x509: fix use-after-free in wolfSSL_X509_STORE_get0_objects #10650
Draft
ColtonWilley wants to merge 1 commit into
wolfSSL_X509_STORE_get0_objects builds its list from CertManager certs (owned by the list) and borrowed store->certs entries, using store->numAdded to mark the borrowed tail so they aren't freed. When the store has a CRL, a CRL object is appended after those certs, so the count freed a cert still owned by store->certs. The next get0_objects call then returned a dangling pointer - the use-after-free reported with HAProxy under ASAN. The list now takes its own reference on every cert (wolfSSL_X509_up_ref), so it owns all its entries and is freed uniformly, and the numAdded bookkeeping (and its struct field) is removed. Fixes wolfSSL#10123
Description
wolfSSL_X509_STORE_get0_objects builds its list from CertManager certs (owned by the list) and borrowed store->certs entries, using store->numAdded to mark the borrowed tail so they aren't freed. When the store has a CRL, a CRL object is appended after those certs, so the count freed a cert still owned by store->certs. The next get0_objects call then returned a dangling pointer — the use-after-free reported with HAProxy under ASAN.
The list now takes its own reference on every cert (wolfSSL_X509_up_ref), so it owns all its entries and is freed uniformly, and the numAdded bookkeeping (and its struct field) is removed.
Fixes #10123
Testing
Added test_X509_STORE_get0_objects_extern_repeat: loads a root and an intermediate into a standalone X509_STORE and calls get0_objects repeatedly. Faults under ASAN on master, passes with the fix. Full unit.test passes under ASAN with --enable-haproxy.
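A simplified model of the ownership bug in the description above, as an added example that is not part of the pull request or of wolfSSL's code. `Obj`, `List`, `build` and `release` are hypothetical names, and a reference count reaching zero stands in for a free so the program stays safe to run.

```c
#include <stdio.h>

/* Toy model, not wolfSSL code: an object counts as freed when refs reaches 0. */
typedef struct { int refs; } Obj;
typedef struct { Obj *items[4]; int n; } List;

static void obj_free(Obj *o) { if (o->refs > 0) o->refs--; }
static void push(List *l, Obj *o) { l->items[l->n++] = o; }

/* List layout from the description: an owned cert, a store cert, then an
 * optional CRL. take_ref selects the fixed scheme (stands in for up_ref). */
static void build(List *l, Obj *owned, Obj *store_cert, Obj *crl, int take_ref) {
    l->n = 0;
    push(l, owned);                  /* the list owns this reference */
    if (take_ref) store_cert->refs++;
    push(l, store_cert);             /* borrowed unless take_ref is set */
    if (crl) push(l, crl);           /* lands after the store cert */
}

/* Release every entry except the last `skip`, which are assumed borrowed. */
static void release(List *l, int skip) {
    for (int i = 0; i < l->n - skip; i++) obj_free(l->items[i]);
}

/* References left on the store's cert after one build/free cycle. */
int store_refs_old(int with_crl) {
    Obj owned = {1}, store_cert = {1}, crl = {1};
    List l;
    build(&l, &owned, &store_cert, with_crl ? &crl : NULL, 0);
    release(&l, 1);                  /* tail count of 1, like numAdded */
    return store_cert.refs;
}

int store_refs_fixed(int with_crl) {
    Obj owned = {1}, store_cert = {1}, crl = {1};
    List l;
    build(&l, &owned, &store_cert, with_crl ? &crl : NULL, 1);
    release(&l, 0);                  /* list owns everything: free uniformly */
    return store_cert.refs;
}

int main(void) {
    printf("old:   no CRL=%d  with CRL=%d\n", store_refs_old(0), store_refs_old(1));
    printf("fixed: no CRL=%d  with CRL=%d\n", store_refs_fixed(0), store_refs_fixed(1));
    return 0;
}
```

In the old scheme the store's cert drops to zero references only when a CRL is present, because the CRL, not the borrowed cert, then occupies the skipped tail slot.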