Opened 4 years ago

Closed 3 years ago

#19152 closed defect (fixed)

use-after-free on failing RSA_generate_key_ex()

Reported by: nickm
Owned by: nickm
Priority: Medium
Milestone: Tor: 0.2.4.x-final
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: 027-backport
Cc:
Actual Points:
Parent ID:
Points:
Reviewer: arma
Sponsor:

Description

Reported by Yuan Kang.

When we generate a key, if OpenSSL fails to generate an RSA key, we currently retain a dangling pointer to the previous (uninitialized) key value. The impact here should be limited to a difficult-to-trigger crash, if OpenSSL is running an engine that makes key generation failures possible, or if OpenSSL runs out of memory.
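The pattern described above, as an added example that is not Tor's code or the patch from this ticket: a key holder frees its old key, regeneration fails, and the holder is left pointing at freed memory. `fake_rsa`, `fake_generate`, `pk_env` and the function names are hypothetical stand-ins (for OpenSSL's `RSA` object and `RSA_generate_key_ex()`), chosen so the block runs without OpenSSL.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for the OpenSSL RSA object and generator. */
typedef struct { int bits; } fake_rsa;
static int fail_next_generate = 0;  /* set to 1 to simulate engine failure/OOM */

static int fake_generate(fake_rsa *r, int bits) {
  if (fail_next_generate) return 0;
  r->bits = bits;
  return 1;
}

typedef struct { fake_rsa *key; } pk_env;  /* hypothetical key holder */

/* Before: on failure, env->key still holds the freed pointer. */
int generate_key_unsafe(pk_env *env, int bits) {
  fake_rsa *r;
  if (env->key)
    free(env->key);                 /* env->key now dangles */
  r = malloc(sizeof(*r));
  if (!r || !fake_generate(r, bits)) {
    free(r);
    return -1;                      /* a later use or free of env->key is a UAF */
  }
  env->key = r;
  return 0;
}

/* After: clear the slot when the old key is freed, install only on success. */
int generate_key_safe(pk_env *env, int bits) {
  fake_rsa *r;
  if (env->key) {
    free(env->key);
    env->key = NULL;
  }
  r = malloc(sizeof(*r));
  if (!r || !fake_generate(r, bits)) {
    free(r);
    return -1;                      /* env->key is NULL, not dangling */
  }
  env->key = r;
  return 0;
}

/* Teardown is safe after a failed regeneration because free(NULL) is a no-op. */
void pk_env_clear(pk_env *env) { free(env->key); env->key = NULL; }
```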

Change History (10)

comment:1 Changed 4 years ago by nickm

Status: new → needs_review

My branch bug19152_024 has a possible fix.

comment:2 Changed 4 years ago by nickm

Keywords: must-fix-before-028-alpha added

comment:3 Changed 4 years ago by arma

s/failes/fails/

"exactly when to"...?

The commit log starts with "let me walk through my analysis" rather than explaining what the issue is or what the fix is. Re-using some of the text from the changes file would be helpful, to give context to the person who is reading (since you clearly are intending for people to read this commit log). Like, you start talking about a non-engine case before I knew engines were involved.

The patch itself looks good to me.

I've mailed the original bug reporter so he can look it over too if he wants.

Thanks!

comment:4 Changed 4 years ago by arma

Keywords: CoreTorTeam201606 added
Reviewer: arma

comment:5 Changed 4 years ago by arma

Status: needs_review → needs_revision

comment:6 Changed 4 years ago by arma

Ok: the bug reporter wants to be credited as "Yuan Jochen Kang, Suman Jana, and Baishakhi Ray".

The bug reporter also confirms that the patch looks good.

comment:7 Changed 4 years ago by nickm

Keywords: must-fix-before-028-alpha CoreTorTeam201606 removed
Milestone: Tor: 0.2.8.x-final → Tor: 0.2.7.x-final
Status: needs_revision → needs_review

bug19152_024_v2 has the requested changes. Merging to 028 and forward, marking for possible 027 backport.

comment:8 Changed 3 years ago by nickm

Milestone: Tor: 0.2.7.x-final → Tor: 0.2.4.x-final

comment:9 Changed 3 years ago by nickm

(backported to 0.2.4)

comment:10 Changed 3 years ago by nickm

Resolution: fixed
Status: needs_review → closed