File tboot-signature-segfault.patch of Package tboot

changeset:   506:09fae64a7515
user:        Ning Sun <ning.sun@intel.com>
date:        Sat Sep 02 01:40:15 2017 -0700
summary:     Fix openssl-1.0.2 double frees

Index: tboot-1.9.6/lcptools-v2/crtpollist.c
===================================================================
--- tboot-1.9.6.orig/lcptools-v2/crtpollist.c
+++ tboot-1.9.6/lcptools-v2/crtpollist.c
@@ -160,15 +160,14 @@ static lcp_signature_t2 *read_rsa_pubkey
 
     memset(sig, 0, sizeof(lcp_rsa_signature_t) + 2*keysize);
     sig->rsa_signature.pubkey_size = keysize;
-   
-    BIGNUM *modulus = BN_new();
-    
+
     /* OpenSSL Version 1.1.0 and later don't allow direct access to RSA 
        stuct */    
     #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+        BIGNUM *modulus = BN_new();
         RSA_get0_key(pubkey, (const BIGNUM **)&modulus, NULL, NULL); 
     #else
-        modulus = pubkey->n;
+        BIGNUM *modulus = BN_dup(pubkey->n);
     #endif
 
     unsigned char key[keysize];
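Review bot: In the 1.1.0 branch the `BN_new()` that this hunk moves under `#if` is leaked, because `RSA_get0_key()` overwrites `modulus` with a pointer to the key's own BIGNUM. The two branches now also disagree on ownership: the 1.0.2 branch holds a private copy from `BN_dup`, while the 1.1.0 branch holds a borrowed pointer. If the code after this hunk frees `modulus` (not visible here, though the switch to `BN_dup` suggests it does), the 1.1.0 build would free memory still owned by `pubkey`. Giving both branches an owned copy removes the difference, e.g. `const BIGNUM *n = NULL; RSA_get0_key(pubkey, &n, NULL, NULL); BIGNUM *modulus = BN_dup(n);`, with a `modulus == NULL` check after `#endif` before the value is used, since `BN_dup` can fail. The same applies to the read_pubkey_file hunk in lcptools/crtpollist.c; both function bodies continue outside the hunks.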
Index: tboot-1.9.6/lcptools-v2/lcputils.c
===================================================================
--- tboot-1.9.6.orig/lcptools-v2/lcputils.c
+++ tboot-1.9.6/lcptools-v2/lcputils.c
@@ -384,8 +384,8 @@ bool verify_signature(const uint8_t *dat
     #if OPENSSL_VERSION_NUMBER >= 0x10100000L
         RSA_set0_key(rsa_pubkey, modulus, exponent, NULL); 
     #else
-        rsa_pubkey->n = modulus;
-        rsa_pubkey->e = exponent;
+        rsa_pubkey->n = BN_dup(modulus);
+        rsa_pubkey->e = BN_dup(exponent);
         rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL;
     #endif
 
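Review bot: The two `BN_dup()` results assigned to `rsa_pubkey->n` and `rsa_pubkey->e` are not checked, so an allocation failure leaves a key with a NULL modulus or exponent that is then passed on to signature verification. verify_signature should fail closed at this point, for example with `if (rsa_pubkey->n == NULL || rsa_pubkey->e == NULL)` leading into the function's existing cleanup-and-return-false path, which lies outside this hunk. A comment such as `/* 1.0.2: rsa_pubkey gets its own copies; 1.1.0: RSA_set0_key() takes ownership of modulus/exponent */` would record why the branches differ and make it easier to audit the frees that follow. The verify_signature hunk in lcptools/lcputils2.c has the same unchecked assignments.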
Index: tboot-1.9.6/lcptools/crtpollist.c
===================================================================
--- tboot-1.9.6.orig/lcptools/crtpollist.c
+++ tboot-1.9.6/lcptools/crtpollist.c
@@ -155,14 +155,14 @@ static lcp_signature_t *read_pubkey_file
 
     memset(sig, 0, sizeof(*sig) + 2*keysize);
     sig->pubkey_size = keysize;
-   
-    BIGNUM *modulus = BN_new();
+
     /* OpenSSL Version 1.1.0 and later don't allow direct access to RSA 
        stuct */ 
     #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+        BIGNUM *modulus = BN_new();
         RSA_get0_key(pubkey, (const BIGNUM **)&modulus, NULL, NULL); 
     #else
-    	modulus = pubkey->n;
+        BIGNUM *modulus = BN_dup(pubkey->n);
     #endif
     unsigned char key[keysize];
     BN_bn2bin(modulus, key);
Index: tboot-1.9.6/lcptools/lcputils2.c
===================================================================
--- tboot-1.9.6.orig/lcptools/lcputils2.c
+++ tboot-1.9.6/lcptools/lcputils2.c
@@ -288,8 +288,8 @@ bool verify_signature(const uint8_t *dat
     #if OPENSSL_VERSION_NUMBER >= 0x10100000L
         RSA_set0_key(rsa_pubkey, modulus, exponent, NULL); 
     #else
-      	rsa_pubkey->n = modulus;
-    	rsa_pubkey->e = exponent;
+      	rsa_pubkey->n = BN_dup(modulus);
+    	rsa_pubkey->e = BN_dup(exponent);
   	rsa_pubkey->d = rsa_pubkey->p = rsa_pubkey->q = NULL;
     #endif
 