Closed Bug 1330952 Opened 7 years ago Closed 7 years ago

Assertion failure: ss->ssl3.prSpec->version <= SSL_LIBRARY_VERSION_TLS_1_2, at ../../lib/ssl/ssl3con.c:9773

Categories

(NSS :: Libraries, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1341002

People

(Reporter: ttaubert, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Assertion failure: ss->ssl3.prSpec->version <= SSL_LIBRARY_VERSION_TLS_1_2, at ../../lib/ssl/ssl3con.c:9773
==83716== ERROR: libFuzzer: deadly signal
    #0 0x1146947c0 in __sanitizer_print_stack_trace (/Users/tim/bin/clang-3.9/lib/clang/3.9.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x5c7c0)
    #1 0x10bbccb43 in fuzzer::Fuzzer::CrashCallback() (/Users/tim/workspace/nss-code/nss/../dist/Debug/bin/nssfuzz-client+0x10002fb43)
    #2 0x10bbccac2 in fuzzer::Fuzzer::StaticCrashSignalCallback() (/Users/tim/workspace/nss-code/nss/../dist/Debug/bin/nssfuzz-client+0x10002fac2)
    #3 0x10bc39e18 in fuzzer::CrashHandler(int, __siginfo*, void*) (/Users/tim/workspace/nss-code/nss/../dist/Debug/bin/nssfuzz-client+0x10009ce18)
LLVMSymbolizer: error reading file: fat file does not contain x86_64h
    #4 0x7fff9731d529  (/usr/lib/system/libsystem_platform.dylib+0x2529)
    #5 0x114602e8a  (/Users/tim/workspace/nss-code/dist/Debug/lib/libnspr4.dylib+0x185e8a)
LLVMSymbolizer: error reading file: fat file does not contain x86_64h
    #6 0x7fff988546de  (/usr/lib/system/libsystem_c.dylib+0x5e6de)
    #7 0x11449febb in PR_Assert (/Users/tim/workspace/nss-code/dist/Debug/lib/libnspr4.dylib+0x22ebb)
    #8 0x1142d6b43 in ssl3_HandleCertificateVerify (/Users/tim/workspace/nss-code/dist/Debug/lib/libssl3.dylib+0x58b43)
    #9 0x1142bcad3 in ssl3_HandlePostHelloHandshakeMessage (/Users/tim/workspace/nss-code/dist/Debug/lib/libssl3.dylib+0x3ead3)
    #10 0x1142b77ba in ssl3_HandleHandshakeMessage (/Users/tim/workspace/nss-code/dist/Debug/lib/libssl3.dylib+0x397ba)
    #11 0x1142c1d0e in ssl3_HandleHandshake (/Users/tim/workspace/nss-code/dist/Debug/lib/libssl3.dylib+0x43d0e)
    #12 0x1142bdf47 in ssl3_HandleRecord (/Users/tim/workspace/nss-code/dist/Debug/lib/libssl3.dylib+0x3ff47)
    #13 0x1142fb2bb in ssl3_GatherCompleteHandshake (/Users/tim/workspace/nss-code/dist/Debug/lib/libssl3.dylib+0x7d2bb)
    #14 0x11430635b in ssl_GatherRecord1stHandshake (/Users/tim/workspace/nss-code/dist/Debug/lib/libssl3.dylib+0x8835b)
    #15 0x11431131c in ssl_Do1stHandshake (/Users/tim/workspace/nss-code/dist/Debug/lib/libssl3.dylib+0x9331c)
    #16 0x114314f8f in SSL_ForceHandshake (/Users/tim/workspace/nss-code/dist/Debug/lib/libssl3.dylib+0x96f8f)
    #17 0x10bba92d7 in LLVMFuzzerTestOneInput (/Users/tim/workspace/nss-code/nss/../dist/Debug/bin/nssfuzz-client+0x10000c2d7)
    #18 0x10bbd0b3b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/Users/tim/workspace/nss-code/nss/../dist/Debug/bin/nssfuzz-client+0x100033b3b)
    #19 0x10bbd133f in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) (/Users/tim/workspace/nss-code/nss/../dist/Debug/bin/nssfuzz-client+0x10003433f)
    #20 0x10bbaaa96 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/Users/tim/workspace/nss-code/nss/../dist/Debug/bin/nssfuzz-client+0x10000da96)
    #21 0x10bbaef2d in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/Users/tim/workspace/nss-code/nss/../dist/Debug/bin/nssfuzz-client+0x100011f2d)
    #22 0x10bbe4763 in main (/Users/tim/workspace/nss-code/nss/../dist/Debug/bin/nssfuzz-client+0x100047763)
LLVMSymbolizer: error reading file: fat file does not contain x86_64h
    #23 0x7fff9df4b5ac  (/usr/lib/system/libdyld.dylib+0x35ac)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x16,0x3,0x1,0x0,0x4,0xf,0x0,0x0,0x0,
\x16\x03\x01\x00\x04\x0f\x00\x00\x00
Blocks: nss-fuzz
INFO: MaxLen: 20000
INFO: Seed: 3948298322
INFO: Loaded 0 modules (0 guards): 
../dist/Debug/bin/nssfuzz-client: Running 1 inputs 1 time(s) each.
Running: ./crash-03c0546658fa10eb13a50dbfd5fced760f0e3cb2
SSL: tracing set to 100
83810: SSL: grow buffer from 0 to 18432
83810: SSL: grow buffer from 0 to 18432
ssl3_GatherCompleteHandshake
83810: SSL3[48080]: gather state 1 (need 5 more)
83810: SSL[48080]: raw gather data: [Len: 5]
   16 03 01 00 04                                    .....
83810: SSL: grow buffer from 0 to 18432
83810: SSL3[48080]: gather state 2 (need 4 more)
83810: SSL[48080]: raw gather data: [Len: 4]
   0f 00 00 00                                       ....
83810: SSL[48080]: got record of 4 bytes
83810: SSL[-]: disabling group 19
83810: SSL[-]: disabling group 17
83810: SSL[-]: disabling group 15
83810: SSL[-]: disabling group 16
83810: SSL[-]: disabling group 1
83810: SSL[-]: disabling group 2
83810: SSL[-]: disabling group 3
83810: SSL[-]: disabling group 18
83810: SSL[-]: disabling group 4
83810: SSL[-]: disabling group 5
83810: SSL[-]: disabling group 21
83810: SSL[-]: disabling group 20
83810: SSL[-]: disabling group 6
83810: SSL[-]: disabling group 7
83810: SSL[-]: disabling group 8
83810: SSL[-]: disabling group 22
83810: SSL[-]: disabling group 9
83810: SSL[-]: disabling group 10
83810: SSL[-]: disabling group 11
83810: SSL[-]: disabling group 12
83810: SSL[-]: disabling group 13
83810: SSL[-]: disabling group 14
83810: SSL3[48080]: handle handshake message: certificate_verify  (15)
83810: SSL: grow buffer from 0 to 18432
83810: SSL3[48080]: handle certificate_verify handshake
Assertion failure: ss->ssl3.prSpec->version <= SSL_LIBRARY_VERSION_TLS_1_2, at ../../lib/ssl/ssl3con.c:9773
==83810== ERROR: libFuzzer: deadly signal
    #0 0x116d517c0 in __sanitizer_print_stack_trace (/Users/tim/bin/clang-3.9/lib/clang/3.9.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x5c7c0)
    #1 0x10e28eb43 in fuzzer::Fuzzer::CrashCallback() (/Users/tim/workspace/nss-code/nss/../dist/Debug/bin/nssfuzz-client+0x10002fb43)
    #2 0x10e28eac2 in fuzzer::Fuzzer::StaticCrashSignalCallback() (/Users/tim/workspace/nss-code/nss/../dist/Debug/bin/nssfuzz-client+0x10002fac2)
    #3 0x10e2fbe18 in fuzzer::CrashHandler(int, __siginfo*, void*) (/Users/tim/workspace/nss-code/nss/../dist/Debug/bin/nssfuzz-client+0x10009ce18)
LLVMSymbolizer: error reading file: fat file does not contain x86_64h
    #4 0x7fff9731d529  (/usr/lib/system/libsystem_platform.dylib+0x2529)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x16,0x3,0x1,0x0,0x4,0xf,0x0,0x0,0x0,
\x16\x03\x01\x00\x04\x0f\x00\x00\x00
ss->version is still 0 at this point because certificate_verify is the first message we see. Should we turn the assertion into something like:

> PORT_Assert(ss->version == 0 || ss->ssl3.prSpec->version <= SSL_LIBRARY_VERSION_TLS_1_2)

? Also, this isn't security sensitive as we'll bail out right below.
Group: crypto-core-security
Flags: needinfo?(ekr)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Flags: needinfo?(ekr)
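Added example, not part of the bug report and not NSS code: a small C decoder for the 9-byte reproducer printed above. It shows that the input is a single handshake record whose only message is an empty certificate_verify (type 15), arriving before any ServerHello. The struct, the function names and the `negotiated` parameter (standing in for ss->version) are assumptions made for illustration, and the ordering rule is a simplified client model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Reproducer bytes exactly as libFuzzer printed them in the report. */
static const uint8_t kReproducer[9] = {0x16, 0x03, 0x01, 0x00, 0x04,
                                       0x0f, 0x00, 0x00, 0x00};
enum { CT_HANDSHAKE = 22, HS_HELLO_REQUEST = 0, HS_SERVER_HELLO = 2 };

typedef struct {             /* hypothetical triage struct, not an NSS type */
    uint16_t record_version; /* version field of the record header */
    uint16_t record_len;     /* bytes of payload in the record */
    uint8_t  hs_type;        /* handshake message type */
    uint32_t hs_len;         /* 24-bit handshake body length */
} first_msg;

/* Decode the 5-byte record header and the 4-byte handshake header.
 * Returns 0 on success, -1 if truncated or not a handshake record. */
int parse_first_handshake(const uint8_t *buf, size_t len, first_msg *out)
{
    if (len < 5 || buf[0] != CT_HANDSHAKE)
        return -1;
    out->record_version = (uint16_t)((buf[1] << 8) | buf[2]);
    out->record_len = (uint16_t)((buf[3] << 8) | buf[4]);
    if (out->record_len < 4 || len - 5 < out->record_len)
        return -1;
    out->hs_type = buf[5];
    out->hs_len = ((uint32_t)buf[6] << 16) | ((uint32_t)buf[7] << 8) | buf[8];
    return 0;
}

/* Simplified client model: while nothing is negotiated (negotiated == 0),
 * only hello_request or server_hello may come first. 1 = out of order. */
int out_of_order_for_client(const first_msg *m, uint16_t negotiated)
{
    if (negotiated != 0)
        return 0; /* later ordering rules are outside this model */
    return m->hs_type != HS_HELLO_REQUEST && m->hs_type != HS_SERVER_HELLO;
}

int main(void)
{
    first_msg m;
    if (parse_first_handshake(kReproducer, sizeof kReproducer, &m) != 0)
        return 1;
    printf("record 0x%04x len %u, handshake type %u len %u, out of order: %d\n",
           (unsigned)m.record_version, (unsigned)m.record_len,
           (unsigned)m.hs_type, (unsigned)m.hs_len, out_of_order_for_client(&m, 0));
    return 0;
}
```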