Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

one-byte-heap-overread (wolfcrypt/src/asn.c:7584) #2421

Closed
flyroom opened this issue Aug 21, 2019 · 1 comment
Closed

one-byte-heap-overread (wolfcrypt/src/asn.c:7584) #2421

flyroom opened this issue Aug 21, 2019 · 1 comment
Assignees
@JacobBarthelmeh
Labels
bug Resolved

Comments

@flyroom
Copy link

flyroom commented Aug 21, 2019

tested on wolfSSL 4.1.0 / ubuntu 14.04/ clang / asan
Hi, I've came upon an one-byte-heap-overread bug
due to corner case mishandling in GetLength_ex(wolfcrypt/src/asn.c:189), you could trigger it by loading attached DER certificate using API wolfSSL_X509_d2i (or example_cert_parsing_app) (test_crt.zip)
Corner cases:

if (check && (**idx + length**) > maxIdx) {   /* for user of length */

      WOLFSSL_MSG("GetLength value exceeds buffer length");

      return BUFFER_E;

  }

If idx + length == maxIdx which passed the check, it will trigger a buffer over read in (wolfcrypt/src/asn.c:7584)

if (**input[idx]** == ASN_BOOLEAN) {
            ret = GetBoolean(input, &idx, sz);
            if (ret < 0) {
                WOLFSSL_MSG("\tfail: critical boolean");
                return ret;
            }

            critical = (byte)ret;
        }

ASAN report

==49107==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000048f at pc 0x7f755c0cd6cc bp 0x7ffce2a2cc00 sp 0x7ffce2a2cbf8
READ of size 1 at 0x61900000048f thread T0
    #0 0x7f755c0cd6cb in DecodeCertExtensions wolfcrypt/src/asn.c:7584
    #1 0x7f755c0cd6cb in ParseCertRelative wolfcrypt/src/asn.c:8174
    #2 0x7f755c062097 in wolfSSL_X509_d2i src/ssl.c:15361
    #3 0x7f755c04b685 in main (/opt/disk/wolfSSL_X509_d2i_gcc+0x1e685)
    #4 0x7f755ad94f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #5 0x7f755c04b2eb  (/opt/disk/wolfSSL_X509_d2i_gcc+0x1e2eb)

0x61900000048f is located 0 bytes to the right of 1039-byte region [0x619000000080,0x61900000048f)
allocated by thread T0 here:
    #0 0x7f755b4fc479 in __interceptor_malloc /home/nwani/m3/conda-bld/compilers_linux-64_1560109574129/work/.build/x86_64-conda_cos6-linux-gnu/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7f755c04b5aa in main (/opt/disk/wolfSSL_X509_d2i_gcc+0x1e5aa)
    #2 0x7f755ad94f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-buffer-overflow wolfcrypt/src/asn.c:7584 in DecodeCertExtensions
Shadow bytes around the buggy address:
  0x0c327fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8090: 00[07]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represen
[test_crt.zip](https://github.com/wolfSSL/wolfssl/files/3524394/test_crt.zip)

ts 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==49107==ABORTING
@JacobBarthelmeh JacobBarthelmeh mentioned this issue Aug 22, 2019
Merged
@JacobBarthelmeh
Copy link
Contributor

Hi @flyroom,

Thank you for the report!

I created a PR (#2425) that does a check on the buffer before reading the ASN_BOOLEAN byte. The ASAN I have on my development system was not reporting the issue but printing out the values when running the test case it does look like it is accessing one index over.

$ ./a.out 
idx = 135 sz = 135

Am considering a PR also for the GetLength check. Can you tell us some about your project? And if you send a mailing address to our support (at) wolfssl we would like to send you some swag.

Regards,
Jacob

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@JacobBarthelmeh JacobBarthelmeh

Labels
bug Resolved
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@flyroom @kaleb-himes @JacobBarthelmeh