v1.0.0.-rc1 - secvarctl sigsegv while reading fuzzed ESL file #63

Closed
nasastry opened this issue Oct 3, 2023 · 2 comments

nasastry commented Oct 3, 2023

[root@ltcrain80-lp2 home]# secvarctl read -e PK.esl.sigsegv
	ESL SIG LIST SIZE: 857
	GUID is : a159c0a5e494a74a87b5ab155c2bf072
	Signature type is: X509
Segmentation fault (core dumped)

And with an earlier secvarctl the SIGSEGV is not seen (probable git head at e3658f2ce5d0089e72eb243e8deacaa2ddd577a4):

[root@ltcrain80-lp2 home]# /home/secvarctl/secvarctl -m guest read -e PK.esl.sigsegv
	ESL SIG LIST SIZE: 857
	GUID is : a159c0a5e494a74a87b5ab155c2bf072
	Signature type is: X509
	Found 0 ESL's

RESULT: SUCCESS

nasastry commented Oct 3, 2023

PK.esl.sigsegv.txt

And the bt from core:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fffae8b6390 in ASN1_get_object () from /lib64/libcrypto.so.3
Missing separate debuginfos, use: dnf debuginfo-install secvarctl-1.0.0-1.el9.ppc64le
(gdb) bt
#0  0x00007fffae8b6390 in ASN1_get_object () from /lib64/libcrypto.so.3
#1  0x00007fffae8cd780 in asn1_check_tlen.lto_priv () from /lib64/libcrypto.so.3
#2  0x00007fffae8d36b0 in asn1_item_embed_d2i () from /lib64/libcrypto.so.3
#3  0x00007fffae8d4444 in ASN1_item_d2i_ex () from /lib64/libcrypto.so.3
#4  0x00007fffae8d4520 in ASN1_item_d2i () from /lib64/libcrypto.so.3
#5  0x00007fffaeae0e38 in d2i_X509 () from /lib64/libcrypto.so.3
#6  0x000000010460aee8 in print_variables.constprop ()
#7  0x000000010460e804 in guest_read_command ()
#8  0x00000001045f3600 in main ()

erichte-ibm added a commit to erichte-ibm/secvarctl that referenced this issue Oct 5, 2023
…per functions

Fixes open-power#63, and maybe open-power#61.

As reported in open-power#63, a fuzzed ESL file causes a segfault when reading.
This occurs because the fuzzed ESL contains an internal size value that
is far larger than that of the ESL file itself. Therefore, when we hand
the data to OpenSSL to parse, we give the parsing function a very
incorrect size value to expect, and therefore it overruns the buffer.

Rather than add in more size checks, the function has been rewritten to
use the ESL/ESD iteration helper functions in libstb-secvar, which
already have coverage testing.

Signed-off-by: Eric Richter <erichte@linux.ibm.com>
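The commit message above names the root cause: the fuzzed ESL's SignatureListSize claims more bytes than the file holds, and that claim is handed straight to OpenSSL. As an added example (not secvarctl's or libstb-secvar's code), here is a defensive size check over the EFI_SIGNATURE_LIST header that rejects such a file before any d2i_X509() call; the field layout follows the UEFI spec, the GUID bytes are the ones printed in the report, and the function names and the 48-byte constructed sample are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* EFI_SIGNATURE_LIST header: 16-byte SignatureType GUID followed by SignatureListSize,
 * SignatureHeaderSize, SignatureSize (LE uint32 each). Fields are read byte-wise so the
 * checks are endian-neutral (the report comes from a ppc64le host). */
#define ESL_HDR_SIZE   28u
#define ESD_OWNER_SIZE 16u   /* SignatureOwner GUID in front of each SignatureData */

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Returns 0 when every internal size is consistent with buf_len, else a nonzero
 * code naming the first failed check. Only then hand SignatureData to d2i_X509(). */
int esl_sizes_ok(const uint8_t *buf, size_t buf_len) {
    if (buf == NULL || buf_len < ESL_HDR_SIZE) return 1;          /* header truncated */
    uint32_t list_size = rd32le(buf + 16);
    uint32_t hdr_size  = rd32le(buf + 20);
    uint32_t sig_size  = rd32le(buf + 24);
    if (list_size < ESL_HDR_SIZE || list_size > buf_len) return 2; /* the fuzzed case */
    if (hdr_size > list_size - ESL_HDR_SIZE) return 3;
    uint32_t data_len = list_size - ESL_HDR_SIZE - hdr_size;
    if (sig_size <= ESD_OWNER_SIZE) return 4;                      /* no room for a cert */
    if (data_len % sig_size != 0) return 5;                        /* ESDs must tile exactly */
    return 0;
}

/* Constructed 48-byte sample: one ESL with a single ESD whose 4-byte payload is a
 * placeholder, not a certificate. list_size_field is written verbatim so a caller
 * can inject an inconsistent value the way the fuzzed file does. */
size_t make_sample_esl(uint8_t *out, uint32_t list_size_field) {
    static const uint8_t x509_guid[16] = { /* GUID bytes as printed in the report */
        0xa1,0x59,0xc0,0xa5,0xe4,0x94,0xa7,0x4a,0x87,0xb5,0xab,0x15,0x5c,0x2b,0xf0,0x72 };
    memcpy(out, x509_guid, 16);
    wr32le(out + 16, list_size_field);
    wr32le(out + 20, 0);                                   /* no signature header */
    wr32le(out + 24, ESD_OWNER_SIZE + 4);                  /* owner GUID + 4 payload bytes */
    memset(out + ESL_HDR_SIZE, 0xee, ESD_OWNER_SIZE + 4);  /* placeholder owner + data */
    return ESL_HDR_SIZE + ESD_OWNER_SIZE + 4;
}

/* Builds the sample with the given SignatureListSize and validates it. */
int check_sample(uint32_t list_size_field) {
    uint8_t buf[64];
    size_t n = make_sample_esl(buf, list_size_field);
    return esl_sizes_ok(buf, n);
}
```

A SignatureListSize of 857, the value printed in the report, on a 48-byte buffer fails check 2 instead of reaching the ASN.1 parser.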
@erichte-ibm erichte-ibm added this to the 1.0.0 milestone Oct 5, 2023
erichte-ibm added a commit to erichte-ibm/secvarctl that referenced this issue Oct 6, 2023
nick-child-ibm pushed a commit that referenced this issue Oct 6, 2023
nasastry (Author) commented:

With RC2, not seeing this error:

[root@ltcrain80-lp2 home]# secvarctl read -e PK.esl.sigsegv
ESL's internal sizes are not OK
Error reading from esl buffer: 2
RESULT: FAILURE

nick-child-ibm pushed a commit that referenced this issue Feb 6, 2024