
NegativeArraySizeException and IndexOutOfBoundsException in certificate decoding #11

Open
mmeinander opened this issue May 14, 2018 · 2 comments


@mmeinander

Hi,
While running fuzz testing (with afl and Kelinci) on the jasn1-generated Java classes for PKIX1Explicit88.asn (ftp://ftp3.itu.int/t/fl/ietf/rfc/rfc3280/PKIX1Explicit88.html), crashes were discovered in five different locations during certificate decoding.

This was the Driver class used for the fuzzing:

import pkix1explicit88.Certificate;
import java.io.*;

public class Driver {
    public static void main (String[] args) {
        if (args.length != 1) {
            System.err.println("driver: usage: driver file");
            System.exit(1);
        }
        FileInputStream fis = null;
        try {
            fis = new FileInputStream(args[0]);
        } catch (FileNotFoundException e) {
            System.err.println("FileNotFound: " + args[0]);
            System.exit(1);
        }
        try {
            Certificate c = new Certificate();
            c.decode(fis);                 // Driver.java:19 in the stack traces below
        } catch (IOException e) {
            System.err.println(e);         // only IOException is caught; runtime exceptions escape and are reported as crashes
        }
        try {
            fis.close();
        } catch (IOException e) {
            // ignore close failures
        }
    }
}

Crashes (the inputs, i.e. the DER-encoded certificates to be decoded, are given in hex):

  1. Input:
    3082034130820229a0030201020213066c9fcf99bf8c0a39e2f0788a43e6
    96365bca300d06092a864886f70d01010b05803039310b30090603550406
    13025553310f300d060355040a1306416d617a6f6e311930170603550403
    1310416d617a6f6e20526f6f742043412031301e170d3135303532363030
    303030305a170d3338303131373030303030305a3039310b300906035504
    0613025553310f300d060355040a1306416d617a6f6e3119301706035504
    031310416d617a6f6e20526f6f74204341203130820122300d06092a8648
    86f70d01010105000382010f003082010a0282010100b2788071ca78d5e3
    71af478050747d6ed8d78876f49968f7582160f97484012fac022d86d3a0
    437a4eb2a4d036ba01be8ddb48c80717364cf4ee8823c73eeb37f5b519f8
    4968b0ded7b976381d619ea4fe8236a5e54a56e445e1f9fdb416fa74da9c
    9b35392ffab02050066c7ad080b2a6f9afec47198f503807dca2873958f8
    bad5a9f948673096ee94785e6f89a351c0308666a14566ba54eba3c391f9
    48dcffd1e8302d7d2d747035d78824f79ec4596ebb738717f2324628b843
    fab71daacab4f29f240e2d4bf7715c5e69ffea9502cb388aae50386fdbfb
    2d621bc5c71e54e177e067c80f9c8723d63f40207f2080c4804c3e3b2426
    8e04ae6c9ac8aa0d0203010001a3423040300f0603551d130101ff040530
    030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604
    148418cc8534ecbc0c94942e08599cc7b2104e0a08300d06092a864886f7
    0d01010b0500038201010098f2375a4190a11ac57651282036230eaee628
    bbaaf894ae48a4307f1bfc248d4bb4c8a197f6b6f17a70c85393cc0828e3
    9825cf23a4f9de21d37c8509ad4e9a753ac20b6a897876444718656c8d41
    8e3b7f9acbf4b5a750d7052c37e8034bade961a0026ef5f2f0c5b2ed5bb7
    dcfa945c779e13a57f52ad95f2f8933bde8b5c5bca5a525b60af14f74bef
    a3fb9f40956d3154fc42d3c7461f23add90f48709ad9757871d172433475
    6e5759c2025c266029cf2319168e8843a5d4e4cb08fb231143e843297262
    a1a95d5e08d490aeb8d8ce14c2d055f286f6c49343776661c0b9e841d797
    7860036e4a72aea5d17dba109e866c1b8ab95933f8ebc490bef1b9

Crash location:
Exception occurred: java.lang.IndexOutOfBoundsException (uncaught)"thread=main", java.io.FileInputStream.readBytes(), line=-1 bci=-1

main[1] where
[1] java.io.FileInputStream.readBytes (native method)
[2] java.io.FileInputStream.read (FileInputStream.java:255)
[3] org.openmuc.jasn1.ber.internal.Util.readFully (Util.java:18)
[4] org.openmuc.jasn1.ber.types.BerAny.decode (BerAny.java:61)
[5] pkix1explicit88.AlgorithmIdentifier.decode (AlgorithmIdentifier.java:121)
[6] pkix1explicit88.TBSCertificate.decode (TBSCertificate.java:238)
[7] pkix1explicit88.Certificate.decode (Certificate.java:119)
[8] pkix1explicit88.Certificate.decode (Certificate.java:98)
[9] Driver.main (Driver.java:19)

  2. Input:
    3082034130820229a0030201020213066c9fcf99bf8c0a39e2f0788a43e6
    96365bca300d06092a864886f70d01010b05003039310b30090603550406
    13025553310f300d060355040a1306416d617a6f6e311930170603550403
    1310416d617a6f6e20526f6f742043412031301e170d3135303532363030
    303030305a170d3338303131373030303030305a3039310b300906035504
    0613025553310f300d060355040a1306416d617a6f6e3119301706035504
    031310416d617a6f6e20526f6f74204341203130820122300d06092a8648
    86f70d01010105000380010f003082010a0282010100b2788071ca78d5e3
    71af478050747d6ed8d78876f49968f7582160f97484012fac022d86d3a0
    437a4eb2a4d036ba01be8ddb48c80717364cf4ee8823c73eeb37f5b519f8
    4968b0ded7b976381d619ea4fe8236a5e54a56e445e1f9fdb416fa74da9c
    9b35392ffab02050066c7ad080b2a6f9afec47198f503807dca2873958f8
    bad5a9f948673096ee94785e6f89a351c0308666a14566ba54eba3c391f9
    48dcffd1e8302d7d2d747035d78824f79ec4596ebb738717f2324628b843
    fab71daacab4f29f240e2d4bf7715c5e69ffea9502cb388aae50386fdbfb
    2d621bc5c71e54e177e067c80f9c8723d63f40207f2080c4804c3e3b2426
    8e04ae6c9ac8aa0d0203010001a3423040300f0603551d130101ff040530
    030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604
    148418cc8534ecbc0c94942e08599cc7b2104e0a08300d06092a864886f7
    0d01010b0500038201010098f2375a4190a11ac57651282036230eaee628
    bbaaf894ae48a4307f1bfc248d4bb4c8a197f6b6f17a70c85393cc0828e3
    9825cf23a4f9de21d37c8509ad4e9a753ac20b6a897876444718656c8d41
    8e3b7f9acbf4b5a750d7052c37e8034bade961a0026ef5f2f0c5b2ed5bb7
    dcfa945c779e13a57f52ad95f2f8933bde8b5c5bca5a525b60af14f74bef
    a3fb9f40956d3154fc42d3c7461f23add90f48709ad9757871d172433475
    6e5759c2025c266029cf2319168e8843a5d4e4cb08fb231143e843297262
    a1a95d5e08d490aeb8d8ce14c2d055f286f6c49343776661c0b9e841d797
    7860036e4a72aea5d17dba109e866c1b8ab95933f8ebc490bef1b9

Crash location:
Exception occurred: java.lang.NegativeArraySizeException (uncaught)"thread=main", org.openmuc.jasn1.ber.types.BerBitString.decode(), line=126 bci=42

main[1] where
[1] org.openmuc.jasn1.ber.types.BerBitString.decode (BerBitString.java:126)
[2] pkix1explicit88.SubjectPublicKeyInfo.decode (SubjectPublicKeyInfo.java:117)
[3] pkix1explicit88.TBSCertificate.decode (TBSCertificate.java:264)
[4] pkix1explicit88.Certificate.decode (Certificate.java:119)
[5] pkix1explicit88.Certificate.decode (Certificate.java:98)
[6] Driver.main (Driver.java:19)

  3. Input:
    3082034130820229a0030201020213066c9fcf99bf8c0a39e2f0788a43e6
    96365bca300d06802a864886f70d01010b05003039310b30090603550406
    13025553310f300d060355040a1306416d617a6f6e311930170603550403
    1310416d617a6f6e20526f6f742043412031301e170d3135303532363030
    303030305a170d3338303131373030303030305a3039310b300906035504
    0613025553310f300d060355040a1306416d617a6f6e3119301706035504
    031310416d617a6f6e20526f6f74204341203130820122300d06092a8648
    86f70d01010105000382010f003082010a0282010100b2788071ca78d5e3
    71af478050747d6ed8d78876f49968f7582160f97484012fac022d86d3a0
    437a4eb2a4d036ba01be8ddb48c80717364cf4ee8823c73eeb37f5b519f8
    4968b0ded7b976381d619ea4fe8236a5e54a56e445e1f9fdb416fa74da9c
    9b35392ffab02050066c7ad080b2a6f9afec47198f503807dca2873958f8
    bad5a9f948673096ee94785e6f89a351c0308666a14566ba54eba3c391f9
    48dcffd1e8302d7d2d747035d78824f79ec4596ebb738717f2324628b843
    fab71daacab4f29f240e2d4bf7715c5e69ffea9502cb388aae50386fdbfb
    2d621bc5c71e54e177e067c80f9c8723d63f40207f2080c4804c3e3b2426
    8e04ae6c9ac8aa0d0203010001a3423040300f0603551d130101ff040530
    030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604
    148418cc8534ecbc0c94942e08599cc7b2104e0a08300d06092a864886f7
    0d01010b0500038201010098f2375a4190a11ac57651282036230eaee628
    bbaaf894ae48a4307f1bfc248d4bb4c8a197f6b6f17a70c85393cc0828e3
    9825cf23a4f9de21d37c8509ad4e9a753ac20b6a897876444718656c8d41
    8e3b7f9acbf4b5a750d7052c37e8034bade961a0026ef5f2f0c5b2ed5bb7
    dcfa945c779e13a57f52ad95f2f8933bde8b5c5bca5a525b60af14f74bef
    a3fb9f40956d3154fc42d3c7461f23add90f48709ad9757871d172433475
    6e5759c2025c266029cf2319168e8843a5d4e4cb08fb231143e843297262
    a1a95d5e08d490aeb8d8ce14c2d055f286f6c49343776661c0b9e841d797
    7860036e4a72aea5d17dba109e866c1b8ab95933f8ebc490bef1b9

Crash location:
Exception occurred: java.lang.NegativeArraySizeException (uncaught)"thread=main", org.openmuc.jasn1.ber.types.BerObjectIdentifier.decode(), line=123 bci=56

main[1] where
[1] org.openmuc.jasn1.ber.types.BerObjectIdentifier.decode (BerObjectIdentifier.java:123)
[2] pkix1explicit88.AlgorithmIdentifier.decode (AlgorithmIdentifier.java:110)
[3] pkix1explicit88.TBSCertificate.decode (TBSCertificate.java:238)
[4] pkix1explicit88.Certificate.decode (Certificate.java:119)
[5] pkix1explicit88.Certificate.decode (Certificate.java:98)
[6] Driver.main (Driver.java:19)

  4. Input:
    3082034130820229a0030201020213066c9fcf99bf8c0a39e2f0788a43e6
    96365bca300d06092a864886f70d01010b05003039310b30090603550406
    13025553310f300d060355040a1306416d617a6f6e311930170603550403
    1310416d617a6f6e20526f6f742043412031301e17803135303532363030
    303030305a170d3338303131373030303030305a3039310b300906035504
    0613025553310f300d060355040a1306416d617a6f6e3119301706035504
    031310416d617a6f6e20526f6f74204341203130820122300d06092a8648
    86f70d01010105000382010f003082010a0282010100b2788071ca78d5e3
    71af478050747d6ed8d78876f49968f7582160f97484012fac022d86d3a0
    437a4eb2a4d036ba01be8ddb48c80717364cf4ee8823c73eeb37f5b519f8
    4968b0ded7b976381d619ea4fe8236a5e54a56e445e1f9fdb416fa74da9c
    9b35392ffab02050066c7ad080b2a6f9afec47198f503807dca2873958f8
    bad5a9f948673096ee94785e6f89a351c0308666a14566ba54eba3c391f9
    48dcffd1e8302d7d2d747035d78824f79ec4596ebb738717f2324628b843
    fab71daacab4f29f240e2d4bf7715c5e69ffea9502cb388aae50386fdbfb
    2d621bc5c71e54e177e067c80f9c8723d63f40207f2080c4804c3e3b2426
    8e04ae6c9ac8aa0d0203010001a3423040300f0603551d130101ff040530
    030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604
    148418cc8534ecbc0c94942e08599cc7b2104e0a08300d06092a864886f7
    0d01010b0500038201010098f2375a4190a11ac57651282036230eaee628
    bbaaf894ae48a4307f1bfc248d4bb4c8a197f6b6f17a70c85393cc0828e3
    9825cf23a4f9de21d37c8509ad4e9a753ac20b6a897876444718656c8d41
    8e3b7f9acbf4b5a750d7052c37e8034bade961a0026ef5f2f0c5b2ed5bb7
    dcfa945c779e13a57f52ad95f2f8933bde8b5c5bca5a525b60af14f74bef
    a3fb9f40956d3154fc42d3c7461f23add90f48709ad9757871d172433475
    6e5759c2025c266029cf2319168e8843a5d4e4cb08fb231143e843297262
    a1a95d5e08d490aeb8d8ce14c2d055f286f6c49343776661c0b9e841d797
    7860036e4a72aea5d17dba109e866c1b8ab95933f8ebc490bef1b9

Crash location:
Exception occurred: java.lang.NegativeArraySizeException (uncaught)"thread=main", org.openmuc.jasn1.ber.types.string.BerVisibleString.decode(), line=67 bci=40

main[1] where
[1] org.openmuc.jasn1.ber.types.string.BerVisibleString.decode (BerVisibleString.java:67)
[2] org.openmuc.jasn1.ber.types.BerUtcTime.decode (BerUtcTime.java:57)
[3] pkix1explicit88.Time.decode (Time.java:92)
[4] pkix1explicit88.Validity.decode (Validity.java:107)
[5] pkix1explicit88.TBSCertificate.decode (TBSCertificate.java:251)
[6] pkix1explicit88.Certificate.decode (Certificate.java:119)
[7] pkix1explicit88.Certificate.decode (Certificate.java:98)
[8] Driver.main (Driver.java:19)

  5. Input:
    3082034130820229a0030201020213066c9fcf99bf8c0a39e2f0788a43e6
    96365bca300d06092a864886f70d01010b05003039310b30090603550406
    13025553310f300d060355040a1306416d617a6f6e311930170603550403
    1310416d617a6f6e20526f6f742043412031301e170d3135303532363030
    303030305a170d3338303131373030303030305a3039310b300906035504
    0613025553310f300d060355040a1306416d617a6f6e3119301706035504
    031310416d617a6f6e20526f6f74204341203130820122300d06092a8648
    86f70d01010105000382010f003082010a0282010100b2788071ca78d5e3
    71af478050747d6ed8d78876f49968f7582160f97484012fac022d86d3a0
    437a4eb2a4d036ba01be8ddb48c80717364cf4ee8823c73eeb37f5b519f8
    4968b0ded7b976381d619ea4fe8236a5e54a56e445e1f9fdb416fa74da9c
    9b35392ffab02050066c7ad080b2a6f9afec47198f503807dca2873958f8
    bad5a9f948673096ee94785e6f89a351c0308666a14566ba54eba3c391f9
    48dcffd1e8302d7d2d747035d78824f79ec4596ebb738717f2324628b843
    fab71daacab4f29f240e2d4bf7715c5e69ffea9502cb388aae50386fdbfb
    2d621bc5c71e54e177e067c80f9c8723d63f40207f2080c4804c3e3b2426
    8e04ae6c9ac8aa0d0203010001a3423040300f0603551d130101ff048030
    030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604
    148418cc8534ecbc0c94942e08599cc7b2104e0a08300d06092a864886f7
    0d01010b0500038201010098f2375a4190a11ac57651282036230eaee628
    bbaaf894ae48a4307f1bfc248d4bb4c8a197f6b6f17a70c85393cc0828e3
    9825cf23a4f9de21d37c8509ad4e9a753ac20b6a897876444718656c8d41
    8e3b7f9acbf4b5a750d7052c37e8034bade961a0026ef5f2f0c5b2ed5bb7
    dcfa945c779e13a57f52ad95f2f8933bde8b5c5bca5a525b60af14f74bef
    a3fb9f40956d3154fc42d3c7461f23add90f48709ad9757871d172433475
    6e5759c2025c266029cf2319168e8843a5d4e4cb08fb231143e843297262
    a1a95d5e08d490aeb8d8ce14c2d055f286f6c49343776661c0b9e841d797
    7860036e4a72aea5d17dba109e866c1b8ab95933f8ebc490bef1b9

Crash location:
Exception occurred: java.lang.NegativeArraySizeException (uncaught)"thread=main", org.openmuc.jasn1.ber.types.BerOctetString.decode(), line=64 bci=40

main[1] where
[1] org.openmuc.jasn1.ber.types.BerOctetString.decode (BerOctetString.java:64)
[2] pkix1explicit88.Extension.decode (Extension.java:136)
[3] pkix1explicit88.Extensions.decode (Extensions.java:92)
[4] pkix1explicit88.TBSCertificate.decode (TBSCertificate.java:295)
[5] pkix1explicit88.Certificate.decode (Certificate.java:119)
[6] pkix1explicit88.Certificate.decode (Certificate.java:98)
[7] Driver.main (Driver.java:19)
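
Each of the five inputs above differs from the valid certificate in exactly one byte: a BER length octet replaced by 0x80 (the indefinite-length marker, which DER does not permit) in, respectively, the NULL parameters of the signature AlgorithmIdentifier, the subjectPublicKey BIT STRING, the algorithm OBJECT IDENTIFIER, the notBefore UTCTime and an extension's OCTET STRING. A NegativeArraySizeException is what Java throws when a negative value reaches `new byte[...]`, and an IndexOutOfBoundsException from FileInputStream.read(b, off, len) is consistent with a negative or oversized len, so the common thread is a decoded length being used before it is validated. The Python below is an added example, not jasn1 code and not the reporter's: a strict DER TLV walker whose length decoder rejects the indefinite form, truncated and non-minimal lengths, and any length that overruns its enclosing element before the value is ever touched, plus the length-octet mutation that regenerates this class of input for any DER blob. The two valid TLVs are copied from the hex in the report (the sha256WithRSAEncryption AlgorithmIdentifier and the notBefore UTCTime); the DerError and Tlv names and the fuzz_lengths helper are this example's own.

```python
"""Strict DER TLV walker plus the length-octet mutation shared by the five crash inputs.

Added example, not jasn1 code. The valid TLVs are copied from the issue's hex; each
malformed one is the same TLV with the single 0x80 length octet the crash inputs carry.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class DerError(ValueError):
    """One catchable error type for every malformed encoding."""


@dataclass
class Tlv:
    tag: int
    length_pos: int               # offset of the first length octet, used by fuzz_lengths
    value: bytes
    children: list[Tlv] = field(default_factory=list)


def read_length(buf: bytes, pos: int, end: int) -> tuple[int, int]:
    """Return (length, offset of first value octet); the element must fit in buf[pos:end]."""
    if pos >= end:
        raise DerError("truncated: length octet missing")
    first, pos = buf[pos], pos + 1
    if first < 0x80:                              # short form
        length = first
    else:                                         # long form: 0x80 | number of length octets
        n = first & 0x7F
        if n == 0:
            # Bare 0x80 is BER's indefinite-length marker. DER forbids it, and it is the
            # one byte by which each crash input differs from the valid certificate.
            raise DerError("indefinite length (0x80) not allowed in DER")
        if n > 4 or pos + n > end:
            raise DerError("length octets too many or truncated")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if buf[pos] == 0 or length < 0x80:
            raise DerError("non-minimal long-form length")
        pos += n
    if length > end - pos:                        # never hand an oversized count to a read
        raise DerError(f"length {length} exceeds {end - pos} remaining octets")
    return length, pos


def parse(buf: bytes, pos: int = 0, end: int | None = None) -> tuple[Tlv, int]:
    """Parse one TLV at pos, recursing into constructed values; returns (tlv, end offset)."""
    end = len(buf) if end is None else end
    if pos >= end:
        raise DerError("truncated: tag octet missing")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise DerError("high-tag-number form not used in X.509, rejected")
    length, vstart = read_length(buf, pos + 1, end)
    vend = vstart + length
    tlv = Tlv(tag, pos + 1, bytes(buf[vstart:vend]))
    cur = vstart
    while tag & 0x20 and cur < vend:              # constructed: children bounded by the parent
        child, cur = parse(buf, cur, vend)
        tlv.children.append(child)
    return tlv, vend


def fuzz_lengths(der: bytes) -> list[str]:
    """Set each TLV's first length octet to 0x80 in turn; a clean DerError is the only acceptable outcome."""
    root, _ = parse(der)
    messages, stack = [], [root]
    while stack:
        t = stack.pop()
        stack.extend(t.children)
        mutant = bytearray(der)
        mutant[t.length_pos] = 0x80
        try:
            parse(bytes(mutant))
        except DerError as e:
            messages.append(str(e))
        else:
            raise AssertionError(f"mutant accepted: {mutant.hex()}")
    return messages


# From the issue's hex: the sha256WithRSAEncryption AlgorithmIdentifier and the notBefore UTCTime.
ALG_ID_OK = bytes.fromhex("300d06092a864886f70d01010b0500")
ALG_ID_CRASH_1 = bytes.fromhex("300d06092a864886f70d01010b0580")  # NULL length -> 0x80
ALG_ID_CRASH_3 = bytes.fromhex("300d06802a864886f70d01010b0500")  # OID length -> 0x80
UTC_OK = bytes.fromhex("170d3135303532363030303030305a")
UTC_CRASH_4 = bytes.fromhex("17803135303532363030303030305a")     # UTCTime length -> 0x80

if __name__ == "__main__":
    print([hex(c.tag) for c in parse(ALG_ID_OK)[0].children])   # ['0x6', '0x5']
    for bad in (ALG_ID_CRASH_1, ALG_ID_CRASH_3, UTC_CRASH_4):
        try:
            parse(bad)
        except DerError as e:
            print(f"{bad.hex()}: {e}")
    print(fuzz_lengths(ALG_ID_OK))
```

Running fuzz_lengths over a whole certificate produces one mutant per TLV in the structure, which is a deterministic superset of the five cases the fuzzer found; a decoder that survives it with nothing but its own error type has closed this particular class of crash, though the truncated and oversized-length cases the walker also rejects deserve the same treatment.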

@sfeuerhahn
Contributor

What makes you sure that the given bytes you used are correct?

@mmeinander
Author

The thinking behind the fuzz testing was to verify that the library would cleanly handle all error scenarios, also when the given input bytes are tampered with. The tampering might be accidental or malicious.
