Analysis of a Use After Free Caused by Memory Allocation Failure in OpenSSL

This post walks through a Use After Free that is triggered when a memory allocation fails inside OpenSSL, covering the reproduction steps, the call-stack analysis and the fix, and the curl/OpenSSL interaction involved.

Report #3264469 - Use After Free (or assertion failure) caused by an OpenSSL allocation failure

Summary

When certain memory allocations fail, a heap Use After Free (or an assertion failure) can be triggered. I am not sure whether you treat allocation failures as part of your security scope, or whether the problem lies in curl or in OpenSSL, but I thought you would probably want to fix it.

AI usage

I did not use AI.

Affected version

Using commit 48c6927f3b708fc6b6c0cd65d7971380798c8696.

Steps to reproduce

Use https://github.com/curl/curl-fuzzer/pull/173 and look at the failing run.

Run FUZZ_VERBOSE=1 /out/curl_fuzzer_http repro, where repro is produced by echo AJ4AAAACfkIAAQAAAAVAMT86PQ== | base64 -d > repro. I see the following stack traces:

failed malloc(32) 
    #0 0x561a08afee21 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x561a08b33df2 in nalloc_backtrace_exclude(unsigned long, char const*) /src/curl_fuzzer/nallocinc.c:250:9
    #2 0x561a08b33df2 in nalloc_fail(unsigned long, char const*) /src/curl_fuzzer/nallocinc.c:278:13
    #3 0x561a08b3416e in malloc /src/curl_fuzzer/nallocinc.c:342:9
    #4 0x561a090ff417 in CRYPTO_malloc /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/mem.c:211:11
    #5 0x561a090ff417 in CRYPTO_zalloc /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/mem.c:231:11
    #6 0x561a09192f2a in sk_reserve /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/stack/stack.c:199:25
    #7 0x561a091934a8 in OPENSSL_sk_insert /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/stack/stack.c:269:10
    #8 0x561a090f75da in numname_insert /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:237:10
    #9 0x561a090f75da in namemap_add_name /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:267:19
    #10 0x561a090f8716 in ossl_namemap_add_name /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:302:18
    #11 0x561a090f8716 in get_legacy_evp_names /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:406:15
    #12 0x561a090efb56 in doall_util_fn /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/lhash/lhash.c:208:17
    #13 0x561a090efb56 in OPENSSL_LH_doall_arg_thunk /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/lhash/lhash.c:239:5
    #14 0x561a091290b9 in lh_OBJ_NAME_doall_OBJ_DOALL /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/objects/o_names.c:289:1
    #15 0x561a091290b9 in OBJ_NAME_do_all /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/objects/o_names.c:300:5
    #16 0x561a090f686f in ossl_namemap_stored /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:507:9
    #17 0x561a090a485a in inner_evp_generic_fetch /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/evp_fetch.c:261:29
    #18 0x561a090a4679 in evp_generic_fetch /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/evp_fetch.c:403:14
    #19 0x561a090922a2 in EVP_MD_fetch /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/digest.c:1166:9
    #20 0x561a090922a2 in evp_md_init_internal /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/digest.c:266:26
    #21 0x561a08cfa599 in my_sha256_init /src/curl/lib/sha256.c:87:7
    #22 0x561a08cfa599 in Curl_sha256it /src/curl/lib/sha256.c:497:12
    #23 0x561a08ccbee8 in calc_payload_hash /src/curl/lib/http_aws_sigv4.c:455:12
    #24 0x561a08ccaaca in Curl_output_aws_sigv4 /src/curl/lib/http_aws_sigv4.c:795:16
    #25 0x561a08c9c7ce in output_auth_headers /src/curl/lib/http.c:639:14
    #26 0x561a08c9c366 in Curl_http_output_auth /src/curl/lib/http.c:819:14
    #27 0x561a08c95db2 in Curl_http /src/curl/lib/http.c:2736:14
    #28 0x561a08b89613 in multi_do /src/curl/lib/multi.c:1649:14
    #29 0x561a08b89613 in state_do /src/curl/lib/multi.c:2042:14
    #30 0x561a08b89613 in multi_runsingle /src/curl/lib/multi.c:2476:12
    #31 0x561a08b867b4 in curl_multi_perform /src/curl/lib/multi.c:2739:18
    #32 0x561a08b35543 in fuzz_handle_transfer(fuzz_data*) /src/curl_fuzzer/curl_fuzzer.cc:348:3
    #33 0x561a08b3491d in LLVMFuzzerTestOneInput /src/curl_fuzzer/curl_fuzzer.cc:103:3
    #34 0x561a089e8660 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #35 0x561a089d38d5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #36 0x561a089d936f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #37 0x561a08a04612 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #38 0x7fb95db7e082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
    #39 0x561a089cbabd in _start (/out/curl_fuzzer_http+0x60cabd)

failed malloc(14) 
    #0 0x561a08afee21 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x561a08b33df2 in nalloc_backtrace_exclude(unsigned long, char const*) /src/curl_fuzzer/nallocinc.c:250:9
    #2 0x561a08b33df2 in nalloc_fail(unsigned long, char const*) /src/curl_fuzzer/nallocinc.c:278:13
    #3 0x561a08b3416e in malloc /src/curl_fuzzer/nallocinc.c:342:9
    #4 0x561a090ff2be in CRYPTO_malloc /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/mem.c:211:11
    #5 0x561a091034f5 in CRYPTO_strdup /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/o_str.c:28:11
    #6 0x561a090f75c7 in numname_insert /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:234:20
    #7 0x561a090f75c7 in namemap_add_name /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:267:19
    #8 0x561a090f8716 in ossl_namemap_add_name /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:302:18
    #9 0x561a090f8716 in get_legacy_evp_names /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:406:15
    #10 0x561a090efb56 in doall_util_fn /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/lhash/lhash.c:208:17
    #11 0x561a090efb56 in OPENSSL_LH_doall_arg_thunk /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/lhash/lhash.c:239:5
    #12 0x561a091290b9 in lh_OBJ_NAME_doall_OBJ_DOALL /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/objects/o_names.c:289:1
    #13 0x561a091290b9 in OBJ_NAME_do_all /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/objects/o_names.c:300:5
    #14 0x561a090f686f in ossl_namemap_stored /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:507:9
    #15 0x561a090a485a in inner_evp_generic_fetch /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/evp_fetch.c:261:29
    #16 0x561a090a4679 in evp_generic_fetch /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/evp_fetch.c:403:14
    #17 0x561a090922a2 in EVP_MD_fetch /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/digest.c:1166:9
    #18 0x561a090922a2 in evp_md_init_internal /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/evp/digest.c:266:26
    #19 0x561a08cfa599 in my_sha256_init /src/curl/lib/sha256.c:87:7
    #20 0x561a08cfa599 in Curl_sha256it /src/curl/lib/sha256.c:497:12
    #21 0x561a08ccbee8 in calc_payload_hash /src/curl/lib/http_aws_sigv4.c:455:12
    #22 0x561a08ccaaca in Curl_output_aws_sigv4 /src/curl/lib/http_aws_sigv4.c:795:16
    #23 0x561a08c9c7ce in output_auth_headers /src/curl/lib/http.c:639:14
    #24 0x561a08c9c366 in Curl_http_output_auth /src/curl/lib/http.c:819:14
    #25 0x561a08c95db2 in Curl_http /src/curl/lib/http.c:2736:14
    #26 0x561a08b89613 in multi_do /src/curl/lib/multi.c:1649:14
    #27 0x561a08b89613 in state_do /src/curl/lib/multi.c:2042:14
    #28 0x561a08b89613 in multi_runsingle /src/curl/lib/multi.c:2476:12
    #29 0x561a08b867b4 in curl_multi_perform /src/curl/lib/multi.c:2739:18
    #30 0x561a08b35543 in fuzz_handle_transfer(fuzz_data*) /src/curl_fuzzer/curl_fuzzer.cc:348:3
    #31 0x561a08b3491d in LLVMFuzzerTestOneInput /src/curl_fuzzer/curl_fuzzer.cc:103:3
    #32 0x561a089e8660 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #33 0x561a089d38d5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #34 0x561a089d936f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #35 0x561a08a04612 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #36 0x7fb95db7e082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
    #37 0x561a089cbabd in _start (/out/curl_fuzzer_http+0x60cabd)

failed malloc(104) 
    #0 0x561a08afee21 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x561a08b33df2 in nalloc_backtrace_exclude(unsigned long, char const*) /src/curl_fuzzer/nallocinc.c:250:9
    #2 0x561a08b33df2 in nalloc_fail(unsigned long, char const*) /src/curl_fuzzer/nallocinc.c:278:13
    #3 0x561a08b3416e in malloc /src/curl_fuzzer/nallocinc.c:342:9
    #4 0x561a090ff2be in CRYPTO_malloc /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/mem.c:211:11
    #5 0x561a0943477e in alloc_new_value /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/hashtable/hashtable.c:604:11
    #6 0x561a0943477e in ossl_ht_insert /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/hashtable/hashtable.c:638:14
    #7 0x561a090f7812 in namemap_add_name /src/curl_fuzzer/build/openssl/src/openssl_external/crypto/core_namemap.c:276:11
    #8 0x
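As an added example (not code from the report, curl-fuzzer, curl or OpenSSL), the snippet below shows the kind of allocation-failure injection the traces above come from: a malloc wrapper fails the k-th allocation, and a constructed name table, standing in for the namemap's reserve-then-strdup sequence, is driven through every failing allocation so its error paths can be checked under ASan. The table, its functions and the digest names are assumptions made up for the example; OpenSSL's actual code is not reproduced.

```c
/* Added example (constructed; not curl-fuzzer, curl or OpenSSL code): a malloc
 * wrapper that fails the k-th allocation, like the nalloc wrapper in the traces,
 * drives a toy name table through each failing allocation for checking under ASan. */
#include <stdlib.h>
#include <string.h>

static int fail_at = 0, alloc_count = 0;   /* fail_at 0 = never fail */
static void *xmalloc(size_t n) {
    if (++alloc_count == fail_at) return NULL;   /* injected failure */
    return malloc(n);
}

typedef struct { char **names; int num, cap; } name_table;

/* Returns 1 on success, 0 on allocation failure. On failure the table is left
 * exactly as it was: nothing leaked, no freed pointer still referenced. */
static int table_add(name_table *t, const char *name) {
    if (t->num == t->cap) {                      /* grow, like sk_reserve */
        int ncap = t->cap ? t->cap * 2 : 4;
        char **grown = xmalloc((size_t)ncap * sizeof *grown);
        if (!grown) return 0;
        for (int i = 0; i < t->num; i++) grown[i] = t->names[i];
        free(t->names);
        t->names = grown; t->cap = ncap;
    }
    size_t n = strlen(name) + 1;
    char *copy = xmalloc(n);                     /* like CRYPTO_strdup */
    if (!copy) return 0;                         /* table unchanged */
    memcpy(copy, name, n);
    t->names[t->num++] = copy;
    return 1;
}

static void table_free(name_table *t) {
    for (int i = 0; i < t->num; i++) free(t->names[i]);
    free(t->names);
    t->names = NULL; t->num = t->cap = 0;
}

/* Insert three constructed digest names with the k-th allocation failing and
 * return how many were stored; sweep k from 1 upward under -fsanitize=address. */
static int run_with_failure(int k) {
    const char *names[] = {"SHA256", "SHA2-256", "2.16.840.1.101.3.4.2.1"};
    name_table t = {0}; int stored = 0;
    fail_at = k; alloc_count = 0;
    for (int i = 0; i < 3; i++) stored += table_add(&t, names[i]);
    table_free(&t);
    return stored;
}
```

Compile with -fsanitize=address and sweep k = 1, 2, ... until a run needs fewer than k allocations; a pointer freed on a failure path but still referenced afterwards then shows up as an ASan use-after-free report instead of a silent miscount.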