
Fix use-after-free of error strings on BoringSSL/aws-lc #2572

Merged: alex merged 1 commit into rust-openssl:master from alex:fix-boringssl-error-lifetime on Mar 2, 2026

Conversation

@alex (Collaborator) commented Feb 15, 2026

The boringssl/awslc cfg gate unconditionally used Cow::Borrowed for error data, treating it as 'static. However, BoringSSL and aws-lc dynamically allocate error strings and may free them on the next error queue operation. Both libraries set ERR_TXT_MALLOCED as a workaround to signal that the string should be copied, but the cfg gate bypassed that check entirely.

Remove the cfg gates and use the same ERR_TXT_MALLOCED check for all backends.

Fixes #2470

The boringssl/awslc cfg gate unconditionally used Cow::Borrowed for
error data, treating it as 'static. However, BoringSSL and aws-lc
dynamically allocate error strings and may free them on the next error
queue operation. Both libraries set ERR_TXT_MALLOCED as a workaround
to signal that the string should be copied, but the cfg gate bypassed
that check entirely.

Remove the cfg gates and use the same ERR_TXT_MALLOCED check for all
backends.

Fixes rust-openssl#2470

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
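The ERR_TXT_MALLOCED handling that the description and commit message refer to, as an added Rust example (not rust-openssl's own code): `error_data` copies the string when the flag is set and only borrows it as `'static` when it is not, and `FakeErrQueue` is a constructed stand-in for the BoringSSL/aws-lc error queue that frees the previous string on the next pop. The flag values are the ones from OpenSSL's err.h; the queue, `drain` and the messages are assumptions made for the demonstration.

```rust
use std::borrow::Cow;
use std::ffi::{CStr, CString};
use std::os::raw::{c_char, c_int};

pub const ERR_TXT_MALLOCED: c_int = 0x01; // values from OpenSSL's err.h
pub const ERR_TXT_STRING: c_int = 0x02;

/// The fixed conversion: copy when ERR_TXT_MALLOCED is set (the backend may free
/// the string on the next error-queue operation), borrow as 'static otherwise.
/// Safety: `data` must be a valid NUL-terminated string when ERR_TXT_STRING is
/// set and, if ERR_TXT_MALLOCED is clear, must live for the whole program.
pub unsafe fn error_data(data: *const c_char, flags: c_int) -> Option<Cow<'static, str>> {
    if flags & ERR_TXT_STRING == 0 || data.is_null() {
        return None;
    }
    let s: &'static str = CStr::from_ptr(data).to_str().ok()?;
    Some(if flags & ERR_TXT_MALLOCED != 0 {
        Cow::Owned(s.to_owned()) // copy now; the backend owns and will free `data`
    } else {
        Cow::Borrowed(s) // genuinely static reason string, safe to borrow
    })
}

/// Constructed stand-in for the BoringSSL/aws-lc queue: each error string is
/// heap-allocated and the previous one is freed on the next pop.
pub struct FakeErrQueue { pending: Vec<&'static str>, live: Option<CString> }
impl FakeErrQueue {
    pub fn new(msgs: &[&'static str]) -> Self {
        FakeErrQueue { pending: msgs.iter().rev().copied().collect(), live: None }
    }
    /// Like ERR_get_error_line_data: returns (data, flags) and frees the old buffer.
    pub fn get_error_line_data(&mut self) -> (*const c_char, c_int) {
        self.live = None; // previous error string is freed here
        let Some(m) = self.pending.pop() else { return (std::ptr::null(), 0) };
        let c = CString::new(m).expect("no interior NUL");
        let p = c.as_ptr(); // heap pointer stays valid while `c` is stored in `live`
        self.live = Some(c);
        (p, ERR_TXT_STRING | ERR_TXT_MALLOCED)
    }
}

/// Drain the queue; every returned Cow must outlive later queue operations.
pub fn drain(q: &mut FakeErrQueue) -> Vec<Cow<'static, str>> {
    let mut out = Vec::new();
    loop {
        let (ptr, flags) = q.get_error_line_data();
        if ptr.is_null() { break; }
        if let Some(d) = unsafe { error_data(ptr, flags) } { out.push(d); }
    }
    out
}
```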
@alex force-pushed the fix-boringssl-error-lifetime branch from a0d751e to cc08b77 on February 15, 2026 02:30
@alex requested a review from botovq on February 20, 2026 02:31
@botovq (Contributor) commented Mar 2, 2026

I am really confused about the evolution of this problem.

The cfg and code this PR removes was added for BoringSSL support in rust-openssl in e610c0f and then a few months later BoringSSL added a workaround for a flag check that could not be reached in https://boringssl-review.googlesource.com/c/boringssl/+/57045 in the first place? And how did c3b714e break this as is claimed in #2470? As far as I can see, the latter commit only extends the logic to make BoringSSL and aws-lc use the same paths?

It kind of feels like rust-openssl and boringssl/aws-lc are adding workarounds on top of workarounds for workarounds.

@alex (Collaborator, Author) commented Mar 2, 2026

Yeah, the chronology confuses me. I like this PR because it just deletes special cases :-)

@botovq (Contributor) left a review comment

Be all that as it may, this seems correct to me.

@alex merged commit c38b028 into rust-openssl:master on Mar 2, 2026 (81 checks passed)
@alex deleted the fix-boringssl-error-lifetime branch on March 2, 2026 14:12


Linked issue closed by this pull request: Incorrect lifetime of error strings when awslc or boringssl features are enabled (#2470)
