
This queue is for tickets about the Net-SSLeay CPAN distribution.

Report information
The Basics
Id: 91310
Status: resolved
Priority: 0/
Queue: Net-SSLeay

People
Owner: MIKEM [...] cpan.org
Requestors: rurban [...] x-ray.at
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 1.55
Fixed in: (no value)



Subject: heap-buffer-overflow with RSA_generate_key with valid callback and userdata
perl5.19.6d-nt-asan (address-sanitizer, DEBUGGING, not threaded) reported the following heap-buffer-overflow

# Testing Net::SSLeay 1.55, Perl 5.019006, /usr/local/bin/perl5.19.6d-nt-asan
# OpenSSL version: 'OpenSSL 1.0.1e 11 Feb 2013'
# OpenSSL platform: 'platform: debian-amd64'

t/local/31_rsa_generate_key.t .......... 1/14
==7114==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x622000019688 at pc 0x7f56b1bde73a bp 0x7fff0f2fb2f0 sp 0x7fff0f2fb2e8
WRITE of size 8 at 0x622000019688 thread T0
    #0 0x7f56b1bde739 in ssleay_RSA_generate_key_cb_invoke /home/rurban/.cpan/build/Net-SSLeay-1.55-098c6e/SSLeay.xs:994
    #1 0x7f56b15dc7d6 in BN_GENCB_call ??:?
    #2 0x7f56b15dd1b0 in BN_generate_prime_ex ??:?
    #3 0x7f56b1605b59 in RSA_generate_key_ex ??:?
    #4 0x7f56b1608f15 in RSA_generate_key ??:?
    #5 0x7f56b1c55f3d in XS_Net__SSLeay_RSA_generate_key /home/rurban/.cpan/build/Net-SSLeay-1.55-098c6e/SSLeay.xs:4255
    #6 0x7f56b6297919 in Perl_pp_entersub /home/rurban/Perl/src/build-5.19.6d-nt-asan/pp_hot.c:2760
    #7 0x7f56b5fcf64b in Perl_runops_debug /home/rurban/Perl/src/build-5.19.6d-nt-asan/dump.c:2270
    #8 0x7f56b59dea00 in S_run_body /home/rurban/Perl/src/build-5.19.6d-nt-asan/perl.c:2428
    #9 0x7f56b59dab59 in perl_run /home/rurban/Perl/src/build-5.19.6d-nt-asan/perl.c:2349
    #10 0x42c2c7 in main /home/rurban/Perl/src/build-5.19.6d-nt-asan/perlmain.c:112
    #11 0x7f56b4860994 in __libc_start_main /home/aurel32/eglibc/eglibc-2.17/csu/libc-start.c:276
    #12 0x42bc6c in _start ??:?

0x622000019688 is located 0 bytes to the right of 5512-byte region [0x622000018100,0x622000019688)
==7114==AddressSanitizer CHECK failed: /tmp/buildd/llvm-toolchain-3.3-3.3/projects/compiler-rt/lib/asan/asan_allocator2.cc:218 "((id)) != (0)" (0x0, 0x0)
    #0 0x42301f in _ZN6__asanL15AsanCheckFailedEPKciS1_yy asan_rtl.o:?
    #1 0x4247f1 in _ZN11__sanitizer11CheckFailedEPKciS1_yy ??:?
    #2 0x40e5d1 in _ZN6__asan13AsanChunkView13GetAllocStackEPN11__sanitizer10StackTraceE ??:?
    #3 0x420286 in _ZN6__asan19DescribeHeapAddressEmm ??:?
    #4 0x4212f2 in __asan_report_error ??:?
    #5 0x422509 in __asan_report_store8 ??:?
    #6 0x7f56b1bde739 in ssleay_RSA_generate_key_cb_invoke /home/rurban/.cpan/build/Net-SSLeay-1.55-098c6e/SSLeay.xs:994
    #7 0x7f56b15dc7d6 in BN_GENCB_call ??:?
    #8 0x7f56b15dd1b0 in BN_generate_prime_ex ??:?
    #9 0x7f56b1605b59 in RSA_generate_key_ex ??:?
    #10 0x7f56b1608f15 in RSA_generate_key ??:?
    #11 0x7f56b1c55f3d in XS_Net__SSLeay_RSA_generate_key /home/rurban/.cpan/build/Net-SSLeay-1.55-098c6e/SSLeay.xs:4255
    #12 0x7f56b6297919 in Perl_pp_entersub /home/rurban/Perl/src/build-5.19.6d-nt-asan/pp_hot.c:2760
    #13 0x7f56b5fcf64b in Perl_runops_debug /home/rurban/Perl/src/build-5.19.6d-nt-asan/dump.c:2270
    #14 0x7f56b59dea00 in S_run_body /home/rurban/Perl/src/build-5.19.6d-nt-asan/perl.c:2428
    #15 0x7f56b59dab59 in perl_run /home/rurban/Perl/src/build-5.19.6d-nt-asan/perl.c:2349
    #16 0x42c2c7 in main /home/rurban/Perl/src/build-5.19.6d-nt-asan/perlmain.c:112
    #17 0x7f56b4860994 in __libc_start_main /home/aurel32/eglibc/eglibc-2.17/csu/libc-start.c:276
    #18 0x42bc6c in _start ??:?

Failed 2/14 subtests

on test 13
RSA_generate_key with valid callback and userdata

The error is rarely reproducible.
Hi,
hmmm can you confirm that on your test machine,
/home/rurban/.cpan/build/Net-SSLeay-1.55-098c6e/SSLeay.xs:994
is this line:

XPUSHs(sv_2mortal( newSViv(i) ));

if not, exactly which line of code is it for you?
Subject: Re: [rt.cpan.org #91310] heap-buffer-overflow with RSA_generate_key with valid callback and userdata
Date: Mon, 16 Dec 2013 07:57:18 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] airspayce.com>
Hi,

did you see my earlier reply to your report? Nothing heard here.

Cheers.

On Tuesday, December 10, 2013 04:33:30 PM you wrote:
> Tue Dec 10 16:33:29 2013: Request 91310 was acted upon.
> Transaction: Ticket created by rurban@x-ray.at
>        Queue: Net-SSLeay
>      Subject: heap-buffer-overflow with RSA_generate_key with valid callback and userdata
>    Broken in: 1.55
>     Severity: (no value)
>        Owner: Nobody
>   Requestors: rurban@x-ray.at
>       Status: new
>  Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=91310 >
> 
> 
> perl5.19.6d-nt-asan (address-sanitizer, DEBUGGING, not threaded) reported the following heap-buffer-overflow
> 
> # Testing Net::SSLeay 1.55, Perl 5.019006, /usr/local/bin/perl5.19.6d-nt-asan
> # OpenSSL version: 'OpenSSL 1.0.1e 11 Feb 2013'
> # OpenSSL platform: 'platform: debian-amd64'
> 
> t/local/31_rsa_generate_key.t .......... 1/14
> ==7114==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x622000019688 at pc 0x7f56b1bde73a bp 0x7fff0f2fb2f0 sp 0x7fff0f2fb2e8
> WRITE of size 8 at 0x622000019688 thread T0
>     #0 0x7f56b1bde739 in ssleay_RSA_generate_key_cb_invoke /home/rurban/.cpan/build/Net-SSLeay-1.55-098c6e/SSLeay.xs:994
>     #1 0x7f56b15dc7d6 in BN_GENCB_call ??:?
>     #2 0x7f56b15dd1b0 in BN_generate_prime_ex ??:?
>     #3 0x7f56b1605b59 in RSA_generate_key_ex ??:?
>     #4 0x7f56b1608f15 in RSA_generate_key ??:?
>     #5 0x7f56b1c55f3d in XS_Net__SSLeay_RSA_generate_key /home/rurban/.cpan/build/Net-SSLeay-1.55-098c6e/SSLeay.xs:4255
>     #6 0x7f56b6297919 in Perl_pp_entersub /home/rurban/Perl/src/build-5.19.6d-nt-asan/pp_hot.c:2760
>     #7 0x7f56b5fcf64b in Perl_runops_debug /home/rurban/Perl/src/build-5.19.6d-nt-asan/dump.c:2270
>     #8 0x7f56b59dea00 in S_run_body /home/rurban/Perl/src/build-5.19.6d-nt-asan/perl.c:2428
>     #9 0x7f56b59dab59 in perl_run /home/rurban/Perl/src/build-5.19.6d-nt-asan/perl.c:2349
>     #10 0x42c2c7 in main /home/rurban/Perl/src/build-5.19.6d-nt-asan/perlmain.c:112
>     #11 0x7f56b4860994 in __libc_start_main /home/aurel32/eglibc/eglibc-2.17/csu/libc-start.c:276
>     #12 0x42bc6c in _start ??:?
> 
> 0x622000019688 is located 0 bytes to the right of 5512-byte region [0x622000018100,0x622000019688)
> ==7114==AddressSanitizer CHECK failed: /tmp/buildd/llvm-toolchain-3.3-3.3/projects/compiler-rt/lib/asan/asan_allocator2.cc:218 "((id)) != (0)" (0x0, 0x0)
>     #0 0x42301f in _ZN6__asanL15AsanCheckFailedEPKciS1_yy asan_rtl.o:?
>     #1 0x4247f1 in _ZN11__sanitizer11CheckFailedEPKciS1_yy ??:?
>     #2 0x40e5d1 in _ZN6__asan13AsanChunkView13GetAllocStackEPN11__sanitizer10StackTraceE ??:?
>     #3 0x420286 in _ZN6__asan19DescribeHeapAddressEmm ??:?
>     #4 0x4212f2 in __asan_report_error ??:?
>     #5 0x422509 in __asan_report_store8 ??:?
>     #6 0x7f56b1bde739 in ssleay_RSA_generate_key_cb_invoke /home/rurban/.cpan/build/Net-SSLeay-1.55-098c6e/SSLeay.xs:994
>     #7 0x7f56b15dc7d6 in BN_GENCB_call ??:?
>     #8 0x7f56b15dd1b0 in BN_generate_prime_ex ??:?
>     #9 0x7f56b1605b59 in RSA_generate_key_ex ??:?
>     #10 0x7f56b1608f15 in RSA_generate_key ??:?
>     #11 0x7f56b1c55f3d in XS_Net__SSLeay_RSA_generate_key /home/rurban/.cpan/build/Net-SSLeay-1.55-098c6e/SSLeay.xs:4255
>     #12 0x7f56b6297919 in Perl_pp_entersub /home/rurban/Perl/src/build-5.19.6d-nt-asan/pp_hot.c:2760
>     #13 0x7f56b5fcf64b in Perl_runops_debug /home/rurban/Perl/src/build-5.19.6d-nt-asan/dump.c:2270
>     #14 0x7f56b59dea00 in S_run_body /home/rurban/Perl/src/build-5.19.6d-nt-asan/perl.c:2428
>     #15 0x7f56b59dab59 in perl_run /home/rurban/Perl/src/build-5.19.6d-nt-asan/perl.c:2349
>     #16 0x42c2c7 in main /home/rurban/Perl/src/build-5.19.6d-nt-asan/perlmain.c:112
>     #17 0x7f56b4860994 in __libc_start_main /home/aurel32/eglibc/eglibc-2.17/csu/libc-start.c:276
>     #18 0x42bc6c in _start ??:?
> 
> Failed 2/14 subtests
> 
> on test 13
> RSA_generate_key with valid callback and userdata
> 
> The error is rarely reproducible.
-- 
Mike McCauley VK4AMM mikem@airspayce.com
Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia
http://www.airspayce.com
Phone +61 7 5598-7474 Fax +61 7 5598-7070
On Tue Dec 10 20:59:15 2013, MIKEM wrote:
> Hi,
> hmmm can you confirm that on your test machine,
> /home/rurban/.cpan/build/Net-SSLeay-1.55-098c6e/SSLeay.xs:994
> is this line:
> 
> XPUSHs(sv_2mortal( newSViv(i) ));
Yes, it's 1.55 pure.
It's obviously a wrong stack pointer. Debugging it now...

-- 
Reini Urban
Subject: Re: [rt.cpan.org #91310] heap-buffer-overflow with RSA_generate_key with valid callback and userdata
Date: Sun, 22 Dec 2013 08:41:49 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] airspayce.com>
Any luck?

On Sunday, December 15, 2013 07:16:46 PM Reini Urban via RT wrote:
>       Queue: Net-SSLeay
>      Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=91310 >
> 
> On Tue Dec 10 20:59:15 2013, MIKEM wrote:
> > Hi,
> > hmmm can you confirm that on your test machine,
> > /home/rurban/.cpan/build/Net-SSLeay-1.55-098c6e/SSLeay.xs:994
> > 
> > is this line:
> > XPUSHs(sv_2mortal( newSViv(i) ));
> 
> Yes, it's 1.55 pure.
> It's obviously a wrong stack pointer. debugging it now...
From: rurban [...] x-ray.at
On Sat Dec 21 17:42:00 2013, mikem@airspayce.com wrote:
> Any luck?
I could reproduce SEGVs at test 7 and test 13 again with latest blead non-threaded.
This is for test 6:

$ gdb --args /usr/local/bin/perl5.19.8d-nt@91fc0422 -Mblib t/local/31_rsa_generate_key.t
GNU gdb (GDB) 7.6.1 (Debian 7.6.1-1)
/usr/local/bin/perl5.19.8d-nt@91fc0422...done.
(gdb) r
Starting program: /usr/local/bin/perl5.19.8d-nt@91fc0422 -Mblib t/local/31_rsa_generate_key.t
1..14
ok 1 - RSA_generate_key with valid callback
ok 2 - RSA_generate_key with invalid callback
ok 3 - RSA_generate_key callback is executed in void context
ok 4 - userdata will be undef if no userdata was given
ok 5 - first argument is defined
ok 6 - second argument is defined

Program received signal SIGSEGV, Segmentation fault.
0x000000000058f8b2 in Perl_pp_entersub () at pp_hot.c:2689
2689	    if (SvPADTMP(*MARK) && !IS_PADGV(*MARK))
(gdb) bt
#0  0x000000000058f8b2 in Perl_pp_entersub () at pp_hot.c:2689
#1  0x0000000000458e9e in Perl_call_sv (sv=0xded890, flags=5) at perl.c:2733
#2  0x00007ffff68784db in ssleay_RSA_generate_key_cb_invoke (i=0, n=65, data=0xe37dc0) at SSLeay.xs:1000
#3  0x00007ffff62b1327 in BN_GENCB_call () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
#4  0x00007ffff62b1cf1 in BN_generate_prime_ex () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
#5  0x00007ffff62da5b7 in RSA_generate_key_ex () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
#6  0x00007ffff62ddaf6 in RSA_generate_key () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
#7  0x00007ffff68a3d55 in XS_Net__SSLeay_RSA_generate_key (cv=<optimized out>) at SSLeay.xs:4255
#8  0x0000000000590091 in Perl_pp_entersub () at pp_hot.c:2769
#9  0x00000000005312d3 in Perl_runops_debug () at dump.c:2308
#10 0x0000000000457c84 in S_run_body (oldscope=1) at perl.c:2428
#11 0x00000000004572b0 in perl_run (my_perl=0x9f1010) at perl.c:2349
#12 0x000000000041cf32 in main (argc=3, argv=0x7fffffffe678, env=0x7fffffffe698) at perlmain.c:112

wrong mark stack:

(gdb) p *MARK
$2 = (SV *) 0xfff9ae1400000128
(gdb) p **MARK
Cannot access memory at address 0xfff9ae1400000128
(gdb) up
#1  0x0000000000458e9e in Perl_call_sv (sv=0xded890, flags=5) at perl.c:2733
2733	    CALL_BODY_SUB((OP*)&myop);
(gdb) p myop
$3 = {op_next = 0x0, op_sibling = 0x0, op_ppaddr = 0x0, op_targ = 0, op_type = 0, op_opt = 0, op_slabbed = 0, op_savefree = 0, op_static = 0, op_folded = 0, op_spare = 0, op_flags = 65 'A', op_private = 0 '\000', op_first = 0x0, op_other = 0x0}
(gdb) p Perl_sv_dump(sv)
SV = IV(0xded880) at 0xded890
  REFCNT = 2
  FLAGS = (TEMP,ROK)
  RV = 0xd47a90
  SV = PVCV(0xdba708) at 0xd47a90
    REFCNT = 4
    FLAGS = ()
    COMP_STASH = 0x9f2e30	"main"
    START = 0xc8ac60 ===> 1
    ROOT = 0xd3e578
    GVGV::GV = 0xd47bc8	"main" :: "cb"
    FILE = "t/local/31_rsa_generate_key.t"
    DEPTH = 1
    FLAGS = 0x0
    OUTSIDE_SEQ = 2170
    PADLIST = 0xc8a6d0
    PADNAME = 0xd47a60(0xc8a5f0) PAD = 0xd47a78(0xc8b7a0)
       1. 0xd47a30<1> (2170,2173) "$i"
       2. 0xd47a00<1> (2170,2173) "$n"
       3. 0xd479d0<1> (2170,2173) "$d"
       6. 0xd47ca0<2> FAKE "$called" flags=0x0 index=11
    OUTSIDE = 0x9f3670 (MAIN)
From: rurban [...] x-ray.at
and the args av is invalid like this:

(gdb) do
#0  0x000000000058f8b2 in Perl_pp_entersub () at pp_hot.c:2689
2689	    if (SvPADTMP(*MARK) && !IS_PADGV(*MARK))
(gdb) l
2684	
2685	    MARK = AvARRAY(av);
2686	    while (items--) {
2687		if (*MARK)
2688		{
2689		    if (SvPADTMP(*MARK) && !IS_PADGV(*MARK))
2690			*MARK = sv_mortalcopy(*MARK);
2691		    SvTEMP_off(*MARK);
2692		}
2693		MARK++;
(gdb) p av
$11 = (AV * const) 0xd47820
(gdb) p *av
$12 = {sv_any = 0xd7e660, sv_refcnt = 3, sv_flags = 2147483659, sv_u = {svu_pv = 0xe1b930 "\270", <incomplete sequence \324>, svu_iv = 14793008, svu_uv = 14793008, svu_rv = 0xe1b930, svu_rx = 0xe1b930, svu_array = 0xe1b930, svu_hash = 0xe1b930, svu_gp = 0xe1b930, svu_fp = 0xe1b930}}
(gdb) p Perl_sv_dump(av)
SV = PVAV(0xd7e660) at 0xd47820
  REFCNT = 3
  FLAGS = ()
  ARRAY = 0xe1b930
  FILL = 2
  MAX = 2
  ARYLEN = 0x0
  FLAGS = (REIFY)
$13 = void
(gdb) p items
$14 = 1
(gdb) p mark
$15 = (SV **) 0xe1b938
(gdb) p Perl_sv_dump(0xe1b930)
SV = UNKNOWN(0x14) (0xd476b8) at 0xe1b930
  REFCNT = 296
  FLAGS = (TEMP,OBJECT,GMG,SMG,RMG,NOK,POK,ROK,WEAKREF,OOK,FAKE,READONLY,IsCOW,BREAK,OVERLOAD,pNOK,PCS_IMPORTED,EVALED,UTF8)
$16 = void
(gdb) p Perl_sv_dump(0xe1b938)
SV = NULL(0xfff9ae1400000128) at 0xe1b938
  REFCNT = 13924816
  FLAGS = ()
$17 = void
(gdb) p PAD_SVl(0)
$18 = (SV *) 0xd47820
(gdb) p Perl_sv_dump(PAD_SVl(0))
SV = PVAV(0xd7e660) at 0xd47820
  REFCNT = 3
  FLAGS = ()
*** Error in `/usr/local/bin/perl5.19.8d-nt@91fc0422': free(): invalid next size (normal): 0x00000000009f5b80 ***
^C
From: rurban [...] x-ray.at
Attached patch fixes the problems.

You mixed up PUTBACK with SPAGAIN in ssleay_RSA_generate_key_cb_invoke()
A final PUTBACK is needed here.

A second issue is also fixed:
cb->data defaults to &PL_sv_undef but throughout the code you do not check against &PL_sv_undef, just NULL. To avoid passing the 3rd optional arg at all, do not create it. This fixes all the cb->data checks and wrong refcounts on &PL_sv_undef.
Subject: 0001-Fix-91310-and-PL_sv_undef-cb-data-checks.patch
From c78d63e428d3041e2253c90cdd218c3865921a91 Mon Sep 17 00:00:00 2001 From: Reini Urban <rurban@cpanel.net> Date: Mon, 30 Dec 2013 12:11:50 -0600 Subject: [PATCH] Fix #91310 and &PL_sv_undef cb->data checks You mixed up PUTBACK with SPAGAIN in ssleay_RSA_generate_key_cb_invoke() A final PUTBACK is needed here. cb->data defaults to &PL_sv_undef but throughout the code you do not check against &PL_sv_undef, just NULL. To avoid passing the 3rd optional arg at all, do not create it. This fixes all the cb->data checks and wrong refcounts on &PL_sv_undef. --- SSLeay.xs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SSLeay.xs b/SSLeay.xs index fa51e22..2ed8508 100644 --- a/SSLeay.xs +++ b/SSLeay.xs @@ -424,7 +424,7 @@ simple_cb_data_t* simple_cb_data_new(SV* func, SV* data) SvREFCNT_inc(func); SvREFCNT_inc(data); cb->func = func; - cb->data = data; + cb->data = (data == &PL_sv_undef) ? NULL : data; } return cb; } @@ -955,7 +955,7 @@ void ssleay_RSA_generate_key_cb_invoke(int i, int n, void* data) croak ("Net::SSLeay: ssleay_RSA_generate_key_cb_invoke " "perl function did return something in void context.\n"); - PUTBACK; + SPAGAIN; FREETMPS; LEAVE; } -- 1.8.5.2
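Review bot: in the simple_cb_data_new hunk the unconditional `SvREFCNT_inc(data);` two lines above the changed assignment still runs when data is &PL_sv_undef, so a reference is taken but cb->data is set to NULL and whatever later does SvREFCNT_dec(cb->data) skips it (SvREFCNT_dec on NULL is a no-op); make the increment conditional as well, e.g. replace the pair with `cb->data = (data == &PL_sv_undef) ? NULL : data; if (cb->data) SvREFCNT_inc(cb->data);`. Also worth a line in the RSA_generate_key POD: after this change an explicit undef passed as userdata and no userdata at all are indistinguishable, and the callback gets two arguments instead of three in both cases.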
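Review bot: the commit message says "A final PUTBACK is needed here", but the ssleay_RSA_generate_key_cb_invoke hunk does the reverse and replaces the trailing PUTBACK with SPAGAIN; the code is right, so reword the message. Once the callback has returned in void context (the croak just above the hunk is the check for that) the interpreter has already popped the i, n and userdata arguments and PL_stack_sp sits below them, while the local SP still points above them; PUTBACK then publishes a top that is too high by the argument count, and because BN_GENCB_call invokes this function many times during prime generation the drift accumulates, which is the "wrong stack pointer" and the bad MARK in pp_entersub that the gdb session above shows. SPAGAIN refreshes the local SP from PL_stack_sp, and since nothing is pushed or popped after it no PUTBACK is needed before FREETMPS/LEAVE. Style point: the usual perlcall sequence is SPAGAIN immediately after call_sv and before the returned count is inspected, so consider moving it above the croak rather than leaving it as the last statement before FREETMPS.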
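The PUTBACK/SPAGAIN mix-up that the patch above fixes is easier to see in isolation. What follows is an added example, not Net-SSLeay or perl source: a toy C model of the Perl argument-stack macros (dSP, PUSHMARK, XPUSHs, EXTEND, PUTBACK, SPAGAIN, call_sv, stack_grow) reconstructed from the perlcall conventions, with cb_invoke() standing in for ssleay_RSA_generate_key_cb_invoke() and run_keygen() standing in for the repeated BN_GENCB_call invocations during key generation. The macro names and PL_stack_* globals mirror perl's, but their bodies here are the model's own; the 64-slot stack, the 1000 rounds, the n=65 argument and the userdata value 42 are arbitrary choices made for the example.

```c
/*
 * Added example, not Net-SSLeay or perl code: a toy model of the Perl
 * argument-stack discipline behind ticket #91310.  The macro and global
 * names follow perlapi, the implementations are this model's own.
 * The 1.55 bug and the patch differ only in the last statement of cb_invoke().
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef long SV;                 /* a "scalar" is just a number in this model */

static SV       *stack_base;     /* PL_stack_base: start of the argument stack */
static SV       *stack_sp;       /* PL_stack_sp:   interpreter's current top   */
static SV       *stack_max;      /* PL_stack_max:  last usable slot            */
static ptrdiff_t mark_off;       /* perl keeps marks as offsets, not pointers  */
static long      grow_count;     /* how often the stack had to be reallocated  */

static void stack_init(size_t slots)
{
    stack_base = calloc(slots, sizeof *stack_base);
    if (!stack_base) abort();
    stack_sp   = stack_base;     /* empty stack: sp sits on slot 0 */
    stack_max  = stack_base + slots - 1;
    grow_count = 0;
}

/* Like Perl_stack_grow: publish sp, reallocate, relocate the globals. */
static SV *stack_grow(SV *sp, size_t need)
{
    size_t used   = (size_t)(sp - stack_base);
    size_t newcap = (used + need + 1) * 2;
    SV *nb = realloc(stack_base, newcap * sizeof *nb);
    if (!nb) abort();
    stack_base = nb;
    stack_max  = nb + newcap - 1;
    stack_sp   = nb + used;      /* the global pointer moves with the array */
    grow_count++;
    return stack_sp;
}

#define dSP         SV *sp = stack_sp
#define SPAGAIN     (sp = stack_sp)          /* refresh local sp from the global */
#define PUTBACK     (stack_sp = sp)          /* publish local sp as the global   */
#define PUSHMARK(p) (mark_off = (p) - stack_base)
#define EXTEND(n)   do { if (stack_max - sp < (ptrdiff_t)(n)) sp = stack_grow(sp, (n)); } while (0)
#define XPUSHs(v)   do { EXTEND(1); *++sp = (v); } while (0)

typedef void (*perl_sub)(const SV *args, size_t nargs);

/* Void-context call: the callee sees mark+1..top, then the args are gone. */
static int call_sv(perl_sub cv)
{
    SV *mark = stack_base + mark_off;
    cv(mark + 1, (size_t)(stack_sp - mark));
    stack_sp = mark;             /* void context: nothing is returned */
    return 0;                    /* number of returned values */
}

/* What ssleay_RSA_generate_key_cb_invoke() does on every BN_GENCB_call(). */
static void cb_invoke(int i, int n, const SV *userdata, perl_sub func, int fixed)
{
    dSP;
    PUSHMARK(sp);
    XPUSHs(i);
    XPUSHs(n);
    if (userdata) XPUSHs(*userdata);    /* optional third argument */
    PUTBACK;                            /* hand the args to the interpreter */
    if (call_sv(func) != 0) abort();    /* "did return something in void context" */
    if (fixed)
        SPAGAIN;   /* patched: resync local sp; the global is already right */
    else
        PUTBACK;   /* 1.55: stale local sp, 2 or 3 slots past the real top */
}

static long callback_calls;
static void perl_callback(const SV *args, size_t nargs)
{
    (void)args; (void)nargs;    /* stands in for the Perl sub; sees correct args either way */
    callback_calls++;
}

/* Drive the callback `rounds` times, as prime generation would, and report how
   many slots PL_stack_sp drifted above where it started.  Correct code: 0. */
static long run_keygen(int rounds, int fixed, int with_userdata)
{
    static const SV userdata = 42;      /* arbitrary userdata for the example */
    stack_init(64);
    callback_calls = 0;
    ptrdiff_t before = stack_sp - stack_base;
    for (int r = 0; r < rounds; r++)
        cb_invoke(r % 4, 65, with_userdata ? &userdata : NULL, perl_callback, fixed);
    long drift = (long)((stack_sp - stack_base) - before);
    free(stack_base);
    stack_base = stack_sp = stack_max = NULL;
    return drift;
}

static long last_grow_count(void)     { return grow_count; }
static long last_callback_calls(void) { return callback_calls; }

int main(void)
{
    printf("1.55 PUTBACK,    1000 rounds: drift %ld slots, %ld reallocs\n",
           run_keygen(1000, 0, 1), last_grow_count());
    printf("patched SPAGAIN, 1000 rounds: drift %ld slots, %ld reallocs\n",
           run_keygen(1000, 1, 1), last_grow_count());
    return 0;
}
```

Compile with any C99 compiler and run. The 1.55 variant reports a drift of three slots per invocation (two without userdata) and several reallocations of the stack array even though the callback never leaves anything on the stack; the patched variant reports zero drift and no reallocation. The Perl callback receives the right arguments in both variants, which is why the bug is invisible from the test's point of view and only surfaces later, when the interpreter reads the slots between the real top and the published one, as in the pp_entersub crash in the gdb session above.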
Subject: Re: [rt.cpan.org #91310] heap-buffer-overflow with RSA_generate_key with valid callback and userdata
Date: Tue, 31 Dec 2013 05:50:26 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] airspayce.com>
Hi,

Thanks for the patch. It is now in SVN 390.

Cheers.

On Monday, December 30, 2013 01:12:49 PM you wrote:
>       Queue: Net-SSLeay
>      Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=91310 >
> 
> Attached patch fixes the problems.
> 
> You mixed up PUTBACK with SPAGAIN in ssleay_RSA_generate_key_cb_invoke()
> A final PUTBACK is needed here.
> 
> A second issue is also fixed:
> cb->data defaults to &PL_sv_undef but throughout the code you do not check
> against &PL_sv_undef, just NULL. To avoid passing the 3rd optional arg at
> all, do not create it. This fixes all the cb->data checks and wrong
> refcounts on &PL_sv_undef.