From 7a05e3ac0ec0f84fd22fc39f8774d24fb987d444 Mon Sep 17 00:00:00 2001
From: lijunlong
Date: Thu, 18 Jul 2024 00:00:18 +0800
Subject: [PATCH] bugfix: fixed multiple use-after-free.
---
 lib/resty/openssl/auxiliary/bio.lua | 2 +-
 lib/resty/openssl/stack.lua | 2 +-
 lib/resty/openssl/x509/csr.lua | 10 ++++++----
 lib/resty/openssl/x509/extension.lua | 6 +++++-
 lib/resty/openssl/x509/init.lua | 26 ++++++++++++++++++++++----
 lib/resty/openssl/x509/store.lua | 6 +++++-
 6 files changed, 40 insertions(+), 12 deletions(-)
diff --git a/lib/resty/openssl/auxiliary/bio.lua b/lib/resty/openssl/auxiliary/bio.lua
index 3eed9f0c..47a4075d 100644
--- a/lib/resty/openssl/auxiliary/bio.lua
+++ b/lib/resty/openssl/auxiliary/bio.lua
@@ -40,4 +40,4 @@ end
 return {
 read_wrap = read_wrap,
-}
\ No newline at end of file
+}
diff --git a/lib/resty/openssl/stack.lua b/lib/resty/openssl/stack.lua
index b4570e6f..afbdee47 100644
--- a/lib/resty/openssl/stack.lua
+++ b/lib/resty/openssl/stack.lua
@@ -156,4 +156,4 @@ _M.deep_copy_of = function(typ)
 end
 end
-return _M
\ No newline at end of file
+return _M
diff --git a/lib/resty/openssl/x509/csr.lua b/lib/resty/openssl/x509/csr.lua
index 93263df0..8a5fc081 100644
--- a/lib/resty/openssl/x509/csr.lua
+++ b/lib/resty/openssl/x509/csr.lua
@@ -190,7 +190,8 @@ end
 local function modify_extension(replace, ctx, nid, toset, crit)
 local extensions_ptr = stack_ptr_type()
- extensions_ptr[0] = C.X509_REQ_get_extensions(ctx)
+ local extension = C.X509_REQ_get_extensions(ctx)
+ extensions_ptr[0] = extension
 local need_cleanup = extensions_ptr[0] ~= nil and
 -- extensions_ptr being nil is fine: it may just because there's no extension yet
 -- https://github.com/openssl/openssl/commit/2039ac07b401932fa30a05ade80b3626e189d78a
@@ -210,7 +211,7 @@ local function modify_extension(replace, ctx, nid, toset, crit)
 local code = C.X509V3_add1_i2d(extensions_ptr, nid, toset, crit and 1 or 0, flag)
 -- when the stack is newly allocated, we want to cleanup the newly created stack as well
 -- setting the gc handler here as it's mutated in X509V3_add1_i2d if it's pointing to NULL
- ffi_gc(extensions_ptr[0], x509_extensions_gc)
+ ffi_gc(extension, x509_extensions_gc)
 if code ~= 1 then
 return false, format_error("X509V3_add1_i2d", code)
 end
@@ -224,7 +225,7 @@ local function modify_extension(replace, ctx, nid, toset, crit)
 end
 end
- code = C.X509_REQ_add_extensions(ctx, extensions_ptr[0])
+ code = C.X509_REQ_add_extensions(ctx, extension)
 if code ~= 1 then
 return false, format_error("X509_REQ_add_extensions", code)
 end
@@ -250,7 +251,8 @@ function _M:add_extension(extension)
 local nid = extension:get_object().nid
 local toset = extension_lib.to_data(extension, nid)
- return add_extension(self.ctx, nid, toset.ctx, extension:get_critical())
+ local res, err = add_extension(self.ctx, nid, toset.ctx, extension:get_critical())
+ return res, err
 end
 function _M:set_extension(extension)
diff --git a/lib/resty/openssl/x509/extension.lua b/lib/resty/openssl/x509/extension.lua
index f0bcd88e..bda95744 100644
--- a/lib/resty/openssl/x509/extension.lua
+++ b/lib/resty/openssl/x509/extension.lua
@@ -225,7 +225,11 @@ function _M.to_data(extension, nid)
 local got = ffi_cast("GENERAL_NAMES*", void_ptr)
 local lib = require("resty.openssl.x509.altname")
 -- the internal ptr is returned, ie we need to copy it
- return lib.dup(got)
+ local res, err = lib.dup(got)
+ if res ~= nil then
+ res._dupped_from = void_ptr
+ end
+ return res, err
 end
 return nil, string.format("x509.extension:to_data: don't know how to convert to NID %d", nid)
diff --git a/lib/resty/openssl/x509/init.lua b/lib/resty/openssl/x509/init.lua
index 77bebbce..da480833 100644
--- a/lib/resty/openssl/x509/init.lua
+++ b/lib/resty/openssl/x509/init.lua
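Review bot: In `modify_extension` (csr.lua), `ffi_gc(extension, x509_extensions_gc)` uses the pointer captured before `X509V3_add1_i2d` ran, yet the comment directly above it says that call replaces `extensions_ptr[0]` when it starts out NULL. For a request that has no extensions yet, `extension` would then still be NULL: the finalizer is attached to a null pointer, the later `X509_REQ_add_extensions(ctx, extension)` (hunk at -224) receives NULL, and the newly allocated stack is never freed. Re-reading the slot once after the call keeps the single anchored reference this patch is after: `extension = extensions_ptr[0]` placed just before `ffi_gc(extension, x509_extensions_gc)`. The function body starts and ends outside these hunks, so the `need_cleanup` path should be checked against the same assumption.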
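Review bot: The split into `local res, err = add_extension(...)` followed by `return res, err` in `_M:add_extension` (csr.lua) carries no comment, and it reads like a no-op that a later cleanup would fold back into a direct return. Presumably the point is to avoid a tail call, so that the `toset` local, whose `toset.ctx` is passed down, stays referenced until `add_extension` has returned. A comment above the call would protect that: `-- not a tail call on purpose: toset must stay referenced while toset.ctx is in use`.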
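Review bot: `res._dupped_from = void_ptr` in `_M.to_data` (extension.lua) has no comment, while the existing line above it says the result is a copy, so the reason for keeping a reference to the source pointer is not visible at this site. The equivalent assignments in x509/init.lua are annotated, and the same wording fits here: `res._dupped_from = void_ptr -- keep void_ptr from gc`. to_data's body starts outside the hunk, so where `void_ptr` gets its finalizer cannot be confirmed from here.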
@@ -692,7 +692,12 @@ function _M:get_subject_alt_name()
 got = ffi_cast("GENERAL_NAMES*", got_ref)
 local lib = require("resty.openssl.x509.altname")
 -- the internal ptr is returned, ie we need to copy it
- return lib.dup(got)
+ local res, err = lib.dup(got)
+ if res ~= nil then
+ res._dupped_from = got_ref -- keep got_ref from gc
+ end
+
+ return res, err
 end
 -- AUTO GENERATED: EXTENSIONS
@@ -746,7 +751,12 @@ function _M:get_issuer_alt_name()
 got = ffi_cast("GENERAL_NAMES*", got_ref)
 local lib = require("resty.openssl.x509.altname")
 -- the internal ptr is returned, ie we need to copy it
- return lib.dup(got)
+ local res, err = lib.dup(got)
+ if res ~= nil then
+ res._dupped_from = got_ref -- keep got_ref from gc
+ end
+
+ return res, err
 end
 -- AUTO GENERATED: EXTENSIONS
@@ -891,7 +901,10 @@ function _M:get_info_access()
 got = ffi_cast("AUTHORITY_INFO_ACCESS*", got_ref)
 local lib = require("resty.openssl.x509.extension.info_access")
 -- the internal ptr is returned, ie we need to copy it
- return lib.dup(got)
+ local res, err = lib.dup(got)
+ if res ~= nil then
+ res._dupped_from = got_ref -- keep got_ref from gc
+ end
 end
 -- AUTO GENERATED: EXTENSIONS
@@ -945,7 +958,12 @@ function _M:get_crl_distribution_points()
 got = ffi_cast("OPENSSL_STACK*", got_ref)
 local lib = require("resty.openssl.x509.extension.dist_points")
 -- the internal ptr is returned, ie we need to copy it
- return lib.dup(got)
+ local res, err = lib.dup(got)
+ if res ~= nil then
+ res._dupped_from = got_ref -- keep got_ref from gc
+ end
+
+ return res, err
 end
 -- AUTO GENERATED: EXTENSIONS
diff --git a/lib/resty/openssl/x509/store.lua b/lib/resty/openssl/x509/store.lua
index ead7e8a1..f52919c3 100644
--- a/lib/resty/openssl/x509/store.lua
+++ b/lib/resty/openssl/x509/store.lua
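Review bot: The edited return in `_M:get_subject_alt_name` (x509/init.lua) sits next to an `-- AUTO GENERATED: EXTENSIONS` marker, which suggests these getters are produced from a template that this patch does not touch. If that is so, the next regeneration would restore `return lib.dup(got)` and bring the use-after-free back; the same applies to `get_issuer_alt_name`, `get_info_access` and `get_crl_distribution_points` in the hunks below. The `_dupped_from` anchor belongs in the generator template as well. A regression test that calls `collectgarbage()` between loading the certificate and reading the extension would catch a silent revert.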
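Review bot: `_M:get_info_access` (x509/init.lua, hunk at -891) no longer returns anything: the hunk replaces `return lib.dup(got)` with the `res, err` assignment and the `_dupped_from` anchor, but unlike the three sibling getters it runs straight into `end` without `return res, err`. On this path callers would get no values even when the extension is present, and any error from `lib.dup` is dropped. Add `return res, err` after the `if` block. The hunk header agrees with this reading: ten new lines here against twelve in the other getters.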
@@ -217,7 +217,11 @@ function _M:verify(x509, chain, return_chain, properties, verify_method, flags)
 return true, nil
 end
 local ret_chain_ctx = C.X509_STORE_CTX_get0_chain(ctx)
- return chain_lib.dup(ret_chain_ctx)
+ local res, err = chain_lib.dup(ret_chain_ctx)
+ if res ~= nil then
+ res._anchor_ctx = ctx
+ end
+ return res, err
 elseif code == 0 then -- unverified
 local vfy_code = C.X509_STORE_CTX_get_error(ctx)
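Review bot: `res._anchor_ctx = ctx` in `_M:verify` (store.lua) uses a different field name from the `_dupped_from` that serves the same purpose in x509/init.lua and x509/extension.lua, and it has no comment. If `chain_lib.dup` makes a full copy, the reference is needed only until that call returns, yet storing it on the result keeps the whole `X509_STORE_CTX` alive for as long as the caller holds the chain. Either document the retention as intended, e.g. `res._anchor_ctx = ctx -- keep ctx alive while ret_chain_ctx is copied`, or use one name for this anchor across the modules. verify's body starts and ends outside the hunk.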