Lack of nullptr check in src/crypto/crypto_ec.cc GroupOrderSize

[wooffie]

Version

20.18.0

Platform

any

Subsystem

crypto

What steps will reproduce the bug?

In function GroupOrderSize call of BignumPointer::New() can return nullptr pointer (yes its can raise error via ERR_raise).

node/src/crypto/crypto_ec.cc

Line 939 in bf59539

auto order = BignumPointer::New();

After this ptr passed to EC_GROUP_get_order

node/src/crypto/crypto_ec.cc

Line 940 in bf59539

CHECK(EC_GROUP_get_order(ECKeyPointer::GetGroup(ec), order.get(), nullptr));

But this function don't expect that second param can be NULL

node/deps/openssl/openssl/crypto/ec/ec_lib.c

Line 443 in bf59539

int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx)

After nullptr can be dereferenced here:

node/deps/openssl/openssl/crypto/bn/bn_lib.c

Line 1062 in bf59539

return (words <= a->dmax) ? a : bn_expand2(a, words);

And in another places

How often does it reproduce? Is there a required condition?

If BignumPointer::New() return pointer that stores nullptr

What is the expected behavior? Why is that the expected behavior?

Check BignumPointer::New() for nullptr

What do you see instead?

Lack of nullptr check

Additional information

Additional information
Found by Linux Verification Center (linuxtesting.org) with SVACE.

Reporter: Burkov Egor ([email protected]).

Organization: R-Vision ([email protected]).