[Bug 1884265] [NEW] [fips] Not fully initialized digest segfaulting some client applications

Fri, 19 Jun 2020 08:01:19 -0700 

*** This bug is a security vulnerability ***

Public security bug reported:

In FIPS mode on Bionic MD5 is semi-disabled causing some applications to
segfault.

Test case:
sudo apt install ntp
ntpq -p
Segmentation fault (core dumped)

What happens there is ntpq wants to iterate all available digests
(list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this
task.

EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in c_alld.c.
For FIPS mode it adds:
EVP_add_digest(EVP_md5());

What happens later in ntpq is (list_md_fn function inside ntpq.c):
ctx = EVP_MD_CTX_new();
EVP_DigestInit(ctx, EVP_get_digestbyname(name));
EVP_DigestFinal(ctx, digest, &digest_len);

First digest it gets is MD5, but while running EVP_DigestInit for it, it gets 
to this point:
#ifdef OPENSSL_FIPS
        if (FIPS_mode()) {
            if (!(type->flags & EVP_MD_FLAG_FIPS)
                && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
                EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
                return 0;
            }
        }
#endif

Due to type->flags for MD5 being 0 there's an error set 
(EVP_R_DISABLED_FOR_FIPS).
After getting back to ntpq.c:
ctx->engine and ctx->digest are not set (due to the mentioned error), hence

inside EVP_DigestFinal_ex (openssl/crypto/evp/digest.c)
OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
causes a segfault (ctx->digest is NULL).

So either MD5 shouldn't be added in FIPS mode or it should have the
EVP_MD_FLAG_FIPS to be properly initialized.

** Affects: openssl (Ubuntu)
     Importance: Medium
         Status: New

** Affects: openssl (Ubuntu Bionic)
     Importance: Medium
         Status: New


** Tags: sts

** Also affects: openssl (Ubuntu Bionic)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] Not fully initialized digest segfaulting some client
  applications

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to