[gnutls-devel] GnuTLS | Heap Use-After-Free in `gnutls_pkcs7_get_signature_info()` Error Cleanup (#1896)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Thu Jun 4 20:28:14 CEST 2026
Issue created by 齐柯宇 (Qi Kery): https://gitlab.com/gnutls/gnutls/-/work_items/1896
This report was generated with AI assistance and manually verified.

## Description of problem:

`gnutls_pkcs7_get_signature_info()` can use a freed PKCS#7 attribute list during error cleanup.

While copying signed attributes, `gnutls_pkcs7_get_signature_info()` calls:

```c
ret = gnutls_pkcs7_add_attr(&info->signed_attrs, oid, &tmp, 0);
```

If `gnutls_pkcs7_add_attr()` fails after `*list` already contains entries, its failure path calls `gnutls_pkcs7_attrs_deinit(*list)` but does not set `*list` to `NULL`. Control then returns to `gnutls_pkcs7_get_signature_info()`, which reaches its `fail:` label and calls `gnutls_pkcs7_signature_info_deinit(info)`. That cleanup path traverses `info->signed_attrs`, which still points to freed memory.

Affected code:

```text
lib/x509/pkcs7.c:702   gnutls_pkcs7_add_attr(&info->signed_attrs, ...)
lib/x509/pkcs7.c:751   gnutls_pkcs7_signature_info_deinit(info)
lib/x509/pkcs7-attrs.c:86   gnutls_pkcs7_attrs_deinit(*list)
```

## Version of gnutls used:

```text
Upstream origin/master
Commit: 0b9fcb47c734191695b7b7812a0ba30a5c712b9f
Commit date: 2026-06-02 10:05:44 +0900
Configure summary version: 3.8.13 shared 72:0:42
```

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

```text
Upstream source build, not a distribution package.
Built locally on Ubuntu with glibc 2.39.
```

## How reproducible:

```text
Always reproducible with the attached/local harness and FAIL_AFTER=9.
The same harness exits successfully when FAIL_AFTER is not set.
```

Steps to Reproduce:

 * Build GnuTLS from the commit above with hardening and sanitizers:

```text
CPPFLAGS=-D_FORTIFY_SOURCE=3
CFLAGS=-O2 -g -fno-omit-frame-pointer -fsanitize=address,undefined -fstack-protector-strong -fPIE
LDFLAGS=-fsanitize=address,undefined -Wl,-z,relro -Wl,-z,now -pie
```

The verified library was:

```text
<build-dir>/lib/.libs/libgnutls.so.30.42.0
SHA-256: 224c60682088ac07680c1eba04acd159b51bd8995bedcbc1fc288fe248a1058b
```

 * Compile the reproducer:

Reproducer source: [pkcs7_siginfo_fail_harness.c](https://github.com/Bin-infinite/vuln-validations/blob/f47f650ccab29d5be069fe5418a8ae2a7ec23d51/gnutls/latest/%63%61%73%65%2D002/pocs/pkcs7_siginfo_fail_harness.c)

This harness builds a valid PKCS#7 object with signed attributes using GnuTLS APIs, imports it, and installs allocator wrappers only for the target call.

 * Run the reproducer:

```bash
ASAN_OPTIONS='abort_on_error=1:symbolize=1:detect_leaks=0:allocator_may_return_null=1' \
UBSAN_OPTIONS='halt_on_error=0:print_stacktrace=1' \
LSAN_OPTIONS='detect_leaks=0' \
FAIL_AFTER=9 \
./pkcs7_siginfo_fail_harness
```

## Actual results:

ASan reports a heap-use-after-free:

```text
ERROR: AddressSanitizer: heap-use-after-free
READ of size 8
#0 gnutls_pkcs7_attrs_deinit lib/x509/pkcs7-attrs.c:152
#1 gnutls_pkcs7_signature_info_deinit lib/x509/pkcs7.c:483
#2 gnutls_pkcs7_get_signature_info lib/x509/pkcs7.c:751

freed by thread T0 here:
#1 gnutls_pkcs7_attrs_deinit lib/x509/pkcs7-attrs.c:156
#2 gnutls_pkcs7_add_attr lib/x509/pkcs7-attrs.c:86
#3 gnutls_pkcs7_get_signature_info lib/x509/pkcs7.c:702

previously allocated by thread T0 here:
#1 gnutls_pkcs7_add_attr lib/x509/pkcs7-attrs.c:59
#2 gnutls_pkcs7_get_signature_info lib/x509/pkcs7.c:702
```

Full log: [fail_after_9_run1.stderr.txt](https://github.com/Bin-infinite/vuln-validations/blob/f47f650ccab29d5be069fe5418a8ae2a7ec23d51/gnutls/latest/%63%61%73%65%2D002/runs/fail_after_9_run1.stderr.txt)

## Expected results:

`gnutls_pkcs7_get_signature_info()` should return a negative error code without using a freed attribute list. The ownership contract should be made consistent. For example, `gnutls_pkcs7_add_attr()` could set `*list = NULL` after freeing the existing list, or avoid destructively freeing the caller's existing list on failure.
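The ownership problem described in the report, and the fix it proposes, reduced to a self-contained C model. This is an added example, not GnuTLS code: `attrs_add_buggy()`, `attrs_add_fixed()`, `sig_info_deinit()` and `get_signature_info_model()` are hypothetical stand-ins for `gnutls_pkcs7_add_attr()`, `gnutls_pkcs7_signature_info_deinit()` and the copy loop in `gnutls_pkcs7_get_signature_info()`, and `model_set_fail_after()` is a constructed fault injector in the spirit of the harness's `FAIL_AFTER`. The buggy variant is shown for contrast only and is never invoked; the driver exercises the fixed variant on both the success path and the injected-failure path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a PKCS#7 signed-attribute list (not GnuTLS code). */
typedef struct attr_node {
    char *oid;
    struct attr_node *next;
} attr_node_t;
typedef attr_node_t *attrs_t;

/* Fault injection, constructed for this example: the allocation with
 * 0-based index fail_after (counted through model_malloc) returns NULL. */
static int fail_after = -1;
static int alloc_count = 0;

static void *model_malloc(size_t n)
{
    if (fail_after >= 0 && alloc_count++ >= fail_after)
        return NULL;
    return malloc(n);
}

static void model_set_fail_after(int n)
{
    fail_after = n;
    alloc_count = 0;
}

/* Frees every node of a list; the pointer variable itself belongs to the caller. */
static void attrs_deinit(attrs_t list)
{
    while (list) {
        attr_node_t *next = list->next;
        free(list->oid);
        free(list);
        list = next;
    }
}

/* Prepends oid to *list. On failure it tears down the existing list, as the
 * report describes; clear_on_fail decides whether the caller's pointer is reset. */
static int attrs_add_common(attrs_t *list, const char *oid, int clear_on_fail)
{
    attr_node_t *node = model_malloc(sizeof(*node));
    if (node == NULL)
        goto fail;
    node->oid = model_malloc(strlen(oid) + 1);
    if (node->oid == NULL) {
        free(node);
        goto fail;
    }
    strcpy(node->oid, oid);
    node->next = *list;
    *list = node;
    return 0;

fail:
    attrs_deinit(*list);
    if (clear_on_fail)
        *list = NULL; /* the fix: no dangling pointer handed back to the caller */
    return -1;
}

/* Vulnerable shape: frees *list but leaves it dangling. Shown for contrast, never called here. */
int attrs_add_buggy(attrs_t *list, const char *oid) { return attrs_add_common(list, oid, 0); }

/* Hardened shape: after a failure the caller's pointer is NULL. */
int attrs_add_fixed(attrs_t *list, const char *oid) { return attrs_add_common(list, oid, 1); }

struct sig_info { attrs_t signed_attrs; };

/* Stand-in for the caller's cleanup: traverses signed_attrs exactly as the
 * fail: path does, so a dangling pointer here would be a use-after-free. */
static void sig_info_deinit(struct sig_info *info)
{
    attrs_deinit(info->signed_attrs);
    info->signed_attrs = NULL;
}

/* Models the attribute copy loop and its fail: label. */
static int get_signature_info_model(struct sig_info *info, const char *const *oids,
                                    size_t n, int (*add)(attrs_t *, const char *))
{
    memset(info, 0, sizeof(*info));
    for (size_t i = 0; i < n; i++)
        if (add(&info->signed_attrs, oids[i]) < 0)
            goto fail;
    return 0;
fail:
    sig_info_deinit(info);
    return -1;
}

static size_t attrs_count(attrs_t list)
{
    size_t c = 0;
    for (; list; list = list->next) c++;
    return c;
}

/* Returns 0 when the fixed variant builds all three attributes on the success
 * path and, with the fifth allocation failing (two entries already present),
 * reports -1 and leaves a NULL list for the cleanup to free safely. */
int run_model(void)
{
    static const char *const oids[] = { /* sample PKCS#9 attribute OIDs */
        "1.2.840.113549.1.9.3", "1.2.840.113549.1.9.4", "1.2.840.113549.1.9.5" };
    struct sig_info info;

    model_set_fail_after(-1);
    if (get_signature_info_model(&info, oids, 3, attrs_add_fixed) != 0) return 1;
    if (attrs_count(info.signed_attrs) != 3) return 2;
    sig_info_deinit(&info);

    model_set_fail_after(4); /* each add costs two allocations; the third add's node fails */
    if (get_signature_info_model(&info, oids, 3, attrs_add_fixed) != -1) return 3;
    if (info.signed_attrs != NULL) return 4;
    return 0;
}

int main(void)
{
    printf("run_model() = %d\n", run_model());
    return 0;
}
```

The alternative the report mentions, leaving the caller's list untouched on failure, would make `attrs_add_common()` return -1 before the `attrs_deinit()` call and rely on `sig_info_deinit()` to free the partial list once; either way the invariant a reviewer should check is that any pointer freed inside the callee is also reset before control returns to a caller that will free it again.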
