From patchwork Fri Apr 13 21:26:17 2018
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 318
From: Gert Doering <gert@greenie.muc.de>
To: security@openvpn.net
Cc: jbaines@tenable.com
Date: Sat, 14 Apr 2018 09:26:17 +0200
Message-Id: <20180414072617.25075-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.16.1
Resent-From: Gert Doering
Resent-To: openvpn-devel@lists.sourceforge.net
Resent-Date: Wed, 25 Apr 2018 08:07:59 +0200
Resent-Message-ID: <20180425060759.GM69387@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v2] Fix potential double-free() in Interactive Service (CVE-2018-9336)

Malformed input data on the service pipe towards the OpenVPN interactive service (normally used by the OpenVPN GUI to request openvpn instances from the service) can result in a double free() in the error handling code. This usually only leads to a process crash (DoS by an unprivileged local account) but since it could possibly lead to memory corruption if happening while multiple other threads are active at the same time, CVE-2018-9336 has been assigned to acknowledge this risk.

Fix by ensuring that sud->directory is set to NULL in GetStartUpData() for all error cases (thus not being free()ed in FreeStartupData()). Rewrite control flow to use explicit error label for error exit.

Discovered and reported by Jacob Baines.

CVE: 2018-9336
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--- v2: reword commit message, no code changes --- src/openvpnserv/interactive.c | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index fbc32f90..861f5e70 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -453,7 +453,6 @@ static BOOL GetStartupData(HANDLE pipe, STARTUP_DATA *sud) { size_t size, len; - BOOL ret = FALSE; WCHAR *data = NULL; DWORD bytes, read; @@ -462,7 +461,7 @@ GetStartupData(HANDLE pipe, STARTUP_DATA *sud) { MsgToEventLog(M_SYSERR, TEXT("PeekNamedPipeAsync failed")); ReturnLastError(pipe, L"PeekNamedPipeAsync"); - goto out; + goto err; } size = bytes / sizeof(*data); @@ -470,7 +469,7 @@ GetStartupData(HANDLE pipe, STARTUP_DATA *sud) { MsgToEventLog(M_SYSERR, TEXT("malformed startup data: 1 byte received")); ReturnError(pipe, ERROR_STARTUP_DATA, L"GetStartupData", 1, &exit_event); - goto out; + goto err; } data = malloc(bytes); @@ -478,7 +477,7 @@ GetStartupData(HANDLE pipe, STARTUP_DATA *sud) { MsgToEventLog(M_SYSERR, TEXT("malloc failed")); ReturnLastError(pipe, L"malloc"); - goto out; + goto err; } read = ReadPipeAsync(pipe, data, bytes, 1, &exit_event); @@ -486,14 +485,14 @@ GetStartupData(HANDLE pipe, STARTUP_DATA *sud) { MsgToEventLog(M_SYSERR, TEXT("ReadPipeAsync failed")); ReturnLastError(pipe, L"ReadPipeAsync"); - goto out; + goto err; } if (data[size - 1] != 0) { MsgToEventLog(M_ERR, TEXT("Startup data is not NULL terminated")); ReturnError(pipe, ERROR_STARTUP_DATA, L"GetStartupData", 1, &exit_event); - goto out; + goto err; } sud->directory = data; @@ -503,7 +502,7 @@ GetStartupData(HANDLE pipe, STARTUP_DATA *sud) { MsgToEventLog(M_ERR, TEXT("Startup data ends at working directory")); ReturnError(pipe, ERROR_STARTUP_DATA, L"GetStartupData", 1, &exit_event); - goto out; + goto err; } sud->options = sud->directory + len; 
@@ -513,16 +512,16 @@ GetStartupData(HANDLE pipe, STARTUP_DATA *sud) { MsgToEventLog(M_ERR, TEXT("Startup data ends at command line options")); ReturnError(pipe, ERROR_STARTUP_DATA, L"GetStartupData", 1, &exit_event); - goto out; + goto err; } sud->std_input = sud->options + len; - data = NULL; /* don't free data */ - ret = TRUE; + return TRUE; -out: +err: + sud->directory = NULL; /* caller must not free() */ free(data); - return ret; + return FALSE; }
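Review bot: in the last hunk the new `err:` label clears `sud->directory` before `free(data)`, which covers the two error exits that run after `sud->directory = data;` (the "ends at working directory" and "ends at command line options" checks), but `sud->options`, already assigned from `sud->directory + len` before the second of those checks, is left pointing into the freed buffer. If FreeStartupData() only ever free()s `sud->directory` this is harmless, but the contract is worth making explicit: either clear `sud->options` and `sud->std_input` together with `sud->directory` at `err:`, or extend the `/* caller must not free() */` comment to say that `directory` is the only owning pointer. Minor: the commit message refers to `GetStartUpData()` while the function in the hunk headers is `GetStartupData()`.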
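The ownership rule the commit message describes, modelled as an added C example (not OpenVPN's code): a simplified GetStartupData()/FreeStartupData() pair in which the error label clears the owning pointer before free(), so the caller's unconditional free routine cannot free the buffer a second time. The names startup_data_t, get_startup_data, free_startup_data, run_round and the sample payload are constructed for this illustration.

```c
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

typedef struct {          /* one heap buffer, three NUL-terminated strings */
    wchar_t *directory;   /* owns the buffer; released by free_startup_data() */
    wchar_t *options;     /* points into the same buffer */
    wchar_t *std_input;   /* points into the same buffer */
} startup_data_t;

/* Takes ownership of `data` (size wide chars). Returns 1 on success; on any error
 * it frees the buffer, clears every field and returns 0 (the patched behaviour). */
static int get_startup_data(wchar_t *data, size_t size, startup_data_t *sud)
{
    size_t len;
    if (size == 0 || data[size - 1] != 0) goto err;  /* not NUL terminated */
    sud->directory = data;                           /* ownership moves to sud */
    len = wcslen(sud->directory) + 1;
    if (len >= size) goto err;                       /* ends at working directory */
    size -= len;
    sud->options = sud->directory + len;
    len = wcslen(sud->options) + 1;
    if (len >= size) goto err;                       /* ends at command line options */
    sud->std_input = sud->options + len;
    return 1;
err:
    sud->directory = NULL;   /* the fix: caller must not free() this again */
    sud->options = sud->std_input = NULL;
    free(data);
    return 0;
}

static void free_startup_data(startup_data_t *sud)
{
    free(sud->directory);    /* free(NULL) is a no-op after an error exit */
    sud->directory = NULL;
}

/* Constructed sample payload (not a real pipe capture): directory, options, stdin. */
static const wchar_t SAMPLE_OK[] = L"C:\\work\0--config client.ovpn\0";

/* Parses a copy of the first `size` wide chars of `src`, then frees as the service
 * does. Returns 1 on success, 0 on a clean error, -1 if a field still points at the
 * freed buffer after an error (the pre-patch double-free signature). */
static int run_round(const wchar_t *src, size_t size)
{
    startup_data_t sud = {0};
    wchar_t *buf = malloc(size * sizeof(*buf));
    int ok, dangling;
    if (!buf) return -1;
    memcpy(buf, src, size * sizeof(*buf));
    ok = get_startup_data(buf, size, &sud);
    dangling = !ok && (sud.directory || sud.options || sud.std_input);
    free_startup_data(&sud);   /* unconditional, as the service's caller does */
    return ok ? 1 : dangling ? -1 : 0;
}
```

Sizes 7, 8 and 29 below reproduce, in order, the "not NUL terminated", "ends at working directory" and "ends at command line options" exits.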