Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chip-cert tool: Fix OpenSSL Object Reuse and Double-Free #24166

Merged
merged 1 commit into from
Dec 22, 2022
Merged

chip-cert tool: Fix OpenSSL Object Reuse and Double-Free #24166

merged 1 commit into from
Dec 22, 2022

Conversation

emargolis
Copy link
Contributor

Fixed #24165

Don't rely on d2i_X509 object reuse and fix double-free

The chip-cert tool is relying on OpenSSL's "object reuse" mode in d2i_X509. d2i_X509 has a very bizarre type signature:

X509 *d2i_X509(X509 **out, const unsigned char **inp, long len);

The safest way to call this function is to pass NULL into out. The function then straightforwardly hands you a new X509 on success, or NULL on error. However, if out and *out are both NULL, OpenSSL tries to reuse the existing X509 object.

This does not work, particular not in the way that chip-cert uses it. When d2i_X509 fails, even in this mode, it will free what's at *out and set *out to NULL. So when ReadCert's d2i_X509 call fails, it will silently free the cert parameter. But the caller doesn't know this and will double-free it!

@emargolis
chip-cert tool: Fix OpenSSL Object Reuse and Double-Free
0758a0f 
Don't rely on d2i_X509 object reuse and fix double-free

The chip-cert tool is relying on OpenSSL's "object reuse" mode in
d2i_X509. d2i_X509 has a very bizarre type signature:

X509 *d2i_X509(X509 **out, const unsigned char **inp, long len);

The safest way to call this function is to pass NULL into out. The
function then straightforwardly hands you a new X509 on success, or
NULL on error. However, if out and *out are both NULL, OpenSSL tries
to reuse the existing X509 object.

This does not work, particular not in the way that chip-cert uses it.
When d2i_X509 fails, even in this mode, it will free what's at *out
and set *out to NULL. So when ReadCert's d2i_X509 call fails, it will
silently free the cert parameter. But the caller doesn't know this
and will double-free it!
@pullapprove pullapprove bot requested a review from andy31415 December 21, 2022 08:12
@github-actions github-actions bot added the tools label Dec 21, 2022
@github-actions
Copy link

github-actions bot commented Dec 21, 2022
edited
Loading

PR #24166: Size comparison from e101730 to 0758a0f

Increases (9 builds for bl702, nrfconnect, psoc6, qpg, telink)
platform target config section e101730 0758a0f change % change
bl702 lighting-app bl702 .debug_info 39187510 39187511 1 0.0
.text 956822 956824 2 0.0
bl702+rpc .debug_info 43479929 43479930 1 0.0
.text 1030802 1030804 2 0.0
nrfconnect all-clusters-app nrf7002dk_nrf5340_cpuapp text 759958 759962 4 0.0
psoc6 all-clusters cy8ckit_062s2_43012 .debug_info 27059808 27059809 1 0.0
all-clusters-minimal cy8ckit_062s2_43012 .debug_info 26796606 26796607 1 0.0
light cy8ckit_062s2_43012 .debug_info 22259220 22259221 1 0.0
lock cy8ckit_062s2_43012 .debug_info 22477606 22477607 1 0.0
qpg lock-app qpg6105+debug (read/write) 1117532 1117540 8 0.0
.text 564628 564636 8 0.0
telink light-switch-app tlsr9518adk80d (read/write) 932280 932288 8 0.0
text 638032 638034 2 0.0
Decreases (4 builds for bl602, k32w, telink)
platform target config section e101730 0758a0f change % change
bl602 lighting-app bl602 .text 1039132 1039130 -2 -0.0
k32w contact k32w0+release (read/write) 662716 662700 -16 -0.0
.text 564468 564452 -16 -0.0
telink all-clusters-app tlsr9518adk80d text 726246 726244 -2 -0.0
thermostat tlsr9518adk80d text 638718 638714 -4 -0.0
Full report (53 builds for bl602, bl702, cc13x2_26x2, cyw30739, efr32, esp32, k32w, linux, mbed, nrfconnect, psoc6, qpg, telink)
platform target config section e101730 0758a0f change % change
bl602 lighting-app bl602 (read/write) 1356338 1356338 0 0.0
.bss 86977 86977 0 0.0
.data 9984 9984 0 0.0
.text 1039132 1039130 -2 -0.0
bl602+rpc (read/write) 1402122 1402122 0 0.0
.bss 95017 95017 0 0.0
.data 10384 10384 0 0.0
.text 1070556 1070556 0 0.0
bl702 lighting-app bl702 (read only) 3262 3262 0 0.0
(read/write) 1196239 1196239 0 0.0
.bleromro 6296 6296 0 0.0
.bleromrw 124 124 0 0.0
.boot2 688 688 0 0.0
.bss 67102 67102 0 0.0
.bss_psram 30048 30048 0 0.0
.comment 48 48 0 0.0
.data 4048 4048 0 0.0
.debug_abbrev 1529044 1529044 0 0.0
.debug_aranges 132568 132568 0 0.0
.debug_frame 486476 486476 0 0.0
.debug_info 39187510 39187511 1 0.0
.debug_line 5150394 5150394 0 0.0
.debug_loc 3381271 3381271 0 0.0
.debug_ranges 363816 363816 0 0.0
.debug_str 3483190 3483190 0 0.0
.hbn 509 509 0 0.0
.hbn_noinit 260 260 0 0.0
.init 342 342 0 0.0
.init_array 144 144 0 0.0
.psram 0 0 0 0.0
.riscv.attributes 47 47 0 0.0
.rodata 116352 116352 0 0.0
.rsvd 3188 3188 0 0.0
.shstrtab 293 293 0 0.0
.stack 2048 2048 0 0.0
.strtab 569376 569376 0 0.0
.symtab 172144 172144 0 0.0
.tcm_data 36 36 0 0.0
.tcmcode 3262 3262 0 0.0
.text 0 0 0 0.0
956822 956824 2 0.0
bl702+rpc (read only) 3262 3262 0 0.0
(read/write) 1284747 1284747 0 0.0
.bleromro 6296 6296 0 0.0
.bleromrw 124 124 0 0.0
.boot2 688 688 0 0.0
.bss 75118 75118 0 0.0
.bss_psram 30304 30304 0 0.0
.comment 48 48 0 0.0
.data 4576 4576 0 0.0
.debug_abbrev 1676376 1676376 0 0.0
.debug_aranges 140688 140688 0 0.0
.debug_frame 513896 513896 0 0.0
.debug_info 43479929 43479930 1 0.0
.debug_line 5539843 5539843 0 0.0
.debug_loc 3575978 3575978 0 0.0
.debug_ranges 387352 387352 0 0.0
.debug_str 3885588 3885588 0 0.0
.hbn 509 509 0 0.0
.hbn_noinit 260 260 0 0.0
.init 342 342 0 0.0
.init_array 160 160 0 0.0
.psram 0 0 0 0.0
.riscv.attributes 47 47 0 0.0
.rodata 130112 130112 0 0.0
.rsvd 3188 3188 0 0.0
.shstrtab 293 293 0 0.0
.stack 2048 2048 0 0.0
.strtab 629660 629660 0 0.0
.symtab 190320 190320 0 0.0
.tcm_data 36 36 0 0.0
.tcmcode 3262 3262 0 0.0
.text 0 0 0 0.0
1030802 1030804 2 0.0
cc13x2_26x2 all-clusters-app LP_CC2652R7 (read only) 679867 679867 0 0.0
(read/write) 171580 171580 0 0.0
.bss 81140 81140 0 0.0
.data 3380 3380 0 0.0
.rodata 89995 89995 0 0.0
.text 589560 589560 0 0.0
all-clusters-minimal-app LP_CC2652R7 (read only) 644139 644139 0 0.0
(read/write) 157916 157916 0 0.0
.bss 80420 80420 0 0.0
.data 3380 3380 0 0.0
.rodata 79139 79139 0 0.0
.text 564680 564680 0 0.0
lock-ftd LP_CC2652R7 (read only) 677399 677399 0 0.0
(read/write) 171608 171608 0 0.0
.bss 78788 78788 0 0.0
.data 3304 3304 0 0.0
.rodata 77415 77415 0 0.0
.text 599504 599504 0 0.0
lock-mtd LP_CC2652R7 (read only) 662203 662203 0 0.0
(read/write) 182068 182068 0 0.0
.bss 74052 74052 0 0.0
.data 3304 3304 0 0.0
.rodata 103507 103507 0 0.0
.text 558216 558216 0 0.0
pump-app LP_CC2652R7 (read only) 690439 690439 0 0.0
(read/write) 159304 159304 0 0.0
.bss 78756 78756 0 0.0
.data 3296 3296 0 0.0
.rodata 91031 91031 0 0.0
.text 598924 598924 0 0.0
pump-controller-app LP_CC2652R7 (read only) 674363 674363 0 0.0
(read/write) 175484 175484 0 0.0
.bss 78860 78860 0 0.0
.data 3292 3292 0 0.0
.rodata 86587 86587 0 0.0
.text 587296 587296 0 0.0
shell LP_CC2652R7 (read only) 671090 671090 0 0.0
(read/write) 182684 182684 0 0.0
.bss 83468 83468 0 0.0
.data 3376 3376 0 0.0
.rodata 86738 86738 0 0.0
.text 584036 584036 0 0.0
cyw30739 light cyw930739m2evb_01 (read/write) 588482 588482 0 0.0
.app_xip_area 464828 464828 0 0.0
.bss 66112 66112 0 0.0
.data 728 728 0 0.0
.rodata 0 0 0 0.0
.text 112 112 0 0.0
lock cyw930739m2evb_01 (read/write) 592294 592294 0 0.0
.app_xip_area 463344 463344 0 0.0
.bss 71400 71400 0 0.0
.data 736 736 0 0.0
.rodata 0 0 0 0.0
.text 112 112 0 0.0
ota-requestor-no-progress-logging cyw930739m2evb_01 (read/write) 551862 551862 0 0.0
.app_xip_area 433704 433704 0 0.0
.bss 60656 60656 0 0.0
.data 684 684 0 0.0
.rodata 0 0 0 0.0
.text 112 112 0 0.0
efr32 lighting-app BRD4161A+rpc (read/write) 976468 976468 0 0.0
.bss 152172 152172 0 0.0
.data 2168 2168 0 0.0
.text 822108 822108 0 0.0
BRD4161A+rs911x (read/write) 1038832 1038832 0 0.0
.bss 186648 186648 0 0.0
.data 2012 2012 0 0.0
.text 850152 850152 0 0.0
BRD4187C (read/write) 1149860 1149860 0 0.0
.bss 138568 138568 0 0.0
.data 2516 2516 0 0.0
.text 984180 984180 0 0.0
lock-app BRD4161A+wf200 (read/write) 1069136 1069136 0 0.0
.bss 158184 158184 0 0.0
.data 2020 2020 0 0.0
.text 908908 908908 0 0.0
window-app BRD4187C (read/write) 1142504 1142504 0 0.0
.bss 139984 139984 0 0.0
.data 2540 2540 0 0.0
.text 975384 975384 0 0.0
esp32 all-clusters-app c3devkit (read only) 1219468 1219468 0 0.0
(read/write) 1790954 1790954 0 0.0
.dram0.bss 76912 76912 0 0.0
.dram0.data 13928 13928 0 0.0
.flash.rodata 248392 248392 0 0.0
.flash.text 1219468 1219468 0 0.0
.iram0.text 71188 71188 0 0.0
m5stack (read only) 1233407 1233407 0 0.0
(read/write) 564187 564187 0 0.0
.dram0.bss 82064 82064 0 0.0
.dram0.data 34224 34224 0 0.0
.flash.rodata 314180 314180 0 0.0
.flash.text 1228023 1228023 0 0.0
.iram0.text 124803 124803 0 0.0
k32w contact k32w0+release (read/write) 662716 662700 -16 -0.0
.bss 77032 77032 0 0.0
.data 2104 2104 0 0.0
.text 564468 564452 -16 -0.0
light k32w0+release (read/write) 673400 673400 0 0.0
.bss 74824 74824 0 0.0
.data 2060 2060 0 0.0
.text 593788 593788 0 0.0
lock k32w0+release (read/write) 634228 634228 0 0.0
.bss 75584 75584 0 0.0
.data 2080 2080 0 0.0
.text 553836 553836 0 0.0
linux all-clusters-app debug (read only) 3114233 3114233 0 0.0
(read/write) 158504 158504 0 0.0
.bss 62464 62464 0 0.0
.data 2304 2304 0 0.0
.data.rel.ro 87160 87160 0 0.0
.dynamic 608 608 0 0.0
.got 4768 4768 0 0.0
.init 27 27 0 0.0
.init_array 1184 1184 0 0.0
.rodata 281611 281611 0 0.0
.text 2648082 2648082 0 0.0
all-clusters-minimal-app debug (read only) 2937881 2937881 0 0.0
(read/write) 149936 149936 0 0.0
.bss 61664 61664 0 0.0
.data 2272 2272 0 0.0
.data.rel.ro 79528 79528 0 0.0
.dynamic 608 608 0 0.0
.got 4680 4680 0 0.0
.init 27 27 0 0.0
.init_array 1160 1160 0 0.0
.rodata 281035 281035 0 0.0
.text 2475346 2475346 0 0.0
bridge-app debug (read only) 2475721 2475721 0 0.0
(read/write) 131248 131248 0 0.0
.bss 51488 51488 0 0.0
.data 3792 3792 0 0.0
.data.rel.ro 69912 69912 0 0.0
.dynamic 608 608 0 0.0
.got 4576 4576 0 0.0
.init 27 27 0 0.0
.init_array 840 840 0 0.0
.rodata 211808 211808 0 0.0
.text 2094178 2094178 0 0.0
chip-tool debug (read only) 11182505 11182505 0 0.0
(read/write) 646712 646712 0 0.0
.bss 25912 25912 0 0.0
.data 2754 2754 0 0.0
.data.rel.ro 611488 611488 0 0.0
.dynamic 608 608 0 0.0
.got 5184 5184 0 0.0
.init 27 27 0 0.0
.init_array 728 728 0 0.0
.rodata 605061 605061 0 0.0
.text 9078724 9078724 0 0.0
chip-tool-ipv6only arm64 (read only) 10595628 10595628 0 0.0
(read/write) 695848 695848 0 0.0
.bss 33912 33912 0 0.0
.data 2768 2768 0 0.0
.data.rel.ro 640296 640296 0 0.0
.dynamic 560 560 0 0.0
.got 13824 13824 0 0.0
.init 24 24 0 0.0
.init_array 200 200 0 0.0
.rodata 535196 535196 0 0.0
.text 8412836 8412836 0 0.0
lighting-app debug+rpc (read only) 2664097 2664097 0 0.0
(read/write) 132424 132424 0 0.0
.bss 49984 49984 0 0.0
.data 2288 2288 0 0.0
.data.rel.ro 73944 73944 0 0.0
.dynamic 608 608 0 0.0
.got 4632 4632 0 0.0
.init 27 27 0 0.0
.init_array 928 928 0 0.0
.rodata 228224 228224 0 0.0
.text 2259266 2259266 0 0.0
lock-app debug (read only) 2623161 2623161 0 0.0
(read/write) 127376 127376 0 0.0
.bss 48416 48416 0 0.0
.data 1904 1904 0 0.0
.data.rel.ro 70856 70856 0 0.0
.dynamic 608 608 0 0.0
.got 4664 4664 0 0.0
.init 27 27 0 0.0
.init_array 904 904 0 0.0
.rodata 244488 244488 0 0.0
.text 2206914 2206914 0 0.0
ota-provider-app debug (read only) 2189817 2189817 0 0.0
(read/write) 105512 105512 0 0.0
.bss 46560 46560 0 0.0
.data 2080 2080 0 0.0
.data.rel.ro 51784 51784 0 0.0
.dynamic 608 608 0 0.0
.got 3728 3728 0 0.0
.init 27 27 0 0.0
.init_array 736 736 0 0.0
.rodata 195336 195336 0 0.0
.text 1854914 1854914 0 0.0
ota-requestor-app debug (read only) 2358601 2358601 0 0.0
(read/write) 113856 113856 0 0.0
.bss 49088 49088 0 0.0
.data 2448 2448 0 0.0
.data.rel.ro 57128 57128 0 0.0
.dynamic 608 608 0 0.0
.got 3728 3728 0 0.0
.init 27 27 0 0.0
.init_array 824 824 0 0.0
.rodata 202512 202512 0 0.0
.text 2007330 2007330 0 0.0
shell debug (read only) 2646705 2646705 0 0.0
(read/write) 143000 143000 0 0.0
.bss 57864 57864 0 0.0
.data 1264 1264 0 0.0
.data.rel.ro 78056 78056 0 0.0
.dynamic 608 608 0 0.0
.got 4128 4128 0 0.0
.init 27 27 0 0.0
.init_array 1032 1032 0 0.0
.rodata 239858 239858 0 0.0
.text 2247282 2247282 0 0.0
thermostat-no-ble arm64 (read only) 2477724 2477724 0 0.0
(read/write) 144936 144936 0 0.0
.bss 55336 55336 0 0.0
.data 1816 1816 0 0.0
.data.rel.ro 78560 78560 0 0.0
.dynamic 560 560 0 0.0
.got 5184 5184 0 0.0
.init 24 24 0 0.0
.init_array 432 432 0 0.0
.rodata 149560 149560 0 0.0
.text 2067776 2067776 0 0.0
tv-app debug (read only) 3286497 3286497 0 0.0
(read/write) 262216 262216 0 0.0
.bss 170808 170808 0 0.0
.data 4256 4256 0 0.0
.data.rel.ro 80464 80464 0 0.0
.dynamic 608 608 0 0.0
.got 5000 5000 0 0.0
.init 27 27 0 0.0
.init_array 1064 1064 0 0.0
.rodata 268856 268856 0 0.0
.text 2823458 2823458 0 0.0
tv-casting-app debug (read only) 5645697 5645697 0 0.0
(read/write) 162608 162608 0 0.0
.bss 52184 52184 0 0.0
.data 1936 1936 0 0.0
.data.rel.ro 101880 101880 0 0.0
.dynamic 608 608 0 0.0
.got 4920 4920 0 0.0
.init 27 27 0 0.0
.init_array 1040 1040 0 0.0
.rodata 359321 359321 0 0.0
.text 5008930 5008930 0 0.0
mbed lock-app CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 2463832 2463832 0 0.0
.bss 214932 214932 0 0.0
.data 5872 5872 0 0.0
.text 1426476 1426476 0 0.0
nrfconnect all-clusters-app nrf52840dk_nrf52840 (read/write) 1190983 1190983 0 0.0
bss 145205 145205 0 0.0
rodata 144540 144540 0 0.0
text 820122 820122 0 0.0
nrf7002dk_nrf5340_cpuapp (read/write) 1361250 1361250 0 0.0
bss 105144 105144 0 0.0
rodata 211640 211640 0 0.0
text 759958 759962 4 0.0
all-clusters-minimal-app nrf52840dk_nrf52840 (read/write) 1136647 1136647 0 0.0
bss 144440 144440 0 0.0
rodata 120860 120860 0 0.0
text 790290 790290 0 0.0
psoc6 all-clusters cy8ckit_062s2_43012 (read only) 842056 842056 0 0.0
(read/write) 1749588 1749588 0 0.0
.ARM.attributes 46 46 0 0.0
.ARM.exidx 8 8 0 0.0
.bss 188624 188624 0 0.0
.comment 200 200 0 0.0
.copy.table 24 24 0 0.0
.cy_m0p_image 6216 6216 0 0.0
.cy_sharedmem 8 8 0 0.0
.data 2664 2664 0 0.0
.debug_abbrev 1238156 1238156 0 0.0
.debug_aranges 110768 110768 0 0.0
.debug_frame 371952 371952 0 0.0
.debug_info 27059808 27059809 1 0.0
.debug_line 3709695 3709695 0 0.0
.debug_loc 3624640 3624640 0 0.0
.debug_ranges 346584 346584 0 0.0
.debug_str 3453617 3453617 0 0.0
.heap 842056 842056 0 0.0
.noinit 148 148 0 0.0
.ramVectors 736 736 0 0.0
.shstrtab 288 288 0 0.0
.stab 156 156 0 0.0
.stabstr 335 335 0 0.0
.stack_dummy 4096 4096 0 0.0
.strtab 572204 572204 0 0.0
.symtab 422096 422096 0 0.0
.text 0 0 0 0.0
1549912 1549912 0 0.0
.zero.table 8 8 0 0.0
all-clusters-minimal cy8ckit_062s2_43012 (read only) 842784 842784 0 0.0
(read/write) 1692116 1692116 0 0.0
.ARM.attributes 46 46 0 0.0
.ARM.exidx 8 8 0 0.0
.bss 187896 187896 0 0.0
.comment 200 200 0 0.0
.copy.table 24 24 0 0.0
.cy_m0p_image 6216 6216 0 0.0
.cy_sharedmem 8 8 0 0.0
.data 2664 2664 0 0.0
.debug_abbrev 1230047 1230047 0 0.0
.debug_aranges 110240 110240 0 0.0
.debug_frame 375008 375008 0 0.0
.debug_info 26796606 26796607 1 0.0
.debug_line 3728600 3728600 0 0.0
.debug_loc 3612246 3612246 0 0.0
.debug_ranges 345200 345200 0 0.0
.debug_str 3442629 3442629 0 0.0
.heap 842784 842784 0 0.0
.noinit 148 148 0 0.0
.ramVectors 736 736 0 0.0
.shstrtab 288 288 0 0.0
.stab 156 156 0 0.0
.stabstr 335 335 0 0.0
.stack_dummy 4096 4096 0 0.0
.strtab 536293 536293 0 0.0
.symtab 408528 408528 0 0.0
.text 1493168 1493168 0 0.0
.zero.table 0 0 0 0.0
8 8 0 0.0
light cy8ckit_062s2_43012 (read only) 850976 850976 0 0.0
(read/write) 1610332 1610332 0 0.0
.ARM.attributes 46 46 0 0.0
.ARM.exidx 8 8 0 0.0
.bss 179912 179912 0 0.0
.comment 200 200 0 0.0
.copy.table 24 24 0 0.0
.cy_m0p_image 6216 6216 0 0.0
.cy_sharedmem 8 8 0 0.0
.data 2456 2456 0 0.0
.debug_abbrev 1064846 1064846 0 0.0
.debug_aranges 102440 102440 0 0.0
.debug_frame 345344 345344 0 0.0
.debug_info 22259220 22259221 1 0.0
.debug_line 3295709 3295709 0 0.0
.debug_loc 3310168 3310168 0 0.0
.debug_ranges 309336 309336 0 0.0
.debug_str 3248215 3248215 0 0.0
.heap 850976 850976 0 0.0
.noinit 148 148 0 0.0
.ramVectors 736 736 0 0.0
.shstrtab 288 288 0 0.0
.stab 156 156 0 0.0
.stabstr 335 335 0 0.0
.stack_dummy 4096 4096 0 0.0
.strtab 472618 472618 0 0.0
.symtab 376896 376896 0 0.0
.text 1419576 1419576 0 0.0
.zero.table 0 0 0 0.0
8 8 0 0.0
lock cy8ckit_062s2_43012 (read only) 845984 845984 0 0.0
(read/write) 1644268 1644268 0 0.0
.ARM.attributes 46 46 0 0.0
.ARM.exidx 8 8 0 0.0
.bss 184888 184888 0 0.0
.comment 200 200 0 0.0
.copy.table 24 24 0 0.0
.cy_m0p_image 6216 6216 0 0.0
.cy_sharedmem 8 8 0 0.0
.data 2472 2472 0 0.0
.debug_abbrev 1066756 1066756 0 0.0
.debug_aranges 102824 102824 0 0.0
.debug_frame 347140 347140 0 0.0
.debug_info 22477606 22477607 1 0.0
.debug_line 3295603 3295603 0 0.0
.debug_loc 3331600 3331600 0 0.0
.debug_ranges 311192 311192 0 0.0
.debug_str 3264053 3264053 0 0.0
.heap 845984 845984 0 0.0
.noinit 148 148 0 0.0
.ramVectors 736 736 0 0.0
.shstrtab 288 288 0 0.0
.stab 156 156 0 0.0
.stabstr 335 335 0 0.0
.stack_dummy 4096 4096 0 0.0
.strtab 475335 475335 0 0.0
.symtab 378896 378896 0 0.0
.text 1448520 1448520 0 0.0
.zero.table 0 0 0 0.0
8 8 0 0.0
qpg lighting-app qpg6105+debug (read/write) 1151236 1151236 0 0.0
.bss 100348 100348 0 0.0
.data 840 840 0 0.0
.text 598336 598336 0 0.0
lock-app qpg6105+debug (read/write) 1117532 1117540 8 0.0
.bss 95828 95828 0 0.0
.data 836 836 0 0.0
.text 564628 564636 8 0.0
telink all-clusters-app tlsr9518adk80d (read only) 4 4 0 0.0
(read/write) 1071524 1071524 0 0.0
bss 98856 98856 0 0.0
text 726246 726244 -2 -0.0
all-clusters-minimal-app tlsr9518adk80d (read only) 4 4 0 0.0
(read/write) 1010824 1010824 0 0.0
bss 98080 98080 0 0.0
text 691408 691408 0 0.0
light-switch-app tlsr9518adk80d (read only) 4 4 0 0.0
(read/write) 932280 932288 8 0.0
bss 90320 90320 0 0.0
text 638032 638034 2 0.0
lighting-app tlsr9518adk80d (read only) 4 4 0 0.0
(read/write) 1010248 1010248 0 0.0
bss 98380 98380 0 0.0
text 703808 703808 0 0.0
ota-requestor-app tlsr9518adk80d (read only) 4 4 0 0.0
(read/write) 945884 945884 0 0.0
bss 91276 91276 0 0.0
text 649288 649288 0 0.0
thermostat tlsr9518adk80d (read only) 4 4 0 0.0
(read/write) 935428 935428 0 0.0
bss 91712 91712 0 0.0
text 638718 638714 -4 -0.0

@davidben
Copy link

However, if out and *out are both NULL, OpenSSL tries to reuse the existing X509 object.

Minor correction (this was my fault; I had a typo in my description). This should have read:

However, if out and *out are both non-NULL, OpenSSL tries to reuse the existing X509 object.

@davidben
Copy link

Also worth noting, here's OpenSSL's documentation that discourages the object reuse mode.

On a successful return, if *a is not NULL then it is assumed that
*a contains a valid TYPE structure and an attempt is made to reuse
it. This "reuse" capability is present for historical compatibility
but its use is strongly discouraged (see BUGS below, and the
discussion in the RETURN VALUES section).

https://www.openssl.org/docs/man1.1.1/man3/d2i_X509.html

In addition to being slightly misleading with the error case, as described here, it can go wrong if the original object has some cached values in it. On the BoringSSL side, we're thinking of making it always free the old object and write in a fresh object, which is safer and less error-prone, but it will require a change like this one.

@bzbarsky-apple bzbarsky-apple merged commit 26bd9d6 into project-chip:master Dec 22, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arkq arkq arkq approved these changes

@bzbarsky-apple bzbarsky-apple bzbarsky-apple approved these changes

@andy31415 andy31415 Awaiting requested review from andy31415

@anush-apple anush-apple Awaiting requested review from anush-apple

@Byungjoo-Lee Byungjoo-Lee Awaiting requested review from Byungjoo-Lee

@carol-apple carol-apple Awaiting requested review from carol-apple

@chrisdecenzo chrisdecenzo Awaiting requested review from chrisdecenzo

@chshu chshu Awaiting requested review from chshu

@chulspro chulspro Awaiting requested review from chulspro

@Damian-Nordic Damian-Nordic Awaiting requested review from Damian-Nordic

@dhrishi dhrishi Awaiting requested review from dhrishi

@electrocucaracha electrocucaracha Awaiting requested review from electrocucaracha

@franck-apple franck-apple Awaiting requested review from franck-apple

@gjc13 gjc13 Awaiting requested review from gjc13

@harimau-qirex harimau-qirex Awaiting requested review from harimau-qirex

@harsha-rajendran harsha-rajendran Awaiting requested review from harsha-rajendran

@hawk248 hawk248 Awaiting requested review from hawk248

@jelderton jelderton Awaiting requested review from jelderton

@jepenven-silabs jepenven-silabs Awaiting requested review from jepenven-silabs

@jmartinez-silabs jmartinez-silabs Awaiting requested review from jmartinez-silabs

@jtung-apple jtung-apple Awaiting requested review from jtung-apple

@ksperling-apple ksperling-apple Awaiting requested review from ksperling-apple

@lazarkov lazarkov Awaiting requested review from lazarkov

@lpbeliveau-silabs lpbeliveau-silabs Awaiting requested review from lpbeliveau-silabs

@LuDuda LuDuda Awaiting requested review from LuDuda

@mrjerryjohns mrjerryjohns Awaiting requested review from mrjerryjohns

@msandstedt msandstedt Awaiting requested review from msandstedt

@mspang mspang Awaiting requested review from mspang

@rgoliver rgoliver Awaiting requested review from rgoliver

@robszewczyk robszewczyk Awaiting requested review from robszewczyk

@saurabhst saurabhst Awaiting requested review from saurabhst

@selissia selissia Awaiting requested review from selissia

@tcarmelveilleux tcarmelveilleux Awaiting requested review from tcarmelveilleux

@tecimovic tecimovic Awaiting requested review from tecimovic

@tehampson tehampson Awaiting requested review from tehampson

@vijs vijs Awaiting requested review from vijs

@vivien-apple vivien-apple Awaiting requested review from vivien-apple

@woody-apple woody-apple Awaiting requested review from woody-apple

@xylophone21 xylophone21 Awaiting requested review from xylophone21

@yufengwangca yufengwangca Awaiting requested review from yufengwangca

@yunhanw-google yunhanw-google Awaiting requested review from yunhanw-google

Assignees
No one assigned
Labels
review - approved tools
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[BUG] chip-cert tool: Fix OpenSSL Object Reuse and Double-Free
4 participants
@emargolis @davidben @arkq @bzbarsky-apple