mirror of
https://github.com/OpenVPN/openvpn.git
synced 2026-05-28 04:03:29 -04:00
Fix construction of invalid pointer in tls_pre_decrypt
Some checks failed
Build / Check code style with Uncrustify (push) Has been cancelled
Build / gcc-mingw - x64 - OSSL (push) Has been cancelled
Build / gcc-mingw - x86 - OSSL (push) Has been cancelled
Build / gcc - ubuntu-24.04 - OpenSSL 3.0.13 --enable-pkcs11 (push) Has been cancelled
Build / gcc - ubuntu-22.04 - OpenSSL 3.0.2 --enable-pkcs11 (push) Has been cancelled
Build / gcc - ubuntu-22.04 - mbed TLS 2.28.0 (push) Has been cancelled
Build / clang-asan - ubuntu-22.04 - mbedtls (push) Has been cancelled
Build / clang-asan - ubuntu-22.04 - openssl (push) Has been cancelled
Build / clang-asan - ubuntu-24.04 - mbedtls (push) Has been cancelled
Build / clang-asan - ubuntu-24.04 - openssl (push) Has been cancelled
Build / macos-13 - libressl - asan (push) Has been cancelled
Build / macos-13 - openssl@1.1 - asan (push) Has been cancelled
Build / macos-13 - openssl@3 - asan (push) Has been cancelled
Build / macos-14 - libressl - asan (push) Has been cancelled
Build / macos-14 - openssl@1.1 - asan (push) Has been cancelled
Build / macos-14 - openssl@3 - asan (push) Has been cancelled
Build / macos-15 - libressl - asan (push) Has been cancelled
Build / macos-15 - openssl@1.1 - asan (push) Has been cancelled
Build / macos-15 - openssl@3 - asan (push) Has been cancelled
Build / macos-13 - libressl - normal (push) Has been cancelled
Build / macos-13 - openssl@1.1 - normal (push) Has been cancelled
Build / macos-13 - openssl@3 - normal (push) Has been cancelled
Build / macos-14 - libressl - normal (push) Has been cancelled
Build / macos-14 - openssl@1.1 - normal (push) Has been cancelled
Build / macos-14 - openssl@3 - normal (push) Has been cancelled
Build / macos-15 - libressl - normal (push) Has been cancelled
Build / macos-15 - openssl@1.1 - normal (push) Has been cancelled
Build / macos-15 - openssl@3 - normal (push) Has been cancelled
Build / msbuild - amd64 - openssl (push) Has been cancelled
Build / msbuild - arm64 - openssl (push) Has been cancelled
Build / msbuild - x86 - openssl (push) Has been cancelled
Build / clang asan - ubuntu-22.04 - libressl (push) Has been cancelled
Build / gcc normal - ubuntu-22.04 - libressl (push) Has been cancelled
Build / mingw unittest argv - x64 - OSSL (push) Has been cancelled
Build / mingw unittest auth_token - x64 - OSSL (push) Has been cancelled
Build / mingw unittest buffer - x64 - OSSL (push) Has been cancelled
Build / mingw unittest crypto - x64 - OSSL (push) Has been cancelled
Build / mingw unittest cryptoapi - x64 - OSSL (push) Has been cancelled
Build / mingw unittest misc - x64 - OSSL (push) Has been cancelled
Build / mingw unittest ncp - x64 - OSSL (push) Has been cancelled
Build / mingw unittest packet_id - x64 - OSSL (push) Has been cancelled
Build / mingw unittest pkt - x64 - OSSL (push) Has been cancelled
Build / mingw unittest provider - x64 - OSSL (push) Has been cancelled
Build / mingw unittest tls_crypt - x64 - OSSL (push) Has been cancelled
Build / mingw unittest argv - x86 - OSSL (push) Has been cancelled
Build / mingw unittest auth_token - x86 - OSSL (push) Has been cancelled
Build / mingw unittest buffer - x86 - OSSL (push) Has been cancelled
Build / mingw unittest crypto - x86 - OSSL (push) Has been cancelled
Build / mingw unittest cryptoapi - x86 - OSSL (push) Has been cancelled
Build / mingw unittest misc - x86 - OSSL (push) Has been cancelled
Build / mingw unittest ncp - x86 - OSSL (push) Has been cancelled
Build / mingw unittest packet_id - x86 - OSSL (push) Has been cancelled
Build / mingw unittest pkt - x86 - OSSL (push) Has been cancelled
Build / mingw unittest provider - x86 - OSSL (push) Has been cancelled
Build / mingw unittest tls_crypt - x86 - OSSL (push) Has been cancelled
Some checks failed
Build / Check code style with Uncrustify (push) Has been cancelled
Build / gcc-mingw - x64 - OSSL (push) Has been cancelled
Build / gcc-mingw - x86 - OSSL (push) Has been cancelled
Build / gcc - ubuntu-24.04 - OpenSSL 3.0.13 --enable-pkcs11 (push) Has been cancelled
Build / gcc - ubuntu-22.04 - OpenSSL 3.0.2 --enable-pkcs11 (push) Has been cancelled
Build / gcc - ubuntu-22.04 - mbed TLS 2.28.0 (push) Has been cancelled
Build / clang-asan - ubuntu-22.04 - mbedtls (push) Has been cancelled
Build / clang-asan - ubuntu-22.04 - openssl (push) Has been cancelled
Build / clang-asan - ubuntu-24.04 - mbedtls (push) Has been cancelled
Build / clang-asan - ubuntu-24.04 - openssl (push) Has been cancelled
Build / macos-13 - libressl - asan (push) Has been cancelled
Build / macos-13 - openssl@1.1 - asan (push) Has been cancelled
Build / macos-13 - openssl@3 - asan (push) Has been cancelled
Build / macos-14 - libressl - asan (push) Has been cancelled
Build / macos-14 - openssl@1.1 - asan (push) Has been cancelled
Build / macos-14 - openssl@3 - asan (push) Has been cancelled
Build / macos-15 - libressl - asan (push) Has been cancelled
Build / macos-15 - openssl@1.1 - asan (push) Has been cancelled
Build / macos-15 - openssl@3 - asan (push) Has been cancelled
Build / macos-13 - libressl - normal (push) Has been cancelled
Build / macos-13 - openssl@1.1 - normal (push) Has been cancelled
Build / macos-13 - openssl@3 - normal (push) Has been cancelled
Build / macos-14 - libressl - normal (push) Has been cancelled
Build / macos-14 - openssl@1.1 - normal (push) Has been cancelled
Build / macos-14 - openssl@3 - normal (push) Has been cancelled
Build / macos-15 - libressl - normal (push) Has been cancelled
Build / macos-15 - openssl@1.1 - normal (push) Has been cancelled
Build / macos-15 - openssl@3 - normal (push) Has been cancelled
Build / msbuild - amd64 - openssl (push) Has been cancelled
Build / msbuild - arm64 - openssl (push) Has been cancelled
Build / msbuild - x86 - openssl (push) Has been cancelled
Build / clang asan - ubuntu-22.04 - libressl (push) Has been cancelled
Build / gcc normal - ubuntu-22.04 - libressl (push) Has been cancelled
Build / mingw unittest argv - x64 - OSSL (push) Has been cancelled
Build / mingw unittest auth_token - x64 - OSSL (push) Has been cancelled
Build / mingw unittest buffer - x64 - OSSL (push) Has been cancelled
Build / mingw unittest crypto - x64 - OSSL (push) Has been cancelled
Build / mingw unittest cryptoapi - x64 - OSSL (push) Has been cancelled
Build / mingw unittest misc - x64 - OSSL (push) Has been cancelled
Build / mingw unittest ncp - x64 - OSSL (push) Has been cancelled
Build / mingw unittest packet_id - x64 - OSSL (push) Has been cancelled
Build / mingw unittest pkt - x64 - OSSL (push) Has been cancelled
Build / mingw unittest provider - x64 - OSSL (push) Has been cancelled
Build / mingw unittest tls_crypt - x64 - OSSL (push) Has been cancelled
Build / mingw unittest argv - x86 - OSSL (push) Has been cancelled
Build / mingw unittest auth_token - x86 - OSSL (push) Has been cancelled
Build / mingw unittest buffer - x86 - OSSL (push) Has been cancelled
Build / mingw unittest crypto - x86 - OSSL (push) Has been cancelled
Build / mingw unittest cryptoapi - x86 - OSSL (push) Has been cancelled
Build / mingw unittest misc - x86 - OSSL (push) Has been cancelled
Build / mingw unittest ncp - x86 - OSSL (push) Has been cancelled
Build / mingw unittest packet_id - x86 - OSSL (push) Has been cancelled
Build / mingw unittest pkt - x86 - OSSL (push) Has been cancelled
Build / mingw unittest provider - x86 - OSSL (push) Has been cancelled
Build / mingw unittest tls_crypt - x86 - OSSL (push) Has been cancelled
In tls_pre_decrypt we construct a pointer ks with an invalid i if
i is TM_SIZE, doing a out-of-bounds read in multi->session.
This is a something that exists at least since 2.3.0 (I didn't go further
back but probalby exists in earlier version as well as the commits date
back to SVN beta21 branch).
So we construct the pointer but do not do anything with it if it is
invalid as we check i *after* we construct the pointer `ks`.
I suspect that the compiler optimises the bug away in any higher
optimisation level.
Assuming there is no optimisation, let's check what is possible.
Since we never use the value `ks` if it is invalid, we do not have
worry if it ends up invalid or not. The only thing that we have to
worry about is whether
`session + offsetof(struct tls_session, key[KS_PRIMARY])` is pointing
to memory that is valid to read to construct the `ks` pointer.
This is outside the tls_multi struct, so this is not guaranteed to be
allocated memory but at the same time it is also only few bytes (or few
tens/hundred) after the struct, so it the propability is very high that
it will be be in a memory region that will not cause a segfault on read.
Every time this condition is hit and we construct the invalid pointer,
the log message "TLS Error: Unroutable control packet received" is
printed at `verb 1` or higher. And this is a quite common log message,
which serves as indication as well that a crash is not something that
typically happens but either the optimisation fixes or the memory
region of the invalid access is valid to read from.
Based on this this was categorized as "bug, but no way to exploit
this, thus no CVE".
Change-Id: Ided1ac7c804487055b175d8766535bead257b7d5
Reported-By: Jon Chiappetta <root@fossjon.com>
Reported-By: Joshua Rogers <contact@joshua.hu>
Found-by: ZeroPath (https://zeropath.com/)
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1373
Message-Id: <20251112141335.17417-1-gert@greenie.muc.de>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5cdf3f9724)
This commit is contained in:
Arne Schwabe
Gert Doering
parent
21d6b663d3
commit
4e31670b1e
1 changed files with 2 additions and 3 deletions
|
|
@ -3840,9 +3840,6 @@ tls_pre_decrypt(struct tls_multi *multi,
|
|||
}
|
||||
else
|
||||
{
|
||||
struct tls_session *session = &multi->session[i];
|
||||
struct key_state *ks = &session->key[KS_PRIMARY];
|
||||
|
||||
/*
|
||||
* Packet must belong to an existing session.
|
||||
*/
|
||||
|
|
@ -3856,6 +3853,8 @@ tls_pre_decrypt(struct tls_multi *multi,
|
|||
goto error;
|
||||
}
|
||||
|
||||
struct tls_session *session = &multi->session[i];
|
||||
struct key_state *ks = &session->key[KS_PRIMARY];
|
||||
/*
|
||||
* Verify remote IP address
|
||||
*/
|
||||
|
|
|
|||
Loading…
Reference in a new issue