Hello, I think I've found a bug in openssl. When I run the following command to decrypt a file in CMS format (DER encoded), openssl crashes with a segmentation fault:
    openssl cms -decrypt -binary -inform der -in inputfile -recip certs/enc.crt-nopass -out outputfile

The inputfile is attached (and doesn't contain any secrets); the certificate/private key is available on request. When I run the same command in 'valgrind', it does complete and I get a successfully decrypted file. I have also tried using other versions of openssl (openssl-0.9.8n, openssl-1.0.0-beta4, openssl-1.0.0-beta5) and they all fail in the same way.

The backtrace is as follows:

    [New Thread 0xb7d5f6b0 (LWP 14207)]

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0xb7d5f6b0 (LWP 14207)]
    0x08129638 in asn1_template_clear (pval=0xb3468004, tt=0x8202cc0) at tasn_new.c:315
    315         *pval = NULL;
    (gdb) bt
    #0  0x08129638 in asn1_template_clear (pval=0xb3468004, tt=0x8202cc0) at tasn_new.c:315
    #1  0x0812953e in ASN1_template_new (pval=0xb3468004, tt=0x8202cc0) at tasn_new.c:272
    #2  0x0812939b in asn1_item_ex_combine_new (pval=0xb367fff0, it=0x8202cfc, combine=0) at tasn_new.c:201
    #3  0x0812905d in ASN1_item_ex_new (pval=0xb367fff0, it=0x8202cfc) at tasn_new.c:85
    #4  0x0812b41d in ASN1_item_ex_d2i (pval=0xb367fff0, in=0xbfffd484, len=871, it=0x8202cfc, tag=0, aclass=128, opt=1 '\001', ctx=0xbfffd730) at tasn_dec.c:401
    #5  0x0812bca4 in asn1_template_noexp_d2i (val=0xb367fff0, in=0xbfffd544, len=2536, tt=0x82035d4, opt=1 '\001', ctx=0xbfffd730) at tasn_dec.c:733
    #6  0x0812b983 in asn1_template_ex_d2i (val=0xb367fff0, in=0xbfffd544, inlen=2536, tt=0x82035d4, opt=1 '\001', ctx=0xbfffd730) at tasn_dec.c:608
    #7  0x0812b55a in ASN1_item_ex_d2i (pval=0xb3656ffc, in=0xbfffd5e4, len=2536, it=0x8203638, tag=16, aclass=0, opt=0 '\0', ctx=0xbfffd730) at tasn_dec.c:449
    #8  0x0812bd08 in asn1_template_noexp_d2i (val=0xb3656ffc, in=0xbfffd640, len=2541, tt=0x82039b4, opt=0 '\0', ctx=0xbfffd730) at tasn_dec.c:747
    #9  0x0812b8a7 in asn1_template_ex_d2i (val=0xb3656ffc, in=0xbfffd6a4, inlen=2543, tt=0x82039b4, opt=0 '\0', ctx=0xbfffd730) at tasn_dec.c:576
    #10 0x0812b55a in ASN1_item_ex_d2i (pval=0xbfffd72c, in=0xbfffd768, len=2543, it=0x8203aa8, tag=16, aclass=0, opt=0 '\0', ctx=0xbfffd730) at tasn_dec.c:449
    #11 0x0812ad9d in ASN1_item_d2i (pval=0xbfffd72c, in=0xbfffd768, len=2556, it=0x8203aa8) at tasn_dec.c:136
    #12 0x08121a29 in ASN1_item_d2i_bio (it=0x8203aa8, in=0xb3591fc0, x=0x0) at a_d2i_fp.c:116
    #13 0x081649a4 in d2i_CMS_bio (bp=0xb3591fc0, cms=0x0) at cms_io.c:82
    #14 0x08087eb0 in cms_main (argc=11, argv=0xbfffde58) at cms.c:793
    #15 0x0804a7ad in do_cmd (prog=0xb3d59fa0, argc=11, argv=0xbfffde58) at openssl.c:413
    #16 0x0804a47d in main (Argc=11, Argv=0xbfffde58) at openssl.c:312

openssl was configured with:

    ./config enable-cms -d

(-d to obtain a proper backtrace). The output of 'make report' without the '-d' flag is:

    OpenSSL self-test report:

    OpenSSL version:  1.0.0
    Last change:      Add "missing" function EVP_CIPHER_CTX_copy(). This copi...
    Options:          enable-cms no-gmp no-jpake no-krb5 no-md2 no-rc5 no-rfc3779 no-shared no-store no-zlib no-zlib-dynamic static-engine
    OS (uname):       Linux sdb-test 2.6.26-2-686 #1 SMP Wed Feb 10 08:59:21 UTC 2010 i686 GNU/Linux
    OS (config):      i686-whatever-linux2
    Target (default): linux-elf
    Target:           linux-elf
    Compiler:         Using built-in specs.
    Target: i486-linux-gnu
    Configured with: ../src/configure -v --with-pkgversion='Debian 4.3.2-1.1' --with-bugurl=file:///usr/share/doc/gcc-4.3/README.Bugs --enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr --enable-shared --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --enable-nls --with-gxx-include-dir=/usr/include/c++/4.3 --program-suffix=-4.3 --enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc --enable-mpfr --enable-targets=all --enable-cld --enable-checking=release --build=i486-linux-gnu --host=i486-linux-gnu --target=i486-linux-gnu
    Thread model: posix
    gcc version 4.3.2 (Debian 4.3.2-1.1)

    Test passed.

If I can do anything to aid in debugging this, let me know.

Best Regards,
Ronald.
[Attachment: inputfile (binary data)]