Closed Bug 1334054 Opened 7 years ago Closed 7 years ago

buffer overflow in CERT_FormatName

Tracking

(Not tracked)

Status:

RESOLVED FIXED

Milestone:

3.31

People

(Reporter: franziskus, Assigned: keeler)

References

(Blocks 1 open bug,
URL
)

Details

(Keywords: csectype-bounds, sec-other)

Attachments

(1 file)

crash-8c388e48187d40a38061da3a871c2829582c2e0b 7 years ago Franziskus Kiefer [:franziskus] 2.00 KB, application/octet-stream		Details

Franziskus Kiefer [:franziskus]

Reporter

Description

•

7 years ago

==12296==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000a482 at pc 0x0000005a54b8 bp 0x7ffee119a8f0 sp 0x7ffee119a8e8
WRITE of size 4 at 0x61900000a482 thread T0
    #0 0x5a54b7 in CERT_FormatName /home/franziskus/Code/nss/out/Debug/../../lib/certhigh/certhtml.c:235:9
    #1 0x50aa02 in LLVMFuzzerTestOneInput /home/franziskus/Code/nss/out/Debug/../../fuzz/cert_target.cc:18:23
    #2 0x513ba0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/franziskus/Code/nss/out/Debug/../../fuzz/libFuzzer/FuzzerLoop.cpp:549:13
    #3 0x514392 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/franziskus/Code/nss/out/Debug/../../fuzz/libFuzzer/FuzzerLoop.cpp:500:3
    #4 0x541427 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/franziskus/Code/nss/out/Debug/../../fuzz/libFuzzer/FuzzerDriver.cpp:267:6
    #5 0x5466cd in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/franziskus/Code/nss/out/Debug/../../fuzz/libFuzzer/FuzzerDriver.cpp:485:9
    #6 0x522a62 in main /home/franziskus/Code/nss/out/Debug/../../fuzz/libFuzzer/FuzzerMain.cpp:20:10
    #7 0x7fa9d0990290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #8 0x41f9f9 in _start (/home/franziskus/Code/dist/Debug/bin/nssfuzz-cert+0x41f9f9)

0x61900000a482 is located 0 bytes to the right of 1026-byte region [0x61900000a080,0x61900000a482)
allocated by thread T0 here:
    #0 0x4cf308 in __interceptor_malloc (/home/franziskus/Code/dist/Debug/bin/nssfuzz-cert+0x4cf308)
    #1 0xab29ab in PR_Malloc /home/franziskus/Code/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c:435
    #2 0x6383b1 in PORT_Alloc_Util /home/franziskus/Code/nss/out/Debug/../../lib/util/secport.c:85:14
    #3 0x5a3ff7 in CERT_FormatName /home/franziskus/Code/nss/out/Debug/../../lib/certhigh/certhtml.c:195:19
    #4 0x50aa02 in LLVMFuzzerTestOneInput /home/franziskus/Code/nss/out/Debug/../../fuzz/cert_target.cc:18:23
    #5 0x513ba0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/franziskus/Code/nss/out/Debug/../../fuzz/libFuzzer/FuzzerLoop.cpp:549:13
    #6 0x514392 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/franziskus/Code/nss/out/Debug/../../fuzz/libFuzzer/FuzzerLoop.cpp:500:3
    #7 0x541427 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/franziskus/Code/nss/out/Debug/../../fuzz/libFuzzer/FuzzerDriver.cpp:267:6
    #8 0x5466cd in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/franziskus/Code/nss/out/Debug/../../fuzz/libFuzzer/FuzzerDriver.cpp:485:9
    #9 0x522a62 in main /home/franziskus/Code/nss/out/Debug/../../fuzz/libFuzzer/FuzzerMain.cpp:20:10
    #10 0x7fa9d0990290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)

Franziskus Kiefer [:franziskus]

Reporter

Comment 1

•

7 years ago

Attached file crash-8c388e48187d40a38061da3a871c2829582c2e0b — Details

Tyson Smith [:tsmith]

Comment 2

•

7 years ago

Can this be triggered via a bad cert? (unclear since libfuzzer is being used)

Flags: needinfo?(franziskuskiefer)

Tim Taubert [:ttaubert] (inactive)

Comment 3

•

7 years ago

libcertdb exports CERT_FormatName() but we don't use it anywhere, nor does Firefox.

Daniel Veditz [:dveditz]

Comment 4

•

7 years ago

I don't see it used in mod_nss either.

Keywords: sec-other

Daniel Veditz [:dveditz]

Updated

•

7 years ago

Keywords: csectype-bounds

Franziskus Kiefer [:franziskus]

Reporter

Comment 5

•

7 years ago

Tyson, see comment 3. This is triggered by a bad cert DN in CERT_FormatName. But this function isn't used by anyone as far as I know (but exported).

Flags: needinfo?(franziskuskiefer)

Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)

Assignee

Updated

•

7 years ago

Assignee: nobody → dkeeler

URL: https://nss-review.dev.mozaws.net/D307

Franziskus Kiefer [:franziskus]

Reporter

Comment 6

•

7 years ago

https://hg.mozilla.org/projects/nss/rev/7c60f66743b60cd0f301b138fec7f798dd4cd7f4
Bug 1334054 - fix CERT_FormatName output buffer length calculation r=franziskus

Franziskus Kiefer [:franziskus]

Reporter

Updated

•

7 years ago

Status: NEW → RESOLVED

Closed: 7 years ago

Resolution: --- → FIXED

Target Milestone: --- → 3.31

Daniel Veditz [:dveditz]

Updated

•

7 years ago

Group: crypto-core-security → core-security-release

Daniel Veditz [:dveditz]

Updated

•

5 years ago

Group: core-security-release

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

buffer overflow in CERT_FormatName

Categories

(NSS :: Libraries, defect)

Tracking

(Not tracked)

People

(Reporter: franziskus, Assigned: keeler)

References

(Blocks 1 open bug,
URL
)

Details

(Keywords: csectype-bounds, sec-other)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Comment 2

Comment 3

Comment 4

Updated

Comment 5

Updated

Comment 6

Updated

Updated

Updated

Attachment

General

Description

File Name

Content Type