Description
The WolfSSL example server in all versions starting from 3.12.0 (including the current 4.2.0c) incorrectly handles the error when the server certificate cannot be read from a given path.
This vulnerability affects the server in both supported protocols: TLS and DTLS.
Crashing function:
examples/server/server.c:2165-2197
```c
{
    byte*  rnd;
    byte*  pt;
    size_t size;

    /* get size of buffer then print */
    size = wolfSSL_get_server_random(NULL, NULL, 0);
    if (size == 0) {
        err_sys_ex(runWithErrors, "error getting server random buffer size");
    }

    rnd = (byte*)XMALLOC(size, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    if (rnd == NULL) {
        err_sys_ex(runWithErrors, "error creating server random buffer");
    }

    size = wolfSSL_get_server_random(ssl, rnd, size);
    if (size == 0) {
        XFREE(rnd, NULL, DYNAMIC_TYPE_TMP_BUFFER);    /* line 2183 */
        err_sys_ex(runWithErrors, "error getting server random buffer");
    }

    printf("Server Random : ");
    pt = rnd;
    if (pt != NULL) {
        for (pt = rnd; pt < rnd + size; pt++)
            printf("%02X", *pt);
        printf("\n");
    }
    else {
        err_sys_ex(runWithErrors, "error: attempted to dereference null "
                                  "pointer");
    }
    XFREE(rnd, NULL, DYNAMIC_TYPE_TMP_BUFFER);        /* line 2196 */
}
```
Buffer rnd is freed at line 2183 and then freed again on line 2196.
Crash message on SSL server (with ASAN):
./examples/server/server -p 4433 -b -x -c s
wolfSSL error: can't load server cert file, check file and run from wolfSSL home dir
Continuing server execution...wolfSSL error: unable to get SSL
Continuing server execution...wolfSSL error: unable to enable CRL
Continuing server execution...wolfSSL error: unable to load CRL
Continuing server execution...wolfSSL error: unable to set CRL callback url
Continuing server execution...wolfSSL error: error in setting fd
Continuing server execution...SSL_accept error -173, Bad function argument
wolfSSL error: SSL_accept failed
Continuing server execution...peer has no cert!
SSL version is unknown
SSL cipher suite is (null)
wolfSSL error: SSL in error state
Continuing server execution...wolfSSL error: error getting server random buffer
Continuing server execution...Server Random :
==1249==ERROR: AddressSanitizer: attempting double-free on 0x60300000e9e0 in thread T0:
#0 0x7f78a10822ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x40f47c in server_test examples/server/server.c:2196
#2 0x405851 in main examples/server/server.c:2434
#3 0x7f78a014882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x405a68 in _start (wolfssl-4.2.0c_ASAN/examples/server/.libs/lt-server+0x405a68)
0x60300000e9e0 is located 0 bytes inside of 32-byte region [0x60300000e9e0,0x60300000ea00)
freed by thread T0 here:
#0 0x7f78a10822ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x411157 in server_test examples/server/server.c:2183
previously allocated by thread T0 here:
#0 0x7f78a1082602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x40ef4e in server_test examples/server/server.c:2176
SUMMARY: AddressSanitizer: double-free ??:0 __interceptor_free
==1249==ABORTING
Crash message on SSL server (without ASAN):
./examples/server/server -p 4433 -b -x -c s
wolfSSL error: can't load server cert file, check file and run from wolfSSL home dir
Continuing server execution...wolfSSL error: unable to get SSL
Continuing server execution...wolfSSL error: unable to enable CRL
Continuing server execution...wolfSSL error: unable to load CRL
Continuing server execution...wolfSSL error: unable to set CRL callback url
Continuing server execution...wolfSSL error: error in setting fd
Continuing server execution...SSL_accept error -173, Bad function argument
wolfSSL error: SSL_accept failed
Continuing server execution...peer has no cert!
SSL version is unknown
SSL cipher suite is (null)
wolfSSL error: SSL in error state
Continuing server execution...wolfSSL error: error getting server random buffer
Continuing server execution...Server Random :
*** Error in `wolfssl-4.2.0c/examples/server/.libs/lt-server': double free or corruption (fasttop): 0x00000000006b8220 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7ff807e5c7e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7ff807e6537a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7ff807e6953c]
wolfssl-4.2.0c/examples/server/.libs/lt-server[0x4076f1]
wolfssl-4.2.0c/examples/server/.libs/lt-server[0x404b31]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ff807e05830]
wolfssl-4.2.0c/examples/server/.libs/lt-server[0x404ba9]
Aborted
Crash message on DTLS server (with ASAN):
./examples/server/server -u -p 4433 -b -x -c s
wolfSSL error: can't load server cert file, check file and run from wolfSSL home dir
Continuing server execution...wolfSSL error: unable to get SSL
Continuing server execution...wolfSSL error: unable to enable CRL
Continuing server execution...wolfSSL error: unable to load CRL
Continuing server execution...wolfSSL error: unable to set CRL callback url
Continuing server execution...wolfSSL error: error in setting fd
Continuing server execution...SSL_accept error -173, Bad function argument
wolfSSL error: SSL_accept failed
Continuing server execution...peer has no cert!
SSL version is unknown
SSL cipher suite is (null)
wolfSSL error: SSL in error state
Continuing server execution...wolfSSL error: error getting server random buffer
Continuing server execution...Server Random :
==29445==ERROR: AddressSanitizer: attempting double-free on 0x60300000e9e0 in thread T0:
#0 0x7f5940ab72ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x40f47c in server_test examples/server/server.c:2196
#2 0x405851 in main examples/server/server.c:2434
#3 0x7f593fb7d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x405a68 in _start (wolfssl-4.2.0c_ASAN/examples/server/.libs/lt-server+0x405a68)
0x60300000e9e0 is located 0 bytes inside of 32-byte region [0x60300000e9e0,0x60300000ea00)
freed by thread T0 here:
#0 0x7f5940ab72ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
#1 0x411157 in server_test examples/server/server.c:2183
previously allocated by thread T0 here:
#0 0x7f5940ab7602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x40ef4e in server_test examples/server/server.c:2176
SUMMARY: AddressSanitizer: double-free ??:0 __interceptor_free
==29445==ABORTING
Crash message on DTLS server (without ASAN):
./examples/server/server -u -p 4433 -b -x -c s
wolfSSL error: can't load server cert file, check file and run from wolfSSL home dir
Continuing server execution...wolfSSL error: unable to get SSL
Continuing server execution...wolfSSL error: unable to enable CRL
Continuing server execution...wolfSSL error: unable to load CRL
Continuing server execution...wolfSSL error: unable to set CRL callback url
Continuing server execution...wolfSSL error: error in setting fd
Continuing server execution...SSL_accept error -173, Bad function argument
wolfSSL error: SSL_accept failed
Continuing server execution...peer has no cert!
SSL version is unknown
SSL cipher suite is (null)
wolfSSL error: SSL in error state
Continuing server execution...wolfSSL error: error getting server random buffer
Continuing server execution...Server Random :
*** Error in `wolfssl-4.2.0c/examples/server/.libs/lt-server': double free or corruption (fasttop): 0x00000000009e0220 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f83210b77e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f83210c037a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f83210c453c]
wolfssl-4.2.0c/examples/server/.libs/lt-server[0x4076f1]
wolfssl-4.2.0c/examples/server/.libs/lt-server[0x404b31]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f8321060830]
wolfssl-4.2.0c/examples/server/.libs/lt-server[0x404ba9]
Aborted
Reproduction:
- Download and compile WolfSSL in version 3.12.0 or later.
- Execute one of the following commands (there should be no file cert.pem in the current directory):
(for SSL server)
./examples/server/server -p 4433 -b -x -c cert.pem
(for DTLS server)
./examples/server/server -u -p 4433 -b -x -c cert.pem
- Connect to SSL or DTLS server from another device
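The control flow behind this double free, as an added example (not code from the report or from wolfSSL): because the error handler returns instead of exiting, the release in the failure branch is followed by the unconditional release at the end of the block. `x_malloc`, `x_free`, `err_continue`, `get_random` and both `print_random_*` functions are hypothetical stand-ins, and the restructured version is one possible way to keep a single release, not the project's fix.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-ins, not wolfSSL code. The one-slot "allocator" hands out
 * a static buffer and counts a second release instead of corrupting a heap. */
static unsigned char slot[32];
static int live, double_frees;
static unsigned char *x_malloc(void) { live = 1; double_frees = 0; return slot; }
static void x_free(unsigned char *p) {
    if (p == NULL) return;                    /* releasing NULL is a no-op */
    if (live) live = 0; else double_frees++;  /* a second release is counted */
}

/* Like err_sys_ex() with runWithErrors set: report, then keep executing. */
static void err_continue(const char *msg) {
    fprintf(stderr, "error: %s\nContinuing server execution...", msg);
}

/* Stand-in for wolfSSL_get_server_random(): 0 when the session is unusable. */
static size_t get_random(int ssl_ok, unsigned char *out, size_t n) {
    if (ssl_ok) memset(out, 0xAB, n);
    return ssl_ok ? n : 0;
}

/* Control flow of the reported block; returns the double releases counted. */
static int print_random_buggy(int ssl_ok) {
    unsigned char *rnd = x_malloc();
    size_t i, size = get_random(ssl_ok, rnd, sizeof slot);
    if (size == 0) {
        x_free(rnd);                          /* first release (line 2183) */
        err_continue("error getting server random buffer");
    }
    for (i = 0; i < size; i++) printf("%02X", (unsigned)rnd[i]);
    x_free(rnd);                              /* second release (line 2196) */
    return double_frees;
}

/* One release on every path: the error branch only reports. */
static int print_random_fixed(int ssl_ok) {
    unsigned char *rnd = x_malloc();
    size_t i, size = get_random(ssl_ok, rnd, sizeof slot);
    if (size == 0) err_continue("error getting server random buffer");
    for (i = 0; i < size; i++) printf("%02X", (unsigned)rnd[i]);
    x_free(rnd);
    return double_frees;
}

int main(void) {
    return (print_random_buggy(0) == 1 && print_random_fixed(0) == 0) ? 0 : 1;
}
```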