Skip to content

Fix potential NULL pointer dereference before calling EVP_SignInit #13870

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Fix potential NULL pointer dereference before calling EVP_SignInit #13870

wants to merge 1 commit into from

Conversation

icy17
Copy link
Contributor

@icy17 icy17 commented Apr 2, 2024

No description provided.

staabm
staabm reviewed Apr 2, 2024
View reviewed changes
@staabm
Copy link
Contributor

staabm commented Apr 3, 2024
edited
Loading

Same problem here?

php-src/ext/openssl/openssl.c

Line 7381 in 7db7c42

md_ctx = EVP_MD_CTX_create();

Maybe in more places...?

@icy17
Copy link
Contributor Author

icy17 commented Apr 3, 2024

Same problem here?

php-src/ext/openssl/openssl.c

Line 7381 in 7db7c42

md_ctx = EVP_MD_CTX_create();

Maybe in more places...?

Yes, this is a potential NULL dereference.

@nielsdos
Copy link
Member

nielsdos commented Apr 7, 2024

Thanks for this patch.
One thing to improve: I think you need to emit an error, like is done here:

php-src/ext/phar/util.c

Line 1593 in 1e4bb03

spprintf(error, 0, "openssl signature could not be verified");

@icy17
Copy link
Contributor Author

icy17 commented Apr 8, 2024

openssl signature could not be verified

got it, but I'm not sure about the content of error, should be "openssl signature could not be verified"?

@nielsdos
Copy link
Member

nielsdos commented Apr 8, 2024

openssl signature could not be verified

got it, but I'm not sure about the content of error, should be "openssl signature could not be verified"?

Works for me

nielsdos
nielsdos approved these changes Apr 8, 2024
View reviewed changes
Copy link
Member

@nielsdos nielsdos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems right, thanks! I'll merge this into PHP-8.2 and above.
Note that for next time you create a PR for a bugfix, please target not the master branch, but the lowest supported branch for bugfixes.

@nielsdos nielsdos closed this in 6f8bda0 Apr 8, 2024
@nielsdos
Copy link
Member

nielsdos commented Apr 8, 2024

I adapted the patch a bit in the merge to also free key like the error block below did too, while at it I just copied the error message too, such that the error block is identical except for freeing sigbuf.
Thanks!

@icy17
Copy link
Contributor Author

icy17 commented May 15, 2024

Hi! Thanks for merging my pull requests!
I noticed these PR addresse potential security issues. I'm wondering if it would be appropriate to apply for CVEs for these bugs? Could you let me know if that's possible and what steps I should take?

@nielsdos
Copy link
Member

I noticed these PR addresse potential security issues. I'm wondering if it would be appropriate to apply for CVEs for these bugs? Could you let me know if that's possible and what steps I should take?

I've looked in the OpenSSL code, and the only way the function can fail is if the memory allocation fails. On modern systems the allocator normally doesn't fail, but even if it does, this doesn't seem attacker controllable. If the context is NULL, then the request will crash, but it would've aborted anyway because we're out of memory at this point, it's just that the abort of the request happens more gracefully now.
I don't really see how this fits in PHP's security policy: https://wiki.php.net/security

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@staabm staabm staabm left review comments

@nielsdos nielsdos nielsdos approved these changes

Assignees
No one assigned
Labels
Extension: phar
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@icy17 @staabm @nielsdos