From patchwork Thu Jun 1 09:57:21 2023
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 3242
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 1 Jun 2023 11:57:21 +0200
Message-Id: <20230601095721.4065834-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
Subject: [Openvpn-devel] [PATCH] Fix use-after-free with EVP_CIPHER_free

In many scenarios the context will still have a reference to the cipher, so this use-after-free does not explode but it is still wrong.

Change-Id: I59002d6613eaef36d5a47b20b56073e399cfa1df
Signed-off-by: Arne Schwabe
Acked-by: Antonio Quartulli
---
 src/openvpn/crypto_openssl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index c2ac80b74..8fe56fc78 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -839,11 +839,12 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, crypto_msg(M_FATAL, "EVP cipher init #2"); } - EVP_CIPHER_free(kt); /* make sure we used a big enough key */ ASSERT(EVP_CIPHER_CTX_key_length(ctx) <= EVP_CIPHER_key_length(kt)); + EVP_CIPHER_free(kt); } + int cipher_ctx_iv_length(const EVP_CIPHER_CTX *ctx) {
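Review bot: the second `+` line, the extra blank line inserted before `int cipher_ctx_iv_length(const EVP_CIPHER_CTX *ctx)` at the end of the hunk, is an unrelated whitespace change that leaves two consecutive blank lines between functions; drop it so the diff is limited to the `EVP_CIPHER_free(kt)` move. The move itself is the right fix: `ASSERT(EVP_CIPHER_CTX_key_length(ctx) <= EVP_CIPHER_key_length(kt))` dereferences `kt`, so freeing it on the line before was a read of freed memory whether or not the context still held its own reference to the cipher, and the only other exit ahead of the free in this hunk is `crypto_msg(M_FATAL, "EVP cipher init #2")`, which as a fatal error path does not return, so deferring the free introduces no leak. The commit message should also state the concrete ordering problem (free before the assert that reads `kt`) rather than only noting that it usually does not crash, so that the reason for the reorder is visible in history and a sanitizer-enabled build of this function can be pointed at as the way to catch regressions of this kind.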