bugfix: fixed multiple use-after-free.

fffonion · Jul 23, 2024 · 7a05e3a · 7a05e3a
1 parent e924ee0
commit 7a05e3a
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 12 deletions.
diff --git a/lib/resty/openssl/auxiliary/bio.lua b/lib/resty/openssl/auxiliary/bio.lua
@@ -40,4 +40,4 @@ end
 
 return {
   read_wrap = read_wrap,
-}
+}
diff --git a/lib/resty/openssl/stack.lua b/lib/resty/openssl/stack.lua
@@ -156,4 +156,4 @@ _M.deep_copy_of = function(typ)
   end
 end
 
-return _M
+return _M
diff --git a/lib/resty/openssl/x509/csr.lua b/lib/resty/openssl/x509/csr.lua
@@ -190,7 +190,8 @@ end
 
 local function modify_extension(replace, ctx, nid, toset, crit)
   local extensions_ptr = stack_ptr_type()
-  extensions_ptr[0] = C.X509_REQ_get_extensions(ctx)
+  local extension = C.X509_REQ_get_extensions(ctx)
+  extensions_ptr[0] = extension
   local need_cleanup = extensions_ptr[0] ~= nil and
   -- extensions_ptr being nil is fine: it may just because there's no extension yet
   -- https://github.com/openssl/openssl/commit/2039ac07b401932fa30a05ade80b3626e189d78a
@@ -210,7 +211,7 @@ local function modify_extension(replace, ctx, nid, toset, crit)
   local code = C.X509V3_add1_i2d(extensions_ptr, nid, toset, crit and 1 or 0, flag)
   -- when the stack is newly allocated, we want to cleanup the newly created stack as well
   -- setting the gc handler here as it's mutated in X509V3_add1_i2d if it's pointing to NULL
-  ffi_gc(extensions_ptr[0], x509_extensions_gc)
+  ffi_gc(extension, x509_extensions_gc)
   if code ~= 1 then
     return false, format_error("X509V3_add1_i2d", code)
   end
@@ -224,7 +225,7 @@ local function modify_extension(replace, ctx, nid, toset, crit)
     end
   end
 
-  code = C.X509_REQ_add_extensions(ctx, extensions_ptr[0])
+  code = C.X509_REQ_add_extensions(ctx, extension)
   if code ~= 1 then
     return false, format_error("X509_REQ_add_extensions", code)
   end
@@ -250,7 +251,8 @@ function _M:add_extension(extension)
 
   local nid = extension:get_object().nid
   local toset = extension_lib.to_data(extension, nid)
-  return add_extension(self.ctx, nid, toset.ctx, extension:get_critical())
+  local res, err = add_extension(self.ctx, nid, toset.ctx, extension:get_critical())
+  return res, err
 end
 
 function _M:set_extension(extension)

diff --git a/lib/resty/openssl/x509/extension.lua b/lib/resty/openssl/x509/extension.lua
@@ -225,7 +225,11 @@ function _M.to_data(extension, nid)
     local got = ffi_cast("GENERAL_NAMES*", void_ptr)
     local lib = require("resty.openssl.x509.altname")
     -- the internal ptr is returned, ie we need to copy it
-    return lib.dup(got)
+    local res, err = lib.dup(got)
+    if res ~= nil then
+        res._dupped_from = void_ptr
+    end
+    return res, err
   end
 
   return nil, string.format("x509.extension:to_data: don't know how to convert to NID %d", nid)

diff --git a/lib/resty/openssl/x509/init.lua b/lib/resty/openssl/x509/init.lua
@@ -692,7 +692,12 @@ function _M:get_subject_alt_name()
   got = ffi_cast("GENERAL_NAMES*", got_ref)
   local lib = require("resty.openssl.x509.altname")
   -- the internal ptr is returned, ie we need to copy it
-  return lib.dup(got)
+  local res, err = lib.dup(got)
+  if res ~= nil then
+    res._dupped_from = got_ref -- keep got_ref from gc
+  end
+
+  return res, err
 end
 
 -- AUTO GENERATED: EXTENSIONS
@@ -746,7 +751,12 @@ function _M:get_issuer_alt_name()
   got = ffi_cast("GENERAL_NAMES*", got_ref)
   local lib = require("resty.openssl.x509.altname")
   -- the internal ptr is returned, ie we need to copy it
-  return lib.dup(got)
+  local res, err = lib.dup(got)
+  if res ~= nil then
+    res._dupped_from = got_ref -- keep got_ref from gc
+  end
+
+  return res, err
 end
 
 -- AUTO GENERATED: EXTENSIONS
@@ -891,7 +901,10 @@ function _M:get_info_access()
   got = ffi_cast("AUTHORITY_INFO_ACCESS*", got_ref)
   local lib = require("resty.openssl.x509.extension.info_access")
   -- the internal ptr is returned, ie we need to copy it
-  return lib.dup(got)
+  local res, err = lib.dup(got)
+  if res ~= nil then
+    res._dupped_from = got_ref -- keep got_ref from gc
+  end
 end
 
 -- AUTO GENERATED: EXTENSIONS
@@ -945,7 +958,12 @@ function _M:get_crl_distribution_points()
   got = ffi_cast("OPENSSL_STACK*", got_ref)
   local lib = require("resty.openssl.x509.extension.dist_points")
   -- the internal ptr is returned, ie we need to copy it
-  return lib.dup(got)
+  local res, err = lib.dup(got)
+  if res ~= nil then
+    res._dupped_from = got_ref -- keep got_ref from gc
+  end
+
+  return res, err
 end
 
 -- AUTO GENERATED: EXTENSIONS

diff --git a/lib/resty/openssl/x509/store.lua b/lib/resty/openssl/x509/store.lua
@@ -217,7 +217,11 @@ function _M:verify(x509, chain, return_chain, properties, verify_method, flags)
       return true, nil
     end
     local ret_chain_ctx = C.X509_STORE_CTX_get0_chain(ctx)
-    return chain_lib.dup(ret_chain_ctx)
+    local res, err = chain_lib.dup(ret_chain_ctx)
+    if res ~= nil then
+        res._anchor_ctx = ctx
+    end
+    return res, err
   elseif code == 0 then -- unverified
     local vfy_code = C.X509_STORE_CTX_get_error(ctx)
-Original file line number
+Diff line change
@@ Expand Up / @@ -40,4 +40,4 @@ end @@
     return {
       read_wrap = read_wrap,
-    }
+    }