[Libreoffice-commits] core.git: xmlsecurity/source

Libreoffice Gerrit user logerrit at kemper.freedesktop.org
Mon Nov 5 20:45:53 UTC 2018


 xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

New commits:
commit 23874f86dd51386d98ef8e3d06a1ece05463ed3c
Author:     Stephan Bergmann <sbergman at redhat.com>
AuthorDate: Mon Nov 5 17:24:09 2018 +0100
Commit:     Stephan Bergmann <sbergman at redhat.com>
CommitDate: Mon Nov 5 21:44:48 2018 +0100

    xmlSecNssPKIAdoptKey apparently takes over ownership of keys
    
    (e.g., see xmlSecNssPKIKeyDataAdoptKey called from xmlSecNssPKIAdoptKey in
    workdir/UnpackedTarball/xmlsec/src/nss/pkikeys.c, which has
    
        if (ctx->privkey) {
            SECKEY_DestroyPrivateKey(ctx->privkey);
        }
        ctx->privkey = privkey;
    
    to install the passed in new privkey as ctx->privkey, which is apparently
    considered owned by ctx)
    
    Presumably since ab7fabd8b116d16def53772720f19fad4dbd6366 "lok: update the test
    for singing the document from LOK" changed the relevant test code,
    CppunitTest_desktop_lib fails in ASan builds with
    
    > ==16681==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d001a914a8 at pc 0x7f2af9afdf33 bp 0x7ffd59d3ccb0 sp 0x7ffd59d3cca8
    > READ of size 4 at 0x61d001a914a8 thread T0
    >  #0 in SECKEY_GetPrivateKeyType at workdir/UnpackedTarball/nss/nss/lib/cryptohi/seckey.c:1716:21 (instdir/program/libnss3.so +0x3c6f32)
    >  #1 in xmlSecNssPKIAdoptKey at workdir/UnpackedTarball/xmlsec/src/nss/pkikeys.c:208:19 (instdir/program/libxsec_xmlsec.so +0x4026bc)
    >  #2 in SecurityEnvironment_NssImpl::createKeysManager() at xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx:846:41 (instdir/program/libxsec_xmlsec.so +0x36a4ce)
    >  #3 in XMLSignature_NssImpl::validate(com::sun::star::uno::Reference<com::sun::star::xml::crypto::XXMLSignatureTemplate> const&, com::sun::star::uno::Reference<com::sun::star::xml::crypto::XXMLSecurityContext> const&) at xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx:231:56 (instdir/program/libxsec_xmlsec.so +0x3ca23e)
    >  #4 in non-virtual thunk to XMLSignature_NssImpl::validate(com::sun::star::uno::Reference<com::sun::star::xml::crypto::XXMLSignatureTemplate> const&, com::sun::star::uno::Reference<com::sun::star::xml::crypto::XXMLSecurityContext> const&) at xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx (instdir/program/libxsec_xmlsec.so +0x3cb1ca)
    >  #5 in SignatureVerifierImpl::startEngine(rtl::Reference<XMLSignatureTemplateImpl> const&) at xmlsecurity/source/framework/signatureverifierimpl.cxx:70:44 (instdir/program/libxmlsecurity.so +0x6da8a9)
    >  #6 in SignatureEngine::tryToPerform() at xmlsecurity/source/framework/signatureengine.cxx:112:9 (instdir/program/libxmlsecurity.so +0x6c9a4e)
    >  #7 in SecurityEngine::referenceResolved(int) at xmlsecurity/source/framework/securityengine.cxx:39:5 (instdir/program/libxmlsecurity.so +0x6ba84a)
    >  #8 in ElementCollector::doNotify() at xmlsecurity/source/framework/elementcollector.cxx:136:39 (instdir/program/libxmlsecurity.so +0x660853)
    >  #9 in ElementCollector::notifyListener() at xmlsecurity/source/framework/elementcollector.cxx:88:5 (instdir/program/libxmlsecurity.so +0x660006)
    >  #10 in BufferNode::elementCollectorNotify() at xmlsecurity/source/framework/buffernode.cxx:725:40 (instdir/program/libxmlsecurity.so +0x5fe591)
    >  #11 in BufferNode::setReceivedAll() at xmlsecurity/source/framework/buffernode.cxx:96:5 (instdir/program/libxmlsecurity.so +0x5fd61a)
    >  #12 in SAXEventKeeperImpl::endElement(rtl::OUString const&) at xmlsecurity/source/framework/saxeventkeeperimpl.cxx:1067:36 (instdir/program/libxmlsecurity.so +0x67694c)
    >  #13 in XSecParser::endElement(rtl::OUString const&) at xmlsecurity/source/helper/xsecparser.cxx:408:29 (instdir/program/libxmlsecurity.so +0x885bd6)
    >  #14 in (anonymous namespace)::SaxExpatParser_Impl::callbackEndElement(void*, char const*) at sax/source/expatwrap/sax_expat.cxx:731:9 (instdir/program/libexpwraplo.so +0x1a0817)
    >  #15 in (anonymous namespace)::call_callbackEndElement(void*, char const*) at sax/source/expatwrap/sax_expat.cxx:242:9 (instdir/program/libexpwraplo.so +0x199604)
    >  #16 in doContent at workdir/UnpackedTarball/expat/lib/xmlparse.c:2954:11 (instdir/program/libexpwraplo.so +0x32fdf9)
    >  #17 in contentProcessor at workdir/UnpackedTarball/expat/lib/xmlparse.c:2531:27 (instdir/program/libexpwraplo.so +0x319c93)
    >  #18 in doProlog at workdir/UnpackedTarball/expat/lib/xmlparse.c:4556:14 (instdir/program/libexpwraplo.so +0x313539)
    >  #19 in prologProcessor at workdir/UnpackedTarball/expat/lib/xmlparse.c:4270:10 (instdir/program/libexpwraplo.so +0x2ffcc8)
    >  #20 in XML_ParseBuffer at workdir/UnpackedTarball/expat/lib/xmlparse.c:1983:25 (instdir/program/libexpwraplo.so +0x2fafbf)
    >  #21 in (anonymous namespace)::SaxExpatParser_Impl::parse() at sax/source/expatwrap/sax_expat.cxx:654:27 (instdir/program/libexpwraplo.so +0x19a27e)
    >  #22 in (anonymous namespace)::SaxExpatParser::parseStream(com::sun::star::xml::sax::InputSource const&) at sax/source/expatwrap/sax_expat.cxx:484:14 (instdir/program/libexpwraplo.so +0x192774)
    >  #23 in XMLSignatureHelper::ReadAndVerifySignature(com::sun::star::uno::Reference<com::sun::star::io::XInputStream> const&) at xmlsecurity/source/helper/xmlsignaturehelper.cxx:278:18 (instdir/program/libxmlsecurity.so +0x7dd825)
    >  #24 in DocumentSignatureManager::read(bool, bool) at xmlsecurity/source/helper/documentsignaturemanager.cxx:549:31 (instdir/program/libxmlsecurity.so +0x743aaa)
    >  #25 in DocumentDigitalSignatures::signDocumentWithCertificate(com::sun::star::uno::Reference<com::sun::star::security::XCertificate> const&, com::sun::star::uno::Reference<com::sun::star::embed::XStorage> const&, com::sun::star::uno::Reference<com::sun::star::io::XStream> const&) at xmlsecurity/source/component/documentdigitalsignatures.cxx:781:23 (instdir/program/libxmlsecurity.so +0x4855fc)
    >  #26 in SfxMedium::SignDocumentContentUsingCertificate(bool, com::sun::star::uno::Reference<com::sun::star::security::XCertificate> const&) at sfx2/source/doc/docfile.cxx:3709:42 (instdir/program/libsfxlo.so +0x3577abe)
    >  #27 in SfxObjectShell::SignDocumentContentUsingCertificate(com::sun::star::uno::Reference<com::sun::star::security::XCertificate> const&) at sfx2/source/doc/objserv.cxx:1659:38 (instdir/program/libsfxlo.so +0x37e1aab)
    >  #28 in doc_insertCertificate(_LibreOfficeKitDocument*, unsigned char const*, int, unsigned char const*, int) at desktop/source/lib/init.cxx:3690:26 (instdir/program/libsofficeapp.so +0x7a40af)
    >  #29 in DesktopLOKTest::testInsertCertificate() at desktop/qa/desktop_lib/test_desktop_lib.cxx:2322:24 (workdir/LinkTarget/CppunitTest/libtest_desktop_lib.so +0x187439)
    >
    > 0x61d001a914a8 is located 40 bytes inside of 2048-byte region [0x61d001a91480,0x61d001a91c80)
    > freed by thread T0 here:
    >  #0 in free at /home/sbergman/github.com/llvm-project/llvm-project-20170507/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3 (workdir/LinkTarget/Executable/cppunittester +0x4feda8)
    >  #1 in PR_Free at workdir/UnpackedTarball/nss/nspr/out/pr/src/malloc/../../../../pr/src/malloc/prmem.c:458:9 (instdir/program/libnspr4.so +0x12c5af)
    >  #2 in FreeArenaList at workdir/UnpackedTarball/nss/nspr/out/lib/ds/../../../lib/ds/plarena.c:195:9 (instdir/program/libplds4.so +0xcc36)
    >  #3 in PL_FreeArenaPool at workdir/UnpackedTarball/nss/nspr/out/lib/ds/../../../lib/ds/plarena.c:216:5 (instdir/program/libplds4.so +0xcd9d)
    >  #4 in PORT_FreeArena_Util at workdir/UnpackedTarball/nss/nss/lib/util/secport.c:383:9 (instdir/program/libnssutil3.so +0x103381)
    >  #5 in SECKEY_DestroyPrivateKey at workdir/UnpackedTarball/nss/nss/lib/cryptohi/seckey.c:250:13 (instdir/program/libnss3.so +0x3baa05)
    >  #6 in xmlSecNSSPKIKeyDataCtxFree at workdir/UnpackedTarball/xmlsec/src/nss/pkikeys.c:109:9 (instdir/program/libxsec_xmlsec.so +0x4093a3)
    >  #7 in xmlSecNssPKIKeyDataFinalize at workdir/UnpackedTarball/xmlsec/src/nss/pkikeys.c:99:5 (instdir/program/libxsec_xmlsec.so +0x417a61)
    >  #8 in xmlSecNssKeyDataRsaFinalize at workdir/UnpackedTarball/xmlsec/src/nss/pkikeys.c:1086:5 (instdir/program/libxsec_xmlsec.so +0x419214)
    >  #9 in xmlSecKeyDataDestroy at workdir/UnpackedTarball/xmlsec/src/keysdata.c:248:9 (instdir/program/libxsec_xmlsec.so +0x5213f4)
    >  #10 in xmlSecKeyEmpty at workdir/UnpackedTarball/xmlsec/src/keys.c:533:9 (instdir/program/libxsec_xmlsec.so +0x518026)
    >  #11 in xmlSecKeyDestroy at workdir/UnpackedTarball/xmlsec/src/keys.c:555:5 (instdir/program/libxsec_xmlsec.so +0x51838a)
    >  #12 in xmlSecPtrListEmpty at workdir/UnpackedTarball/xmlsec/src/list.c:149:17 (instdir/program/libxsec_xmlsec.so +0x54943a)
    >  #13 in xmlSecPtrListFinalize at workdir/UnpackedTarball/xmlsec/src/list.c:129:5 (instdir/program/libxsec_xmlsec.so +0x548b87)
    >  #14 in xmlSecSimpleKeysStoreFinalize at workdir/UnpackedTarball/xmlsec/src/keysmngr.c:663:5 (instdir/program/libxsec_xmlsec.so +0x5432b0)
    >  #15 in xmlSecKeyStoreDestroy at workdir/UnpackedTarball/xmlsec/src/keysmngr.c:274:9 (instdir/program/libxsec_xmlsec.so +0x53a03c)
    >  #16 in xmlSecNssKeysStoreFinalize at workdir/UnpackedTarball/xmlsec/src/nss/keysstore.c:276:5 (instdir/program/libxsec_xmlsec.so +0x485f76)
    >  #17 in xmlSecKeyStoreDestroy at workdir/UnpackedTarball/xmlsec/src/keysmngr.c:274:9 (instdir/program/libxsec_xmlsec.so +0x53a03c)
    >  #18 in xmlSecKeysMngrDestroy at workdir/UnpackedTarball/xmlsec/src/keysmngr.c:84:9 (instdir/program/libxsec_xmlsec.so +0x539a79)
    >  #19 in SecurityEnvironment_NssImpl::destroyKeysManager(_xmlSecKeysMngr*) at xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx:862:9 (instdir/program/libxsec_xmlsec.so +0x36a817)
    >  #20 in std::default_delete<_xmlSecKeysMngr>::operator()(_xmlSecKeysMngr*) at xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx:52:46 (instdir/program/libxsec_xmlsec.so +0x3cd05d)
    >  #21 in std::unique_ptr<_xmlSecKeysMngr, std::default_delete<_xmlSecKeysMngr> >::~unique_ptr() at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/unique_ptr.h:274:4 (instdir/program/libxsec_xmlsec.so +0x3cc759)
    >  #22 in XMLSignature_NssImpl::generate(com::sun::star::uno::Reference<com::sun::star::xml::crypto::XXMLSignatureTemplate> const&, com::sun::star::uno::Reference<com::sun::star::xml::crypto::XSecurityEnvironment> const&) at xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx:173:1 (instdir/program/libxsec_xmlsec.so +0x3c8934)
    >  #23 in non-virtual thunk to XMLSignature_NssImpl::generate(com::sun::star::uno::Reference<com::sun::star::xml::crypto::XXMLSignatureTemplate> const&, com::sun::star::uno::Reference<com::sun::star::xml::crypto::XSecurityEnvironment> const&) at xmlsecurity/source/xmlsec/nss/xmlsignature_nssimpl.cxx (instdir/program/libxsec_xmlsec.so +0x3c8b9a)
    >  #24 in SignatureCreatorImpl::startEngine(rtl::Reference<XMLSignatureTemplateImpl> const&) at xmlsecurity/source/framework/signaturecreatorimpl.cxx:78:44 (instdir/program/libxmlsecurity.so +0x6be738)
    >  #25 in SignatureEngine::tryToPerform() at xmlsecurity/source/framework/signatureengine.cxx:112:9 (instdir/program/libxmlsecurity.so +0x6c9a4e)
    >  #26 in SecurityEngine::referenceResolved(int) at xmlsecurity/source/framework/securityengine.cxx:39:5 (instdir/program/libxmlsecurity.so +0x6ba84a)
    >  #27 in ElementCollector::doNotify() at xmlsecurity/source/framework/elementcollector.cxx:136:39 (instdir/program/libxmlsecurity.so +0x660853)
    >  #28 in ElementCollector::notifyListener() at xmlsecurity/source/framework/elementcollector.cxx:88:5 (instdir/program/libxmlsecurity.so +0x660006)
    >  #29 in BufferNode::elementCollectorNotify() at xmlsecurity/source/framework/buffernode.cxx:725:40 (instdir/program/libxmlsecurity.so +0x5fe591)
    >  #30 in BufferNode::setReceivedAll() at xmlsecurity/source/framework/buffernode.cxx:96:5 (instdir/program/libxmlsecurity.so +0x5fd61a)
    >  #31 in SAXEventKeeperImpl::endElement(rtl::OUString const&) at xmlsecurity/source/framework/saxeventkeeperimpl.cxx:1067:36 (instdir/program/libxmlsecurity.so +0x67694c)
    >  #32 in XSecController::exportSignature(com::sun::star::uno::Reference<com::sun::star::xml::sax::XDocumentHandler> const&, SignatureInformation const&, bool) at xmlsecurity/source/helper/xsecctl.cxx:916:23 (instdir/program/libxmlsecurity.so +0x868894)
    >  #33 in XSecController::WriteSignature(com::sun::star::uno::Reference<com::sun::star::xml::sax::XDocumentHandler> const&, bool) at xmlsecurity/source/helper/xsecsign.cxx:393:17 (instdir/program/libxmlsecurity.so +0x894df1)
    >  #34 in XMLSignatureHelper::CreateAndWriteSignature(com::sun::star::uno::Reference<com::sun::star::xml::sax::XDocumentHandler> const&, bool) at xmlsecurity/source/helper/xmlsignaturehelper.cxx:248:29 (instdir/program/libxmlsecurity.so +0x7dcebe)
    >  #35 in DocumentSignatureManager::add(com::sun::star::uno::Reference<com::sun::star::security::XCertificate> const&, com::sun::star::uno::Reference<com::sun::star::xml::crypto::XXMLSecurityContext> const&, rtl::OUString const&, int&, bool, rtl::OUString const&, com::sun::star::uno::Reference<com::sun::star::graphic::XGraphic> const&, com::sun::star::uno::Reference<com::sun::star::graphic::XGraphic> const&) at xmlsecurity/source/helper/documentsignaturemanager.cxx:422:27 (instdir/program/libxmlsecurity.so +0x74032e)
    >  #36 in DocumentDigitalSignatures::signDocumentWithCertificate(com::sun::star::uno::Reference<com::sun::star::security::XCertificate> const&, com::sun::star::uno::Reference<com::sun::star::embed::XStorage> const&, com::sun::star::uno::Reference<com::sun::star::io::XStream> const&) at xmlsecurity/source/component/documentdigitalsignatures.cxx:777:39 (instdir/program/libxmlsecurity.so +0x48541a)
    >  #37 in SfxMedium::SignDocumentContentUsingCertificate(bool, com::sun::star::uno::Reference<com::sun::star::security::XCertificate> const&) at sfx2/source/doc/docfile.cxx:3709:42 (instdir/program/libsfxlo.so +0x3577abe)
    >  #38 in SfxObjectShell::SignDocumentContentUsingCertificate(com::sun::star::uno::Reference<com::sun::star::security::XCertificate> const&) at sfx2/source/doc/objserv.cxx:1659:38 (instdir/program/libsfxlo.so +0x37e1aab)
    >  #39 in doc_insertCertificate(_LibreOfficeKitDocument*, unsigned char const*, int, unsigned char const*, int) at desktop/source/lib/init.cxx:3690:26 (instdir/program/libsofficeapp.so +0x7a40af)
    >  #40 in DesktopLOKTest::testInsertCertificate() at desktop/qa/desktop_lib/test_desktop_lib.cxx:2322:24 (workdir/LinkTarget/CppunitTest/libtest_desktop_lib.so +0x187439)
    >
    > previously allocated by thread T0 here:
    >  #0 in __interceptor_malloc at /home/sbergman/github.com/llvm-project/llvm-project-20170507/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3 (workdir/LinkTarget/Executable/cppunittester +0x4ff187)
    >  #1 in PR_Malloc at workdir/UnpackedTarball/nss/nspr/out/pr/src/malloc/../../../../pr/src/malloc/prmem.c:435:55 (instdir/program/libnspr4.so +0x12892c)
    >  #2 in PL_ArenaAllocate at workdir/UnpackedTarball/nss/nspr/out/lib/ds/../../../lib/ds/plarena.c:127:27 (instdir/program/libplds4.so +0x9c8f)
    >  #3 in PORT_ArenaAlloc_Util at workdir/UnpackedTarball/nss/nss/lib/util/secport.c:321:9 (instdir/program/libnssutil3.so +0x1028c3)
    >  #4 in PORT_ArenaZAlloc_Util at workdir/UnpackedTarball/nss/nss/lib/util/secport.c:342:9 (instdir/program/libnssutil3.so +0x10311f)
    >  #5 in PK11_MakePrivKey at workdir/UnpackedTarball/nss/nss/lib/pk11wrap/pk11akey.c:865:9 (instdir/program/libnss3.so +0x3f6529)
    >  #6 in PK11_ImportAndReturnPrivateKey at workdir/UnpackedTarball/nss/nss/lib/pk11wrap/pk11pk12.c:538:18 (instdir/program/libnss3.so +0x4ebcac)
    >  #7 in PK11_ImportPrivateKeyInfoAndReturnKey at workdir/UnpackedTarball/nss/nss/lib/pk11wrap/pk11pk12.c:645:10 (instdir/program/libnss3.so +0x4dea0c)
    >  #8 in PK11_ImportDERPrivateKeyInfoAndReturnKey at workdir/UnpackedTarball/nss/nss/lib/pk11wrap/pk11pk12.c:299:10 (instdir/program/libnss3.so +0x4ddba8)
    >  #9 in SecurityEnvironment_NssImpl::insertPrivateKey(com::sun::star::uno::Sequence<signed char> const&) at xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx:883:25 (instdir/program/libxsec_xmlsec.so +0x36ac38)
    >  #10 in SecurityEnvironment_NssImpl::createDERCertificateWithPrivateKey(com::sun::star::uno::Sequence<signed char> const&, com::sun::star::uno::Sequence<signed char> const&) at xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx:897:37 (instdir/program/libxsec_xmlsec.so +0x36afe6)
    >  #11 in non-virtual thunk to SecurityEnvironment_NssImpl::createDERCertificateWithPrivateKey(com::sun::star::uno::Sequence<signed char> const&, com::sun::star::uno::Sequence<signed char> const&) at xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx (instdir/program/libxsec_xmlsec.so +0x36b49a)
    >  #12 in doc_insertCertificate(_LibreOfficeKitDocument*, unsigned char const*, int, unsigned char const*, int) at desktop/source/lib/init.cxx:3685:41 (instdir/program/libsofficeapp.so +0x7a3ea3)
    >  #13 in DesktopLOKTest::testInsertCertificate() at desktop/qa/desktop_lib/test_desktop_lib.cxx:2322:24 (workdir/LinkTarget/CppunitTest/libtest_desktop_lib.so +0x187439)
    
    Change-Id: Id54bdea78affbf3aa24a1e9bb565c46f48f512e6
    Reviewed-on: https://gerrit.libreoffice.org/62914
    Tested-by: Jenkins
    Reviewed-by: Stephan Bergmann <sbergman at redhat.com>

diff --git a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx
index 0abcc363dd18..0da6276551af 100644
--- a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx
+++ b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx
@@ -841,9 +841,11 @@ xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() {
     if (auto pCertificate = dynamic_cast<X509Certificate_NssImpl*>(m_xSigningCertificate.get()))
     {
         SECKEYPrivateKey* pPrivateKey = pCertificate->getPrivateKey();
-        if (pPrivateKey)
+        SECKEYPrivateKey* copy
+            = pPrivateKey == nullptr ? nullptr : SECKEY_CopyPrivateKey(pPrivateKey);
+        if (copy)
         {
-            xmlSecKeyDataPtr pKeyData = xmlSecNssPKIAdoptKey(pPrivateKey, nullptr);
+            xmlSecKeyDataPtr pKeyData = xmlSecNssPKIAdoptKey(copy, nullptr);
             xmlSecKeyPtr pKey = xmlSecKeyCreate();
             xmlSecKeySetValue(pKey, pKeyData);
             xmlSecNssAppDefaultKeysMngrAdoptKey(pKeysMngr, pKey);


More information about the Libreoffice-commits mailing list