LibCrypto: Read buffer overflow in Crypto::der_decode_sequence #5317

Closed
Lubrsi opened this issue Feb 13, 2021 · 1 comment · Fixed by #5344
Labels
bug Something isn't working

Comments

Lubrsi (Member) commented Feb 13, 2021

Found with FuzzRSAKeyParsing.

File: crash-f944dcd635f9801f7ac90a407fbc479964dec024.txt (with txt extension to allow uploading to GH)

Trace:

==157609==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000008d92 at pc 0x00000056a24e bp 0x7fffa1e21750 sp 0x7fffa1e21748
READ of size 1 at 0x602000008d92 thread T0
    #0 0x56a24d in Crypto::der_decode_sequence(unsigned char const*, unsigned long, Crypto::ASN1::List*, unsigned long, bool) /home/lukew/Desktop/serenity-project/serenity/build/../Userland/Libraries/LibCrypto/ASN1/DER.h:345:18
    #1 0x566ba4 in Crypto::PK::RSA::parse_rsa_key(AK::Span<unsigned char const>) /home/lukew/Desktop/serenity-project/serenity/build/../Userland/Libraries/LibCrypto/PK/RSA.cpp:57:9
    #2 0x5623de in LLVMFuzzerTestOneInput /home/lukew/Desktop/serenity-project/serenity/build/../Meta/Lagom/Fuzzers/FuzzRSA.cpp:34:5
    #3 0x46a6d1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x46a6d1)
    #4 0x469e15 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x469e15)
    #5 0x46c0b7 in fuzzer::Fuzzer::MutateAndTestOne() (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x46c0b7)
    #6 0x46cdb5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x46cdb5)
    #7 0x45b76e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x45b76e)
    #8 0x4845b2 in main (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x4845b2)
    #9 0x7f3d406a70b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #10 0x43050d in _start (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x43050d)

0x602000008d92 is located 0 bytes to the right of 2-byte region [0x602000008d90,0x602000008d92)
allocated by thread T0 here:
    #0 0x53023d in malloc (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x53023d)
    #1 0x563c74 in AK::ByteBufferImpl::ByteBufferImpl(void const*, unsigned long) /home/lukew/Desktop/serenity-project/serenity/build/.././AK/ByteBuffer.h:274:35
    #2 0x56383c in AK::ByteBufferImpl::copy(void const*, unsigned long) /home/lukew/Desktop/serenity-project/serenity/build/.././AK/ByteBuffer.h:313:25
    #3 0x5625c4 in AK::ByteBuffer::copy(void const*, unsigned long) /home/lukew/Desktop/serenity-project/serenity/build/.././AK/ByteBuffer.h:126:79
    #4 0x5623bd in LLVMFuzzerTestOneInput /home/lukew/Desktop/serenity-project/serenity/build/../Meta/Lagom/Fuzzers/FuzzRSA.cpp:33:27
    #5 0x46a6d1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x46a6d1)
    #6 0x469e15 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x469e15)
    #7 0x46c0b7 in fuzzer::Fuzzer::MutateAndTestOne() (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x46c0b7)
    #8 0x46cdb5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x46cdb5)
    #9 0x45b76e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x45b76e)
    #10 0x4845b2 in main (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x4845b2)
    #11 0x7f3d406a70b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lukew/Desktop/serenity-project/serenity/build/../Userland/Libraries/LibCrypto/ASN1/DER.h:345:18 in Crypto::der_decode_sequence(unsigned char const*, unsigned long, Crypto::ASN1::List*, unsigned long, bool)
==157609==ABORTING
Lubrsi added a commit to Lubrsi/serenity that referenced this issue Feb 13, 2021
@linusg linusg added the bug Something isn't working label Feb 13, 2021
awesomekling pushed a commit that referenced this issue Feb 13, 2021
alimpfard (Member) commented:
I think I'll write a new ASN.1 parser, and hopefully avoid the footguns of raw pointers (we now have ReadonlyBytes!)
Not sure when I'll manage to get to that one though; if anyone feels like doing this (or fixing this issue), go right ahead!
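
An added example, not LibCrypto's code and not the fix in #5344, of the bounds-checked DER header walk the comment above argues for: every read is checked against the bytes that remain, so a 2-byte buffer whose length octet promises more content (the shape of the crash above) is rejected rather than read past the end of its allocation. DerHeader, parse_der_header and count_sequence_children are names assumed here.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>

struct DerHeader {
    uint8_t tag;
    size_t header_length;  // octets used by the tag and length fields
    size_t content_length; // octets of content that follow the header
};
// Decode the tag-length header at the start of [data, data + size). Every
// access is checked against size first, so a truncated buffer yields nullopt
// instead of a read past the allocation. Only single-octet tags are handled.
std::optional<DerHeader> parse_der_header(const uint8_t* data, size_t size)
{
    if (size < 2)
        return std::nullopt; // need at least a tag and one length octet
    uint8_t tag = data[0], first = data[1];
    size_t pos = 2, length = first;
    if (first & 0x80) { // long form: low 7 bits give the number of length octets
        size_t num_octets = first & 0x7f;
        if (num_octets == 0 || num_octets > sizeof(size_t) || size - pos < num_octets)
            return std::nullopt; // indefinite form, too wide, or length octets truncated
        length = 0;
        for (size_t i = 0; i < num_octets; ++i)
            length = (length << 8) | data[pos++];
        if (length < 0x80)
            return std::nullopt; // DER requires the short form below 128
    }
    if (length > size - pos)
        return std::nullopt; // declared content runs past the buffer
    return DerHeader{tag, pos, length};
}

// Walk a SEQUENCE's children, checking each header against the bytes that
// actually remain; nullopt if the outer or any child header is malformed.
std::optional<size_t> count_sequence_children(const uint8_t* data, size_t size)
{
    auto outer = parse_der_header(data, size);
    if (!outer || outer->tag != 0x30)
        return std::nullopt;
    size_t offset = outer->header_length, end = offset + outer->content_length, count = 0;
    while (offset < end) {
        auto child = parse_der_header(data + offset, end - offset);
        if (!child)
            return std::nullopt;
        offset += child->header_length + child->content_length;
        ++count;
    }
    return count;
}
```

Because parse_der_header never returns a content_length larger than the bytes left, the child walk cannot step outside the outer buffer even on adversarial input.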
