From 7dab3e8266b8de8604dbae0a90eade85c5c0e3f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?= Date: Tue, 5 Dec 2023 14:50:40 +0100 Subject: [PATCH] BUG/MINOR: ssl: Double free of OCSP Certificate ID This bug could be reproduced loading several certificated from "bind" line: with "server_ocsp.pem" as argument to "crt" setting and updating the CDSA certificate with the RSA as follows: echo -e "set ssl cert reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.ecdsa \ <<\n$(cat reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.rsa)\n" | socat - /tmp/stats followed by an "commit ssl cert reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.ecdsa" command. This could be detected by libasan as follows: ================================================================= ==507223==ERROR: AddressSanitizer: attempting double-free on 0x60200007afb0 in thread T3: #0 0x7fabc6fb5527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527) #1 0x7fabc6ae8f8c in ossl_asn1_string_embed_free (/opt/quictls/lib/libcrypto.so.81.3+0xd4f8c) #2 0x7fabc6af54e9 in ossl_asn1_primitive_free (/opt/quictls/lib/libcrypto.so.81.3+0xe14e9) #3 0x7fabc6af5960 in ossl_asn1_template_free (/opt/quictls/lib/libcrypto.so.81.3+0xe1960) #4 0x7fabc6af569f in ossl_asn1_item_embed_free (/opt/quictls/lib/libcrypto.so.81.3+0xe169f) #5 0x7fabc6af58a4 in ASN1_item_free (/opt/quictls/lib/libcrypto.so.81.3+0xe18a4) #6 0x46a159 in ssl_sock_free_cert_key_and_chain_contents src/ssl_ckch.c:723 #7 0x46aa92 in ckch_store_free src/ssl_ckch.c:869 #8 0x4704ad in cli_release_commit_cert src/ssl_ckch.c:1981 #9 0x962e83 in cli_io_handler src/cli.c:1140 #10 0xc1edff in task_run_applet src/applet.c:454 #11 0xaf8be9 in run_tasks_from_lists src/task.c:634 #12 0xafa2ed in process_runnable_tasks src/task.c:876 #13 0xa23c72 in run_poll_loop src/haproxy.c:3024 #14 0xa24aa3 in run_thread_poll_loop src/haproxy.c:3226 #15 0x7fabc69e7ea6 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7ea6) #16 0x7fabc6907a2e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfba2e) 0x60200007afb0 is located 0 bytes inside of 3-byte region [0x60200007afb0,0x60200007afb3) freed by thread T3 here: #0 0x7fabc6fb5527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527) #1 0x7fabc6ae8f8c in ossl_asn1_string_embed_free (/opt/quictls/lib/libcrypto.so.81.3+0xd4f8c) previously allocated by thread T2 here: #0 0x7fabc6fb573f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f) #1 0x7fabc6ae8d77 in ASN1_STRING_set (/opt/quictls/lib/libcrypto.so.81.3+0xd4d77) Thread T3 created by T0 here: #0 0x7fabc6f84bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba) #1 0xc04f36 in setup_extra_threads src/thread.c:252 #2 0xa2761f in main src/haproxy.c:3917 #3 0x7fabc682fd09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09) Thread T2 created by T0 here: #0 0x7fabc6f84bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba) #1 0xc04f36 in setup_extra_threads src/thread.c:252 #2 0xa2761f in main src/haproxy.c:3917 #3 0x7fabc682fd09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09) SUMMARY: AddressSanitizer: double-free ??:0 __interceptor_free ==507223==ABORTING Aborted The OCSP CID stored in the impacted ckch data were freed but not reset to NULL, leading to a subsequent double free. Must be backported to 2.8. --- src/ssl_sock.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 99a72d33d..46bfb4bf4 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -1292,8 +1292,10 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data * } out: - if (ret && data->ocsp_cid) + if (ret && data->ocsp_cid) { OCSP_CERTID_free(data->ocsp_cid); + data->ocsp_cid = NULL; + } if (!ret && data->ocsp_response) { ha_free(&data->ocsp_response->area);