

Null pointer dereference – new security bug for OpenSSL - openbsddesktop
http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/005_openssl.patch.sig

======
agl
Good to note that this was found with KLEE[1]. KLEE is good for symbolic
execution of code and is very cool[2].

This only triggers a crash if you use RELEASE_BUFFERS (not the default) and a
warning alert is written when the socket buffer is full. About the only case
where a warning alert is generated is when a client attempts a renegotiation
without the renegotiation extension (unless insecure renegotiation is allowed
by the app). I've not been able to trigger the bug in a test because code
generally stops reading once the socket buffer is full so you need the
application to exactly fill the socket buffer (so that it doesn't get EAGAIN),
then a warning alert can just exceed it.

[1] [http://marc.info/?l=openssl-dev&m=139809493725682&w=2](http://marc.info/?l=openssl-dev&m=139809493725682&w=2)
[2] [http://klee.github.io/klee/](http://klee.github.io/klee/)
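
The sequence agl describes, as an added example that is not code from the original page, from OpenSSL or from the OpenBSD patch: a simplified C model of a record-layer write path in which a completed flush frees the write buffer (the RELEASE_BUFFERS behaviour), a warning alert has been queued while the socket was full, and the next application write first dispatches that alert. The two `do_write_*` functions differ only in whether the "is the buffer still there?" check runs before or after the alert goes out, which is the ordering the OpenBSD hunk fixes. All names (`conn`, `write_buf`, `setup_write_buffer`, `dispatch_alert`, `do_write_before_patch`, `do_write_after_patch`) are invented, the kernel socket buffer is modelled as a byte counter, and the crash is replaced by a `WRITE_NULL_DEREF` return so the model can actually run.

```c
/* Added example, not OpenSSL's or OpenBSD's code; names and the socket model are invented. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WB_SIZE   4096
#define ALERT_LEN 7     /* 5-byte record header + 2-byte alert body */

enum { WRITE_NULL_DEREF = -2, WRITE_ERR = -1, WRITE_WANT_WRITE = 0, WRITE_OK = 1 };

struct write_buf {
    unsigned char *buf;   /* NULL while released */
    size_t left;          /* bytes not yet accepted by the socket */
};

struct conn {
    struct write_buf wb;
    int release_buffers;  /* models SSL_MODE_RELEASE_BUFFERS */
    int alert_pending;    /* a warning alert queued while the socket was full */
    size_t socket_space;  /* constructed: free bytes in the socket send buffer */
};

static int setup_write_buffer(struct conn *c)
{
    if (c->wb.buf == NULL && (c->wb.buf = calloc(1, WB_SIZE)) == NULL)
        return 0;
    return 1;
}

/* In release mode the buffer is freed as soon as nothing is left to flush. */
static void release_write_buffer(struct conn *c)
{
    if (c->release_buffers && c->wb.left == 0) {
        free(c->wb.buf);
        c->wb.buf = NULL;
    }
}

/* Hand the socket what it will take; WRITE_WANT_WRITE models EAGAIN. */
static int write_pending(struct conn *c)
{
    size_t n = c->wb.left < c->socket_space ? c->wb.left : c->socket_space;
    c->socket_space -= n;
    c->wb.left -= n;
    if (c->wb.left != 0) {
        errno = EAGAIN;
        return WRITE_WANT_WRITE;
    }
    release_write_buffer(c);
    return WRITE_OK;
}

/* Copy one record into the write buffer and start flushing it. */
static int push_record(struct conn *c, const unsigned char *rec, size_t len)
{
    memcpy(c->wb.buf, rec, len);   /* caller must guarantee wb.buf != NULL */
    c->wb.left = len;
    return write_pending(c);
}

/* Warning alert no_renegotiation(100), the case agl mentions. */
static int dispatch_alert(struct conn *c)
{
    static const unsigned char alert[ALERT_LEN] = { 0x15, 3, 1, 0, 2, 1, 100 };
    int r;
    if (!setup_write_buffer(c))
        return WRITE_ERR;
    r = push_record(c, alert, ALERT_LEN);
    if (r > 0)
        c->alert_pending = 0;
    return r;
}

/* Pre-patch ordering: buffer set up BEFORE the queued alert goes out.  If the
 * alert drains completely, release_write_buffer() frees wb.buf underneath us. */
static int do_write_before_patch(struct conn *c, const unsigned char *rec, size_t len)
{
    if (c->wb.left != 0)
        return write_pending(c);
    if (!setup_write_buffer(c))
        return WRITE_ERR;
    if (c->alert_pending) {
        int i = dispatch_alert(c);
        if (i <= 0)
            return i;
    }
    if (c->wb.buf == NULL)
        return WRITE_NULL_DEREF;   /* real code would memcpy() into NULL here */
    return push_record(c, rec, len);
}

/* Patched ordering, as in the OpenBSD hunk: re-check wb.buf AFTER the alert. */
static int do_write_after_patch(struct conn *c, const unsigned char *rec, size_t len)
{
    if (c->wb.left != 0)
        return write_pending(c);
    if (c->alert_pending) {
        int i = dispatch_alert(c);
        if (i <= 0)
            return i;
    }
    if (c->wb.buf == NULL)
        if (!setup_write_buffer(c))
            return WRITE_ERR;
    return push_record(c, rec, len);
}

/* One application write with a warning alert already queued; socket_space
 * decides whether the alert drains completely (and so releases the buffer). */
static int run(int (*do_write)(struct conn *, const unsigned char *, size_t),
               int release_buffers, size_t socket_space)
{
    struct conn c = { { NULL, 0 }, release_buffers, 1, socket_space };
    unsigned char app[16] = { 0x17, 3, 1, 0, 11 };   /* constructed app-data record */
    int r = do_write(&c, app, sizeof app);
    free(c.wb.buf);
    return r;
}

int main(void)
{
    printf("before patch, release mode:      %d\n", run(do_write_before_patch, 1, 65536));
    printf("before patch, default mode:      %d\n", run(do_write_before_patch, 0, 65536));
    printf("before patch, alert hits EAGAIN: %d\n", run(do_write_before_patch, 1, 3));
    printf("after patch,  release mode:      %d\n", run(do_write_after_patch, 1, 65536));
    return 0;
}
```

The third case is the point behind agl's "exactly fill the socket buffer" remark: if the alert itself gets EAGAIN, the buffer still has bytes left, is not released, and nothing crashes; the dereference needs the alert to go out completely so that the release happens between the two checks.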

~~~
duked
KLEE is ok on small programs but has a lot of limitations with real-world
programs (mostly those using libraries), at least according to a USENIX paper
last year: [https://www.usenix.org/conference/cset13/workshop-program/pr...](https://www.usenix.org/conference/cset13/workshop-program/presentation/benameur)

~~~
munin
How does what you say square with the evidence that klee found a bug in
OpenSSL which is about as real world as it gets?

------
eyeareque
Are there any write ups for this yet? I can't find a CVE or anything on this
one. No word from OpenSSL yet either.

~~~
Moral_
This shouldn't be exploitable on modern linux machines due to
[https://wiki.debian.org/mmap_min_addr](https://wiki.debian.org/mmap_min_addr)

Who knows for embedded devices.

~~~
lawnchair_larry
It wouldn't be exploitable even without that, due to it being a userland
dereference. The mmap 0 trick really only applies to kernel exploits. If
you're in a position to mmap anything, you can already execute code.

------
ams6110
That patch is set up for a later bug to be introduced: no brackets on the if
statements.

Instead of:

    
    
      +		if (wb->buf == NULL)
      +			if (!ssl3_setup_write_buffer(s))
      +				return -1;
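
Review bot: missing documentation on the guard: nothing here records why `wb->buf` can be NULL at this point (per agl's comment above, a RELEASE_BUFFERS free after a completed write), so a later cleanup could move the check and reintroduce the dereference; a one-line comment above `if (wb->buf == NULL)` saying the buffer may have been released would prevent that. On style, KNF permits the brace-less nested `if`, but bracing the outer `if` removes the dangling-else hazard at no cost.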
    

Why not:

    
    
      +		if (wb->buf == NULL) {
      +			if (!ssl3_setup_write_buffer(s)) {
      +				return -1;
      +			}
      +		}

~~~
insaneirish
This is OpenBSD Kernel Normal Form ([http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9](http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9)).

Disagree you may, but it's consistent with their self-imposed guidelines.

~~~
codezero
Sort of. They say only if it's a single line that it's not allowed. If there
are multiple lines it's "permitted."

So technically, this is still OK, but they are allowed to use braces when
there are multiple lines. (the if and the return) They have an example in that
link that covers this as a permitted case, but as you say, it's OK and
consistent, but that doesn't make it good :)

------
protomyth
Like I said in the other thread on 5.5, make sure you update for the patches.
[http://www.openbsd.org/errata55.html](http://www.openbsd.org/errata55.html)

This one is listed on that page (bottom 005: SECURITY FIX: May 1, 2014).

~~~
openbsddesktop
I think they are sending out e-mails about new patches.

------
openbsddesktop
You can thank the people that found the bug here:

[http://www.openbsdfoundation.org/donations.html](http://www.openbsdfoundation.org/donations.html)

[http://www.openbsd.org/donations.html](http://www.openbsd.org/donations.html)

[http://www.openbsd.org/want.html](http://www.openbsd.org/want.html)

~~~
Dorian-Marie
Wow, all your comments are about donating to OpenBSD.

~~~
openbsddesktop
Then here is another type: a previous security bug:

Apr 12, 2014

[http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/004_op...](http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/004_openssl.patch.sig)

-->>

2014-04-30

[http://www.freebsd.org/security/advisories/FreeBSD-SA-14:09....](http://www.freebsd.org/security/advisories/FreeBSD-SA-14:09.openssl.asc)

It needed 18 days to reach other OSes, e.g. FreeBSD. Interesting lag.

------
Qantourisc
Is it me, or should code that has to be secure be written in more managed
languages to prevent these mistakes? (But managed languages probably have
other security issues I don't know about?)

~~~
akjj
Managed languages are very susceptible to timing attacks.

------
ticktocktick
Are we better off using decoder rings and snail mail at this point?

~~~
bottombutton
There's always Windows.

