crash in libsofthsm2 on armhf after time_t transition

Bug #2059340 reported by Steve Langasek
Affects: softhsm2 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

fixed one time_t bug in this library already, now there's another.

Found via the libp11 autopkgtests.

reproducer:

OPENSSL_CONF=/tmp/tmp.AHeazS4ed8/ssl.cnf openssl req -engine pkcs11 -new -key 'pkcs11:model=SoftHSM%20v2;object=test-key;pin-value=1234' -keyform engine -out /tmp/tmp.AHeazS4ed8/req.pem -text -x509 -subj /CN=libp11

Snippet of gdb output:

Program received signal SIGSEGV, Segmentation fault.
Downloading source file /usr/src/softhsm2-2.6.1-2.2ubuntu1/src/lib/slot_mgr/SlotManager.cpp
SlotManager::getSlot (this=0x0, slotID=slotID@entry=1150801720)
    at SlotManager.cpp:174
174 return slots.at(slotID);
(gdb) bt
#0 SlotManager::getSlot (this=0x0, slotID=slotID@entry=1150801720)
    at SlotManager.cpp:174
#1 0xf7b61b3c in SoftHSM::C_CloseAllSessions (this=0x4b6020,
    slotID=slotID@entry=1150801720) at SoftHSM.cpp:1386
#2 0xf7b4a522 in C_CloseAllSessions (slotID=1150801720) at main.cpp:347
#3 0xf7bc7ffe in pkcs11_slot_unref (slot=slot@entry=0x4d7610)
    at p11_slot.c:433
<snip>

'slotManager' is NULL.

Tags: time-t

Steve Langasek (vorlon)
tags: added: time-t
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package softhsm2 - 2.6.1-2.2ubuntu3

---------------
softhsm2 (2.6.1-2.2ubuntu3) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- William Grant <email address hidden> Mon, 01 Apr 2024 15:47:06 +1100

Changed in softhsm2 (Ubuntu):
status: New → Fix Released
Stefan Berger (stefanberger) wrote :

I have encountered a similar problem when running a test case of ima-evm-utils with softhsm used as engine on Ubuntu 24.04 (Noble). In this case I am also crashing in pkcs11_slot_unref when this line here is called:

 CRYPTOKI_call(slot->ctx, C_CloseAllSessions(slot->id));

https://github.com/OpenSC/libp11/blob/libp11-0.4.12/src/p11_slot.c#L433

ima-evm-utils: https://github.com/mimizohar/ima-evm-utils-test/

The evmctl utility has left main() when the crash occurs, so this function is called via some OpenSSL destructor code path. When OPENSSL_cleanup() is called before main() exits, this crash does NOT occur.
When single-stepping through the crash, it seems that C_CloseAllSessions() does not get called anymore, but the crash occurs when it seems like it was trying to call this function.

   0x00007ffff7fb3530 <+96>: call 0x7ffff7fae110 <OPENSSL_cleanse@plt>
   0x00007ffff7fb3535 <+101>: mov 0x98(%rbx),%rdi
   0x00007ffff7fb353c <+108>: mov $0x1af,%edx
   0x00007ffff7fb3541 <+113>: mov %r13,%rsi
   0x00007ffff7fb3544 <+116>: call 0x7ffff7fadea0 <CRYPTO_free@plt>
=> 0x00007ffff7fb3549 <+121>: mov 0x8(%rbx),%rax
   0x00007ffff7fb354d <+125>: mov 0x70(%rbx),%rdi
   0x00007ffff7fb3551 <+129>: mov (%rax),%rax
   0x00007ffff7fb3554 <+132>: call *0x78(%rax) <----- crash occurs here
   0x00007ffff7fb3557 <+135>: mov 0x78(%rbx),%rdi

Notes:
- When SoftHSM is used in a test case via an OpenSSL provider, this same crash does NOT occur.
- The same test passes on Fedora (latest) when using SoftHSM either via engine or provider interfaces.
- Another problem is that I cannot use OPENSSL_cleanup before main() exits since tests on AltLinux and Debian end up failing then for some unknown reason.
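The following is an added illustration, not code from SoftHSM, libp11 or any commenter above. It models the failure mode both reports describe: C_CloseAllSessions() is reached once the library's global slot manager pointer is already null (here after an explicit C_Finalize(); in the reports, from an OpenSSL teardown path after main() has returned), and the member call on a null object ends in SIGSEGV at `slots.at(slotID)`. The defensive version of C_CloseAllSessions() turns that into a PKCS#11 error return instead. The SlotManager class, the single slot with ID 1 and the three call sequences are constructed for the example; the CKR_* values are the ones defined by PKCS#11.

```cpp
// Added illustration, not code from SoftHSM or libp11. It models the failure
// mode described on this page: C_CloseAllSessions() is reached once the
// library's global slot manager pointer is already null. The defensive
// C_CloseAllSessions() below returns a PKCS#11 error instead of making a
// member call on a null object. SlotManager and the slot numbering are a toy.
#include <cstdio>
#include <map>
#include <stdexcept>

typedef unsigned long CK_RV;
typedef unsigned long CK_SLOT_ID;

// Return codes with their PKCS#11 numeric values.
const CK_RV CKR_OK = 0x000;
const CK_RV CKR_SLOT_ID_INVALID = 0x003;
const CK_RV CKR_CRYPTOKI_NOT_INITIALIZED = 0x190;

struct Slot {
    int openSessions;
};

// Toy slot manager. As in the backtrace, lookup goes through .at(), which
// throws std::out_of_range for an unknown slot ID rather than returning junk.
class SlotManager {
public:
    void addSlot(CK_SLOT_ID id) { slots[id] = Slot{0}; }
    Slot& getSlot(CK_SLOT_ID id) { return slots.at(id); }
    void openSession(CK_SLOT_ID id) { slots.at(id).openSessions++; }
private:
    std::map<CK_SLOT_ID, Slot> slots;
};

// Global library state, corresponding to the 'slotManager' pointer that the
// report found to be NULL at the time of the crash.
static SlotManager* slotManager = nullptr;

CK_RV C_Initialize() {
    if (slotManager == nullptr) {
        slotManager = new SlotManager();
        slotManager->addSlot(1);   // constructed: a single slot with ID 1
    }
    return CKR_OK;
}

CK_RV C_Finalize() {
    delete slotManager;
    slotManager = nullptr;         // leaves a null pointer behind, as in the report
    return CKR_OK;
}

// Defensive C_CloseAllSessions(): refuse to touch a finalized library and
// report an unknown slot ID as an error instead of letting the exception
// escape through the C interface.
CK_RV C_CloseAllSessions(CK_SLOT_ID slotID) {
    if (slotManager == nullptr) {
        return CKR_CRYPTOKI_NOT_INITIALIZED;
    }
    try {
        slotManager->getSlot(slotID).openSessions = 0;
    } catch (const std::out_of_range&) {
        return CKR_SLOT_ID_INVALID;
    }
    return CKR_OK;
}

// Normal use: close sessions while the library is initialized.
CK_RV closeWhileInitialized() {
    C_Initialize();
    slotManager->openSession(1);
    CK_RV rv = C_CloseAllSessions(1);
    C_Finalize();
    return rv;
}

// Unknown slot ID (the value from the backtrace above) while initialized.
CK_RV closeUnknownSlot() {
    C_Initialize();
    CK_RV rv = C_CloseAllSessions(1150801720);
    C_Finalize();
    return rv;
}

// The sequence from the report: the library has already been torn down when
// the close call arrives. Without the null check this is the SIGSEGV.
CK_RV closeAfterFinalize() {
    C_Initialize();
    C_Finalize();
    return C_CloseAllSessions(1);
}

int main() {
    std::printf("initialized:    0x%lx\n", closeWhileInitialized());
    std::printf("unknown slot:   0x%lx\n", closeUnknownSlot());
    std::printf("after finalize: 0x%lx\n", closeAfterFinalize());
    return 0;
}
```

The null check only makes the late call fail cleanly; it does not change the teardown order that causes it. A caller such as the engine path in the report would still get CKR_CRYPTOKI_NOT_INITIALIZED back and should treat that as "nothing left to close" rather than as a fatal error.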
