Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lack of nullptr check in src/crypto/crypto_ec.cc GroupOrderSize #56692

Closed
wooffie opened this issue Jan 22, 2025 · 0 comments · Fixed by #56702
Closed

Lack of nullptr check in src/crypto/crypto_ec.cc GroupOrderSize #56692

wooffie opened this issue Jan 22, 2025 · 0 comments · Fixed by #56702

Comments

@wooffie
Copy link
Contributor

wooffie commented Jan 22, 2025

Version

20.18.0

Platform

any

Subsystem

crypto

What steps will reproduce the bug?

In function GroupOrderSize call of BignumPointer::New() can return nullptr pointer (yes its can raise error via ERR_raise).

node/src/crypto/crypto_ec.cc

Line 939 in bf59539

auto order = BignumPointer::New();

After this ptr passed to EC_GROUP_get_order

node/src/crypto/crypto_ec.cc

Line 940 in bf59539

CHECK(EC_GROUP_get_order(ECKeyPointer::GetGroup(ec), order.get(), nullptr));

But this function don't expect that second param can be NULL

node/deps/openssl/openssl/crypto/ec/ec_lib.c

Line 443 in bf59539

int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx)

After nullptr can be dereferenced here:

node/deps/openssl/openssl/crypto/bn/bn_lib.c

Line 1062 in bf59539

return (words <= a->dmax) ? a : bn_expand2(a, words);

And in another places

How often does it reproduce? Is there a required condition?

If BignumPointer::New() return pointer that stores nullptr

What is the expected behavior? Why is that the expected behavior?

Check BignumPointer::New() for nullptr

What do you see instead?

Lack of nullptr check

Additional information

Additional information
Found by Linux Verification Center (linuxtesting.org) with SVACE.

Reporter: Burkov Egor (eburkov@rvision.ru).

Organization: R-Vision (support@rvision.ru).
wooffie added a commit to wooffie/node that referenced this issue Jan 22, 2025
@wooffie
src: add check for Bignum in GroupOrderSize
d456db7 
I think it's missed, cause in this file we have example of checking
result of BignumPointer::new

Refs: nodejs#56692
@wooffie wooffie mentioned this issue Jan 22, 2025
Merged
wooffie added a commit to wooffie/node that referenced this issue Jan 24, 2025
@wooffie
src: add check for Bignum in GroupOrderSize
ab67bb9 
I think it's missed, cause in this file we have example of checking
result of BignumPointer::new

Refs: nodejs#56692
targos pushed a commit that referenced this issue Feb 2, 2025
@wooffie @targos
src: add check for Bignum in GroupOrderSize
b240ca6 
I think it's missed, cause in this file we have example of checking
result of BignumPointer::new

Refs: #56692
PR-URL: #56702
Fixes: #56692
Reviewed-By: James M Snell <jasnell@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

src: add check for Bignum in GroupOrderSize wooffie/node
1 participant
@wooffie