Re: OpenSSL ASN1 BIO vulnerability (CVE-2012-2110)

[Solar Designer <solar () openwall com>]

On Sun, Apr 22, 2012 at 04:23:11PM +0400, Solar Designer wrote:
> Tavis posted a followup to my message, where he attached a testcase that
> was unfortunately above oss-security's message size limit - so the
> message did not make it to the list.  I've gzip-compressed the file and
> have re-attached it to this message now (it's only 3 KB when compressed).

Turns out that file was mangled in transit.  Tavis has posted the
correct one on this URL:

http://lock.cmpxchg8b.com/openssl-1.0.1-testcase-32bit.crt.gz

SHA-256: ac7acb168a6bfd65375eeec072acbf904f0f10e3bc5588c020aed4df4712d066

$ gzip -vl openssl-1.0.1-testcase-32bit.crt.gz
method  crc     date  time           compressed        uncompressed  ratio uncompressed_name
defla 879c374f Apr 22 18:57             1389433          1431655797  99.9% openssl-1.0.1-testcase-32bit.crt

With this one, I am able to trigger a problem on 32-bit (OpenSSL 1.0.0d
with unrelated patches):

$ zcat openssl-1.0.1-testcase-32bit.crt.gz | openssl x509 -inform DER
*** glibc detected *** free(): invalid pointer: 0x45ff0008 ***
Aborted

That's in an OpenVZ container with privvmpages barrier at 3 GB.
With 2 GB, I was getting:

$ zcat openssl-1.0.1-testcase-32bit.crt.gz | openssl x509 -inform DER
unable to load certificate
3083651232:error:07069041:memory buffer routines:BUF_MEM_grow_clean:malloc failure:buffer.c:152:
3083651232:error:0D06B041:asn1 encoding routines:ASN1_D2I_READ_BIO:malloc failure:a_d2i_fp.c:229:

Alexander