CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (3.0)

Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
author: Hugo Landau <hlandau@openssl.org> 2023-01-17 17:45:42 +0000
committer: Tomas Mraz <tomas@openssl.org> 2023-02-07 17:02:47 +0100
commit: 84d85fcabd6d8f3740ad015bda329512630799df (patch)
tree: 51d2937b088af81792139df1cc51d75aea02629b
parent: de4e3868de2de12fb799a1cdbba87c44b61cf3e2 (diff)
4 files changed, 29 insertions, 2 deletions
diff --git a/CHANGES.md b/CHANGES.md
index 2f5d1b6337..192c5c32ff 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -118,6 +118,24 @@ breaking changes, and mappings for the large list of deprecated functions.
 
    *Nicola Tuveri*
 
+ * Fixed a type confusion vulnerability relating to X.400 address processing
+   inside an X.509 GeneralName. X.400 addresses were parsed as an `ASN1_STRING`
+   but subsequently interpreted by `GENERAL_NAME_cmp` as an `ASN1_TYPE`. This
+   vulnerability may allow an attacker who can provide a certificate chain and
+   CRL (neither of which need have a valid signature) to pass arbitrary pointers
+   to a `memcmp` call, creating a possible read primitive, subject to some
+   constraints. Refer to the advisory for more information. Thanks to David
+   Benjamin for discovering this issue. ([CVE-2023-0286])
+
+   This issue has been fixed by changing the public header file definition of
+   `GENERAL_NAME` so that `x400Address` reflects the implementation. It was not
+   possible for any existing application to successfully use the existing
+   definition; however, if any application references the `x400Address` field
+   (e.g. in dead code), note that the type of this field has changed. There is
+   no ABI change.
+
+   *Hugo Landau*
+
 ### Changes between 3.0.6 and 3.0.7 [1 Nov 2022]
 
  * Fixed two buffer overflows in punycode decoding functions.
@@ -19505,6 +19523,7 @@ ndif
 
 <!-- Links -->
 
+[CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
 [CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
 [CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
 [CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971
diff --git a/crypto/x509/v3_genn.c b/crypto/x509/v3_genn.c
index c0a7166cd0..1741c2d2f6 100644
--- a/crypto/x509/v3_genn.c
+++ b/crypto/x509/v3_genn.c
@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
         return -1;
     switch (a->type) {
     case GEN_X400:
-        result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
+        result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
         break;
 
     case GEN_EDIPARTY:
diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in
index 455a997d06..96066884f8 100644
--- a/include/openssl/x509v3.h.in
+++ b/include/openssl/x509v3.h.in
@@ -157,7 +157,7 @@ typedef struct GENERAL_NAME_st {
         OTHERNAME *otherName;   /* otherName */
         ASN1_IA5STRING *rfc822Name;
         ASN1_IA5STRING *dNSName;
-        ASN1_TYPE *x400Address;
+        ASN1_STRING *x400Address;
         X509_NAME *directoryName;
         EDIPARTYNAME *ediPartyName;
         ASN1_IA5STRING *uniformResourceIdentifier;
diff --git a/test/v3nametest.c b/test/v3nametest.c
index 6d2e2f8e27..0341995dde 100644
--- a/test/v3nametest.c
+++ b/test/v3nametest.c
@@ -644,6 +644,14 @@ static struct gennamedata {
             0xb7, 0x09, 0x02, 0x02
         },
         15
+    }, {
+        /*
+         * Regression test for CVE-2023-0286.
+         */
+        {
+            0xa3, 0x00
+        },
+        2
     }
 };
author	Hugo Landau <hlandau@openssl.org>	2023-01-17 17:45:42 +0000
committer	Tomas Mraz <tomas@openssl.org>	2023-02-07 17:02:47 +0100
commit	84d85fcabd6d8f3740ad015bda329512630799df (patch)
tree	51d2937b088af81792139df1cc51d75aea02629b
parent	de4e3868de2de12fb799a1cdbba87c44b61cf3e2 (diff)