diff options
| author | Stephan Bergmann <sbergman@redhat.com> | 2018-11-05 17:24:09 +0100 |
|---|---|---|
| committer | Miklos Vajna <vmiklos@collabora.co.uk> | 2018-11-08 15:19:16 +0100 |
| commit | a34f1c382309a17bd06e4ac555f063e8a314ea52 (patch) | |
| tree | e7f914fb0c75a0a90f888f92605a79241e6ec729 /xmlsecurity | |
| parent | 7cfec914bb86c300e901f0fd0877af95a8d082c7 (diff) | |
xmlSecNssPKIAdoptKey apparently takes over ownership of keys
(e.g., see xmlSecNssPKIKeyDataAdoptKey called from xmlSecNssPKIAdoptKey in
workdir/UnpackedTarball/xmlsec/src/nss/pkikeys.c, which has
if (ctx->privkey) {
SECKEY_DestroyPrivateKey(ctx->privkey);
}
ctx->privkey = privkey;
to install the passed in new privkey as ctx->privkey, which is apparently
considered owned by ctx)
Presumably since ab7fabd8b116d16def53772720f19fad4dbd6366 "lok: update the test
for singing the document from LOK" changed the relevant test code,
CppunitTest_desktop_lib fails in ASan builds with
> ==16681==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d001a914a8 at pc 0x7f2af9afdf33 bp 0x7ffd59d3ccb0 sp 0x7ffd59d3cca8
> READ of size 4 at 0x61d001a914a8 thread T0
> #0 in SECKEY_GetPrivateKeyType at workdir/UnpackedTarball/nss/nss/lib/cryptohi/seckey.c:1716:21 (instdir/program/libnss3.so +0x3c6f32)
> #1 in xmlSecNssPKIAdoptKey at workdir/UnpackedTarball/xmlsec/src/nss/pkikeys.c:208:19 (instdir/program/libxsec_xmlsec.so +0x4026bc)
> #2 in SecurityEnvironment_NssImpl::createKeysManager() at xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx:846:41 (instdir/program/libxsec_xmlsec.so +0x36a4ce)
> #3 in XMLSignature_NssImpl::validate(com::sun::star::uno::Reference<com::sun::star::xml::crypto::XXMLSignatureTemplate> const&, com::sun::star::uno::Reference<com::sun::star::xml::crypto::XXMLSecurityContext> const&) at xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx:231:56 (instdir/program/libxsec_xmlsec.so +0x3ca23e)
> #4 in non-virtual thunk to XMLSignature_NssImpl::validate(com::sun::star::uno::Reference<com::sun::star::xml::crypto::XXMLSignatureTemplate> const&, com::sun::star::uno::Reference<com::sun::star::xml::crypto::XXMLSecurityContext> const&) at xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx (instdir/program/libxsec_xmlsec.so +0x3cb1ca)
> #5 in SignatureVerifierImpl::startEngine(rtl::Reference<XMLSignatureTemplateImpl> const&) at xmlsecurity/source/framework/signatureverifierimpl.cxx:70:44 (instdir/program/libxmlsecurity.so +0x6da8a9)
> #6 in SignatureEngine::tryToPerform() at xmlsecurity/source/framework/signatureengine.cxx:112:9 (instdir/program/libxmlsecurity.so +0x6c9a4e)
> #7 in SecurityEngine::referenceResolved(int) at xmlsecurity/source/framework/securityengine.cxx:39:5 (instdir/program/libxmlsecurity.so +0x6ba84a)
> #8 in ElementCollector::doNotify() at xmlsecurity/source/framework/elementcollector.cxx:136:39 (instdir/program/libxmlsecurity.so +0x660853)
> #9 in ElementCollector::notifyListener() at xmlsecurity/source/framework/elementcollector.cxx:88:5 (instdir/program/libxmlsecurity.so +0x660006)
> #10 in BufferNode::elementCollectorNotify() at xmlsecurity/source/framework/buffernode.cxx:725:40 (instdir/program/libxmlsecurity.so +0x5fe591)
> #11 in BufferNode::setReceivedAll() at xmlsecurity/source/framework/buffernode.cxx:96:5 (instdir/program/libxmlsecurity.so +0x5fd61a)
> #12 in SAXEventKeeperImpl::endElement(rtl::OUString const&) at xmlsecurity/source/framework/saxeventkeeperimpl.cxx:1067:36 (instdir/program/libxmlsecurity.so +0x67694c)
> #13 in XSecParser::endElement(rtl::OUString const&) at xmlsecurity/source/helper/xsecparser.cxx:408:29 (instdir/program/libxmlsecurity.so +0x885bd6)
> #14 in (anonymous namespace)::SaxExpatParser_Impl::callbackEndElement(void*, char const*) at sax/source/expatwrap/sax_expat.cxx:731:9 (instdir/program/libexpwraplo.so +0x1a0817)
> #15 in (anonymous namespace)::call_callbackEndElement(void*, char const*) at sax/source/expatwrap/sax_expat.cxx:242:9 (instdir/program/libexpwraplo.so +0x199604)
> #16 in doContent at workdir/UnpackedTarball/expat/lib/xmlparse.c:2954:11 (instdir/program/libexpwraplo.so +0x32fdf9)
> #17 in contentProcessor at workdir/UnpackedTarball/expat/lib/xmlparse.c:2531:27 (instdir/program/libexpwraplo.so +0x319c93)
> #18 in doProlog at workdir/UnpackedTarball/expat/lib/xmlparse.c:4556:14 (instdir/program/libexpwraplo.so +0x313539)
> #19 in prologProcessor at workdir/UnpackedTarball/expat/lib/xmlparse.c:4270:10 (instdir/program/libexpwraplo.so +0x2ffcc8)
> #20 in XML_ParseBuffer at workdir/UnpackedTarball/expat/lib/xmlparse.c:1983:25 (instdir/program/libexpwraplo.so +0x2fafbf)
> #21 in (anonymous namespace)::SaxExpatParser_Impl::parse() at sax/source/expatwrap/sax_expat.cxx:654:27 (instdir/program/libexpwraplo.so +0x19a27e)
> #22 in (anonymous namespace)::SaxExpatParser::parseStream(com::sun::star::xml::sax::InputSource const&) at sax/source/expatwrap/sax_expat.cxx:484:14 (instdir/program/libexpwraplo.so +0x192774)
> #23 in XMLSignatureHelper::ReadAndVerifySignature(com::sun::star::uno::Reference<com::sun::star::io::XInputStream> const&) at xmlsecurity/source/helper/xmlsignaturehelper.cxx:278:18 (instdir/program/libxmlsecurity.so +0x7dd825)
> #24 in DocumentSignatureManager::read(bool, bool) at xmlsecurity/source/helper/documentsignaturemanager.cxx:549:31 (instdir/program/libxmlsecurity.so +0x743aaa)
> #25 in DocumentDigitalSignatures::signDocumentWithCertificate(com::sun::star::uno::Reference<com::sun::star::security::XCertificate> const&, com::sun::star::uno::Reference<com::sun::star::embed::XStorage> const&, com::sun::star::uno::Reference<com::sun::star::io::XStream> const&) at xmlsecurity/source/component/documentdigitalsignatures.cxx:781:23 (instdir/program/libxmlsecurity.so +0x4855fc)
> #26 in SfxMedium::SignDocumentContentUsingCertificate(bool, com::sun::star::uno::Reference<com::sun::star::security::XCertificate> const&) at sfx2/source/doc/docfile.cxx:3709:42 (instdir/program/libsfxlo.so +0x3577abe)
> #27 in SfxObjectShell::SignDocumentContentUsingCertificate(com::sun::star::uno::Reference<com::sun::star::security::XCertificate> const&) at sfx2/source/doc/objserv.cxx:1659:38 (instdir/program/libsfxlo.so +0x37e1aab)
> #28 in doc_insertCertificate(_LibreOfficeKitDocument*, unsigned char const*, int, unsigned char const*, int) at desktop/source/lib/init.cxx:3690:26 (instdir/program/libsofficeapp.so +0x7a40af)
> #29 in DesktopLOKTest::testInsertCertificate() at desktop/qa/desktop_lib/test_desktop_lib.cxx:2322:24 (workdir/LinkTarget/CppunitTest/libtest_desktop_lib.so +0x187439)
>
> 0x61d001a914a8 is located 40 bytes inside of 2048-byte region [0x61d001a91480,0x61d001a91c80)
> freed by thread T0 here:
> #0 in free at /home/sbergman/github.com/llvm-project/llvm-project-20170507/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3 (workdir/LinkTarget/Executable/cppunittester +0x4feda8)
> #1 in PR_Free at workdir/UnpackedTarball/nss/nspr/out/pr/src/malloc/../../../../pr/src/malloc/prmem.c:458:9 (instdir/program/libnspr4.so +0x12c5af)
> #2 in FreeArenaList at workdir/UnpackedTarball/nss/nspr/out/lib/ds/../../../lib/ds/plarena.c:195:9 (instdir/program/libplds4.so +0xcc36)
> #3 in PL_FreeArenaPool at workdir/UnpackedTarball/nss/nspr/out/lib/ds/../../../lib/ds/plarena.c:216:5 (instdir/program/libplds4.so +0xcd9d)
> #4 in PORT_FreeArena_Util at workdir/UnpackedTarball/nss/nss/lib/util/secport.c:383:9 (instdir/program/libnssutil3.so +0x103381)
> #5 in SECKEY_DestroyPrivateKey at workdir/UnpackedTarball/nss/nss/lib/cryptohi/seckey.c:250:13 (instdir/program/libnss3.so +0x3baa05)
> #6 in xmlSecNSSPKIKeyDataCtxFree at workdir/UnpackedTarball/xmlsec/src/nss/pkikeys.c:109:9 (instdir/program/libxsec_xmlsec.so +0x4093a3)
> #7 in xmlSecNssPKIKeyDataFinalize at workdir/UnpackedTarball/xmlsec/src/nss/pkikeys.c:99:5 (instdir/program/libxsec_xmlsec.so +0x417a61)
> #8 in xmlSecNssKeyDataRsaFinalize at workdir/UnpackedTarball/xmlsec/src/nss/pkikeys.c:1086:5 (instdir/program/libxsec_xmlsec.so +0x419214)
> #9 in xmlSecKeyDataDestroy at workdir/UnpackedTarball/xmlsec/src/keysdata.c:248:9 (instdir/program/libxsec_xmlsec.so +0x5213f4)
> #10 in xmlSecKeyEmpty at workdir/UnpackedTarball/xmlsec/src/keys.c:533:9 (instdir/program/libxsec_xmlsec.so +0x518026)
> #11 in xmlSecKeyDestroy at workdir/UnpackedTarball/xmlsec/src/keys.c:555:5 (instdir/program/libxsec_xmlsec.so +0x51838a)
> #12 in xmlSecPtrListEmpty at workdir/UnpackedTarball/xmlsec/src/list.c:149:17 (instdir/program/libxsec_xmlsec.so +0x54943a)
> #13 in xmlSecPtrListFinalize at workdir/UnpackedTarball/xmlsec/src/list.c:129:5 (instdir/program/libxsec_xmlsec.so +0x548b87)
> #14 in xmlSecSimpleKeysStoreFinalize at workdir/UnpackedTarball/xmlsec/src/keysmngr.c:663:5 (instdir/program/libxsec_xmlsec.so +0x5432b0)
> #15 in xmlSecKeyStoreDestroy at workdir/UnpackedTarball/xmlsec/src/keysmngr.c:274:9 (instdir/program/libxsec_xmlsec.so +0x53a03c)
> #16 in xmlSecNssKeysStoreFinalize at workdir/UnpackedTarball/xmlsec/src/nss/keysstore.c:276:5 (instdir/program/libxsec_xmlsec.so +0x485f76)
> #17 in xmlSecKeyStoreDestroy at workdir/UnpackedTarball/xmlsec/src/keysmngr.c:274:9 (instdir/program/libxsec_xmlsec.so +0x53a03c)
> #18 in xmlSecKeysMngrDestroy at workdir/UnpackedTarball/xmlsec/src/keysmngr.c:84:9 (instdir/program/libxsec_xmlsec.so +0x539a79)
> #19 in SecurityEnvironment_NssImpl::destroyKeysManager(_xmlSecKeysMngr*) at xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx:862:9 (instdir/program/libxsec_xmlsec.so +0x36a817)
> #20 in std::default_delete<_xmlSecKeysMngr>::operator()(_xmlSecKeysMngr*) at xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx:52:46 (instdir/program/libxsec_xmlsec.so +0x3cd05d)
> #21 in std::unique_ptr<_xmlSecKeysMngr, std::default_delete<_xmlSecKeysMngr> >::~unique_ptr() at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/unique_ptr.h:274:4 (instdir/program/libxsec_xmlsec.so +0x3cc759)
> #22 in XMLSignature_NssImpl::generate(com::sun::star::uno::Reference<com::sun::star::xml::crypto::XXMLSignatureTemplate> const&, com::sun::star::uno::Reference<com::sun::star::xml::crypto::XSecurityEnvironment> const&) at xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx:173:1 (instdir/program/libxsec_xmlsec.so +0x3c8934)
> #23 in non-virtual thunk to XMLSignature_NssImpl::generate(com::sun::star::uno::Reference<com::sun::star::xml::crypto::XXMLSignatureTemplate> const&, com::sun::star::uno::Reference<com::sun::star::xml::crypto::XSecurityEnvironment> const&) at xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx (instdir/program/libxsec_xmlsec.so +0x3c8b9a)
> #24 in SignatureCreatorImpl::startEngine(rtl::Reference<XMLSignatureTemplateImpl> const&) at xmlsecurity/source/framework/signaturecreatorimpl.cxx:78:44 (instdir/program/libxmlsecurity.so +0x6be738)
> #25 in SignatureEngine::tryToPerform() at xmlsecurity/source/framework/signatureengine.cxx:112:9 (instdir/program/libxmlsecurity.so +0x6c9a4e)
> #26 in SecurityEngine::referenceResolved(int) at xmlsecurity/source/framework/securityengine.cxx:39:5 (instdir/program/libxmlsecurity.so +0x6ba84a)
> #27 in ElementCollector::doNotify() at xmlsecurity/source/framework/elementcollector.cxx:136:39 (instdir/program/libxmlsecurity.so +0x660853)
> #28 in ElementCollector::notifyListener() at xmlsecurity/source/framework/elementcollector.cxx:88:5 (instdir/program/libxmlsecurity.so +0x660006)
> #29 in BufferNode::elementCollectorNotify() at xmlsecurity/source/framework/buffernode.cxx:725:40 (instdir/program/libxmlsecurity.so +0x5fe591)
> #30 in BufferNode::setReceivedAll() at xmlsecurity/source/framework/buffernode.cxx:96:5 (instdir/program/libxmlsecurity.so +0x5fd61a)
> #31 in SAXEventKeeperImpl::endElement(rtl::OUString const&) at xmlsecurity/source/framework/saxeventkeeperimpl.cxx:1067:36 (instdir/program/libxmlsecurity.so +0x67694c)
> #32 in XSecController::exportSignature(com::sun::star::uno::Reference<com::sun::star::xml::sax::XDocumentHandler> const&, SignatureInformation const&, bool) at xmlsecurity/source/helper/xsecctl.cxx:916:23 (instdir/program/libxmlsecurity.so +0x868894)
> #33 in XSecController::WriteSignature(com::sun::star::uno::Reference<com::sun::star::xml::sax::XDocumentHandler> const&, bool) at xmlsecurity/source/helper/xsecsign.cxx:393:17 (instdir/program/libxmlsecurity.so +0x894df1)
> #34 in XMLSignatureHelper::CreateAndWriteSignature(com::sun::star::uno::Reference<com::sun::star::xml::sax::XDocumentHandler> const&, bool) at xmlsecurity/source/helper/xmlsignaturehelper.cxx:248:29 (instdir/program/libxmlsecurity.so +0x7dcebe)
> #35 in DocumentSignatureManager::add(com::sun::star::uno::Reference<com::sun::star::security::XCertificate> const&, com::sun::star::uno::Reference<com::sun::star::xml::crypto::XXMLSecurityContext> const&, rtl::OUString const&, int&, bool, rtl::OUString const&, com::sun::star::uno::Reference<com::sun::star::graphic::XGraphic> const&, com::sun::star::uno::Reference<com::sun::star::graphic::XGraphic> const&) at xmlsecurity/source/helper/documentsignaturemanager.cxx:422:27 (instdir/program/libxmlsecurity.so +0x74032e)
> #36 in DocumentDigitalSignatures::signDocumentWithCertificate(com::sun::star::uno::Reference<com::sun::star::security::XCertificate> const&, com::sun::star::uno::Reference<com::sun::star::embed::XStorage> const&, com::sun::star::uno::Reference<com::sun::star::io::XStream> const&) at xmlsecurity/source/component/documentdigitalsignatures.cxx:777:39 (instdir/program/libxmlsecurity.so +0x48541a)
> #37 in SfxMedium::SignDocumentContentUsingCertificate(bool, com::sun::star::uno::Reference<com::sun::star::security::XCertificate> const&) at sfx2/source/doc/docfile.cxx:3709:42 (instdir/program/libsfxlo.so +0x3577abe)
> #38 in SfxObjectShell::SignDocumentContentUsingCertificate(com::sun::star::uno::Reference<com::sun::star::security::XCertificate> const&) at sfx2/source/doc/objserv.cxx:1659:38 (instdir/program/libsfxlo.so +0x37e1aab)
> #39 in doc_insertCertificate(_LibreOfficeKitDocument*, unsigned char const*, int, unsigned char const*, int) at desktop/source/lib/init.cxx:3690:26 (instdir/program/libsofficeapp.so +0x7a40af)
> #40 in DesktopLOKTest::testInsertCertificate() at desktop/qa/desktop_lib/test_desktop_lib.cxx:2322:24 (workdir/LinkTarget/CppunitTest/libtest_desktop_lib.so +0x187439)
>
> previously allocated by thread T0 here:
> #0 in __interceptor_malloc at /home/sbergman/github.com/llvm-project/llvm-project-20170507/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3 (workdir/LinkTarget/Executable/cppunittester +0x4ff187)
> #1 in PR_Malloc at workdir/UnpackedTarball/nss/nspr/out/pr/src/malloc/../../../../pr/src/malloc/prmem.c:435:55 (instdir/program/libnspr4.so +0x12892c)
> #2 in PL_ArenaAllocate at workdir/UnpackedTarball/nss/nspr/out/lib/ds/../../../lib/ds/plarena.c:127:27 (instdir/program/libplds4.so +0x9c8f)
> #3 in PORT_ArenaAlloc_Util at workdir/UnpackedTarball/nss/nss/lib/util/secport.c:321:9 (instdir/program/libnssutil3.so +0x1028c3)
> #4 in PORT_ArenaZAlloc_Util at workdir/UnpackedTarball/nss/nss/lib/util/secport.c:342:9 (instdir/program/libnssutil3.so +0x10311f)
> #5 in PK11_MakePrivKey at workdir/UnpackedTarball/nss/nss/lib/pk11wrap/pk11akey.c:865:9 (instdir/program/libnss3.so +0x3f6529)
> #6 in PK11_ImportAndReturnPrivateKey at workdir/UnpackedTarball/nss/nss/lib/pk11wrap/pk11pk12.c:538:18 (instdir/program/libnss3.so +0x4ebcac)
> #7 in PK11_ImportPrivateKeyInfoAndReturnKey at workdir/UnpackedTarball/nss/nss/lib/pk11wrap/pk11pk12.c:645:10 (instdir/program/libnss3.so +0x4dea0c)
> #8 in PK11_ImportDERPrivateKeyInfoAndReturnKey at workdir/UnpackedTarball/nss/nss/lib/pk11wrap/pk11pk12.c:299:10 (instdir/program/libnss3.so +0x4ddba8)
> #9 in SecurityEnvironment_NssImpl::insertPrivateKey(com::sun::star::uno::Sequence<signed char> const&) at xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx:883:25 (instdir/program/libxsec_xmlsec.so +0x36ac38)
> #10 in SecurityEnvironment_NssImpl::createDERCertificateWithPrivateKey(com::sun::star::uno::Sequence<signed char> const&, com::sun::star::uno::Sequence<signed char> const&) at xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx:897:37 (instdir/program/libxsec_xmlsec.so +0x36afe6)
> #11 in non-virtual thunk to SecurityEnvironment_NssImpl::createDERCertificateWithPrivateKey(com::sun::star::uno::Sequence<signed char> const&, com::sun::star::uno::Sequence<signed char> const&) at xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx (instdir/program/libxsec_xmlsec.so +0x36b49a)
> #12 in doc_insertCertificate(_LibreOfficeKitDocument*, unsigned char const*, int, unsigned char const*, int) at desktop/source/lib/init.cxx:3685:41 (instdir/program/libsofficeapp.so +0x7a3ea3)
> #13 in DesktopLOKTest::testInsertCertificate() at desktop/qa/desktop_lib/test_desktop_lib.cxx:2322:24 (workdir/LinkTarget/CppunitTest/libtest_desktop_lib.so +0x187439)
Change-Id: Id54bdea78affbf3aa24a1e9bb565c46f48f512e6
Reviewed-on: https://gerrit.libreoffice.org/62914
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
(cherry picked from commit 23874f86dd51386d98ef8e3d06a1ece05463ed3c)
Diffstat (limited to 'xmlsecurity')
| -rw-r--r-- | xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx index aa711d876b8f..0a03e5fd2bf9 100644 --- a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx +++ b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx @@ -970,9 +970,11 @@ xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() { if (auto pCertificate = dynamic_cast<X509Certificate_NssImpl*>(m_xSigningCertificate.get())) { SECKEYPrivateKey* pPrivateKey = pCertificate->getPrivateKey(); - if (pPrivateKey) + SECKEYPrivateKey* copy + = pPrivateKey == nullptr ? nullptr : SECKEY_CopyPrivateKey(pPrivateKey); + if (copy) { - xmlSecKeyDataPtr pKeyData = xmlSecNssPKIAdoptKey(pPrivateKey, nullptr); + xmlSecKeyDataPtr pKeyData = xmlSecNssPKIAdoptKey(copy, nullptr); xmlSecKeyPtr pKey = xmlSecKeyCreate(); xmlSecKeySetValue(pKey, pKeyData); xmlSecNssAppDefaultKeysMngrAdoptKey(pKeysMngr, pKey); |