lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 21 Apr 2012 17:33:39 -0400
From: Jeffrey Walton <noloader@...il.com>
To: Benjamin Kreuter <ben.kreuter@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: incorrect integer conversions in OpenSSL can
 result in memory corruption.

On Thu, Apr 19, 2012 at 10:32 AM, Benjamin Kreuter
<ben.kreuter@...il.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On Thu, 19 Apr 2012 12:35:22 +0200
> Tavis Ormandy <taviso@...xchg8b.com> wrote:
>
>> All versions of OpenSSL on all platforms up to and including version
>> 1.0.1 are affected.
>
> [snip]
>
>> BUF_MEM_grow_clean accepts a size_t, but the subroutine it uses to
>> handle the allocation only accepts a 32bit signed integer.
>
> Correct me if I am wrong, but shouldn't this only be a problem on
> systems where a size_t is wider than an int i.e. not on 32 bit systems?
I don't believe so (that is, it can be a problem on 32 bit systems),
but I'd need to see more context. For example, if the attacker
controls the size and forces the size to negative (due to use of an
int), then it will never convert to a size_t.

void *CRYPTO_realloc_clean(void *str, int old_len, int num, const char
*file, int line)
{
   /* ... */
   ret=malloc_ex_func(num,file,line);
   if(ret)
       {
       memcpy(ret,str,old_len);
       OPENSSL_cleanse(str,old_len);
       free_func(str);
       }
   /* ... */
   return ret;
}

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ