1From 09015a582baa980dc04f635504b16fe95dc3790b Mon Sep 17 00:00:00 2001 2From: l00511027 <liwei3013@126.com> 3Date: Fri, 26 Jan 2024 18:45:28 +0800 4Subject: [PATCH 1/2] fix CVE-2024-0727 5 6Add NULL checks where ContentInfo data can be NULL 7--- 8 crypto/pkcs12/p12_add.c | 16 ++++++++++++++ 9 crypto/pkcs12/p12_mutl.c | 5 +++++ 10 crypto/pkcs12/p12_npas.c | 5 +++-- 11 crypto/pkcs7/pk7_mime.c | 8 +++++-- 12 4 files changed, 53 insertions(+), 6 deletions(-) 13 14diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c 15index af184c86af..9b40e5384e 100644 16--- a/crypto/pkcs12/p12_add.c 17+++ b/crypto/pkcs12/p12_add.c 18@@ -76,6 +76,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7) 19 PKCS12_R_CONTENT_TYPE_NOT_DATA); 20 return NULL; 21 } 22+ 23+ if (p7->d.data == NULL) { 24+ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR); 25+ return NULL; 26+ } 27+ 28 return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS)); 29 } 30 31@@ -132,6 +138,11 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, 32 { 33 if (!PKCS7_type_is_encrypted(p7)) 34 return NULL; 35+ 36+ if (p7->d.encrypted == NULL) { 37+ return NULL; 38+ } 39+ 40 return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm, 41 ASN1_ITEM_rptr(PKCS12_SAFEBAGS), 42 pass, passlen, 43@@ -159,6 +170,11 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12) 44 PKCS12_R_CONTENT_TYPE_NOT_DATA); 45 return NULL; 46 } 47+ if (p12->authsafes->d.data == NULL) { 48+ PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES, PKCS12_R_DECODE_ERROR); 49+ return NULL; 50+ } 51+ 52 return ASN1_item_unpack(p12->authsafes->d.data, 53 ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); 54 } 55diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c 56index 3658003fe5..766c9c1e9d 100644 57--- a/crypto/pkcs12/p12_mutl.c 58+++ b/crypto/pkcs12/p12_mutl.c 59@@ -93,6 +93,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen, 60 return 0; 61 } 62 63+ if (p12->authsafes->d.data == NULL) { 64+ PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_DECODE_ERROR); 65+ return 0; 66+ } 67+ 68 salt = p12->mac->salt->data; 69 saltlen = p12->mac->salt->length; 70 if (!p12->mac->iter) 71diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c 72index 0334289a89..130337638d 100644 73--- a/crypto/pkcs12/p12_npas.c 74+++ b/crypto/pkcs12/p12_npas.c 75@@ -78,8 +78,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass) 76 bags = PKCS12_unpack_p7data(p7); 77 } else if (bagnid == NID_pkcs7_encrypted) { 78 bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); 79- if (!alg_get(p7->d.encrypted->enc_data->algorithm, 80- &pbe_nid, &pbe_iter, &pbe_saltlen)) 81+ if (p7->d.encrypted == NULL 82+ || !alg_get(p7->d.encrypted->enc_data->algorithm, 83+ &pbe_nid, &pbe_iter, &pbe_saltlen)) 84 goto err; 85 } else { 86 continue; 87diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c 88index 19e6868148..b457108c94 100644 89--- a/crypto/pkcs7/pk7_mime.c 90+++ b/crypto/pkcs7/pk7_mime.c 91@@ -30,10 +30,14 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) 92 { 93 STACK_OF(X509_ALGOR) *mdalgs; 94 int ctype_nid = OBJ_obj2nid(p7->type); 95- if (ctype_nid == NID_pkcs7_signed) 96+ 97+ if (ctype_nid == NID_pkcs7_signed) { 98+ if (p7->d.sign == NULL) 99+ return 0; 100 mdalgs = p7->d.sign->md_algs; 101- else 102+ } else { 103 mdalgs = NULL; 104+ } 105 106 flags ^= SMIME_OLDMIME; 107 108-- 1092.17.1 110