Skip to content

Fix crash in openssl_pkcs12_read() when BIO_new() fails#21022

Closed
ndossche wants to merge 1 commit intophp:PHP-8.4from
ndossche:clesss-16
Closed

Fix crash in openssl_pkcs12_read() when BIO_new() fails#21022
ndossche wants to merge 1 commit intophp:PHP-8.4from
ndossche:clesss-16

Conversation

@ndossche
Copy link
Copy Markdown
Member

@ndossche ndossche commented Jan 23, 2026

Example ASAN report:

==55442==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7f73a6413b69 bp 0x7ffe666f6010 sp 0x7ffe666f5ff8 T0)
==55442==The signal is caused by a WRITE memory access.
==55442==Hint: address points to the zero page.
    #0 0x7f73a6413b69 in BIO_up_ref (/lib/x86_64-linux-gnu/libcrypto.so.3+0xedb69) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
    #1 0x7f73a641eac2  (/lib/x86_64-linux-gnu/libcrypto.so.3+0xf8ac2) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
    #2 0x7f73a64f26f0  (/lib/x86_64-linux-gnu/libcrypto.so.3+0x1cc6f0) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
    #3 0x7f73a64f2aa6 in OSSL_ENCODER_to_bio (/lib/x86_64-linux-gnu/libcrypto.so.3+0x1ccaa6) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
    #4 0x7f73a6618adf in PEM_write_bio_PrivateKey_ex (/lib/x86_64-linux-gnu/libcrypto.so.3+0x2f2adf) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
    #5 0x7f73a6618bc7 in PEM_write_bio_PrivateKey (/lib/x86_64-linux-gnu/libcrypto.so.3+0x2f2bc7) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
    #6 0x559b16af882b in zif_openssl_pkcs12_read /work/php-src/ext/openssl/openssl.c:1520
    #7 0x559b178b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
    #8 0x559b17be024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
    #9 0x559b17d40995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
    #10 0x559b17d558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
    #11 0x559b17eba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980
    #12 0x559b178ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645
    #13 0x559b178ecccb in php_execute_script /work/php-src/main/main.c:2685
    #14 0x559b17ebfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951
    #15 0x559b17ec21e3 in main /work/php-src/sapi/cli/php_cli.c:1362
    #16 0x7f73a5fa81c9  (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #17 0x7f73a5fa828a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #18 0x559b16a09b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c)

This was found by a hybrid static-dynamic analyser that looks for inconsistent handling of error checks in bindings.

@ndossche
Fix crash in openssl_pkcs12_read() when BIO_new() fails
3fbae2f 
Example ASAN report:
```
==55442==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7f73a6413b69 bp 0x7ffe666f6010 sp 0x7ffe666f5ff8 T0)
==55442==The signal is caused by a WRITE memory access.
==55442==Hint: address points to the zero page.
    #0 0x7f73a6413b69 in BIO_up_ref (/lib/x86_64-linux-gnu/libcrypto.so.3+0xedb69) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
    #1 0x7f73a641eac2  (/lib/x86_64-linux-gnu/libcrypto.so.3+0xf8ac2) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
    #2 0x7f73a64f26f0  (/lib/x86_64-linux-gnu/libcrypto.so.3+0x1cc6f0) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
    #3 0x7f73a64f2aa6 in OSSL_ENCODER_to_bio (/lib/x86_64-linux-gnu/libcrypto.so.3+0x1ccaa6) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
    #4 0x7f73a6618adf in PEM_write_bio_PrivateKey_ex (/lib/x86_64-linux-gnu/libcrypto.so.3+0x2f2adf) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
    #5 0x7f73a6618bc7 in PEM_write_bio_PrivateKey (/lib/x86_64-linux-gnu/libcrypto.so.3+0x2f2bc7) (BuildId: 0698e1ff610cb3c6993dccbd82c1281b1b4c5ade)
    #6 0x559b16af882b in zif_openssl_pkcs12_read /work/php-src/ext/openssl/openssl.c:1520
    #7 0x559b178b7ed2 in zend_test_execute_internal /work/php-src/ext/zend_test/observer.c:306
    #8 0x559b17be024a in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /work/php-src/Zend/zend_vm_execute.h:2154
    #9 0x559b17d40995 in execute_ex /work/php-src/Zend/zend_vm_execute.h:116519
    #10 0x559b17d558b0 in zend_execute /work/php-src/Zend/zend_vm_execute.h:121962
    #11 0x559b17eba0ab in zend_execute_script /work/php-src/Zend/zend.c:1980
    #12 0x559b178ec8bb in php_execute_script_ex /work/php-src/main/main.c:2645
    #13 0x559b178ecccb in php_execute_script /work/php-src/main/main.c:2685
    #14 0x559b17ebfc16 in do_cli /work/php-src/sapi/cli/php_cli.c:951
    #15 0x559b17ec21e3 in main /work/php-src/sapi/cli/php_cli.c:1362
    #16 0x7f73a5fa81c9  (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #17 0x7f73a5fa828a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #18 0x559b16a09b34 in _start (/work/php-src/build-dbg-asan/sapi/cli/php+0x609b34) (BuildId: aa149f943514fff0c491e1f199e30fed0e977f7c)
```
@ndossche ndossche requested a review from bukka as a code owner January 23, 2026 21:42
bukka
bukka approved these changes Apr 3, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@bukka bukka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PEM_write_bio_X509 has actually a check (down in BIO_gets) so it wouldn't a be a bug but makes sense to cover it all.

@ndossche ndossche closed this in 5f9b6ed Apr 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bukka bukka bukka approved these changes

Assignees

No one assigned

Labels

Extension: openssl

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ndossche @bukka @iluuu1994