Backport 2.1: Fix corner case uses of memory_buffer_alloc.c #1009
Conversation
|
@RonEld: It seems that overtime, more tests have been added to memory_buffer_alloc module. However, these were never backported to mbed TLS 2.1 and 1.3. So I backported the tests and also some changes to the generate_code.pl script as the tests were not working correctly because changes to the script werent backported either. I tried to do a similar operation in mbed TLS 1.3, but there are too many changes introduced in the API meaning that it was very difficult to backport the tests, so I did not do that. |
|
@andresag01 Thanks for the clarification. In this case, we should have a task to write the tests for 1.3 |
Patater
added
the
needs-review
|
Ok - the backporting of additional test cases is worthwhile, but it would have been better to do it in a separate PR. PR's should be as simple as they can be, self-contained and aim to change only one feature or function, whether big or small. However, I'm less keen on backporting test framework changes. You've done that work now, and I see little risk in it, but it's not something I would have planned. These are mainly observations, and otherwise I approved the PR. |
simonbutcher
added
needs-design-approval
and removed
needs-review
|
@sbutcher-arm @RonEld: Thanks for the reviews! With regards to:
I agree that backporting large infrastructure changes is, perhaps, not ideal as it increases the risk of breaking something. However, I like to backport simple changes like this one because in future PRs it is much easier to backport other changes around this area as the development and the maintenance branch has not diverged so much. Just a thought... |
|
Failure in |
library/x509_crl.c
Outdated
| @@ -294,7 +294,7 @@ int mbedtls_x509_crl_parse_der( mbedtls_x509_crl *chain, | |||
| /* | |||
| * Copy raw DER-encoded CRL | |||
| */ | |||
| if( ( p = mbedtls_calloc( 1, buflen ) ) == NULL ) | |||
| if( buflen != 0 && ( ( p = mbedtls_calloc( 1, buflen ) ) == NULL ) ) | |||
| return( MBEDTLS_ERR_X509_ALLOC_FAILED ); | |||
|
|
|||
| memcpy( p, buf, buflen ); | |||
There was a problem hiding this comment.
The test suite test_suite_x509parse fails in the clang-asan build (https://jenkins-internal.mbed.com/job/mbedtls-pr/425/execution/node/192/log/). I can reproduce this locally and identified the culprit as the change above.
X509 CRL ASN1 (Incorrect first tag) ............................... /home/gilpes01/z/dev/mbedtls/gate/library/x509_crl.c:300:13: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:43:28: note: nonnull attribute specified here
SUMMARY: AddressSanitizer: undefined-behavior /home/gilpes01/z/dev/mbedtls/gate/library/x509_crl.c:300:13 in
This test case calls mbedtls_x509_crl_parse with buflen = 0. This in turn calls mbedtls_x509_crl_parse_der with buflen = 0, and this PR changed the way the function behaves in this case.
It's good that we don't rely on the behavior of calloc with a size of 0, but the way this was fixed, we're now calling memcpy with a size of 0. Calling memcpy with a null pointer and a size of 0 probably works on most platforms, but it's technically undefined behavior, and Clang-Asan rejects it.
I think that memcpy(NULL, buf, 0) is poor practice even if it works, and a rejection from Asan is not good, so I am not merging this PR.
Technically this is a pre-existing bug, since we returned MBEDTLS_ERR_X509_ALLOC_FAILED instead of MBEDTLS_ERR_X509_INVALID_FORMAT on platforms where calloc(…, 0) returns NULL. But I think the best solution would be to add
if( buflen == 0 )
return( MBEDTLS_ERR_X509_INVALID_FORMAT );
near the top of this function and remove the check for buflen != 0 here.
There was a problem hiding this comment.
I am rejecting this PR because it causes the Asan check to fail and highlights a bug on exotic platforms. Please fix as described here or however you see fit.
|
@gilles-peskine-arm: Thanks for pointing this out. I have now fixed the issue. |
There was a problem hiding this comment.
Approved, but with the same suggested improvement as the main PR: #778 (comment)
|
Changed the code in x509_crl.c according to the latest review comments. |
|
Automatic CI run picked an old version. Running manually: https://jenkins-internal.mbed.com/job/mbedtls-commit-tests/45/ → only failed due to known issues (timing tests on FreeBSD, compat.sh slow start), ok to merge. |
There was a problem hiding this comment.
PR held due to a test failure after merging into mbedtls-2.1. See #778 (review)
The corner cases fixed include:
* Allocating a buffer of size 0. With this change, the allocator now
returns a NULL pointer in this case. Note that changes in pem.c and
x509_crl.c were required to fix tests that did not work under this
assumption.
* Initialising the allocator with less memory than required for headers.
* Fix header chain checks for uninitialised allocator.
Adds additional tests to the test suite for memory_buffer_alloc.c
Added comments to explain purpose and usage of generate_code.pl
Added to generate_code.pl:
- support for per test suite helper functions
- description of the structure of the files the script uses to construct
the test suite file
- delimiters through the source code to make the machine generated code
easier to understand
Restructed test suite helper and main code to support tests suite helper functions, changed C++ comments to C-style, and made the generated source code more navigable.
andresag01
force-pushed
the
mbedtls-2.1-iotssl-1033-memory-buffer-alloc
branch
from
ede3f1b to
133ab2c
Compare
|
@gilles-peskine-arm: Rebased and fixed reported issue in pkparse.c |
There was a problem hiding this comment.
- I approve the rebasing from my previous approval (
pr_1009-1) to af77213 based on the output ofinterdiff <(git diff mbedtls-2.1...af77213) <(git diff mbedtls-2.1...pr_1009-1)which shows only benign differences. - I approve the one additional commit 133ab2c.
- This fixes the build failure Fix corner case uses of memory_buffer_alloc.c #778 (review).
gilles-peskine-arm
added
needs-review
gilles-peskine-arm
added
approved
Mbedtls 2.28.3rc0 pr - DO NOT MERGE
This change fixes the following corner cases in memory_buffer_alloc.c:
verify_chain()on an uninitialized chain. Would previously cause aNULLdereference.This PR is based on the information recorded in #639.
NOTES: