Fix a race in by_store_subject
authorMatt Caswell <matt@openssl.org>
Tue, 19 Aug 2025 12:27:50 +0000 (13:27 +0100)
committerMatt Caswell <matt@openssl.org>
Thu, 4 Sep 2025 12:26:02 +0000 (13:26 +0100)
When looking in the stack of objects in the store we need to ensure we
are holding a read lock for the store.

Issue detected via thread sanitizer after the test from the previous
commit was added.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28385)

crypto/x509/by_store.c

index c9ef0b6a4e4aa782bad1c97bd13b3174d6749763..a00fc2c7352f705dd0c69009f8a9673263938dd0 100644 (file)
@@ -230,8 +230,14 @@ static int by_store_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
 
     OSSL_STORE_SEARCH_free(criterion);
 
-    if (ok)
+    if (ok) {
+        X509_STORE *store = X509_LOOKUP_get_store(ctx);
+
+        if (!X509_STORE_lock(store))
+            return 0;
         tmp = X509_OBJECT_retrieve_by_subject(store_objects, type, name);
+        X509_STORE_unlock(store);
+    }
 
     ok = 0;
     if (tmp != NULL) {
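Review bot: `tmp` is still used after `X509_STORE_unlock(store)`: the `if (tmp != NULL)` block that follows runs without the store lock, so the fix depends on the retrieved X509_OBJECT staying alive until a reference is taken. That block continues outside the hunk, so I cannot see whether it takes a reference before reading the object's fields; if entries can ever be removed from the store by another thread, the unlock should move below the point where the reference is taken. If the store does guarantee that entries are never removed while it is live, say so next to the unlock, e.g. `/* objects stay in the store until it is freed, so tmp remains valid after unlock */`. Separately, the commit message speaks of a read lock while the code calls `X509_STORE_lock()`, which as far as I know takes the store's write lock and so serialises concurrent lookups; a short comment that this is intentional would help.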