Null pointer dereference – new security bug for OpenSSL (opens in new tab)

(ftp.openbsd.org)

99 pointsopenbsddesktop12y ago29 comments

29 comments

29 comments · 7 top-level

ams611012y ago· 5 in thread

That patch is set up for a later bug to be introduced: no brackets on the if statements.

Instead of:

  +		if (wb->buf == NULL)
  +			if (!ssl3_setup_write_buffer(s))
  +				return -1;

Why not:

  +		if (wb->buf == NULL) {
  +			if (!ssl3_setup_write_buffer(s)) {
  +				return -1;
  +			}
  +		}

insaneirish12y ago

This is OpenBSD Kernel Normal Form (http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9).

Disagree you may, but it's consistent with their self-imposed guidelines.

codezero12y ago

Sort of. They say only if it's a single line that it's not allowed. If there are multiple lines it's "permitted."

So technically, this is still OK, but they are allowed to use braces when there are multiple lines. (the if and the return) They have an example in that link that covers this as a permitted case, but as you say, it's OK and consistent, but that doesn't make it good :)

codezero12y ago

  if ((wb->buf == NULL) && !ssl3_setup_write_buffer(s)) {
     return -1;
  }

ibotty12y ago

this is getting boring. ever time a patch using no parentheses shows up there is that comment. if all your code uses that style you get used to it. feel free to show evidence of openbsd making that mistake once! (there might have been those, but i am sure it's going to be very hard to find).

nextw33k12y ago

Perhaps you need to consider the bigger picture. The biggest part of being a programmer is not in how many characters we write but in how we are able to know and understand abstract concepts.

If writing defensively by always putting braces around if statements means we no longer have to consider the possibility of a fall through error, then that saves mental processing for you and more importantly for lesser programmers.

Qantourisc12y ago· 4 in thread

Is it me or should code that has to be secure be written in more manage languages to prevent these mistake ? (But managed languages probably have other security issues I don't know about ?)

pslam12y ago

If OpenSSL was written in a managed language, someone would need it in an environment a managed language wasn't suitable for, and end up porting it to C.

1 more reply

dcsommer12y ago

Managed languages is one way to go, but they are not really appropriate for performance critical libraries like OpenSSL in my book. You can get safety without being managed in modern languages if the compiler does the safety proving for you (e.g. rustlang).

1 more reply

akjj12y ago

Managed languages are very susceptible to timing attacks.

2 more replies

Qantourisc12y ago

For all clarity I meant like C++, ObjC, or others; any language that allows you to create things that enforce consistency during compile or runtime. (Like shared pointer and array containers.) Probably used the wrong terminology here.

ticktocktick12y ago· 4 in thread

Are we better off using decoder rings and snail mail at this point?

im3w1l12y ago

It is probably safer yes. But quite inconvenient.

cratermoon12y ago

http://en.wikipedia.org/wiki/Quipu maybe.

bottombutton12y ago

There's always Windows.

1 more reply

devNoise12y ago

Don't forget to drink your Ovaltine!

agl12y ago· 3 in thread

Good to note that this was found with KLEE[1]. KLEE is a good for symbolic execution of code and is very cool[2].

This only triggers a crash if you use RELEASE_BUFFERS (not the default) and a warning alert is written when the socket buffer is full. About the only case where a warning alert is generated is when a client attempts a renegotiation without the renegotiation extension (unless insecure renegotiation is allowed by the app). I've not been able to trigger the bug in a test because code generally stops reading once the socket buffer is full so you need the application to exactly fill the socket buffer (so that it doesn't get EAGAIN), then a warning alert can just exceed it.

[1] http://marc.info/?l=openssl-dev&m=139809493725682&w=2 [2] http://klee.github.io/klee/

duked12y ago

KLEE is ok on small programs but has a lot of limitation with real world programs (using libraries mostly) at least according to a USENIX paper last year: https://www.usenix.org/conference/cset13/workshop-program/pr...

munin12y ago

How does what you say square with the evidence that klee found a bug in OpenSSL which is about as real world as it gets?

jevinskie12y ago

KLEE is very interesting! I am looking into it for improving tests on some of my company's small-but-tricky functions.

Here is an example of its power and how to use it: http://feliam.wordpress.com/2010/10/07/the-symbolic-maze/

openbsddesktopOP12y ago· 3 in thread

You can thank the people that found the bug here:

http://www.openbsdfoundation.org/donations.html

http://www.openbsd.org/donations.html

http://www.openbsd.org/want.html

dang12y ago

It's a worthy cause, but please don't repeatedly post these comments. Neither fundraising campaigns nor single-purpose accounts are appropriate in HN threads.

Dorian-Marie12y ago

Wow, all your comments are about donating to OpenBSD.

openbsddesktopOP12y ago

Then here is another type: a previous security bug:

Apr 12, 2014

http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/004_op...

-->>

2014-04-30

http://www.freebsd.org/security/advisories/FreeBSD-SA-14:09....

needed 18 days to reach other OSes, ex.: FreeBSD.. interesting lag..

eyeareque12y ago· 2 in thread

Are there any write ups for this yet? I can't find a CVE or anything on this one. No word from OpenSSL yet either.

Moral_12y ago

This shouldn't be exploitable on modern linux machines due to https://wiki.debian.org/mmap_min_addr

Who knows for embedded devices.

lawnchair_larry12y ago

It wouldn't be exploitable even without that, due to it being a userland dereference. The mmap 0 trick really only applies to kernel exploits. If you're in a position to mmap anything, you can already execute code.

protomyth12y ago· 1 in thread

Like I said in the other thread on 5.5, make sure you update for the patches. http://www.openbsd.org/errata55.html

This one is listed on that page (bottom 005: SECURITY FIX: May 1, 2014).

openbsddesktopOP12y ago

I think they are sending out e-mails about new patches.

j / k navigate · click thread line to collapse

29 comments

29 comments · 7 top-level

ams611012y ago· 5 in thread

That patch is set up for a later bug to be introduced: no brackets on the if statements.

Instead of:

  +		if (wb->buf == NULL)
  +			if (!ssl3_setup_write_buffer(s))
  +				return -1;

Why not:

  +		if (wb->buf == NULL) {
  +			if (!ssl3_setup_write_buffer(s)) {
  +				return -1;
  +			}
  +		}

insaneirish12y ago

This is OpenBSD Kernel Normal Form (http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9).

Disagree you may, but it's consistent with their self-imposed guidelines.

codezero12y ago

Sort of. They say only if it's a single line that it's not allowed. If there are multiple lines it's "permitted."

codezero12y ago

  if ((wb->buf == NULL) && !ssl3_setup_write_buffer(s)) {
     return -1;
  }

ibotty12y ago

nextw33k12y ago

Perhaps you need to consider the bigger picture. The biggest part of being a programmer is not in how many characters we write but in how we are able to know and understand abstract concepts.

Qantourisc12y ago· 4 in thread

Is it me or should code that has to be secure be written in more manage languages to prevent these mistake ? (But managed languages probably have other security issues I don't know about ?)

pslam12y ago

If OpenSSL was written in a managed language, someone would need it in an environment a managed language wasn't suitable for, and end up porting it to C.

1 more reply

dcsommer12y ago

1 more reply

akjj12y ago

Managed languages are very susceptible to timing attacks.

2 more replies

Qantourisc12y ago

ticktocktick12y ago· 4 in thread

Are we better off using decoder rings and snail mail at this point?

im3w1l12y ago

It is probably safer yes. But quite inconvenient.

cratermoon12y ago

http://en.wikipedia.org/wiki/Quipu maybe.

bottombutton12y ago

There's always Windows.

1 more reply

devNoise12y ago

Don't forget to drink your Ovaltine!

agl12y ago· 3 in thread

Good to note that this was found with KLEE[1]. KLEE is a good for symbolic execution of code and is very cool[2].

[1] http://marc.info/?l=openssl-dev&m=139809493725682&w=2 [2] http://klee.github.io/klee/

duked12y ago

munin12y ago

How does what you say square with the evidence that klee found a bug in OpenSSL which is about as real world as it gets?

jevinskie12y ago

KLEE is very interesting! I am looking into it for improving tests on some of my company's small-but-tricky functions.

Here is an example of its power and how to use it: http://feliam.wordpress.com/2010/10/07/the-symbolic-maze/

openbsddesktopOP12y ago· 3 in thread

You can thank the people that found the bug here:

http://www.openbsdfoundation.org/donations.html

http://www.openbsd.org/donations.html

http://www.openbsd.org/want.html

dang12y ago

It's a worthy cause, but please don't repeatedly post these comments. Neither fundraising campaigns nor single-purpose accounts are appropriate in HN threads.

Dorian-Marie12y ago

Wow, all your comments are about donating to OpenBSD.

openbsddesktopOP12y ago

Then here is another type: a previous security bug:

Apr 12, 2014

http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/004_op...

-->>

2014-04-30

http://www.freebsd.org/security/advisories/FreeBSD-SA-14:09....

needed 18 days to reach other OSes, ex.: FreeBSD.. interesting lag..

eyeareque12y ago· 2 in thread

Are there any write ups for this yet? I can't find a CVE or anything on this one. No word from OpenSSL yet either.