From patchwork Wed Nov 8 12:49:47 2023
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 3420
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 8 Nov 2023 13:49:47 +0100
Message-ID: <20231108124947.76816-3-gert@greenie.muc.de>
X-Mailer: git-send-email 2.42.0
In-Reply-To: <20231108124947.76816-1-gert@greenie.muc.de>
References: <20231108124947.76816-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH 3/3] Fix using to_link buffer after freed

From: Arne Schwabe

When I refactored the tls_state_change method in 9a7b95fda5 I accidentally
changed a break into a return true while it should return a false.

The code here is extremely fragile in the sense that it assumes that setting
a keystate to S_ERROR cannot have any outgoing buffer or we will have a use
after free. The previous break and now restored return false ensure this by
skipping any further tls_process_state loops that might set to ks->S_ERROR
and ensure that the to_link is sent out and cleared before having more loops
in tls_state_change.

CVE: 2023-46850

This affects everyone, even with tls-auth/tls-crypt enabled.

Change-Id: I2a0f1c665d992da8e24a421ff0ddcb40f7945ea8
Signed-off-by: Arne Schwabe
---
 src/openvpn/ssl.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index e15f951d6..cee4afe19 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -2903,7 +2903,13 @@ tls_process_state(struct tls_multi *multi, CONTROL_SEND_ACK_MAX, true); *to_link = b; dmsg(D_TLS_DEBUG, "Reliable -> TCP/UDP"); - return true; + + /* This changed the state of the outgoing buffer. In order to avoid + * running this function again/further and invalidating the key_state + * buffer and accessing the buffer that is now in to_link after it being + * freed for a potential error, we shortcircuit exiting of the outer + * process here. */ + return false; } /* Write incoming ciphertext to TLS object */
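Review bot: the new comment explains the intent but not the contract the fix depends on, and nothing in the hunk would catch a repeat of the regression the commit message describes (a break turned into return true in 9a7b95fda5). Suggest rewording the comment to state the invariant directly, e.g. `/* Return false: *to_link now references the key_state buffer, so the caller must send and clear it before any further tls_process_state iteration can move this key state to S_ERROR and free it. */`, and consider an ASSERT in the S_ERROR path (or at the caller in tls_state_change) that *to_link does not still point into the key state being freed, so a future refactor fails loudly instead of reading freed memory. Also, "we shortcircuit exiting of the outer process here" is hard to parse; "stop the caller's loop here" says the same thing.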
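The control-flow bug the commit message describes, as an added simplified C model that is not OpenVPN's code: a key state hands its outgoing buffer to the caller via *to_link, a later error step releases that buffer, and returning true after the hand-off lets the error step run before the caller has transmitted, while returning false (the patch) does not. The state names, struct layout and the two-round caller loop are assumptions made for the model.

```c
#include <stdbool.h>
#include <stddef.h>

#define S_SENDING 1   /* hypothetical state: control packet ready to hand off */
#define S_ERROR   2   /* hypothetical state: TLS failure, buffers get released */

struct buffer {
    bool valid;       /* models "not yet freed" instead of a real free() */
};

struct key_state {
    int state;
    struct buffer out;  /* the key state's own outgoing buffer */
};

/* One step of the state machine; true means "keep looping".
 * fixed=false reproduces the bug (return true after the hand-off),
 * fixed=true the patch (return false so the caller sends first). */
static bool process_state(struct key_state *ks, struct buffer **to_link,
                          bool fixed)
{
    if (ks->state == S_SENDING) {
        *to_link = &ks->out;    /* hand the buffer to the caller */
        ks->state = S_ERROR;    /* the next step will fail */
        return !fixed;
    }
    if (ks->state == S_ERROR) {
        ks->out.valid = false;  /* free(): invalidates what *to_link references */
    }
    return false;
}

/* Caller as the commit message describes it: loop while a step reports a
 * change, then send and clear to_link. Returns false if a freed buffer was
 * ever "sent", i.e. the use-after-free the patch prevents. */
static bool run_and_send(bool fixed)
{
    struct key_state ks = { S_SENDING, { true } };
    struct buffer *to_link = NULL;
    bool sent_valid = true;
    for (int round = 0; round < 2; round++) {
        while (process_state(&ks, &to_link, fixed)) { }
        if (to_link != NULL) {
            sent_valid = sent_valid && to_link->valid;  /* transmit */
            to_link = NULL;                              /* and clear */
        }
    }
    return sent_valid;
}
```

With `fixed=false` the caller transmits a buffer the error step has already released; with `fixed=true` the buffer is sent and cleared before the error step runs on the next round.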