Serious OpenSSL vulnerability

Sun Apr 13 14:18:32 UTC 2014

On Sun, 13 Apr 2014 15:48:23 +0200 Suvayu Ali <fatkasuvayu
+linux at gmail.com> wrote:

> On Sun, Apr 13, 2014 at 08:38:11AM -0500, Ranjan Maitra wrote:
> > On Sun, 13 Apr 2014 09:15:04 -0400 Rahul Sundaram <metherid at gmail.com>
> > wrote:
> > 
> > > Hi
> > > 
> > > 
> > > On Sun, Apr 13, 2014 at 6:23 AM, Timothy Murphy wrote:
> > > 
> > > > Roger wrote:
> > > >
> > > > > It happened. It was known for years.
> > > >
> > > > Everything I have seen says it has been known for about 1 week.
> > > >
> > > > Incidentally, I am no programmer but I would have thought
> > > > it would be relatively simple to set up a test
> > > > to see if a "malloc"-ed space could be transgressed.
> > > >
> > > 
> > > Not in this case.  openssl uses a custom malloc
> > > 
> > 
> > So, a valgrind -tool=memcheck --leak-check=yes --show-reachable=yes
> > --track-fds=yes --track-origins=yes would not have helped?
> 
> AFAIU this is not a memory leak; it is a buffer overflow: lack of bounds
> checking.  I do not think valgrind (or any other tool) can help with
> that.  Feel free to correct me if I am wrong.

Actually, in my experience, valgrind has picked up everything pretty
much, including (amazingly!) logically incorrect statements (even
when there was no memory leak). In other words, it reports no leaks
possible but some errors. And if you go look with the -v option (on a
-g compiled executable) one gets the line number and finds errors from
there. 

Of course, I understand that this is no guarantee.

Here is an example (on F20):

/*  file: testrealloc.c (note the access in the last element) */

#include <stdio.h>
#include <stdlib.h>

int main(void) {
	int n = 50;
	double *a, *p;

	a = malloc(n * sizeof( *a));

	for (int i = 0; i < n; i++)
		a[i] = i;

	p = realloc(a, (n - 2) * sizeof( *p));

	for (int i = (n - 4); i < (n - 1); i++)
		printf("%f ", p[i]);
	free(p);

	return EXIT_SUCCESS;

}

/* compile with:

gcc -o testrealloc testrealloc.c -std=c99 -Wall -pedantic

run valgrind:

valgrind --tool=memcheck --leak-check=yes --show-reachable=yes
--track-fds=yes --track-origins=yes   -v ./testrealloc 

Here are the results:

......snipped....
--12324-- REDIR: 0x35bd018380 (index) redirected to 0x4a08f60 (index)
--12324-- REDIR: 0x35bd018400 (strcmp) redirected to 0x4a0a040 (strcmp)
--12324-- Reading syms from /usr/lib64/libc-2.18.so
--12324-- REDIR: 0x35bd489b90 (strcasecmp) redirected to 0x4801716
(_vgnU_ifunc_wrapper)
--12324-- REDIR: 0x35bd48be80 (strncasecmp) redirected to 0x4801716
(_vgnU_ifunc_wrapper)
--12324-- REDIR: 0x35bd489360 (memcpy at GLIBC_2.2.5) redirected to
0x4801716 (_vgnU_ifunc_wrapper)
--12324-- REDIR: 0x35bd488340 (__GI_strrchr) redirected to 0x4a08d80
(__GI_strrchr)
--12324-- REDIR: 0x35bd47ff10 (malloc) redirected to 0x4a063d6 (malloc)
--12324-- REDIR: 0x35bd480410 (realloc) redirected to 0x4a082e0
(realloc)
--12324-- REDIR: 0x35bd48fe40 (strchrnul) redirected to 0x4a0bd30
(strchrnul)
--12324-- REDIR: 0x35bd4865f0 (strlen) redirected to 0x4a092f0 (strlen)
==12324== Invalid read of size 8
==12324==    at 0x4006A8: main (in /tmp/testrealloc)
==12324==  Address 0x4c2a390 is 0 bytes after a block of size 384
alloc'd ==12324==    at 0x4A083AA: realloc
(in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==12324==
by 0x400684: main (in /tmp/testrealloc) ==12324== 
--12324-- REDIR: 0x35bd480330 (free) redirected to 0x4a074f0 (free)
46.000000 47.000000 0.000000 ==12324== 
==12324== FILE DESCRIPTORS: 3 open at exit.
==12324== Open file descriptor 2: /dev/pts/8
==12324==    <inherited from parent>
==12324== 
==12324== Open file descriptor 1: /dev/pts/8
==12324==    <inherited from parent>
==12324== 
==12324== Open file descriptor 0: /dev/pts/8
==12324==    <inherited from parent>
==12324== 
==12324== 
==12324== HEAP SUMMARY:
==12324==     in use at exit: 0 bytes in 0 blocks
==12324==   total heap usage: 2 allocs, 2 frees, 784 bytes allocated
==12324== 
==12324== All heap blocks were freed -- no leaks are possible
==12324== 
==12324== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 2 from 2)
==12324== 
==12324== 1 errors in context 1 of 1:
==12324== Invalid read of size 8
==12324==    at 0x4006A8: main (in /tmp/testrealloc)
==12324==  Address 0x4c2a390 is 0 bytes after a block of size 384
alloc'd ==12324==    at 0x4A083AA: realloc
(in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==12324==
by 0x400684: main (in /tmp/testrealloc) ==12324== 
--12324-- 
--12324-- used_suppression:      2
glibc-2.5.x-on-SUSE-10.2-(PPC)-2a /usr/lib64/valgrind/default.supp:1286
==12324== ==12324== ERROR SUMMARY: 1 errors from 1 contexts
(suppressed: 2 from 2)

*/

Btw, there are always 2 suppressed errors (from the compiled standard
library, I guess). I wish that someone could look into these).

I have become a great fan of valgrind. Of course, that in itself may be
a problem if it lulls one to a false sense of complacency.

Best wishes,
Ranjan

____________________________________________________________
FREE 3D MARINE AQUARIUM SCREENSAVER - Watch dolphins, sharks & orcas on your desktop!
Check it out at http://www.inbox.com/marineaquarium