From 204dea8daeee9935b2b08da2c2dfe7b890ed36a7 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Tue, 3 May 2016 07:42:19 -0400 Subject: [PATCH] Fix encrypt overflow An overflow can occur in the EVP_EncryptUpdate function. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate with a partial block then a length check can overflow resulting in a heap corruption. Following an analysis of all OpenSSL internal usage of the EVP_EncryptUpdate function all usage is one of two forms. The first form is like this: EVP_EncryptInit() EVP_EncryptUpdate() i.e. where the EVP_EncryptUpdate() call is known to be the first called function after an EVP_EncryptInit(), and therefore that specific call must be safe. The second form is where the length passed to EVP_EncryptUpdate() can be seen from the code to be some small value and therefore there is no possibility of an overflow. [BoringSSL: We also have code that calls EVP_CIPHER functions by way of the TLS/SSL3 "AEADs". However, there we know the inputs are bounded by 2^16.] Since all instances are one of these two forms, I believe that there can be no overflows in internal code due to this problem. It should be noted that EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths. Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). Therefore I have checked all instances of these calls too, and came to the same conclusion, i.e. there are no instances in internal usage where an overflow could occur. This could still represent a security issue for end user code that calls this function directly. CVE-2016-2106 Issue reported by Guido Vranken. (Imported from upstream's 3ab937bc440371fbbe74318ce494ba95021f850a.) Change-Id: Iabde896555c39899c7f0f6baf7a163a7b3c2f3d6 Reviewed-on: https://boringssl-review.googlesource.com/7845 Reviewed-by: Adam Langley --- crypto/cipher/cipher.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/cipher/cipher.c b/crypto/cipher/cipher.c index 341516a7..f61c59f4 100644 --- a/crypto/cipher/cipher.c +++ b/crypto/cipher/cipher.c @@ -284,7 +284,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len, bl = ctx->cipher->block_size; assert(bl <= (int)sizeof(ctx->buf)); if (i != 0) { - if (i + in_len < bl) { + if (bl - i > in_len) { memcpy(&ctx->buf[i], in, in_len); ctx->buf_len += in_len; *out_len = 0;