Bug 1526523 - Undefined behaviour in u2f-server
Summary: Undefined behaviour in u2f-server
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libu2f-server
Version: 26
Hardware: All
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Seth Jennings
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-12-15 17:41 UTC by Björn Esser (besser82)
Modified: 2017-12-24 21:17 UTC
CC List: 2 users

Fixed In Version: libu2f-server-1.0.1-10.fc26
Clone Of:
Environment:
Last Closed: 2017-12-24 20:55:03 UTC
Type: Bug
Embargoed:



Description Björn Esser (besser82) 2017-12-15 17:41:30 UTC
Description of problem:

  The function `static int registration_challenge_json()` in u2f-server/core.c
  of the u2f-server binary frees an unowned pointer to a json_object, which
  gets added (and thus transfers the ownership of that object to the new
  parent object) to another json_object.


Version-Release number of selected component (if applicable):

  All built versions of libu2f-server are affected.


How reproducible:

  100%


Steps to Reproduce:

  1.  Just run a registration process with u2f-server.


Actual results:

  Triggers unknown behaviour and memory corruption.  Valgrind reports
  invalid reads to freed memory regions at the end of the function.


Expected results:

  The co-ownership of the json_object must be kept properly by the instance
  which gets created inside of the function, so it doesn't get freed when
  its parent json_object is passed to json_object_put() at the end of
  the function call.


Additional info:

  I recently discovered this undefined behaviour when doing the rebuilds for
  json-c 0.13 and fixed it with a set of upstreamed patches [1,2] in Rawhide.

  I strongly recommend backporting this to all supported releases of Fedora
  and EPEL for which libu2f-server has been built.

  If you don't object within a week, I'll merge down the master branch and
  do the builds myself.

  [1]  https://github.com/Yubico/libu2f-server/commit/5d74f88b278ca1df6c69d7328be2a8035ca7976c
  [2]  https://github.com/Yubico/libu2f-server/pull/31
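The ownership rule behind this report, shown as an added example that is neither libu2f-server's core.c nor json-c's code. The block is a small model of json-c's reference counting: jobj_get(), jobj_put() and jobj_add() stand in for json_object_get(), json_object_put() and json_object_object_add(), and, as in json-c, adding a child to a parent hands the caller's reference to the parent without incrementing the count. Objects live in a static pool and are never returned to the allocator, so the put() that would be a use-after-free in the real library is counted instead of corrupting memory; the function names, the "root"/"challenge" objects and the counters are assumptions made for illustration, and the buggy/fixed pair follows the shape the description gives, not the actual upstream diff.

```c
#include <stdio.h>
#include <string.h>

/* Model of json-c's refcounting (not json-c itself): objects come from a
 * static pool and are flagged instead of freed, so misuse is observable. */
#define POOL_SIZE 8
#define MAX_CHILDREN 4

typedef struct jobj {
    const char *name;
    int refcount;
    int freed;                        /* model-only: set instead of free() */
    struct jobj *child[MAX_CHILDREN];
    int nchild;
} jobj;

static jobj pool[POOL_SIZE];
static int npool;
static int g_live;          /* allocated and not yet freed */
static int g_double_puts;   /* put() on a freed object: the bug's signature */

static void model_reset(void)
{
    memset(pool, 0, sizeof pool);
    npool = 0;
    g_live = 0;
    g_double_puts = 0;
}

static jobj *jobj_new(const char *name)
{
    jobj *o = &pool[npool++];         /* assumption: at most POOL_SIZE objects */
    o->name = name;
    o->refcount = 1;                  /* creator owns the first reference */
    g_live++;
    return o;
}

/* Mirrors json_object_get(): the caller now owns one more reference. */
static jobj *jobj_get(jobj *o)
{
    o->refcount++;
    return o;
}

/* Mirrors json_object_put(): 1 if this call freed the object, 0 if a
 * reference remains, -1 if it was already freed (UAF in real json-c). */
static int jobj_put(jobj *o)
{
    if (o->freed) {
        g_double_puts++;
        return -1;
    }
    if (--o->refcount > 0)
        return 0;
    for (int i = 0; i < o->nchild; i++)
        jobj_put(o->child[i]);        /* a parent drops its children's references */
    o->freed = 1;
    g_live--;
    return 1;
}

/* Mirrors json_object_object_add(): the parent takes over the caller's
 * reference to child; nothing is incremented. */
static void jobj_add(jobj *parent, jobj *child)
{
    parent->child[parent->nchild++] = child;
}

/* The pattern from the report: the function puts a child it no longer owns,
 * so the parent's own teardown puts it a second time. Returns the number of
 * double puts observed. */
int challenge_json_buggy(void)
{
    model_reset();
    jobj *root = jobj_new("root");
    jobj *challenge = jobj_new("challenge");
    jobj_add(root, challenge);        /* ownership moved to root */
    jobj_put(challenge);              /* BUG: that reference was given away */
    jobj_put(root);                   /* root puts challenge again */
    return g_double_puts;
}

/* Fixed pattern: take a reference for the parent before adding, so the
 * function's own put() only drops the reference it still holds. */
int challenge_json_fixed(void)
{
    model_reset();
    jobj *root = jobj_new("root");
    jobj *challenge = jobj_new("challenge");
    jobj_add(root, jobj_get(challenge));   /* root owns the extra reference */
    jobj_put(challenge);              /* drop ours; root's keeps it alive */
    jobj_put(root);                   /* last reference: frees root, then challenge */
    return g_double_puts;
}

int live_objects(void) { return g_live; }

int main(void)
{
    printf("buggy: %d double put(s)\n", challenge_json_buggy());
    printf("fixed: %d double put(s), %d live object(s)\n",
           challenge_json_fixed(), live_objects());
    return 0;
}
```

The equivalent fix without the extra reference is to simply not call json_object_put() on the child after json_object_object_add() has taken it; either way the invariant is that every put() balances a reference the function still owns. Against the real library, the same misuse is what Valgrind flags as an invalid read, and `-fsanitize=address` reports it as a heap-use-after-free.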

Comment 1 Seth Jennings 2017-12-15 18:03:26 UTC
I was actually going to do some packaging work this afternoon.  Let you know when it is done.

Comment 2 Björn Esser (besser82) 2017-12-15 19:44:30 UTC
Alrighty  =)

Everything needed is already done in the master branch:  https://src.fedoraproject.org/rpms/libu2f-server/commits/master

So a simple merge-down to the other branches should be fine.  ;)

Comment 3 Fedora Update System 2017-12-15 21:17:58 UTC
libu2f-server-1.0.1-10.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d857a148d1

Comment 4 Fedora Update System 2017-12-15 21:18:51 UTC
libu2f-server-1.0.1-10.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-3aa61b9479

Comment 5 Fedora Update System 2017-12-16 11:24:52 UTC
libu2f-server-1.0.1-10.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d857a148d1

Comment 6 Fedora Update System 2017-12-16 14:39:05 UTC
libu2f-server-1.0.1-10.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-3aa61b9479

Comment 7 Fedora Update System 2017-12-24 20:55:03 UTC
libu2f-server-1.0.1-10.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2017-12-24 21:17:59 UTC
libu2f-server-1.0.1-10.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
