ex()
> +
> +We should avoid accessing the type pointer if it's NULL,
> +this could happen if ctx->digest is not NULL.
> +---
> +--- a/crypto/evp/digest.c
> ++++ b/crypto/evp/digest.c
> +@@ -199,7 +199,7 @@
> + 		return 0;
> + 		}
> + #endif
> +-	if (ctx->digest != type)
> ++	if (type&&  (ctx->digest != type))
> + 		{
> + 		if (ctx->digest&&  ctx->digest->ctx_size)
> + 			OPENSSL_free(ctx->md_data);
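Review bot: In the crypto/evp/digest.c change, `if (type&&  (ctx->digest != type))` now skips this block whenever type is NULL, but the inner test `if (ctx->digest&&  ctx->digest->ctx_size)` shows that ctx->digest can itself be NULL, so a NULL type with no digest set in ctx is not handled in the visible lines. Please confirm that this path returns an error before ctx->digest is used further down, or add an explicit check for it here. The description "this could happen if ctx->digest is not NULL" would also be clearer if it said when a caller passes a NULL type, and the patch header has no Upstream-Status or Signed-off-by line.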
> diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-avoid-NULL-pointer-dereference-in-dh_pub_encode.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-avoid-NULL-pointer-dereference-in-dh_pub_encode.patch
> new file mode 100644
> index 0000000..642b0ea
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-avoid-NULL-pointer-dereference-in-dh_pub_encode.patch
> @@ -0,0 +1,34 @@
> +openssl: avoid NULL pointer dereference in dh_pub_encode()/dsa_pub_encode()
> +
> +We should avoid accessing the pointer if ASN1_STRING_new()
> +allocates memory failed.
> +---
> +--- a/crypto/dh/dh_ameth.c
> ++++ b/crypto/dh/dh_ameth.c
> +@@ -139,6 +139,12 @@
> + 	dh=pkey->pkey.dh;
> +
> + 	str = ASN1_STRING_new();
> ++	if (!str)
> ++		{
> ++		DHerr(DH_F_DH_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
> ++		goto err;
> ++		}
> ++
> + 	str->length = i2d_DHparams(dh,&str->data);
> + 	if (str->length<= 0)
> + 		{
> +--- a/crypto/dsa/dsa_ameth.c
> ++++ b/crypto/dsa/dsa_ameth.c
> +@@ -148,6 +148,11 @@
> + 		{
> + 		ASN1_STRING *str;
> + 		str = ASN1_STRING_new();
> ++		if (!str)
> ++			{
> ++			DSAerr(DSA_F_DSA_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
> ++			goto err;
> ++			}
> + 		str->length = i2d_DSAparams(dsa,&str->data);
> + 		if (str->length<= 0)
> + 			{
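Review bot: Both new checks, placed after `str = ASN1_STRING_new();` in dh_ameth.c and dsa_ameth.c, jump to `err` with str still NULL, and the err label lies outside the context shown, so it is not visible whether its cleanup tolerates a NULL str and any other pointers not yet assigned at that point. Please confirm this in the description or show the label in the context. The file name mentions only dh_pub_encode although the patch also changes crypto/dsa/dsa_ameth.c; a name covering both functions, or one patch per function, would make the recipe easier to audit. The header also has no Upstream-Status or Signed-off-by line, and "allocates memory failed" should read "fails to allocate memory".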
> diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
> index f5b2432..c753a27 100644
> --- a/meta/recipes-connectivity/openssl/openssl.inc
> +++ b/meta/recipes-connectivity/openssl/openssl.inc
> @@ -5,7 +5,7 @@ BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html"
>   SECTION = "libs/network"
>
>   # Big Jump for OpenSSL 1.0 support with meta-oe
> -INC_PR = "r15"
> +INC_PR = "r16"
>
>   # "openssl | SSLeay" dual license
>   LICENSE = "openssl"
> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
> index 61de3a6..afd5576 100644
> --- a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
> @@ -31,6 +31,8 @@ SRC_URI += "file://configure-targets.patch \
>               file://openssl_fix_for_x32.patch \
>               file://openssl-fix-doc.patch \
>               file://find.pl \
> +	    file://openssl-avoid-NULL-pointer-dereference-in-dh_pub_encode.patch \
> +	    file://openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch \
>    
Looks like I have broken the alignment here. I'll change them when I
send the V2 patch.



Thanks,
Xufeng



>              "
>
>   SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c"
>    



Thread overview: 6+ messages
2013-06-04  6:15 [PATCH] openssl: avoid NULL pointer dereference in three places Xufeng Zhang
2013-06-04  6:18 ` Xufeng Zhang [this message]
2013-08-20  1:59 ` Xufeng Zhang
2013-08-20  4:13   ` Saul Wold
2013-08-20  5:07     ` Xufeng Zhang
2013-08-20 19:16       ` Saul Wold
