{"id":690,"date":"2016-10-14T15:21:45","date_gmt":"2016-10-14T13:21:45","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=690"},"modified":"2016-10-15T12:52:40","modified_gmt":"2016-10-15T10:52:40","slug":"openssl-libcrypto-stack-based-buffer-overflow-in-err_error_string_n-err-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/10\/14\/openssl-libcrypto-stack-based-buffer-overflow-in-err_error_string_n-err-c\/","title":{"rendered":"openssl: libcrypto: stack-based buffer overflow in ERR_error_string_n (err.c)"},"content":{"rendered":"

Description<\/strong>:
\nopenSSL<\/a> is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.<\/p>\n

A fuzz of nginx, discovered a stack overflow that resides in libcrypto.<\/p>\n

After looked into it with an nginx developer (Sergey Kandaurov), he said:<\/p>\n

This is caused by OpenSSL disfunction in ERR_error_string_n() which happens
\nwhen the function is used with zero len argument and the string is not null
\nterminated. In nginx that\u2019s possible when the string had been previously
\ntruncated for some reason.<\/p>\n

From ERR_error_string_n documentation:<\/p>\n

void ERR_error_string_n(unsigned long e, char *buf, size_t len);<\/p>\n

ERR_error_string_n() is a variant of ERR_error_string() that writes at
\n most len characters (including the terminating 0) and truncates the
\n string if necessary.<\/p>\n

The problem is that ERR_error_string_n() doesn\u2019t cope with zero len parameter.
\nIt uses len-capped BIO_snprintf() to write error string safely, then it checks
\nbuffer truncation for some useless things using strlen() in unsafe manner.
\nThis is where the buffer is overread.<\/p><\/blockquote>\n

I don’t know if the bug is reachable in another way, but Matt Caswell from OpenSSL does not judge it as a security issue.<\/p>\n

The complete ASan output:<\/p>\n

# nginx -t -p \"\" -c $FILE\r\n==24306==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe6cc74f50 at pc 0x00000046f20c bp 0x7ffe6cc749c0 sp 0x7ffe6cc74170\r\nREAD of size 7 at 0x7ffe6cc74f50 thread T0\r\n    #0 0x46f20b in strlen \/var\/tmp\/portage\/sys-devel\/llvm-3.8.1-r2\/work\/llvm-3.8.1.src\/projects\/compiler-rt\/lib\/asan\/asan_interceptors.cc:581\r\n    #1 0x7fa541c4a5b4 in ERR_error_string_n \/tmp\/portage\/dev-libs\/openssl-1.0.2j\/work\/openssl-1.0.2j-abi_x86_64.amd64\/crypto\/err\/err.c:888\r\n    #2 0x57e70e in ngx_ssl_error \/tmp\/portage\/www-servers\/nginx-1.10.1\/work\/nginx-1.10.1\/src\/event\/ngx_event_openssl.c:2061:9\r\n    #3 0x57f253 in ngx_ssl_certificate \/tmp\/portage\/www-servers\/nginx-1.10.1\/work\/nginx-1.10.1\/src\/event\/ngx_event_openssl.c:333:9\r\n    #4 0x6791c8 in ngx_http_ssl_merge_srv_conf \/tmp\/portage\/www-servers\/nginx-1.10.1\/work\/nginx-1.10.1\/src\/http\/modules\/ngx_http_ssl_module.c:669:9\r\n    #5 0x592f66 in ngx_http_merge_servers \/tmp\/portage\/www-servers\/nginx-1.10.1\/work\/nginx-1.10.1\/src\/http\/ngx_http.c:582:18\r\n    #6 0x592f66 in ngx_http_block \/tmp\/portage\/www-servers\/nginx-1.10.1\/work\/nginx-1.10.1\/src\/http\/ngx_http.c:268\r\n    #7 0x53b264 in ngx_conf_handler \/tmp\/portage\/www-servers\/nginx-1.10.1\/work\/nginx-1.10.1\/src\/core\/ngx_conf_file.c:427:18\r\n    #8 0x53b264 in ngx_conf_parse \/tmp\/portage\/www-servers\/nginx-1.10.1\/work\/nginx-1.10.1\/src\/core\/ngx_conf_file.c:283\r\n    #9 0x533b2a in ngx_init_cycle \/tmp\/portage\/www-servers\/nginx-1.10.1\/work\/nginx-1.10.1\/src\/core\/ngx_cycle.c:274:9\r\n    #10 0x4ff1cc in main \/tmp\/portage\/www-servers\/nginx-1.10.1\/work\/nginx-1.10.1\/src\/core\/nginx.c:276:13\r\n    #11 0x7fa540a6761f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #12 0x425b18 in _start (\/usr\/sbin\/nginx+0x425b18)\r\n\r\nAddress 0x7ffe6cc74f50 is located in stack of thread T0 at offset 1136 in frame\r\n    #0 0x57e53f in ngx_ssl_error \/tmp\/portage\/www-servers\/nginx-1.10.1\/work\/nginx-1.10.1\/src\/event\/ngx_event_openssl.c:2031\r\n\r\n  This frame has 4 object(s):\r\n    [32, 36) 'flags'\r\n    [48, 72) 'args'\r\n    [112, 1136) 'errstr' 0x10004d9869e0: 00 00 00 00 00 00 00 00 00 00[f2]f2 f2 f2 f2 f2\r\n  0x10004d9869f0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 f3 f3 f3 f3 f3\r\n  0x10004d986a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x10004d986a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x10004d986a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x10004d986a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Heap right redzone:      fb\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack partial redzone:   f4\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==24306==ABORTING\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\n1.0.2j and 1.1.0b<\/p>\n
Fixed version:<\/strong>
\n1.1.0c and 1.0.2k (not yet released)<\/p>\n
Commit fix:<\/strong>
\nhttps:\/\/github.com\/openssl\/openssl\/commit\/e5c1361580d8de79682958b04a5f0d262e680f8b<\/a><\/p>\n
Credit:<\/strong>
\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n
Timeline:<\/strong>
\n2016-10-11: bug discovered
\n2016-10-12: bug reported to upstream
\n2016-10-14: blog post about the issue<\/p>\n
Note:<\/strong>
\nThis bug was found with American Fuzzy Lop<\/a>.<\/p>\n
Permalink:<\/strong><\/p>\n
openssl: libcrypto: stack-based buffer overflow in ERR_error_string_n (err.c)<\/a><\/p><\/blockquote>\n