From 934a04f0e775309cadbef0aa6b9692e1b12a76c6 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Mon, 16 Jan 2023 19:45:23 +0100
Subject: [PATCH 08/18] Do not dereference PKCS7 object data if not set

Fixes CVE-2023-0216

Reviewed-by: Shane Lontis
Reviewed-by: Paul Dale
---
 crypto/pkcs7/pk7_lib.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c
index 753f1276e6..936e50da54 100644
--- a/crypto/pkcs7/pk7_lib.c
+++ b/crypto/pkcs7/pk7_lib.c
@@ -414,6 +414,8 @@ PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey,

 static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7)
 {
+ if (p7->d.ptr == NULL)
+ return NULL;
 if (PKCS7_type_is_signed(p7))
 return p7->d.sign->cert;
 if (PKCS7_type_is_signedAndEnveloped(p7))
@@ -423,6 +425,8 @@ static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7)

 static STACK_OF(PKCS7_RECIP_INFO) *pkcs7_get_recipient_info(const PKCS7 *p7)
 {
+ if (p7->d.ptr == NULL)
+ return NULL;
 if (PKCS7_type_is_signedAndEnveloped(p7))
 return p7->d.signed_and_enveloped->recipientinfo;
 if (PKCS7_type_is_enveloped(p7))
@@ -440,13 +444,17 @@ void ossl_pkcs7_resolve_libctx(PKCS7 *p7)
 const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
 OSSL_LIB_CTX *libctx = ossl_pkcs7_ctx_get0_libctx(ctx);
 const char *propq = ossl_pkcs7_ctx_get0_propq(ctx);
- STACK_OF(PKCS7_RECIP_INFO) *rinfos = pkcs7_get_recipient_info(p7);
- STACK_OF(PKCS7_SIGNER_INFO) *sinfos = PKCS7_get_signer_info(p7);
- STACK_OF(X509) *certs = pkcs7_get_signer_certs(p7);
+ STACK_OF(PKCS7_RECIP_INFO) *rinfos;
+ STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
+ STACK_OF(X509) *certs;

- if (ctx == NULL)
+ if (ctx == NULL || p7->d.ptr == NULL)
 return;

+ rinfos = pkcs7_get_recipient_info(p7);
+ sinfos = PKCS7_get_signer_info(p7);
+ certs = pkcs7_get_signer_certs(p7);
+
 for (i = 0; i < sk_X509_num(certs); i++)
 ossl_x509_set0_libctx(sk_X509_value(certs, i), libctx, propq);

--
2.39.1
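Review bot: The new `if (p7->d.ptr == NULL)` guard in `pkcs7_get_signer_certs` carries no comment saying when the content pointer can be unset, and the identical guard added to `pkcs7_get_recipient_info` in the second hunk has the same gap. Going by the commit message, this state is presumably reachable from a decoded structure that names a content type but has no content, so I would add `/* d.ptr is NULL when the decoded PKCS7 has a type but no content */` above each check to keep a later cleanup from dropping it. Both helpers now return NULL for missing content as well as for an unsupported type, so callers must keep treating NULL as an empty stack. Both function bodies continue past the end of their hunks.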
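Review bot: In `ossl_pkcs7_resolve_libctx` the call to `PKCS7_get_signer_info(p7)` goes to a function this patch does not touch, so the diff cannot confirm that it tolerates an unset `p7->d.ptr` on its own. The new early return `if (ctx == NULL || p7->d.ptr == NULL)` protects this call path, but judging by its name that function looks like public API, so it is worth confirming it has the same check for its other callers. The early return is also silent; a short comment such as `/* nothing to resolve: no context or no content */` would document that skipping the propagation is intended. The function starts before and continues after the hunk.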
From 67813d8a4d110f4174bbd2fee8a2f15388e324b5 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Mon, 16 Jan 2023 19:56:20 +0100
Subject: [PATCH 09/18] Add test for d2i_PKCS7 NULL dereference

Reviewed-by: Shane Lontis
Reviewed-by: Paul Dale
---
 test/recipes/25-test_pkcs7.t | 7 +++++--
 test/recipes/25-test_pkcs7_data/malformed.pkcs7 | 3 +++
 2 files changed, 8 insertions(+), 2 deletions(-)
 create mode 100644 test/recipes/25-test_pkcs7_data/malformed.pkcs7

diff --git a/test/recipes/25-test_pkcs7.t b/test/recipes/25-test_pkcs7.t
index 37cd43dc6b..d61cd6abad 100644
--- a/test/recipes/25-test_pkcs7.t
+++ b/test/recipes/25-test_pkcs7.t
@@ -11,11 +11,11 @@ use strict;
 use warnings;

 use File::Spec;
-use OpenSSL::Test qw/:DEFAULT srctop_file/;
+use OpenSSL::Test qw/:DEFAULT srctop_file data_file/;

 setup("test_pkcs7");

-plan tests => 3;
+plan tests => 4;

 require_ok(srctop_file('test','recipes','tconversion.pl'));

@@ -27,3 +27,6 @@ subtest 'pkcs7 conversions -- pkcs7d' => sub {
 tconversion( -type => 'p7d', -in => srctop_file("test", "pkcs7-1.pem"),
 -args => ["pkcs7"] );
 };
+
+my $malformed = data_file('malformed.pkcs7');
+ok(run(app(["openssl", "pkcs7", "-in", $malformed])));
diff --git a/test/recipes/25-test_pkcs7_data/malformed.pkcs7 b/test/recipes/25-test_pkcs7_data/malformed.pkcs7
new file mode 100644
index 0000000000..e30d1b582c
--- /dev/null
+++ b/test/recipes/25-test_pkcs7_data/malformed.pkcs7
@@ -0,0 +1,3 @@
+-----BEGIN PKCS7-----
+MAsGCSqGSIb3DQEHAg==
+-----END PKCS7-----
--
2.39.1
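Review bot: The added check `ok(run(app(["openssl", "pkcs7", "-in", $malformed])))` at the end of `25-test_pkcs7.t` covers a single content type, because the fixture decodes to a ContentInfo holding only the signedData type identifier with no content. A regression in the recipient-info handling for the enveloped and signed-and-enveloped types would therefore not be caught by this recipe; one fixture per affected content type would close that gap. The test line also has no comment saying what is malformed about the input, so I would add `# content type is signedData but the content itself is absent; must be handled without crashing` above it. The assertion only checks the exit status of the command, which is enough to catch a crash but says nothing about the output.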