From: Matt Caswell Date: Tue, 19 Aug 2025 12:27:50 +0000 (+0100) Subject: Fix a race in by_store_subject X-Git-Tag: openssl-3.6.0-alpha1~74 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=07f65e16c209e06be9887c2d5f943f528e3f0139;p=thirdparty%2Fopenssl.git Fix a race in by_store_subject When looking in the stack of objects in the store we need to ensure we are holding a read lock for the store. Issue detected via thread sanitizer after the test from the previous commit was added. Reviewed-by: Saša Nedvědický Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/28198) --- diff --git a/crypto/x509/by_store.c b/crypto/x509/by_store.c index 2e6f6713704..3fa34717873 100644 --- a/crypto/x509/by_store.c +++ b/crypto/x509/by_store.c @@ -221,8 +221,14 @@ static int by_store_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, OSSL_STORE_SEARCH_free(criterion); - if (ok) + if (ok) { + X509_STORE *store = X509_LOOKUP_get_store(ctx); + + if (!ossl_x509_store_read_lock(store)) + return 0; tmp = X509_OBJECT_retrieve_by_subject(store_objects, type, name); + X509_STORE_unlock(store); + } ok = 0; if (tmp != NULL) { diff --git a/crypto/x509/x509_local.h b/crypto/x509/x509_local.h index 1393da20133..ca56f478874 100644 --- a/crypto/x509/x509_local.h +++ b/crypto/x509/x509_local.h @@ -159,3 +159,4 @@ int ossl_x509_likely_issued(X509 *issuer, X509 *subject); int ossl_x509_signing_allowed(const X509 *issuer, const X509 *subject); int ossl_x509_store_ctx_get_by_subject(const X509_STORE_CTX *ctx, X509_LOOKUP_TYPE type, const X509_NAME *name, X509_OBJECT *ret); +int ossl_x509_store_read_lock(X509_STORE *xs); diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index 9270a0745fb..05ee7c8c6b5 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c 
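Review bot: In by_store_subject the added `X509_STORE_unlock(store);` releases the read lock before the `if (tmp != NULL) {` block runs, so `tmp`, which points at an element of the store's object stack, is still read after the lock that guarded the lookup is gone. If any code path can remove or free objects from a live store, that read is unprotected. Either move the unlock below the block that copies from `tmp`, or record the invariant with a comment such as `/* tmp remains valid after unlock: store objects are only freed together with the store */`, provided that invariant actually holds (it is not visible here). The added `return 0;` on lock failure looks safe because `criterion` has already been freed, but the function starts and ends outside the hunk, so any other cleanup it owes should be confirmed.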
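Review bot: The new prototype `int ossl_x509_store_read_lock(X509_STORE *xs);` in x509_local.h exposes a locking primitive to other files without stating its contract. A short comment above it would do: `/* Take the store's read lock; returns 1 on success, 0 on failure. xs must be non-NULL. Release with X509_STORE_unlock(). */`. The non-NULL requirement matters because the definition in x509_lu.c dereferences `xs->lock` unconditionally, and the new caller in by_store.c passes the result of `X509_LOOKUP_get_store(ctx)` without checking it.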
@@ -44,7 +44,7 @@ int X509_STORE_lock(X509_STORE *xs) return CRYPTO_THREAD_write_lock(xs->lock); } -static int x509_store_read_lock(X509_STORE *xs) +int ossl_x509_store_read_lock(X509_STORE *xs) { return CRYPTO_THREAD_read_lock(xs->lock); } @@ -331,7 +331,7 @@ int ossl_x509_store_ctx_get_by_subject(const X509_STORE_CTX *ctx, X509_LOOKUP_TY stmp.type = X509_LU_NONE; stmp.data.x509 = NULL; - if (!x509_store_read_lock(store)) + if (!ossl_x509_store_read_lock(store)) return 0; /* Should already be sorted...but just in case */ if (!sk_X509_OBJECT_is_sorted(store->objs)) { @@ -604,7 +604,7 @@ STACK_OF(X509_OBJECT) *X509_STORE_get1_objects(X509_STORE *store) return NULL; } - if (!x509_store_read_lock(store)) + if (!ossl_x509_store_read_lock(store)) return NULL; objs = sk_X509_OBJECT_deep_copy(store->objs, x509_object_dup,