tpm2-software / tpm2-tss-engine

OpenSSL Engine for TPM2 devices
https://tpm2-software.github.io
BSD 3-Clause "New" or "Revised" License

Crash with EC BN_P256 curve #29

Closed dwmw2 closed 5 years ago

dwmw2 commented 5 years ago

Using a PEM file created with openssl_tpm2_engine and create_tpm2_key -e bnp256.

Starting program: /usr/bin/openssl req -x509 -engine tpm2tss -keyform engine -key ../openssl_tpm2_engine/ecc-bnp256.tss
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Initializing
engine "tpm2tss" set.
Loading private key ../openssl_tpm2_engine/ecc-bnp256.tss
get_auth called for object user key with ui_method 0x55555580ddc0
Enter password for user key:
password is 
Loaded key uses alg-id 23
Creating ECC key object.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff77e0ca3 in EC_KEY_free ()
   from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
(gdb) up
#1  0x00007ffff6cda52a in tpm2tss_ecc_makekey (tpm2Data=0x555555815dd0)
    at src/tpm2-tss-engine-ecc.c:345
345     EC_KEY_free(eckey);
(gdb) bt
#0  0x00007ffff77e0ca3 in EC_KEY_free ()
   from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
#1  0x00007ffff6cda52a in tpm2tss_ecc_makekey (tpm2Data=0x555555815dd0)
    at src/tpm2-tss-engine-ecc.c:345
#2  0x00007ffff6cd853c in loadkey (e=0x555555809a40, 
    key_id=0x7fffffffe10e "../openssl_tpm2_engine/ecc-bnp256.tss", 
    ui=0x55555580ddc0, cb_data=0x7fffffffd010) at src/tpm2-tss-engine.c:185
#3  0x00007ffff782992f in ENGINE_load_private_key ()
   from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
#4  0x000055555558569f in ?? ()
#5  0x00005555555a4c4b in ?? ()
#6  0x000055555558316d in ?? ()
#7  0x0000555555583601 in ?? ()
#8  0x00007ffff7104b97 in __libc_start_main (main=0x5555555832f0, argc=9, 
    argv=0x7fffffffdc58, init=<optimised out>, fini=<optimised out>, 
    rtld_fini=<optimised out>, stack_end=0x7fffffffdc48)
    at ../csu/libc-start.c:310
#9  0x000055555558376a in ?? ()

dwmw2 commented 5 years ago

Loaded key uses alg-id 23
Creating ECC key object.
==14657== Invalid read of size 8
==14657==    at 0x5193C5A: EC_KEY_free (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x6137529: tpm2tss_ecc_makekey (tpm2-tss-engine-ecc.c:345)
==14657==    by 0x613553B: loadkey (tpm2-tss-engine.c:185)
==14657==    by 0x51DC92E: ENGINE_load_private_key (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x13969E: ??? (in /usr/bin/openssl)
==14657==    by 0x158C4A: ??? (in /usr/bin/openssl)
==14657==    by 0x13716C: ??? (in /usr/bin/openssl)
==14657==    by 0x137600: ??? (in /usr/bin/openssl)
==14657==    by 0x575EB96: (below main) (libc-start.c:310)
==14657==  Address 0x5d9b6e8 is 72 bytes inside a block of size 80 free'd
==14657==    at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14657==    by 0x5193D24: EC_KEY_free (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x51F478A: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x51F519F: EVP_PKEY_free (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x613751D: tpm2tss_ecc_makekey (tpm2-tss-engine-ecc.c:344)
==14657==    by 0x613553B: loadkey (tpm2-tss-engine.c:185)
==14657==    by 0x51DC92E: ENGINE_load_private_key (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x13969E: ??? (in /usr/bin/openssl)
==14657==    by 0x158C4A: ??? (in /usr/bin/openssl)
==14657==    by 0x13716C: ??? (in /usr/bin/openssl)
==14657==    by 0x137600: ??? (in /usr/bin/openssl)
==14657==    by 0x575EB96: (below main) (libc-start.c:310)
==14657==  Block was alloc'd at
==14657==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14657==    by 0x51FD318: CRYPTO_zalloc (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x5194E1E: EC_KEY_new_method (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x61373F4: tpm2tss_ecc_makekey (tpm2-tss-engine-ecc.c:312)
==14657==    by 0x613553B: loadkey (tpm2-tss-engine.c:185)
==14657==    by 0x51DC92E: ENGINE_load_private_key (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x13969E: ??? (in /usr/bin/openssl)
==14657==    by 0x158C4A: ??? (in /usr/bin/openssl)
==14657==    by 0x13716C: ??? (in /usr/bin/openssl)
==14657==    by 0x137600: ??? (in /usr/bin/openssl)
==14657==    by 0x575EB96: (below main) (libc-start.c:310)
==14657== 
==14657== Invalid read of size 4
==14657==    at 0x524F8E2: CRYPTO_atomic_add (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x5193C73: EC_KEY_free (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x6137529: tpm2tss_ecc_makekey (tpm2-tss-engine-ecc.c:345)
==14657==    by 0x613553B: loadkey (tpm2-tss-engine.c:185)
==14657==    by 0x51DC92E: ENGINE_load_private_key (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x13969E: ??? (in /usr/bin/openssl)
==14657==    by 0x158C4A: ??? (in /usr/bin/openssl)
==14657==    by 0x13716C: ??? (in /usr/bin/openssl)
==14657==    by 0x137600: ??? (in /usr/bin/openssl)
==14657==    by 0x575EB96: (below main) (libc-start.c:310)
==14657==  Address 0x5d9b6d8 is 56 bytes inside a block of size 80 free'd
==14657==    at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14657==    by 0x5193D24: EC_KEY_free (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x51F478A: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x51F519F: EVP_PKEY_free (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x613751D: tpm2tss_ecc_makekey (tpm2-tss-engine-ecc.c:344)
==14657==    by 0x613553B: loadkey (tpm2-tss-engine.c:185)
==14657==    by 0x51DC92E: ENGINE_load_private_key (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x13969E: ??? (in /usr/bin/openssl)
==14657==    by 0x158C4A: ??? (in /usr/bin/openssl)
==14657==    by 0x13716C: ??? (in /usr/bin/openssl)
==14657==    by 0x137600: ??? (in /usr/bin/openssl)
==14657==    by 0x575EB96: (below main) (libc-start.c:310)
==14657==  Block was alloc'd at
==14657==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14657==    by 0x51FD318: CRYPTO_zalloc (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x5194E1E: EC_KEY_new_method (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x61373F4: tpm2tss_ecc_makekey (tpm2-tss-engine-ecc.c:312)
==14657==    by 0x613553B: loadkey (tpm2-tss-engine.c:185)
==14657==    by 0x51DC92E: ENGINE_load_private_key (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x13969E: ??? (in /usr/bin/openssl)
==14657==    by 0x158C4A: ??? (in /usr/bin/openssl)
==14657==    by 0x13716C: ??? (in /usr/bin/openssl)
==14657==    by 0x137600: ??? (in /usr/bin/openssl)
==14657==    by 0x575EB96: (below main) (libc-start.c:310)
==14657== 
==14657== Invalid read of size 8
==14657==    at 0x5193CA0: EC_KEY_free (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x6137529: tpm2tss_ecc_makekey (tpm2-tss-engine-ecc.c:345)
==14657==    by 0x613553B: loadkey (tpm2-tss-engine.c:185)
==14657==    by 0x51DC92E: ENGINE_load_private_key (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x13969E: ??? (in /usr/bin/openssl)
==14657==    by 0x158C4A: ??? (in /usr/bin/openssl)
==14657==    by 0x13716C: ??? (in /usr/bin/openssl)
==14657==    by 0x137600: ??? (in /usr/bin/openssl)
==14657==    by 0x575EB96: (below main) (libc-start.c:310)
==14657==  Address 0x5d9b6a0 is 0 bytes inside a block of size 80 free'd
==14657==    at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14657==    by 0x5193D24: EC_KEY_free (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x51F478A: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x51F519F: EVP_PKEY_free (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x613751D: tpm2tss_ecc_makekey (tpm2-tss-engine-ecc.c:344)
==14657==    by 0x613553B: loadkey (tpm2-tss-engine.c:185)
==14657==    by 0x51DC92E: ENGINE_load_private_key (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x13969E: ??? (in /usr/bin/openssl)
==14657==    by 0x158C4A: ??? (in /usr/bin/openssl)
==14657==    by 0x13716C: ??? (in /usr/bin/openssl)
==14657==    by 0x137600: ??? (in /usr/bin/openssl)
==14657==    by 0x575EB96: (below main) (libc-start.c:310)
==14657==  Block was alloc'd at
==14657==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14657==    by 0x51FD318: CRYPTO_zalloc (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x5194E1E: EC_KEY_new_method (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x61373F4: tpm2tss_ecc_makekey (tpm2-tss-engine-ecc.c:312)
==14657==    by 0x613553B: loadkey (tpm2-tss-engine.c:185)
==14657==    by 0x51DC92E: ENGINE_load_private_key (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x13969E: ??? (in /usr/bin/openssl)
==14657==    by 0x158C4A: ??? (in /usr/bin/openssl)
==14657==    by 0x13716C: ??? (in /usr/bin/openssl)
==14657==    by 0x137600: ??? (in /usr/bin/openssl)
==14657==    by 0x575EB96: (below main) (libc-start.c:310)
==14657== 
==14657== Invalid read of size 8
==14657==    at 0x5193CA3: EC_KEY_free (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x6137529: tpm2tss_ecc_makekey (tpm2-tss-engine-ecc.c:345)
==14657==    by 0x613553B: loadkey (tpm2-tss-engine.c:185)
==14657==    by 0x51DC92E: ENGINE_load_private_key (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x13969E: ??? (in /usr/bin/openssl)
==14657==    by 0x158C4A: ??? (in /usr/bin/openssl)
==14657==    by 0x13716C: ??? (in /usr/bin/openssl)
==14657==    by 0x137600: ??? (in /usr/bin/openssl)
==14657==    by 0x575EB96: (below main) (libc-start.c:310)
==14657==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==14657== 
==14657== 
==14657== Process terminating with default action of signal 11 (SIGSEGV)
==14657==  Access not within mapped region at address 0x18
==14657==    at 0x5193CA3: EC_KEY_free (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x6137529: tpm2tss_ecc_makekey (tpm2-tss-engine-ecc.c:345)
==14657==    by 0x613553B: loadkey (tpm2-tss-engine.c:185)
==14657==    by 0x51DC92E: ENGINE_load_private_key (in /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
==14657==    by 0x13969E: ??? (in /usr/bin/openssl)
==14657==    by 0x158C4A: ??? (in /usr/bin/openssl)
==14657==    by 0x13716C: ??? (in /usr/bin/openssl)
==14657==    by 0x137600: ??? (in /usr/bin/openssl)
==14657==    by 0x575EB96: (below main) (libc-start.c:310)
==14657==  If you believe this happened as a result of a stack
==14657==  overflow in your program's main thread (unlikely but
==14657==  possible), you can try to increase the size of the
==14657==  main thread stack using the --main-stacksize= flag.
==14657==  The main thread stack size used in this run was 8388608.
==14657== 
==14657== HEAP SUMMARY:
==14657==     in use at exit: 100,466 bytes in 2,804 blocks
==14657==   total heap usage: 3,665 allocs, 861 frees, 171,814 bytes allocated
==14657== 
==14657== LEAK SUMMARY:
==14657==    definitely lost: 0 bytes in 0 blocks
==14657==    indirectly lost: 0 bytes in 0 blocks
==14657==      possibly lost: 0 bytes in 0 blocks
==14657==    still reachable: 100,466 bytes in 2,804 blocks
==14657==         suppressed: 0 bytes in 0 blocks
==14657== Rerun with --leak-check=full to see details of leaked memory
==14657== 
==14657== For counts of detected and suppressed errors, rerun with: -v
==14657== ERROR SUMMARY: 6 errors from 4 contexts (suppressed: 0 from 0)
Segmentation fault

AndreasFuchsTPM commented 5 years ago

Could it be that EVP_PKEY_free frees the assigned EC_KEY and with EC_KEY_free we have a double-free here? Which makes sense I guess.