SIGSEGV in bn_bitsize triggerable via remote (s_client) #1037

Open
nbars opened this issue Mar 28, 2024 · 1 comment
nbars commented Mar 28, 2024

Hey,

I found a bug (presumably in the s_client) that causes a null ptr dereference when communicating with a server. If you need a gdb session for debugging the crash, please use pernos.co.

The tested version was v3.8.1. If you need any further help, please let me know.

Program received signal SIGSEGV, Segmentation fault.
bn_bitsize (bn=0x0)
    at crypto/bn/bn_primitives.c:55
55		while (i < bn->top) {
(rr) bt
#0  bn_bitsize (bn=0x0)
    at crypto/bn/bn_primitives.c:55
#1  0x00005555555e0698 in ssl_print_tmp_key (out=out@entry=0x555555c881b0, s=s@entry=0x555555c8bda0)
    at apps/openssl/s_cb.c:273
#2  0x00005555555e71e6 in print_stuff (bio=bio@entry=0x555555c881b0, s=s@entry=0x555555c8bda0, full=full@entry=1)
    at apps/openssl/s_client.c:1705
#3  0x00005555555e63c2 in s_client_main (argc=<optimized out>, argv=<optimized out>)
    at apps/openssl/s_client.c:1587
#4  0x00005555555cd732 in do_cmd (prog=0x555555c7ee20, argc=18, argv=0x7fffffffe5b0)
    at apps/openssl/openssl.c:513
#5  main (argc=18, argv=0x7fffffffe5b0)
    at apps/openssl/openssl.c:458

The public key that is passed to bn_bitsize is zeroed out here:

Hardware watchpoint 1: pkey

Old value = (EVP_PKEY *) 0x555555ca1940
New value = (EVP_PKEY *) 0x0
0x00005555556156e5 in _SSL_get_peer_tmp_key (s=0x555555c8bda0, key=0x7fffffffc200)
    at libressl/ssl/s3_lib.c:1729
1729		*key = pkey;
(rr) bt
#0  0x00005555556156e5 in _SSL_get_peer_tmp_key (s=0x555555c8bda0, key=0x7fffffffc200)
    at libressl/ssl/s3_lib.c:1729
#1  0x00005555555e0644 in ssl_print_tmp_key (out=out@entry=0x555555c881b0, s=0x555555a66120 <locks+1040>, 
    s@entry=0x555555c8bda0)
    at libressl/apps/openssl/s_cb.c:267
#2  0x00005555555e71e6 in print_stuff (bio=bio@entry=0x555555c881b0, s=s@entry=0x555555c8bda0, full=full@entry=1)
    at libressl/apps/openssl/s_client.c:1705
#3  0x00005555555e63c2 in s_client_main (argc=<optimized out>, argv=<optimized out>)
    at libressl/apps/openssl/s_client.c:1587
#4  0x00005555555cd732 in do_cmd (prog=0x555555c7ee20, argc=18, argv=0x7fffffffe5b0)
    at libressl/apps/openssl/openssl.c:513
#5  main (argc=18, argv=0x7fffffffe5b0)
    at libressl/apps/openssl/openssl.c:458

Best,
Nils

@joshuasing joshuasing added the bug label Mar 30, 2024
Contributor

botovq commented Apr 9, 2024

Thanks for the report. This is indeed mostly a bug in the s_client that tries to print out as much information as it can instead of erroring out. However, libssl could be a bit more careful and not leave behind an invalid DH object in that situation so that ssl_print_tmp_key() doesn't access NULL.

Fixing this is on my todo list, but not super high priority.
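botovq's diagnosis splits into two defensive patterns: the caller (s_client's key printer) should refuse to size a key whose parameters are missing, and the producer (libssl's peer_dh_tmp handling) should never hand back a half-built object in the first place. The block below is an added example written for this page, not LibreSSL's code. It models the limb-array-plus-`top` bignum shape visible in the backtrace and the peer's ephemeral DH object with hypothetical toy types (BIGNUM_T, DH_T), and all function names (bn_num_bits_safe, dh_from_peer_params, print_tmp_dh_key, demo) and the sample byte strings are constructed for the example; the bytes are not real DH parameters. It shows a fail-closed constructor, a NULL-tolerant bit-size routine, and a printer that reports an invalid key instead of dereferencing NULL, which is the branch the reported crash in bn_bitsize(bn=0x0) lacks.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy bignum with the limb-array-plus-`top` shape seen in the backtrace, and a
 * toy stand-in for the peer's ephemeral DH object; neither is LibreSSL's code. */
typedef struct { uint64_t *d; int top; } BIGNUM_T;
typedef struct { BIGNUM_T *p, *pub_key; } DH_T;

static void bn_free(BIGNUM_T *bn) { if (bn != NULL) free(bn->d); free(bn); }

/* Big-endian bytes -> little-endian 64-bit limbs. An absent or empty field is
 * not a number, so return NULL rather than a zero-limb BIGNUM_T. */
static BIGNUM_T *bn_from_be_bytes(const uint8_t *buf, size_t len) {
    size_t i, limbs = (len + 7) / 8;
    BIGNUM_T *bn;
    if (buf == NULL || len == 0 || (bn = calloc(1, sizeof(*bn))) == NULL)
        return NULL;
    if ((bn->d = calloc(limbs, sizeof(uint64_t))) == NULL) {
        free(bn);
        return NULL;
    }
    for (i = 0; i < len; i++) {
        size_t pos = len - 1 - i;           /* byte offset from the LSB */
        bn->d[pos / 8] |= (uint64_t)buf[i] << (8 * (pos % 8));
    }
    for (bn->top = (int)limbs; bn->top > 0 && bn->d[bn->top - 1] == 0;)
        bn->top--;                          /* strip leading zero limbs */
    return bn;
}

/* Significant bits of bn. Returns -1 for NULL instead of reading bn->top
 * through a NULL pointer, which is the branch missing in the reported crash. */
int bn_num_bits_safe(const BIGNUM_T *bn) {
    uint64_t w;
    int bits = 0;
    if (bn == NULL || bn->d == NULL)
        return -1;
    if (bn->top == 0)
        return 0;
    for (w = bn->d[bn->top - 1]; w != 0; w >>= 1)
        bits++;
    return (bn->top - 1) * 64 + bits;
}

/* Bit length of a big-endian byte string; NULL or empty input gives -1. */
int bits_of_be_bytes(const uint8_t *buf, size_t len) {
    BIGNUM_T *bn = bn_from_be_bytes(buf, len);
    int bits = bn_num_bits_safe(bn);
    bn_free(bn);
    return bits;
}

void dh_free(DH_T *dh) {
    if (dh == NULL)
        return;
    bn_free(dh->p); bn_free(dh->pub_key); free(dh);
}

/* Fail-closed constructor: every field parses or nothing is returned, so a
 * DH_T with p == NULL never escapes to a caller such as the key printer. */
DH_T *dh_from_peer_params(const uint8_t *p, size_t plen,
    const uint8_t *pub, size_t publen) {
    DH_T *dh = calloc(1, sizeof(*dh));
    if (dh == NULL)
        return NULL;
    dh->p = bn_from_be_bytes(p, plen);
    dh->pub_key = bn_from_be_bytes(pub, publen);
    if (dh->p == NULL || dh->pub_key == NULL) {
        dh_free(dh);                        /* no half-built object left behind */
        return NULL;
    }
    return dh;
}

/* What a defensive ssl_print_tmp_key() equivalent should do: report an invalid
 * key and return 0 rather than computing the size of a NULL p. */
int print_tmp_dh_key(FILE *out, const DH_T *dh) {
    int bits = -1;
    if (dh == NULL || (bits = bn_num_bits_safe(dh->p)) < 0) {
        fprintf(out, "Server Temp Key: invalid DH parameters\n");
        return 0;
    }
    fprintf(out, "Server Temp Key: DH, %d bits\n", bits);
    return bits;
}

/* Constructed inputs (not real DH parameters): p = 0x010000 (17 bits) and
 * pub = 0xffff; with omit_p set, the peer sent no p at all. */
int demo(int omit_p) {
    static const uint8_t p[] = { 0x01, 0x00, 0x00 }, pub[] = { 0xff, 0xff };
    DH_T *dh = dh_from_peer_params(omit_p ? NULL : p, omit_p ? 0 : sizeof(p),
        pub, sizeof(pub));
    int bits = print_tmp_dh_key(stdout, dh);
    dh_free(dh);
    return bits;
}

int main(void) { return (demo(0) == 17 && demo(1) == 0) ? 0 : 1; }
```

Build with `cc -Wall -o demo demo.c` and run; no libcrypto is needed. demo(0) prints the 17-bit key, demo(1) prints the "invalid DH parameters" line and returns 0, and the same input that produced bn_bitsize(bn=0x0) in the report cannot reach the bit-size routine because the constructor already failed closed.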
