From: Stas Cymbalov Date: Tue, 21 Jan 2025 13:42:19 +0000 (+0300) Subject: Fix data race in asn1_str2tag() on tntmp which was accidentally made static X-Git-Tag: openssl-3.5.0-alpha1~694 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7262c0bcc468ab8e43ba96ca219acdb4667e45e0;p=thirdparty%2Fopenssl.git Fix data race in asn1_str2tag() on tntmp which was accidentally made static Variables tntmp and tnst are declared in the same declaration and thus share storage class specifiers (static). This is unfortunate as tntmp is used during iteration through tnst array and shouldn't be static. In particular this leads to two problems that may arise when multiple threads are executing asn1_str2tag() concurrently: 1. asn1_str2tag() might return value that doesn't correspond to tagstr parameter. This can happen if other thread modifies tntmp to point to a different tnst element right after a successful name check in the if statement. 2. asn1_str2tag() might perform an out-of-bounds read of tnst array. This can happen when multiple threads all first execute tntmp = tnst; line and then start executing the loop. If that case those threads can end up incrementing tntmp past the end of tnst array. CLA: trivial Reviewed-by: Paul Dale Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/26504) --- diff --git a/crypto/asn1/asn1_gen.c b/crypto/asn1/asn1_gen.c index 6f73449cf40..3c3c8c971b9 100644 --- a/crypto/asn1/asn1_gen.c +++ b/crypto/asn1/asn1_gen.c @@ -499,7 +499,8 @@ static int append_exp(tag_exp_arg *arg, int exp_tag, int exp_class, static int asn1_str2tag(const char *tagstr, int len) { unsigned int i; - static const struct tag_name_st *tntmp, tnst[] = { + const struct tag_name_st *tntmp; + static const struct tag_name_st tnst[] = { ASN1_GEN_STR("BOOL", V_ASN1_BOOLEAN), ASN1_GEN_STR("BOOLEAN", V_ASN1_BOOLEAN), ASN1_GEN_STR("NULL", V_ASN1_NULL),