1330271 - Assertion failure: theTemplate->sub != NULL, at ../../lib/util/secasn1u.c:56

Status: RESOLVED FIXED

(NSS :: Libraries, defect, P2)

Description

[Tim Taubert [:ttaubert] (inactive)]

Attachment: crash-286804a91230ee8a5c779113957217698fa9949a

Assertion failure: theTemplate->sub != NULL, at ../../lib/util/secasn1u.c:56
==29269== ERROR: libFuzzer: deadly signal
    #0 0x4cd590 in __sanitizer_print_stack_trace (/home/worker/dist/Debug/bin/nssfuzz-pkcs8+0x4cd590)
    #1 0x5139ea in fuzzer::Fuzzer::CrashCallback() /home/worker/nss/out/Debug/../../fuzz/libFuzzer/FuzzerLoop.cpp:277:5
    #2 0x513972 in fuzzer::Fuzzer::StaticCrashSignalCallback() /home/worker/nss/out/Debug/../../fuzz/libFuzzer/FuzzerLoop.cpp:261:6
    #3 0x5501c8 in fuzzer::CrashHandler(int, siginfo_t*, void*) /home/worker/nss/out/Debug/../../fuzz/libFuzzer/FuzzerUtilPosix.cpp:37:3
    #4 0x7fcddb3e938f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1138f)
    #5 0x7fcddae40427 in gsignal /build/glibc-t3gR2i/glibc-2.23/signal/../sysdeps/unix/sysv/linux/raise.c:54
    #6 0x7fcddae42029 in abort /build/glibc-t3gR2i/glibc-2.23/stdlib/abort.c:89
    #7 0x7fcdda6bccf9 in PR_Assert /home/worker/nspr/Debug/pr/src/io/../../../../pr/src/io/prlog.c:553:5
    #8 0x7fcddb9d4909 in SEC_ASN1GetSubtemplate /home/worker/nss/out/Debug/../../lib/util/secasn1u.c:56:5
    #9 0x7fcddb9c15ff in sec_asn1d_prepare_for_contents /home/worker/nss/out/Debug/../../lib/util/secasn1d.c:1122:20
    #10 0x7fcddb9bec5e in SEC_ASN1DecoderUpdate_Util /home/worker/nss/out/Debug/../../lib/util/secasn1d.c:2788:17
    #11 0x4f8198 in LLVMFuzzerTestOneInput /home/worker/nss/out/Debug/../../fuzz/pkcs8_target.cc:130:11
    #12 0x5169d0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/worker/nss/out/Debug/../../fuzz/libFuzzer/FuzzerLoop.cpp:549:13
    #13 0x5171c8 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/worker/nss/out/Debug/../../fuzz/libFuzzer/FuzzerLoop.cpp:500:3
    #14 0x51a70a in fuzzer::Fuzzer::MutateAndTestOne() /home/worker/nss/out/Debug/../../fuzz/libFuzzer/FuzzerLoop.cpp:756:30
    #15 0x51b1b4 in fuzzer::Fuzzer::Loop() /home/worker/nss/out/Debug/../../fuzz/libFuzzer/FuzzerLoop.cpp:790:5
    #16 0x4ff2c8 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/worker/nss/out/Debug/../../fuzz/libFuzzer/FuzzerDriver.cpp:536:6
    #17 0x4f8733 in main /home/worker/nss/out/Debug/../../fuzz/libFuzzer/FuzzerMain.cpp:20:10
    #18 0x7fcddae2b82f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
    #19 0x41ede8 in _start (/home/worker/dist/Debug/bin/nssfuzz-pkcs8+0x41ede8)

Comment 1

[Daniel Veditz [:dveditz]]

Looks like this would lead to a null deref crash, but not otherwise be exploitable?

Comment 2

[Tim Taubert [:ttaubert] (inactive)]

We're not always dereferencing if we take the branch on line 68. The problem is that I can't really say whether we alter the ASN.1 state in some way that it might be exploitable. This code is horrible and complex...

Comment 3

[John Schanck [:jschanck]]

Attachment: Bug 1330271 - check for null template in sec_asn1{d,e}_push_state. r=#nss-reviewers

Some of our dynamic template choosers, e.g. sec_pkcs12_choose_attr_type, can
return NULL. This patch adds some defensive checks to avoid crashes when
they do.

Comment 4

[Ryan VanderMeulen [:RyanVM]]

This landed for 3.82.
https://hg.mozilla.org/projects/nss/rev/a323468db07a746bb8908f9385d7988747e939fb

Also uplifted for 3.79.1.
https://hg.mozilla.org/projects/nss/rev/d42c5a1bfe5a8463a7ac9a852dcfeb0af663b7e4