Skip to content

Commit

Permalink
BUG/MINOR: ssl: Double free of OCSP Certificate ID
Browse files Browse the repository at this point in the history
This bug could be reproduced loading several certificated from "bind" line:
with "server_ocsp.pem" as argument to "crt" setting and updating
the CDSA certificate with the RSA as follows:

echo -e "set ssl cert reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.ecdsa \
	     <<\n$(cat reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.rsa)\n" | socat - /tmp/stats
followed by an "commit ssl cert reg-tests/ssl/ocsp_update/multicert/server_ocsp.pem.ecdsa"
command. This could be detected by libasan as follows:

=================================================================
==507223==ERROR: AddressSanitizer: attempting double-free on 0x60200007afb0 in thread T3:
    #0 0x7fabc6fb5527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
    joyent#1 0x7fabc6ae8f8c in ossl_asn1_string_embed_free (/opt/quictls/lib/libcrypto.so.81.3+0xd4f8c)
    joyent#2 0x7fabc6af54e9 in ossl_asn1_primitive_free (/opt/quictls/lib/libcrypto.so.81.3+0xe14e9)
    haproxy#3 0x7fabc6af5960 in ossl_asn1_template_free (/opt/quictls/lib/libcrypto.so.81.3+0xe1960)
    haproxy#4 0x7fabc6af569f in ossl_asn1_item_embed_free (/opt/quictls/lib/libcrypto.so.81.3+0xe169f)
    haproxy#5 0x7fabc6af58a4 in ASN1_item_free (/opt/quictls/lib/libcrypto.so.81.3+0xe18a4)
    haproxy#6 0x46a159 in ssl_sock_free_cert_key_and_chain_contents src/ssl_ckch.c:723
    haproxy#7 0x46aa92 in ckch_store_free src/ssl_ckch.c:869
    haproxy#8 0x4704ad in cli_release_commit_cert src/ssl_ckch.c:1981
    haproxy#9 0x962e83 in cli_io_handler src/cli.c:1140
    haproxy#10 0xc1edff in task_run_applet src/applet.c:454
    haproxy#11 0xaf8be9 in run_tasks_from_lists src/task.c:634
    haproxy#12 0xafa2ed in process_runnable_tasks src/task.c:876
    haproxy#13 0xa23c72 in run_poll_loop src/haproxy.c:3024
    haproxy#14 0xa24aa3 in run_thread_poll_loop src/haproxy.c:3226
    haproxy#15 0x7fabc69e7ea6 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7ea6)
    haproxy#16 0x7fabc6907a2e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfba2e)

0x60200007afb0 is located 0 bytes inside of 3-byte region [0x60200007afb0,0x60200007afb3)
freed by thread T3 here:
    #0 0x7fabc6fb5527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
    joyent#1 0x7fabc6ae8f8c in ossl_asn1_string_embed_free (/opt/quictls/lib/libcrypto.so.81.3+0xd4f8c)

previously allocated by thread T2 here:
    #0 0x7fabc6fb573f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    joyent#1 0x7fabc6ae8d77 in ASN1_STRING_set (/opt/quictls/lib/libcrypto.so.81.3+0xd4d77)

Thread T3 created by T0 here:
    #0 0x7fabc6f84bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    joyent#1 0xc04f36 in setup_extra_threads src/thread.c:252
    joyent#2 0xa2761f in main src/haproxy.c:3917
    haproxy#3 0x7fabc682fd09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)

Thread T2 created by T0 here:
    #0 0x7fabc6f84bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    joyent#1 0xc04f36 in setup_extra_threads src/thread.c:252
    joyent#2 0xa2761f in main src/haproxy.c:3917
    haproxy#3 0x7fabc682fd09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)

SUMMARY: AddressSanitizer: double-free ??:0 __interceptor_free
==507223==ABORTING
Aborted

The OCSP CID stored in the impacted ckch data were freed but not reset to NULL,
leading to a subsequent double free.

Must be backported to 2.8.

(cherry picked from commit 7dab3e8)
Signed-off-by: Christopher Faulet <[email protected]>
(cherry picked from commit 5c82bd9)
Signed-off-by: Christopher Faulet <[email protected]>
  • Loading branch information
haproxyFred authored and capflam committed Dec 7, 2023
1 parent 1b0a5a0 commit 57359b9
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion src/ssl_sock.c
Original file line number Diff line number Diff line change
Expand Up @@ -1288,8 +1288,10 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *
}

out:
if (ret && data->ocsp_cid)
if (ret && data->ocsp_cid) {
OCSP_CERTID_free(data->ocsp_cid);
data->ocsp_cid = NULL;
}

if (!ret && data->ocsp_response) {
ha_free(&data->ocsp_response->area);
Expand Down

0 comments on commit 57359b9

Please sign in to comment.