Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
BUG/MINOR: ssl: Double free of OCSP Certificate ID
This bug could be reproduced loading several certificated from "bind" line: with "server_ocsp.pem" as argument to "crt" setting and updating the CDSA certificate with the RSA as follows: echo -e "set ssl cert reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.ecdsa \ <<\n$(cat reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.rsa)\n" | socat - /tmp/stats followed by an "commit ssl cert reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.ecdsa" command. This could be detected by libasan as follows: ================================================================= ==507223==ERROR: AddressSanitizer: attempting double-free on 0x60200007afb0 in thread T3: #0 0x7fabc6fb5527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527) joyent#1 0x7fabc6ae8f8c in ossl_asn1_string_embed_free (/opt/quictls/lib/libcrypto.so.81.3+0xd4f8c) joyent#2 0x7fabc6af54e9 in ossl_asn1_primitive_free (/opt/quictls/lib/libcrypto.so.81.3+0xe14e9) haproxy#3 0x7fabc6af5960 in ossl_asn1_template_free (/opt/quictls/lib/libcrypto.so.81.3+0xe1960) haproxy#4 0x7fabc6af569f in ossl_asn1_item_embed_free (/opt/quictls/lib/libcrypto.so.81.3+0xe169f) haproxy#5 0x7fabc6af58a4 in ASN1_item_free (/opt/quictls/lib/libcrypto.so.81.3+0xe18a4) haproxy#6 0x46a159 in ssl_sock_free_cert_key_and_chain_contents src/ssl_ckch.c:723 haproxy#7 0x46aa92 in ckch_store_free src/ssl_ckch.c:869 haproxy#8 0x4704ad in cli_release_commit_cert src/ssl_ckch.c:1981 haproxy#9 0x962e83 in cli_io_handler src/cli.c:1140 haproxy#10 0xc1edff in task_run_applet src/applet.c:454 haproxy#11 0xaf8be9 in run_tasks_from_lists src/task.c:634 haproxy#12 0xafa2ed in process_runnable_tasks src/task.c:876 haproxy#13 0xa23c72 in run_poll_loop src/haproxy.c:3024 haproxy#14 0xa24aa3 in run_thread_poll_loop src/haproxy.c:3226 haproxy#15 0x7fabc69e7ea6 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7ea6) haproxy#16 0x7fabc6907a2e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfba2e) 0x60200007afb0 is located 0 bytes inside of 3-byte region [0x60200007afb0,0x60200007afb3) freed by thread T3 here: #0 0x7fabc6fb5527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527) joyent#1 0x7fabc6ae8f8c in ossl_asn1_string_embed_free (/opt/quictls/lib/libcrypto.so.81.3+0xd4f8c) previously allocated by thread T2 here: #0 0x7fabc6fb573f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f) joyent#1 0x7fabc6ae8d77 in ASN1_STRING_set (/opt/quictls/lib/libcrypto.so.81.3+0xd4d77) Thread T3 created by T0 here: #0 0x7fabc6f84bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba) joyent#1 0xc04f36 in setup_extra_threads src/thread.c:252 joyent#2 0xa2761f in main src/haproxy.c:3917 haproxy#3 0x7fabc682fd09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09) Thread T2 created by T0 here: #0 0x7fabc6f84bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba) joyent#1 0xc04f36 in setup_extra_threads src/thread.c:252 joyent#2 0xa2761f in main src/haproxy.c:3917 haproxy#3 0x7fabc682fd09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09) SUMMARY: AddressSanitizer: double-free ??:0 __interceptor_free ==507223==ABORTING Aborted The OCSP CID stored in the impacted ckch data were freed but not reset to NULL, leading to a subsequent double free. Must be backported to 2.8. (cherry picked from commit 7dab3e8) Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> (cherry picked from commit 5c82bd9) Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
- Loading branch information