NetBSD Problem Report #58039
From www@netbsd.org Fri Mar 15 10:29:28 2024
Date: Fri, 15 Mar 2024 10:29:26 +0000 (UTC)
From: netbsd-bugs@michael-kaufmann.ch
Reply-To: netbsd-bugs@michael-kaufmann.ch
To: gnats-bugs@NetBSD.org
Subject: Buffer overflow when writing a SHA512_224 or SHA512_256 digest
X-Send-Pr-Version: www-1.0
>Number: 58039
>Category: lib
>Synopsis: Buffer overflow when writing a SHA512_224 or SHA512_256 digest
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: riastradh
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Mar 15 10:30:00 +0000 2024
>Closed-Date: Mon Mar 25 17:56:17 +0000 2024
>Last-Modified: Tue Oct 15 23:30:02 +0000 2024
>Originator: Michael Kaufmann
>Release: 10.0 RC6
>Organization:
>Environment:
NetBSD netbsd.localdomain 10.0_RC6 NetBSD 10.0_RC6 (GENERIC) #0: Tue Mar 12 10:19:02 UTC 2024 mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
When calculating digests with EVP_sha512_224() or EVP_sha512_256(), 64 bytes are written. Applications expect that 28 bytes are written (for EVP_sha512_224) or 32 bytes are written (for EVP_sha512_256). This results in a buffer overflow.
NetBSD uses a patched OpenSSL, with a custom implementation of the SHA512 functions. The original OpenSSL implementation does not have this problem.
Please also see problem report #51333
This bug has been discovered while debugging a curl problem: https://github.com/curl/curl/pull/13070
>How-To-Repeat:
Build and run this program. It crashes on NetBSD, runs fine on other operating systems, e.g. Linux.
gcc -Wall digest.c -lcrypto
#include <stdio.h>
#include <string.h>
#include <openssl/evp.h>

int main(void)
{
    const char* data = "1";
    size_t length = 1;
    /* 32 bytes is the correct output size for SHA-512/256 */
    unsigned char digest[32];
    /* printed before and after hashing to show whether it was overwritten */
    int check_val = 123;

    printf("%d\n", check_val);
    memset(digest, '\0', sizeof(digest));

    EVP_MD_CTX* ctx = EVP_MD_CTX_create();
    if (!ctx) {
        fprintf(stderr, "EVP_MD_CTX_create() failed\n");
        return 1;
    }

    if (!EVP_DigestInit_ex(ctx, EVP_sha512_256(), NULL))
    {
        fprintf(stderr, "EVP_DigestInit_ex() failed\n");
        EVP_MD_CTX_destroy(ctx);
        return 1;
    }

    if (!EVP_DigestUpdate(ctx, data, length))
    {
        fprintf(stderr, "EVP_DigestUpdate() failed\n");
        EVP_MD_CTX_destroy(ctx);
        return 1;
    }

    /* on the affected libcrypto this call writes 64 bytes into digest */
    unsigned int digest_size = 0;
    if (!EVP_DigestFinal_ex(ctx, digest, &digest_size))
    {
        fprintf(stderr, "EVP_DigestFinal_ex() failed\n");
        EVP_MD_CTX_destroy(ctx);
        return 1;
    }

    printf("digest size: %u\n", digest_size);
    printf("%d\n", check_val);

    EVP_MD_CTX_destroy(ctx);
    return 0;
}
Output on NetBSD:
123
digest size: 32
1964291709
[1] Segmentation fault (core dumped) ./a.out
Output on Linux:
123
digest size: 32
123
>Fix:
Use an unpatched OpenSSL
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: lib-bug-people->riastradh
Responsible-Changed-By: riastradh@NetBSD.org
Responsible-Changed-When: Fri, 15 Mar 2024 14:34:06 +0000
Responsible-Changed-Why:
mine
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58039 CVS commit: src
Date: Fri, 15 Mar 2024 15:32:08 +0000
Module Name: src
Committed By: riastradh
Date: Fri Mar 15 15:32:07 UTC 2024
Modified Files:
src/distrib/sets/lists/debug: mi
src/distrib/sets/lists/tests: mi
src/tests/crypto/libcrypto: Makefile
Added Files:
src/tests/crypto/libcrypto: t_sha512trunc.c
Log Message:
libcrypto: Add some trivial tests for truncated SHA-512 variants.
These should use more of the test vectors from
https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Secure-Hashing#Testing
but this will do for now to detect the buffer overrun rake we left
lying around for ourselves.
PR lib/58039
To generate a diff of this commit:
cvs rdiff -u -r1.429 -r1.430 src/distrib/sets/lists/debug/mi
cvs rdiff -u -r1.1310 -r1.1311 src/distrib/sets/lists/tests/mi
cvs rdiff -u -r1.15 -r1.16 src/tests/crypto/libcrypto/Makefile
cvs rdiff -u -r0 -r1.1 src/tests/crypto/libcrypto/t_sha512trunc.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58039 CVS commit: src
Date: Fri, 15 Mar 2024 18:10:37 +0000
Module Name: src
Committed By: riastradh
Date: Fri Mar 15 18:10:37 UTC 2024
Modified Files:
src/crypto/external/bsd/openssl/dist/crypto/evp: legacy_sha.c
src/crypto/external/bsd/openssl/dist/include/crypto: sha.h
src/crypto/external/bsd/openssl/dist/providers/implementations/digests:
sha2_prov.c
src/crypto/external/bsd/openssl/lib/libcrypto: libc-sha2xx.c
src/tests/crypto/libcrypto: t_sha512trunc.c
Log Message:
libcrypto: Fix buffer overrun in truncated SHA-512 functions.
Further fallout from the libc/openssl sha2 symbol collision.
PR lib/58039
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.2 -r1.2 \
src/crypto/external/bsd/openssl/dist/crypto/evp/legacy_sha.c
cvs rdiff -u -r1.1.1.2 -r1.2 \
src/crypto/external/bsd/openssl/dist/include/crypto/sha.h
cvs rdiff -u -r1.1.1.1 -r1.2 \
src/crypto/external/bsd/openssl/dist/providers/implementations/digests/sha2_prov.c
cvs rdiff -u -r1.3 -r1.4 \
src/crypto/external/bsd/openssl/lib/libcrypto/libc-sha2xx.c
cvs rdiff -u -r1.1 -r1.2 src/tests/crypto/libcrypto/t_sha512trunc.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->needs-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Fri, 15 Mar 2024 18:56:02 +0000
State-Changed-Why:
fixed in HEAD
needs pullup-10, pullup-9
inapplicable <9, openssl is too old in netbsd-8 to be affected
State-Changed-From-To: needs-pullups->pending-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Fri, 15 Mar 2024 19:03:09 +0000
State-Changed-Why:
pullup-10 #637
pullup-9 #1819
inapplicable <9
From: Taylor R Campbell <riastradh@NetBSD.org>
To: Michael Kaufmann <netbsd-bugs@michael-kaufmann.ch>
Cc: gnats-bugs@NetBSD.org, netbsd-bugs@NetBSD.org
Subject: Re: lib/58039: Buffer overflow when writing a SHA512_224 or SHA512_256 digest
Date: Fri, 15 Mar 2024 19:57:30 +0000
Thanks for the report!
Obviously, the hole we've dug ourselves into with the OpenSSL SHA-2
API is a bad state of affairs.
Unfortunately, it is not as easy as simply not patching openssl.
There is a namespace collision between NetBSD's libc and (unpatched)
OpenSSL over names like `SHA512_Init' and `SHA512_Final', which are
declared with different SHA512_CTX types of different sizes.
And we have ABI compatibility requirements that prevent us from just
dropping the symbols from libc, or, worse, pulling the definitions out
of OpenSSL instead -- applications previously using the libc symbols
and NetBSD's SHA512_CTX would suddenly get buffer overruns, because
OpenSSL's SHA512_CTX is larger!
Perhaps we could patch OpenSSL _just to rename the symbols_, and make
sure OpenSSL's libcrypto is never using the libc symbols -- that way
_new_ programs which include <openssl/sha.h> will get the OpenSSL
symbols, and _old_ programs will still get the libc symbols, and
OpenSSL will use its own internal API internally. And maybe that will
reduce our maintenance burden.
But past attempts to dig out of this hole have met with various kinds
of gnarly failure, and OpenSSL is ditching the easy-to-use C APIs for
things like SHA-2 and AES anyway. So for now I've just put another
band-aid on the mess -- and added some automatic tests to catch the
problem later.
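
The failure mode in this report, modelled as an added example (not NetBSD's or OpenSSL's code, and not the contents of t_sha512trunc.c): a finaliser that ignores the truncated digest length, next to one that honours it, with a guard-byte harness that counts bytes written outside the digest buffer. The names final_full, final_trunc, overrun_bytes and the state values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATE_BYTES 64      /* SHA-512 family: 8 x 64-bit state words */
#define GUARD_BYTE  0xA5    /* constructed fill value, never present in the sample state */

typedef void (*final_fn)(const uint64_t st[8], unsigned char *out, size_t mdlen);

/* Big-endian byte i of the 64-byte state. */
static unsigned char state_byte(const uint64_t st[8], size_t i)
{
    return (unsigned char)(st[i / 8] >> (56 - 8 * (i % 8)));
}

/* Models the defect: writes the whole state, ignoring the digest length. */
static void final_full(const uint64_t st[8], unsigned char *out, size_t mdlen)
{
    (void)mdlen;
    for (size_t i = 0; i < STATE_BYTES; i++)
        out[i] = state_byte(st, i);
}

/* Truncating finaliser: byte-wise, because 28 is not a multiple of 8. */
static void final_trunc(const uint64_t st[8], unsigned char *out, size_t mdlen)
{
    for (size_t i = 0; i < mdlen && i < STATE_BYTES; i++)
        out[i] = state_byte(st, i);
}

/* Count bytes modified outside an mdlen-byte digest placed between guard regions. */
static size_t overrun_bytes(final_fn fn, size_t mdlen)
{
    unsigned char buf[3 * STATE_BYTES];
    unsigned char *digest = buf + STATE_BYTES;
    uint64_t st[8];
    size_t n = 0;

    for (size_t i = 0; i < 8; i++)
        st[i] = 0x0101010101010101ULL * (i + 1);   /* constructed state */
    memset(buf, GUARD_BYTE, sizeof(buf));
    fn(st, digest, mdlen);
    for (size_t i = 0; i < sizeof(buf); i++) {
        int inside = i >= STATE_BYTES && i < STATE_BYTES + mdlen;
        if (!inside && buf[i] != GUARD_BYTE)
            n++;
    }
    return n;
}

int main(void)
{
    printf("full:  224 -> %zu, 256 -> %zu\n", overrun_bytes(final_full, 28), overrun_bytes(final_full, 32));
    printf("trunc: 224 -> %zu, 256 -> %zu\n", overrun_bytes(final_trunc, 28), overrun_bytes(final_trunc, 32));
    return 0;
}
```

The same guard-region layout can wrap a real digest call in a regression test, so an overrun is reported as a count instead of depending on what happens to sit next to the buffer on the stack.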
From: Michael Kaufmann <netbsd-bugs@michael-kaufmann.ch>
To: Taylor R Campbell <riastradh@netbsd.org>
Cc: gnats-bugs@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: lib/58039: Buffer overflow when writing a SHA512_224 or
SHA512_256 digest
Date: Fri, 15 Mar 2024 21:34:49 +0100
First I thought that the NetBSD developers just prefer their own
implementation of SHA512 for some reason, but now I understand...
thank you for the explanation, and thank you for the bugfix! It's
really great to get a response and even a bugfix in less than a day :-)
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58039 CVS commit: [netbsd-10] src
Date: Mon, 25 Mar 2024 14:14:56 +0000
Module Name: src
Committed By: martin
Date: Mon Mar 25 14:14:56 UTC 2024
Modified Files:
src/crypto/external/bsd/openssl/dist/crypto/evp [netbsd-10]:
legacy_sha.c
src/crypto/external/bsd/openssl/dist/include/crypto [netbsd-10]: sha.h
src/crypto/external/bsd/openssl/dist/providers/implementations/digests [netbsd-10]:
sha2_prov.c
src/crypto/external/bsd/openssl/lib/libcrypto [netbsd-10]:
libc-sha2xx.c
src/distrib/sets/lists/debug [netbsd-10]: mi
src/distrib/sets/lists/tests [netbsd-10]: mi
src/tests/crypto/libcrypto [netbsd-10]: Makefile
Added Files:
src/tests/crypto/libcrypto [netbsd-10]: t_sha512trunc.c
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #637):
crypto/external/bsd/openssl/dist/providers/implementations/digests/sha2_prov.c: revision 1.2
tests/crypto/libcrypto/t_sha512trunc.c: revision 1.1
tests/crypto/libcrypto/t_sha512trunc.c: revision 1.2
tests/crypto/libcrypto/Makefile: revision 1.16
distrib/sets/lists/tests/mi: revision 1.1311
crypto/external/bsd/openssl/dist/crypto/evp/legacy_sha.c: revision 1.2
distrib/sets/lists/debug/mi: revision 1.430
crypto/external/bsd/openssl/dist/include/crypto/sha.h: revision 1.2
crypto/external/bsd/openssl/lib/libcrypto/libc-sha2xx.c: revision 1.4
libcrypto: Add some trivial tests for truncated SHA-512 variants.
These should use more of the test vectors from
https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Secure-Hashing#Testing
but this will do for now to detect the buffer overrun rake we left
lying around for ourselves.
PR lib/58039
libcrypto: Fix buffer overrun in truncated SHA-512 functions.
Further fallout from the libc/openssl sha2 symbol collision.
PR lib/58039
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1.2.3 -r1.1.1.1.2.4 \
src/crypto/external/bsd/openssl/dist/crypto/evp/legacy_sha.c
cvs rdiff -u -r1.1.1.1.10.1 -r1.1.1.1.10.2 \
src/crypto/external/bsd/openssl/dist/include/crypto/sha.h
cvs rdiff -u -r1.1.1.1.2.2 -r1.1.1.1.2.3 \
src/crypto/external/bsd/openssl/dist/providers/implementations/digests/sha2_prov.c
cvs rdiff -u -r1.2.6.1 -r1.2.6.2 \
src/crypto/external/bsd/openssl/lib/libcrypto/libc-sha2xx.c
cvs rdiff -u -r1.394.2.5 -r1.394.2.6 src/distrib/sets/lists/debug/mi
cvs rdiff -u -r1.1238.2.5 -r1.1238.2.6 src/distrib/sets/lists/tests/mi
cvs rdiff -u -r1.14.10.1 -r1.14.10.2 src/tests/crypto/libcrypto/Makefile
cvs rdiff -u -r0 -r1.2.2.2 src/tests/crypto/libcrypto/t_sha512trunc.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58039 CVS commit: [netbsd-9] src
Date: Mon, 25 Mar 2024 14:26:16 +0000
Module Name: src
Committed By: martin
Date: Mon Mar 25 14:26:16 UTC 2024
Modified Files:
src/crypto/external/bsd/openssl/dist/crypto/evp [netbsd-9]: m_sha1.c
src/crypto/external/bsd/openssl/dist/include/crypto [netbsd-9]: sha.h
src/crypto/external/bsd/openssl/lib/libcrypto [netbsd-9]: libc-sha2xx.c
src/distrib/sets/lists/debug [netbsd-9]: mi
src/distrib/sets/lists/tests [netbsd-9]: mi
src/tests/crypto/libcrypto [netbsd-9]: Makefile
Added Files:
src/tests/crypto/libcrypto [netbsd-9]: t_sha512trunc.c
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #1819):
crypto/external/bsd/openssl/dist/providers/implementations/digests/sha2_prov.c: revision 1.2
(applied to crypto/external/bsd/openssl/dist/crypto/evp/m_sha1.c)
tests/crypto/libcrypto/t_sha512trunc.c: revision 1.1
tests/crypto/libcrypto/t_sha512trunc.c: revision 1.2
tests/crypto/libcrypto/Makefile: revision 1.16
distrib/sets/lists/tests/mi: revision 1.1311
distrib/sets/lists/debug/mi: revision 1.430
crypto/external/bsd/openssl/dist/include/crypto/sha.h: revision 1.2
crypto/external/bsd/openssl/lib/libcrypto/libc-sha2xx.c: revision 1.4
(all via patch)
libcrypto: Add some trivial tests for truncated SHA-512 variants.
These should use more of the test vectors from
https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Secure-Hashing#Testing
but this will do for now to detect the buffer overrun rake we left
lying around for ourselves.
PR lib/58039
libcrypto: Fix buffer overrun in truncated SHA-512 functions.
Further fallout from the libc/openssl sha2 symbol collision.
PR lib/58039
To generate a diff of this commit:
cvs rdiff -u -r1.11.2.1 -r1.11.2.2 \
src/crypto/external/bsd/openssl/dist/crypto/evp/m_sha1.c
cvs rdiff -u -r1.1.1.1.4.2 -r1.1.1.1.4.3 \
src/crypto/external/bsd/openssl/dist/include/crypto/sha.h
cvs rdiff -u -r1.1.6.1 -r1.1.6.2 \
src/crypto/external/bsd/openssl/lib/libcrypto/libc-sha2xx.c
cvs rdiff -u -r1.285.2.6 -r1.285.2.7 src/distrib/sets/lists/debug/mi
cvs rdiff -u -r1.818.2.4 -r1.818.2.5 src/distrib/sets/lists/tests/mi
cvs rdiff -u -r1.14 -r1.14.2.1 src/tests/crypto/libcrypto/Makefile
cvs rdiff -u -r0 -r1.2.4.2 src/tests/crypto/libcrypto/t_sha512trunc.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: pending-pullups->closed
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Mon, 25 Mar 2024 17:56:17 +0000
State-Changed-Why:
fixed in head, pulled up to 10 and 9, inapplicable <9
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58039 CVS commit: src/crypto/external/bsd/openssl/lib/libcrypto
Date: Mon, 15 Jul 2024 06:34:17 +0000
Module Name: src
Committed By: riastradh
Date: Mon Jul 15 06:34:17 UTC 2024
Modified Files:
src/crypto/external/bsd/openssl/lib/libcrypto: Makefile
src/crypto/external/bsd/openssl/lib/libcrypto/arch/x86_64: sha.inc
Log Message:
openssl: Revert openssl asm enabling, which must not be used yet.
They appear to have been christos's local changes for PR 58414
inadvertently mixed up in the openssl man page changes.
This stuff ABSOLUTELY MUST NOT BE ENABLED until the SHA-2 symbol mess
is resolved; see PR 58039 and
https://mail-index.netbsd.org/tech-userlevel/2024/03/17/msg014265.html
for more details.
While here, leave a comment to avoid stepping on this rake again.
The explanation was previously only in the commit message that added
the `.if 0', but it needs to be much more obvious.
To generate a diff of this commit:
cvs rdiff -u -r1.36 -r1.37 \
src/crypto/external/bsd/openssl/lib/libcrypto/Makefile
cvs rdiff -u -r1.5 -r1.6 \
src/crypto/external/bsd/openssl/lib/libcrypto/arch/x86_64/sha.inc
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58039 CVS commit: src/crypto/external/bsd/openssl
Date: Tue, 15 Oct 2024 21:04:06 +0000
Module Name: src
Committed By: riastradh
Date: Tue Oct 15 21:04:06 UTC 2024
Modified Files:
src/crypto/external/bsd/openssl/dist/crypto/evp: legacy_sha.c
src/crypto/external/bsd/openssl/dist/include/openssl: sha.h
src/crypto/external/bsd/openssl/dist/providers/implementations/digests:
sha2_prov.c
src/crypto/external/bsd/openssl/lib/libcrypto: crypto.expsym crypto.map
sha.inc
Removed Files:
src/crypto/external/bsd/openssl/lib/libcrypto: libc-sha1.c
libc-sha256.c libc-sha2xx.c libc-sha512.c
Log Message:
openssl: Just rename the sha2 symbols.
Ditch all our other local changes related to them.
These symbols end up as private symbols in libcrypto, and our
libcrypto has never exported the sha2 symbols anyway so that can't
break existing applications. So this might even be safe to pull up
to branches.
This changes some libcrypto symbols listed in crypto.map -- but those
symbols weren't defined anyway! And ld apparently doesn't care if
they're not defined.
PR bin/51333
PR lib/58039
To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 \
src/crypto/external/bsd/openssl/dist/crypto/evp/legacy_sha.c
cvs rdiff -u -r1.3 -r1.4 \
src/crypto/external/bsd/openssl/dist/include/openssl/sha.h
cvs rdiff -u -r1.2 -r1.3 \
src/crypto/external/bsd/openssl/dist/providers/implementations/digests/sha2_prov.c
cvs rdiff -u -r1.2 -r1.3 \
src/crypto/external/bsd/openssl/lib/libcrypto/crypto.expsym
cvs rdiff -u -r1.13 -r1.14 \
src/crypto/external/bsd/openssl/lib/libcrypto/crypto.map
cvs rdiff -u -r1.2 -r0 \
src/crypto/external/bsd/openssl/lib/libcrypto/libc-sha1.c
cvs rdiff -u -r1.4 -r0 \
src/crypto/external/bsd/openssl/lib/libcrypto/libc-sha256.c \
src/crypto/external/bsd/openssl/lib/libcrypto/libc-sha2xx.c
cvs rdiff -u -r1.5 -r0 \
src/crypto/external/bsd/openssl/lib/libcrypto/libc-sha512.c
cvs rdiff -u -r1.8 -r1.9 \
src/crypto/external/bsd/openssl/lib/libcrypto/sha.inc
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58039 CVS commit: src/crypto/external/bsd/openssl
Date: Tue, 15 Oct 2024 23:25:21 +0000
Module Name: src
Committed By: riastradh
Date: Tue Oct 15 23:25:21 UTC 2024
Modified Files:
src/crypto/external/bsd/openssl/dist/util: libcrypto.num
src/crypto/external/bsd/openssl/lib/libcrypto: crypto.map
Log Message:
libcrypto: Record the SHA-2 symbol renaming as a local patch.
By putting it under dist/, we keep it as a local patch from the
upstream vendor import, so it won't be lost on next import when
crypto.map is regenerated.
Update crypto.map to sort like OpenSSL does while here.
PR bin/51333
PR lib/58039
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.12 -r1.2 \
src/crypto/external/bsd/openssl/dist/util/libcrypto.num
cvs rdiff -u -r1.14 -r1.15 \
src/crypto/external/bsd/openssl/lib/libcrypto/crypto.map
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted: