[BUG] chip-cert tool: Fix OpenSSL Object Reuse and Double-Free #24165

Closed
emargolis opened this issue Dec 21, 2022 · 0 comments · Fixed by #24166
Reproduction steps

Don't rely on d2i_X509 object reuse and fix double-free

The chip-cert tool is relying on OpenSSL's "object reuse" mode in
d2i_X509. d2i_X509 has a very bizarre type signature:

X509 *d2i_X509(X509 **out, const unsigned char **inp, long len);

The safest way to call this function is to pass NULL into out. The
function then straightforwardly hands you a new X509 on success, or
NULL on error. However, if out and *out are both NULL, OpenSSL tries
to reuse the existing X509 object.

This does not work, particularly not in the way that chip-cert uses it.
When d2i_X509 fails, even in this mode, it will free what's at *out
and set *out to NULL. So when ReadCert's d2i_X509 call fails, it will
silently free the cert parameter. But the caller doesn't know this
and will double-free it!

OpenSSL's documentation also discourages it:

On a successful return, if *a is not NULL then it is assumed that
*a contains a valid TYPE structure and an attempt is made to reuse
it. This "reuse" capability is present for historical compatibility
but its use is strongly discouraged (see BUGS below, and the
discussion in the RETURN VALUES section).

https://www.openssl.org/docs/man1.1.1/man3/d2i_X509.html
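The ownership hazard described above, as an added example that is not code from the chip-cert tool or from OpenSSL. It runs without OpenSSL: mock_x509_t, mock_d2i_x509, pool_alloc and the read_cert helpers are constructed stand-ins that reproduce only the d2i_X509 behaviour the issue and the man page state (reuse of a non-NULL *out on success; *out freed and set to NULL on failure). Frees go through a small arena so a second free is counted rather than crashing, which lets the buggy "reuse" call pattern and the safe pass-NULL-then-swap pattern be compared side by side.

```c
/* Constructed model of d2i_X509 ownership semantics; not OpenSSL code. */
#include <stddef.h>
#include <string.h>

typedef struct { unsigned char tag; } mock_x509_t;   /* stand-in for X509 */

/* Tiny arena so a double free is observable instead of undefined behaviour. */
#define POOL_SIZE 8
static mock_x509_t g_pool[POOL_SIZE];
static int g_live[POOL_SIZE];
static int g_double_frees;

static void pool_reset(void) { memset(g_live, 0, sizeof g_live); g_double_frees = 0; }

static mock_x509_t *pool_alloc(void) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (!g_live[i]) { g_live[i] = 1; g_pool[i].tag = 0; return &g_pool[i]; }
    return NULL;
}

static void mock_x509_free(mock_x509_t *x) {          /* stand-in for X509_free */
    if (!x) return;
    ptrdiff_t i = x - g_pool;
    if (g_live[i]) g_live[i] = 0; else g_double_frees++;
}

static int mock_x509_live(const mock_x509_t *x) { return x && g_live[x - g_pool]; }

/* Stand-in for d2i_X509 with the semantics quoted in the issue:
 * success + non-NULL *out -> reuse that object; failure -> free *out, set it NULL. */
static mock_x509_t *mock_d2i_x509(mock_x509_t **out, const unsigned char **inp, long len) {
    if (len < 1 || (*inp)[0] != 0x30) {                 /* 0x30 = DER SEQUENCE tag */
        if (out && *out) { mock_x509_free(*out); *out = NULL; }
        return NULL;
    }
    mock_x509_t *x = (out && *out) ? *out : pool_alloc();
    if (!x) return NULL;
    x->tag = (*inp)[0];
    *inp += len;
    if (out) *out = x;
    return x;
}

/* Constructed inputs: a well-formed prefix and a byte that is not a SEQUENCE. */
static const unsigned char good_der[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
static const unsigned char bad_der[]  = { 0x04, 0x00 };

/* Buggy pattern: parse into an object the caller still owns ("object reuse"). */
static int buggy_read_cert(mock_x509_t *cert, const unsigned char *buf, long len) {
    const unsigned char *p = buf;
    return mock_d2i_x509(&cert, &p, len) ? 0 : -1;     /* on failure, cert is freed here */
}

/* Safe pattern: pass NULL, then swap the new object in only on success. */
static int safe_read_cert(mock_x509_t **cert, const unsigned char *buf, long len) {
    const unsigned char *p = buf;
    mock_x509_t *fresh = mock_d2i_x509(NULL, &p, len);
    if (!fresh) return -1;                              /* caller's *cert is untouched */
    mock_x509_free(*cert);
    *cert = fresh;
    return 0;
}

/* Returns the number of double frees the buggy caller commits (expected: 1). */
int demo_buggy_double_free(void) {
    pool_reset();
    mock_x509_t *cert = pool_alloc();                   /* caller owns this object */
    (void)buggy_read_cert(cert, bad_der, sizeof bad_der); /* fails; silently frees cert */
    mock_x509_free(cert);                               /* caller frees it again */
    return g_double_frees;
}

/* Returns 1 when the safe pattern leaves the caller's object intact on failure,
 * replaces it on success, and commits no double free; 0 otherwise. */
int demo_safe_pattern(void) {
    pool_reset();
    mock_x509_t *cert = pool_alloc();
    cert->tag = 0xAA;
    int rc_fail = safe_read_cert(&cert, bad_der, sizeof bad_der);
    int intact  = mock_x509_live(cert) && cert->tag == 0xAA;
    int rc_ok   = safe_read_cert(&cert, good_der, sizeof good_der);
    int swapped = mock_x509_live(cert) && cert->tag == 0x30;
    mock_x509_free(cert);
    return rc_fail == -1 && intact && rc_ok == 0 && swapped && g_double_frees == 0;
}
```

The safe wrapper is the shape the man page recommends: the decoder never sees the caller's pointer, so a parse failure cannot change who owns what, and the old object is released exactly once, by the code that owns it.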

Bug prevalence

100% of the time

GitHub hash of the SDK that was being used

07fe190

Platform

core

Platform Version(s)

No response

Anything else?

No response
