Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Only free the read buffers if we're not using them #24394

Closed
wants to merge 7 commits into from
Closed

Only free the read buffers if we're not using them #24394

wants to merge 7 commits into from

Conversation

mattcaswell
Copy link
Member

If we're part way through processing a record, or the application has
not released all the records then we should not free our buffer because
they are still needed.

CVE-2024-4741

@mattcaswell
Only free the read buffers if we're not using them
664daaa 
If we're part way through processing a record, or the application has
not released all the records then we should not free our buffer because
they are still needed.

CVE-2024-4741
@mattcaswell
Set rl->packet to NULL after we've finished using it
ef2eefd 
In order to ensure we do not have a UAF we reset the rl->packet pointer
to NULL after we free it.

Follow on from CVE-2024-4741
@mattcaswell
Extend the SSL_free_buffers testing
4202450 
Test that attempting to free the buffers at points where they should not
be freed works as expected.

Follow on from CVE-2024-4741
@mattcaswell
Move the ability to load the dasync engine into ssltestlib.c
f0904ce 
The sslapitest has a helper function to load the dasync engine which is
useful for testing pipelining. We would like to have the same facility
from sslbuffertest, so we move the function to the common location
ssltestlib.c

Follow on from CVE-2024-4741
@mattcaswell
Further extend the SSL_free_buffers testing
c34d0b1 
We extend the testing to test what happens when pipelining is in use.

Follow on from CVE-2024-4741
@mattcaswell mattcaswell added branch: master Merge to master branch approval: review pending This pull request needs review by a committer approval: otc review pending This pull request needs review by an OTC member triaged: bug The issue/pr is/fixes a bug severity: important Important bugs affecting a released version tests: present The PR has suitable tests present branch: 3.2 Merge to openssl-3.2 branch: 3.3 Merge to openssl-3.3 labels May 14, 2024
@mattcaswell mattcaswell mentioned this pull request May 14, 2024
Closed
@mattcaswell
Copy link
Member Author

See 3.1/3.0 backport in #24395

@t8m t8m removed the approval: otc review pending This pull request needs review by an OTC member label May 14, 2024
@mattcaswell
Copy link
Member Author

@t8m, please can you reconfirm following the latest fixup - also for the backport PR in #24395

@t8m t8m requested a review from nhorman May 16, 2024 16:17
Sashan
Sashan reviewed May 23, 2024
View reviewed changes
Copy link
Contributor

@Sashan Sashan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just a question...

ssl/record/methods/tls_common.c
@@ -2129,7 +2137,10 @@ int tls_free_buffers(OSSL_RECORD_LAYER *rl)
/* Read direction */

/* If we have pending data to be read then fail */
if (rl->curr_rec < rl->num_recs || TLS_BUFFER_get_left(&rl->rbuf) != 0)
if (rl->curr_rec < rl->num_recs
|| rl->curr_rec != rl->num_released
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have question: is rl->curr_rec != rl->num_released the right cmp operation here? The reason I'm asking is that elsewhere in this file we use a < comparison. For example here tls_release_record():

1155 int tls_release_record(OSSL_RECORD_LAYER *rl, void *rechandle, size_t length)
1156 {
1157     TLS_RL_RECORD *rec = &rl->rrec[rl->num_released];
1158
1159     if (!ossl_assert(rl->num_released < rl->curr_rec)
1160             || !ossl_assert(rechandle == rec)) {
1161         /* Should not happen */

perhaps comparison type does not matter in this case. I'm rather curious if there is a reason for inconsistency.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

rl->num_released should always be <= rl->curr_rec.

In the case of the code that you reference we are asserting the stricter condition that rl->num_released < rl->curr_rec since it would be a libssl bug to call tls_release_record where rl->num_released >= rl->curr_rec.

In this case it is the other way around. This function must fail if rl->curr_rec != rl->num_released. It would be sufficient to fail if rl->num_released < rl->curr_rec if we rely on the fact that rl->num_released should never be greater than rl->curr_rec - but I prefer the stricter check here.

@mattcaswell mattcaswell added approval: ready to merge The 24 hour grace period has passed, ready to merge and removed approval: review pending This pull request needs review by a committer labels May 27, 2024
@mattcaswell
Copy link
Member Author

Pushed. Thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Sashan Sashan Sashan left review comments

@nhorman nhorman nhorman approved these changes

@t8m t8m t8m approved these changes

Assignees
No one assigned
Labels
approval: ready to merge The 24 hour grace period has passed, ready to merge branch: master Merge to master branch branch: 3.2 Merge to openssl-3.2 branch: 3.3 Merge to openssl-3.3 severity: important Important bugs affecting a released version tests: present The PR has suitable tests present triaged: bug The issue/pr is/fixes a bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@mattcaswell @Sashan @nhorman @t8m