Skip to content

Commit 8c11370

Browse files
ndosschendossche
committed
Fix crash when ASN1_STRING_to_UTF8() fails
This function returns -1 on failure. Not checking this causes a segfault if `cert_name` is still NULL, i.e. if the failure happens on the first iteration. If the failure happens on the second iteration, we get a use-after-free. NULL deref example: ``` ==189347==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f961f6f379d bp 0x7ffdc44afed0 sp 0x7ffdc44af658 T0) ==189347==The signal is caused by a READ memory access. ==189347==Hint: address points to the zero page. #0 0x7f961f6f379d (/lib/x86_64-linux-gnu/libc.so.6+0x18b79d) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #1 0x7f9620217826 in strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:389 #2 0x560faa92d119 in php_openssl_matches_san_list /work/php-src/ext/openssl/xp_ssl.c:478 #3 0x560faa92e912 in php_openssl_apply_peer_verification_policy /work/php-src/ext/openssl/xp_ssl.c:636 #4 0x560faa93565b in php_openssl_enable_crypto /work/php-src/ext/openssl/xp_ssl.c:1893 #5 0x560faa939c86 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2516 #6 0x560fab74c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466 #7 0x560fab7557c1 in php_stream_xport_crypto_enable /work/php-src/main/streams/transports.c:387 #8 0x560faa939f29 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2541 php#9 0x560fab74c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466 php#10 0x560fab754655 in php_stream_xport_connect /work/php-src/main/streams/transports.c:248 php#11 0x560fab75365d in _php_stream_xport_create /work/php-src/main/streams/transports.c:145 php#12 0x560fab54d725 in zif_stream_socket_client /work/php-src/ext/standard/streamsfuncs.c:158 php#13 0x560fab6b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306 php#14 0x560fab9e024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154 php#15 0x560fabb40995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519 php#16 0x560fabb558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962 php#17 0x560fabcba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980 php#18 0x560fab6ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645 php#19 0x560fab6ecccb in php_execute_script /work/php-src/main/main.c:2685 php#20 0x560fabcbfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951 php#21 0x560fabcc21e3 in main /work/php-src/sapi/cli/php_cli.c:1362 php#22 0x7f961f5921c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) php#23 0x7f961f59228a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) php#24 0x560faa809b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c) ``` UAF example: ``` ==190632==ERROR: AddressSanitizer: heap-use-after-free on address 0x5020000690f0 at pc 0x7fc2cdb3596f bp 0x7ffce2ed98d0 sp 0x7ffce2ed9078 READ of size 3 at 0x5020000690f0 thread T0 #0 0x7fc2cdb3596e in strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:391 #1 0x558b6eb2d119 in php_openssl_matches_san_list /work/php-src/ext/openssl/xp_ssl.c:478 #2 0x558b6eb2e912 in php_openssl_apply_peer_verification_policy /work/php-src/ext/openssl/xp_ssl.c:636 #3 0x558b6eb3565b in php_openssl_enable_crypto /work/php-src/ext/openssl/xp_ssl.c:1893 #4 0x558b6eb39c86 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2516 #5 0x558b6f94c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466 #6 0x558b6f9557c1 in php_stream_xport_crypto_enable /work/php-src/main/streams/transports.c:387 #7 0x558b6eb39f29 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2541 #8 0x558b6f94c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466 php#9 0x558b6f954655 in php_stream_xport_connect /work/php-src/main/streams/transports.c:248 php#10 0x558b6f95365d in _php_stream_xport_create /work/php-src/main/streams/transports.c:145 php#11 0x558b6f74d725 in zif_stream_socket_client /work/php-src/ext/standard/streamsfuncs.c:158 php#12 0x558b6f8b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306 php#13 0x558b6fbe024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154 php#14 0x558b6fd40995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519 php#15 0x558b6fd558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962 php#16 0x558b6feba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980 php#17 0x558b6f8ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645 php#18 0x558b6f8ecccb in php_execute_script /work/php-src/main/main.c:2685 php#19 0x558b6febfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951 php#20 0x558b6fec21e3 in main /work/php-src/sapi/cli/php_cli.c:1362 php#21 0x7fc2cceb01c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) php#22 0x7fc2cceb028a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) php#23 0x558b6ea09b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c) 0x5020000690f0 is located 0 bytes inside of 9-byte region [0x5020000690f0,0x5020000690f9) freed by thread T0 here: #0 0x7fc2cdbb44d8 in free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52 #1 0x558b6eb2d2fa in php_openssl_matches_san_list /work/php-src/ext/openssl/xp_ssl.c:496 #2 0x558b6eb2e912 in php_openssl_apply_peer_verification_policy /work/php-src/ext/openssl/xp_ssl.c:636 #3 0x558b6eb3565b in php_openssl_enable_crypto /work/php-src/ext/openssl/xp_ssl.c:1893 #4 0x558b6eb39c86 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2516 #5 0x558b6f94c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466 #6 0x558b6f9557c1 in php_stream_xport_crypto_enable /work/php-src/main/streams/transports.c:387 #7 0x558b6eb39f29 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2541 #8 0x558b6f94c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466 php#9 0x558b6f954655 in php_stream_xport_connect /work/php-src/main/streams/transports.c:248 php#10 0x558b6f95365d in _php_stream_xport_create /work/php-src/main/streams/transports.c:145 php#11 0x558b6f74d725 in zif_stream_socket_client /work/php-src/ext/standard/streamsfuncs.c:158 php#12 0x558b6f8b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306 php#13 0x558b6fbe024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154 php#14 0x558b6fd40995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519 php#15 0x558b6fd558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962 php#16 0x558b6feba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980 php#17 0x558b6f8ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645 php#18 0x558b6f8ecccb in php_execute_script /work/php-src/main/main.c:2685 php#19 0x558b6febfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951 php#20 0x558b6fec21e3 in main /work/php-src/sapi/cli/php_cli.c:1362 php#21 0x7fc2cceb01c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) php#22 0x7fc2cceb028a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) php#23 0x558b6ea09b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c) previously allocated by thread T0 here: #0 0x7fc2cdbb59c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69 #1 0x7fc2cd2faeab in ASN1_mbstring_ncopy (/lib/x86_64-linux-gnu/libcrypto.so.3+0xcceab) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #2 0x7fc2cd2fb2e5 in ASN1_mbstring_copy (/lib/x86_64-linux-gnu/libcrypto.so.3+0xcd2e5) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #3 0x7fc2cd2fe2a5 in ASN1_STRING_to_UTF8 (/lib/x86_64-linux-gnu/libcrypto.so.3+0xd02a5) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade) #4 0x558b6eb2d0a8 in php_openssl_matches_san_list /work/php-src/ext/openssl/xp_ssl.c:477 #5 0x558b6eb2e912 in php_openssl_apply_peer_verification_policy /work/php-src/ext/openssl/xp_ssl.c:636 #6 0x558b6eb3565b in php_openssl_enable_crypto /work/php-src/ext/openssl/xp_ssl.c:1893 #7 0x558b6eb39c86 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2516 #8 0x558b6f94c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466 php#9 0x558b6f9557c1 in php_stream_xport_crypto_enable /work/php-src/main/streams/transports.c:387 php#10 0x558b6eb39f29 in php_openssl_sockop_set_option /work/php-src/ext/openssl/xp_ssl.c:2541 php#11 0x558b6f94c610 in _php_stream_set_option /work/php-src/main/streams/streams.c:1466 php#12 0x558b6f954655 in php_stream_xport_connect /work/php-src/main/streams/transports.c:248 php#13 0x558b6f95365d in _php_stream_xport_create /work/php-src/main/streams/transports.c:145 php#14 0x558b6f74d725 in zif_stream_socket_client /work/php-src/ext/standard/streamsfuncs.c:158 php#15 0x558b6f8b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306 php#16 0x558b6fbe024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154 php#17 0x558b6fd40995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519 php#18 0x558b6fd558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962 php#19 0x558b6feba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980 php#20 0x558b6f8ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645 php#21 0x558b6f8ecccb in php_execute_script /work/php-src/main/main.c:2685 php#22 0x558b6febfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951 php#23 0x558b6fec21e3 in main /work/php-src/sapi/cli/php_cli.c:1362 php#24 0x7fc2cceb01c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) php#25 0x7fc2cceb028a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) php#26 0x558b6ea09b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c) ``` Closes phpGH-21017.
1 parent e474d3c commit 8c11370

File tree

1 file changed

+4
-5
lines changed

1 file changed

+4
-5
lines changed

ext/openssl/xp_ssl.c

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -126,10 +126,6 @@
126126
#define GET_VER_OPT_LONG(_name, _num) \
127127
if (GET_VER_OPT(_name)) _num = zval_get_long(val)
128128

129-
/* Used for peer verification in windows */
130-
#define PHP_X509_NAME_ENTRY_TO_UTF8(ne, i, out) \
131-
ASN1_STRING_to_UTF8(&out, X509_NAME_ENTRY_get_data(X509_NAME_get_entry(ne, i)))
132-
133129
#ifdef HAVE_IPV6
134130
/* Used for IPv6 Address peer verification */
135131
#define EXPAND_IPV6_ADDRESS(_str, _bytes) \
@@ -476,7 +472,10 @@ static bool php_openssl_matches_san_list(X509 *peer, const char *subject_name) /
476472
GENERAL_NAME *san = sk_GENERAL_NAME_value(alt_names, i);
477473

478474
if (san->type == GEN_DNS) {
479-
ASN1_STRING_to_UTF8(&cert_name, san->d.dNSName);
475+
if (ASN1_STRING_to_UTF8(&cert_name, san->d.dNSName) < 0) {
476+
/* TODO: warn ? */
477+
continue;
478+
}
480479
if ((size_t)ASN1_STRING_length(san->d.dNSName) != strlen((const char*)cert_name)) {
481480
OPENSSL_free(cert_name);
482481
/* prevent null-byte poisoning*/

0 commit comments

Comments
 (0)