FPII-2846: Remote code execution vulnerability in OpenSSL & BoringSSL CVE-2016-2182 A-32096880
CVE-2016-2182 BN_bn2dec overflow fix
This is a combination of two patches from the OpenSSL repository:
07bed46f332fce8c1d157689a2cdf915a982ae34
099e2968ed3c7d256cda048995626664082b1b30
Here are the original patch descriptions:
-----
commit 07bed46f332fce8c1d157689a2cdf915a982ae34
author Dr. Stephen Henson <steve@openssl.org>
Fri, 5 Aug 2016 05:26:03 -0800 (14:26 +0100)
committer Dr. Stephen Henson <steve@openssl.org>
Mon, 15 Aug 2016 15:19:19 -0800 (00:19 +0100)
If an oversize BIGNUM is presented to BN_bn2dec() it can cause
BN_div_word() to fail and not reduce the value of 't' resulting
in OOB writes to the bn_data buffer and eventually crashing.
Fix by checking return value of BN_div_word() and checking writes
don't overflow buffer.
Thanks to Shi Lei for reporting this bug.
CVE-2016-2182
-----
commit 099e2968ed3c7d256cda048995626664082b1b30
author Kazuki Yamaguchi <k@rhe.jp>
Sun, 21 Aug 2016 09:36:36 -0800 (02:36 +0900)
committer Matt Caswell <matt@openssl.org>
Mon, 22 Aug 2016 04:38:48 -0800 (13:38 +0100)
Fix overflow check in BN_bn2dec()
Fix an off by one error in the overflow check added by 07bed46f332fc
("Check for errors in BN_bn2dec()").
Bug: 32096880
Change-Id: Ic08ada128ac910605b00f06658abcf3909134524
(cherry picked from commit 89c62410b6558d5ffc7c029fb7775d6e052a9ce5)
diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
index 1743b6a..ef5071b 100644
--- a/crypto/bn/bn_print.c
+++ b/crypto/bn/bn_print.c
@@ -107,6 +107,7 @@
char *p;
BIGNUM *t=NULL;
BN_ULONG *bn_data=NULL,*lp;
+ int bn_data_num;
/* get an upper bound for the length of the decimal integer
* num <= (BN_num_bits(a) + 1) * log(2)
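Review bot: The new `int bn_data_num;` declaration should carry a comment saying it is the element count of `bn_data` (number of BN_ULONG words), not a byte count, because the neighbouring `num` is a character count for `buf` and the two are easy to confuse when reading the later bound check `lp - bn_data >= bn_data_num`; a signed `int` is acceptable there since `lp - bn_data` is a signed ptrdiff_t, but a `size_t`/`ptrdiff_t` would make the intent clearer.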
@@ -115,7 +116,8 @@
*/
i=BN_num_bits(a)*3;
num=(i/10+i/1000+1)+1;
- bn_data=(BN_ULONG *)OPENSSL_malloc((num/BN_DEC_NUM+1)*sizeof(BN_ULONG));
+ bn_data_num=num/BN_DEC_NUM + 1;
+ bn_data=(BN_ULONG *)OPENSSL_malloc(bn_data_num*sizeof(BN_ULONG));
buf=(char *)OPENSSL_malloc(num+3);
if ((buf == NULL) || (bn_data == NULL))
{
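Review bot: The allocation is now driven by `bn_data_num = num/BN_DEC_NUM + 1`, and the loop in the next hunk relies on this exact value being the capacity of `bn_data`; add a comment next to the computation stating that the two must stay in sync, so a future change to the allocation size does not silently desynchronise the overflow check. The `num+3` size for `buf` still has no corresponding named count; if the decimal-to-string copy later in the function is meant to be bounded the same way, it would be cleaner to give it a named size as well.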
@@ -137,10 +139,13 @@
if (BN_is_negative(t))
*p++ = '-';
- i=0;
while (!BN_is_zero(t))
{
+ if (lp - bn_data >= bn_data_num)
+ goto err;
*lp=BN_div_word(t,BN_DEC_CONV);
+ if (*lp == (BN_ULONG)-1)
+ goto err;
lp++;
}
lp--;
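Review bot: The bound check `if (lp - bn_data >= bn_data_num) goto err;` is placed before the store to `*lp`, which is the correct form (the commit message says the earlier `>` version was off by one), and the `(BN_ULONG)-1` return check is what stops an unreduced `t` from looping forever while writing; a comment should state why `(BN_ULONG)-1` cannot collide with a legitimate result, namely that `BN_div_word()` returns the remainder modulo `BN_DEC_CONV`, which is strictly smaller than the sentinel. The removal of `i=0;` looks safe only if `i` is not read after the loop; please confirm that in the rest of the function, and confirm that the `err:` label frees `t`, `bn_data` and `buf`, since both new `goto err` paths are reached with all three allocated.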