From patchwork Wed Nov 8 12:49:46 2023
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 3419
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 8 Nov 2023 13:49:46 +0100
Message-ID: <20231108124947.76816-2-gert@greenie.muc.de>
X-Mailer: git-send-email 2.42.0
In-Reply-To: <20231108124947.76816-1-gert@greenie.muc.de>
References: <20231108124947.76816-1-gert@greenie.muc.de>
MIME-Version: 1.0
Subject: [Openvpn-devel] [PATCH 2/3] Double check that we do not use a freed buffer when freeing a session

From: Arne Schwabe

This finds cases where the session has already planned to send out a packet but encounters some other errors that invalidate the session, setting it to S_ERROR and leaving the buffer behind.

This will detect and clear that to_link buffer in that case.

Change-Id: I5ffb41bed1c9237946b13d787eb4c4013e0bec68
Signed-off-by: Arne Schwabe
---
 src/openvpn/ssl.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 5e6205cc2..e15f951d6 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -3155,6 +3155,53 @@ tls_process(struct tls_multi *multi, return false; } + +/** + * This is a safe guard function to double check that a buffer from a session is + * not used in a session to avoid a use after free. + * + * @param to_link + * @param session + */ +static void +check_session_buf_not_used(struct buffer *to_link, struct tls_session *session) +{ + uint8_t *dataptr = to_link->data; + if (!dataptr) + { + return; + } + + /* Checks buffers in tls_wrap */ + if (session->tls_wrap.work.data == dataptr) + { + msg(M_INFO, "Warning buffer of freed TLS session is " + "still in use (tls_wrap.work.data)"); + goto used; + } + + for (int i = 0; i < KS_SIZE; i++) + { + struct key_state *ks = &session->key[i]; + for (int j = 0; j < ks->send_reliable->size; j++) + { + if (ks->send_reliable->array[i].buf.data == dataptr) + { + msg(M_INFO, "Warning buffer of freed TLS session is still in" + " use (session->key[%d].send_reliable->array[%d])", + i, j); + + goto used; + } + } + } + return; + +used: + to_link->len = 0; + to_link->data = 0; + /* for debugging, you can add an ASSERT(0); here to trigger an abort */ +} /* * Called by the top-level event loop. * @@ -3253,6 +3300,7 @@ tls_multi_process(struct tls_multi *multi, } else { + check_session_buf_not_used(to_link, session); reset_session(multi, session); } }
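Review bot: in the first hunk, the inner loop of check_session_buf_not_used() iterates `j` over `ks->send_reliable->size` but compares `ks->send_reliable->array[i].buf.data`, using the outer key-state index; it should be `array[j]`. As written only slot `i` of each reliable array is ever compared, every other slot is skipped, and the "session->key[%d].send_reliable->array[%d]" message reports an index that was not actually checked. Smaller points in the same hunk: `to_link->data = 0;` should be `NULL` for a pointer, the two `@param` lines in the doxygen comment are empty and should describe the buffer and the session, and the log text reads better as "Warning: buffer of freed TLS session is still in use" (this is a state that should never occur, so a warning level rather than M_INFO may be more appropriate if the project's logging levels allow it).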
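Review bot: in the second hunk, the guard is added only at this one call site, on the `else` path before `reset_session(multi, session);`, and nothing says why the branch above it does not need the same check. A one-line comment at the call site would help the next reader, and if reset_session() is the routine that actually releases the session's buffers, placing the check inside it (or inside the session free routine it calls) would cover every caller that frees a session rather than this single path.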
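The commit message describes a guard that runs just before a session is torn down and detects whether the outgoing `to_link` buffer still aliases storage the session owns. The following is an added, self-contained model of that idea; it is constructed example code, not OpenVPN's or the patch author's, and every name in it (`struct buffer`, `struct session`, `session_free`, `clear_if_aliases_session`, the queue and capacity sizes) is an assumption made for the illustration rather than OpenVPN's own definitions. It shows the alias being caught and cleared, and an unrelated buffer being left untouched.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define QUEUE_SLOTS 4   /* constructed: entries in the per-session send queue */
#define BUF_CAP 64      /* constructed: capacity of each buffer */

struct buffer {
    uint8_t *data;      /* start of storage; NULL when the buffer is empty */
    int len;            /* bytes in use */
};

/* Constructed stand-in for a TLS session: a scratch buffer plus a send
 * queue, both owned by the session and released together in session_free(). */
struct session {
    struct buffer work;
    struct buffer send_queue[QUEUE_SLOTS];
};

static void session_init(struct session *s)
{
    s->work.data = calloc(BUF_CAP, 1);
    s->work.len = 0;
    for (int i = 0; i < QUEUE_SLOTS; i++) {
        s->send_queue[i].data = calloc(BUF_CAP, 1);
        s->send_queue[i].len = 0;
    }
}

static void session_free(struct session *s)
{
    free(s->work.data);
    for (int i = 0; i < QUEUE_SLOTS; i++)
        free(s->send_queue[i].data);
    memset(s, 0, sizeof(*s));
}

/* Guard to run *before* session_free(): if the outgoing buffer aliases
 * storage owned by the session, clear the alias so nothing later sends
 * from freed memory. Returns 1 if an alias was found and cleared, 0 if
 * to_link was empty or pointed somewhere else. */
static int clear_if_aliases_session(struct buffer *to_link, const struct session *s)
{
    const uint8_t *p = to_link->data;
    if (!p)
        return 0;

    int hit = (s->work.data == p);
    /* Each queue slot is compared using its own loop index. */
    for (int j = 0; j < QUEUE_SLOTS && !hit; j++)
        hit = (s->send_queue[j].data == p);

    if (hit) {
        to_link->len = 0;
        to_link->data = NULL;
    }
    return hit;
}

/* Scenario 1: a packet was staged in queue slot 2 and to_link was pointed
 * at it, then an error tears the session down. Returns 1 when the guard
 * caught the alias and to_link ends up empty. */
int scenario_alias_is_cleared(void)
{
    struct session s;
    struct buffer to_link;
    session_init(&s);

    memcpy(s.send_queue[2].data, "hello", 5);
    s.send_queue[2].len = 5;
    to_link = s.send_queue[2];   /* to_link now aliases session-owned storage */

    int caught = clear_if_aliases_session(&to_link, &s);
    session_free(&s);

    return caught == 1 && to_link.data == NULL && to_link.len == 0;
}

/* Scenario 2: to_link owns storage unrelated to the session; the guard
 * must leave it alone. Returns 1 when it does. */
int scenario_unrelated_buffer_is_kept(void)
{
    struct session s;
    struct buffer to_link;
    session_init(&s);

    to_link.data = calloc(BUF_CAP, 1);
    memcpy(to_link.data, "data", 4);
    to_link.len = 4;

    int caught = clear_if_aliases_session(&to_link, &s);
    session_free(&s);

    int ok = caught == 0 && to_link.len == 4 && memcmp(to_link.data, "data", 4) == 0;
    free(to_link.data);
    return ok;
}

int main(void)
{
    printf("alias cleared: %d\n", scenario_alias_is_cleared());
    printf("unrelated kept: %d\n", scenario_unrelated_buffer_is_kept());
    return 0;
}
```

The guard returns whether it fired so a caller can log or assert on it; in the real code the equivalent signal is the warning message, which is what makes the otherwise silent dangling alias visible in the logs.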