May 13, 2015
      Fix the heap corruption in libeay32!OBJ_add_object. · 56d88027
      Gunnar Kudrjavets authored

      The original 'sizeof(ADDED_OBJ)' was replaced with 'sizeof(*ao)'. However,
      they return different sizes. Therefore, as a result, the heap gets corrupted
      and at some point later the debug version of malloc() detects the corruption.
      
      On x86 we can observe that as follows:
      
      sizeof(*ao) == 4
      sizeof(*ao[0]) == sizeof(ADDED_OBJ) == 8
      
      The issue reproduces with either the CRT debug heap or Application
      Verifier's full-page heap enabled.
      
      Basic debugging data from the moment the corruption is first detected:
      
      0:000:x86> |
      .  0    id: 283c        create  name: openssl.exe
      0:000:x86> kcn
       #
      00 MSVCR120D!_heap_alloc_dbg_impl
      01 MSVCR120D!_nh_malloc_dbg_impl
      02 MSVCR120D!_nh_malloc_dbg
      03 MSVCR120D!malloc
      04 LIBEAY32!default_malloc_ex
      05 LIBEAY32!CRYPTO_malloc
      06 LIBEAY32!lh_insert
      07 LIBEAY32!OBJ_add_object
      08 LIBEAY32!OBJ_create
      09 openssl!add_oid_section
      0a openssl!req_main
      0b openssl!do_cmd
      0c openssl!main
      0d openssl!__tmainCRTStartup
      0e openssl!mainCRTStartup
      0f KERNEL32!BaseThreadInitThunk
      10 ntdll_77d60000!__RtlUserThreadStart
      11 ntdll_77d60000!_RtlUserThreadStart
      
      Signed-off-by: Matt Caswell <matt@openssl.org>
      Reviewed-by: Richard Levitte <levitte@openssl.org>
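The size mix-up the commit describes, as an added illustration that is not code from the OpenSSL commit: `ao` is an array of pointers to ADDED_OBJ, so `sizeof(*ao)` is the size of one pointer while `sizeof(*ao[0])` is the size of one object. The struct layout below (an int tag plus a pointer) is an assumption chosen only to reproduce the 4-versus-8-byte figures quoted for x86; the `alloc_added_obj` helper is hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>

/* Stand-in for ADDED_OBJ (layout assumed: an int tag and a pointer).
 * Only the sizes matter for the bug the commit describes. */
typedef struct added_obj_st {
    int type;
    void *obj;
} ADDED_OBJ;

/* What the buggy line asked malloc() for: *ao is one pointer, not one
 * ADDED_OBJ, so this is sizeof(ADDED_OBJ *) (4 on x86, as the message says). */
size_t buggy_alloc_size(void)
{
    ADDED_OBJ *ao[4] = { NULL, NULL, NULL, NULL };
    return sizeof(*ao);
}

/* What the corrected line asks for: the element, not the array. */
size_t fixed_alloc_size(void)
{
    ADDED_OBJ *ao[4] = { NULL, NULL, NULL, NULL };
    return sizeof(*ao[0]);   /* == sizeof(ADDED_OBJ), 8 on x86 */
}

/* Bytes the under-sized allocation falls short by on this platform; every
 * field written past that point lands outside the heap block, which is the
 * overrun the debug heap and full-page heap caught. */
size_t bytes_short(void)
{
    return fixed_alloc_size() - buggy_alloc_size();
}

/* Hypothetical helper: allocate one slot the corrected way and fill it. */
ADDED_OBJ *alloc_added_obj(int type, void *obj)
{
    ADDED_OBJ *ao[4] = { NULL, NULL, NULL, NULL };
    /* A compile-time check of this form would have flagged the mix-up. */
    _Static_assert(sizeof(*ao[0]) == sizeof(ADDED_OBJ), "element size mismatch");
    ao[0] = malloc(sizeof(*ao[0]));   /* not sizeof(*ao) */
    if (ao[0] == NULL)
        return NULL;
    ao[0]->type = type;
    ao[0]->obj = obj;
    return ao[0];
}
```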