Fix use-after-free at exit cleanup

mtrojnar · mtrojnar · commit a61c216e2749 · 2025-05-07T11:54:32.000+02:00
diff --git a/src/libp11-int.h b/src/libp11-int.h
@@ -121,6 +121,8 @@ struct pkcs11_object_ops {
 extern PKCS11_OBJECT_ops pkcs11_rsa_ops;
 extern PKCS11_OBJECT_ops pkcs11_ec_ops;
 
+extern int pkcs11_global_data_refs;
+
 /*
  * Internal functions
  */
diff --git a/src/p11_ec.c b/src/p11_ec.c
@@ -811,7 +811,7 @@ EC_KEY_METHOD *PKCS11_get_ec_key_method(void)
 
 void pkcs11_ec_key_method_free(void)
 {
-	if (pkcs11_ec_key_method) {
+	if (pkcs11_global_data_refs == 0 && pkcs11_ec_key_method) {
 		free_ec_ex_index();
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 		if (meth->pkcs11_ecdh_method & EC_KEY_METHOD_DYNAMIC)
@@ -855,7 +855,7 @@ ECDSA_METHOD *PKCS11_get_ecdsa_method(void)
 
 void pkcs11_ecdsa_method_free(void)
 {
-	if (pkcs11_ecdsa_method) {
+	if (pkcs11_global_data_refs == 0 && pkcs11_ecdsa_method) {
 		free_ec_ex_index();
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 		if (pkcs11_ecdsa_method->flags & EC_KEY_METHOD_DYNAMIC)
@@ -881,7 +881,7 @@ ECDH_METHOD *PKCS11_get_ecdh_method(void)
 
 void pkcs11_ecdh_method_free(void)
 {
-	if (pkcs11_ecdh_method) {
+	if (pkcs11_global_data_refs == 0 && pkcs11_ecdh_method) {
 		free_ec_ex_index();
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 		if (pkcs11_ecdh_method->flags & EC_KEY_METHOD_DYNAMIC)
diff --git a/src/p11_load.c b/src/p11_load.c
@@ -20,9 +20,7 @@
 #include <string.h>
 
 /* Global number of active PKCS11_CTX objects */
-static int pkcs11_global_data_refs = 0;
-
-static void pkcs11_global_data_free(void);
+int pkcs11_global_data_refs = 0;
 
 /*
  * Create a new context
@@ -177,12 +175,7 @@ void pkcs11_CTX_free(PKCS11_CTX *ctx)
 	OPENSSL_free(ctx->_private);
 	OPENSSL_free(ctx);
 
-	if (--pkcs11_global_data_refs == 0)
-		pkcs11_global_data_free();
-}
-
-static void pkcs11_global_data_free(void)
-{
+	pkcs11_global_data_refs--;
 #ifndef OPENSSL_NO_RSA
 	pkcs11_rsa_method_free();
 #endif
diff --git a/src/p11_rsa.c b/src/p11_rsa.c
@@ -545,7 +545,7 @@ RSA_METHOD *PKCS11_get_rsa_method(void)
 
 void pkcs11_rsa_method_free(void)
 {
-	if (pkcs11_rsa_method) {
+	if (pkcs11_global_data_refs == 0 && pkcs11_rsa_method) {
 		free_rsa_ex_index();
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 		RSA_meth_free(pkcs11_rsa_method);

Original file line number	Diff line number	Diff line change
`@@ -545,7 +545,7 @@ RSA_METHOD *PKCS11_get_rsa_method(void)`
`545`	`545`
`546`	`546`	`void pkcs11_rsa_method_free(void)`
`547`	`547`	`{`
`548`		`- if (pkcs11_rsa_method) {`
	`548`	`+ if (pkcs11_global_data_refs == 0 && pkcs11_rsa_method) {`
`549`	`549`	`free_rsa_ex_index();`
`550`	`550`	`#if OPENSSL_VERSION_NUMBER >= 0x10100000L`
`551`	`551`	`RSA_meth_free(pkcs11_rsa_method);`