libressl/portable

SIGSEGV in `bn_bitsize` triggerable via remote (s_client)

Opened this issue · 1 comment

Hey,

I found a bug (presumably in the s_client) that causes a null ptr dereference when communicating with a server. If you need a gdb session for debugging the crash, please use pernos.co.

The tested version was v3.8.1. If you need any further help, please let me know.

Program received signal SIGSEGV, Segmentation fault.
bn_bitsize (bn=0x0)
    at crypto/bn/bn_primitives.c:55
55		while (i < bn->top) {
(rr) bt
#0  bn_bitsize (bn=0x0)
    at crypto/bn/bn_primitives.c:55
#1  0x00005555555e0698 in ssl_print_tmp_key (out=out@entry=0x555555c881b0, s=s@entry=0x555555c8bda0)
    at apps/openssl/s_cb.c:273
#2  0x00005555555e71e6 in print_stuff (bio=bio@entry=0x555555c881b0, s=s@entry=0x555555c8bda0, full=full@entry=1)
    at apps/openssl/s_client.c:1705
#3  0x00005555555e63c2 in s_client_main (argc=<optimized out>, argv=<optimized out>)
    at apps/openssl/s_client.c:1587
#4  0x00005555555cd732 in do_cmd (prog=0x555555c7ee20, argc=18, argv=0x7fffffffe5b0)
    at apps/openssl/openssl.c:513
#5  main (argc=18, argv=0x7fffffffe5b0)
    at apps/openssl/openssl.c:458

The public key that is passed to bn_bitsize is zeroed out here

Hardware watchpoint 1: pkey

Old value = (EVP_PKEY *) 0x555555ca1940
New value = (EVP_PKEY *) 0x0
0x00005555556156e5 in _SSL_get_peer_tmp_key (s=0x555555c8bda0, key=0x7fffffffc200)
    at libressl/ssl/s3_lib.c:1729
1729		*key = pkey;
(rr) bt
#0  0x00005555556156e5 in _SSL_get_peer_tmp_key (s=0x555555c8bda0, key=0x7fffffffc200)
    at libressl/ssl/s3_lib.c:1729
#1  0x00005555555e0644 in ssl_print_tmp_key (out=out@entry=0x555555c881b0, s=0x555555a66120 <locks+1040>, 
    s@entry=0x555555c8bda0)
    at libressl/apps/openssl/s_cb.c:267
#2  0x00005555555e71e6 in print_stuff (bio=bio@entry=0x555555c881b0, s=s@entry=0x555555c8bda0, full=full@entry=1)
    at libressl/apps/openssl/s_client.c:1705
#3  0x00005555555e63c2 in s_client_main (argc=<optimized out>, argv=<optimized out>)
    at libressl/apps/openssl/s_client.c:1587
#4  0x00005555555cd732 in do_cmd (prog=0x555555c7ee20, argc=18, argv=0x7fffffffe5b0)
    at libressl/apps/openssl/openssl.c:513
#5  main (argc=18, argv=0x7fffffffe5b0)
    at libressl/apps/openssl/openssl.c:458

Best,
Nils

Thanks for the report. This is indeed mostly a bug in the s_client that tries to print out as much information as it can instead of erroring out. However, libssl could be a bit more careful and not leave behind an invalid DH object in that situation so that ssl_print_tmp_key() doesn't access NULL.

Fixing this is on my todo list, but not super high priority.
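The two messages above describe the same shape of bug from both sides: libssl can leave an invalid temporary-key object behind after a handshake, the getter still reports success, and the s_client printer trusts that success and hands a NULL BIGNUM to bn_bitsize(). The following is an added, self-contained C model of that path, written for this page and not LibreSSL's own code. BN, TMPKEY and CONN are constructed stand-ins for BIGNUM, the DH/EVP_PKEY temp key and the SSL object; get_peer_tmp_key() is a stand-in for SSL_get_peer_tmp_key(), and the sample key values are made up. It shows the unchecked printer that reproduces the crash pattern beside a hardened printer that checks every pointer on the path before dereferencing it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Constructed model of the objects on the crashing path (not LibreSSL types). */
typedef struct { int top; uint64_t d[4]; } BN;        /* stands in for BIGNUM */
typedef struct { BN *pub_key; } TMPKEY;               /* stands in for the DH/EVP_PKEY temp key */
typedef struct { int have_tmp_key; TMPKEY *tmp_key; } CONN; /* stands in for SSL */

#define BN_BITS2 64

/* Bit length of a bignum. Like the real bn_bitsize(), it dereferences bn
 * unconditionally, so a NULL argument is a segfault, not an error return. */
static int bn_bitsize(const BN *bn)
{
    int i = bn->top;
    uint64_t w;
    int bits;

    if (i == 0)
        return 0;
    w = bn->d[i - 1];
    bits = (i - 1) * BN_BITS2;
    while (w != 0) {
        bits++;
        w >>= 1;
    }
    return bits;
}

/* Getter modelling the failure in the report: when the handshake left an
 * invalid temp-key object behind, it still returns 1 but stores NULL in *key. */
static int get_peer_tmp_key(const CONN *s, TMPKEY **key)
{
    if (!s->have_tmp_key)
        return 0;          /* no ephemeral key was negotiated at all */
    *key = s->tmp_key;     /* NULL when the object is invalid */
    return 1;
}

/* Unchecked printer: trusts that a successful getter means a usable key.
 * On a CONN with an invalid object this passes NULL to bn_bitsize() and
 * crashes, which is the SIGSEGV in the backtrace. Only call it with a
 * connection that actually carries a usable key. Returns the bit size. */
static int print_tmp_key_unchecked(FILE *out, const CONN *s)
{
    TMPKEY *key = NULL;
    int bits;

    if (!get_peer_tmp_key(s, &key))
        return 0;
    bits = bn_bitsize(key->pub_key);
    fprintf(out, "Server Temp Key: DH, %d bits\n", bits);
    return bits;
}

/* Hardened printer: checks the getter status, the key pointer and the public
 * BIGNUM before any dereference, and reports an unusable key instead of
 * crashing. Returns the bit size, 0 for "no temp key", -1 for "unusable". */
static int print_tmp_key_checked(FILE *out, const CONN *s)
{
    TMPKEY *key = NULL;
    int bits;

    if (!get_peer_tmp_key(s, &key))
        return 0;
    if (key == NULL || key->pub_key == NULL) {
        fprintf(out, "Server Temp Key: present but unusable\n");
        return -1;
    }
    bits = bn_bitsize(key->pub_key);
    fprintf(out, "Server Temp Key: DH, %d bits\n", bits);
    return bits;
}

/* Constructed fixtures: a 65-bit public value, one good connection, one that
 * carries an invalid (NULL) temp key as in the report, one with no temp key. */
static BN sample_pub = { 2, { 0xffffffffffffffffULL, 0x1ULL, 0, 0 } };
static TMPKEY good_key = { &sample_pub };
static CONN conn_good = { 1, &good_key };
static CONN conn_invalid = { 1, NULL };
static CONN conn_none = { 0, NULL };

int main(void)
{
    print_tmp_key_checked(stdout, &conn_good);     /* DH, 65 bits */
    print_tmp_key_checked(stdout, &conn_invalid);  /* present but unusable */
    print_tmp_key_checked(stdout, &conn_none);     /* prints nothing */
    return 0;
}
```

The point of the checked version is that "the getter returned 1" and "the key is usable" are two different facts; a diagnostic printer that wants to show as much as it can should treat the second as a separate check rather than assume it from the first. The same caveat applies to the library side: if libssl frees or never fills the DH object, it should not leave the pointer reachable from SSL_get_peer_tmp_key() with a success status.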