Closed
Bug 1334054
Opened 7 years ago
Closed 7 years ago
buffer overflow in CERT_FormatName
Categories
(NSS :: Libraries, defect)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
FIXED
3.31
People
(Reporter: franziskus, Assigned: keeler)
References
(Blocks 1 open bug, )
Details
(Keywords: csectype-bounds, sec-other)
Attachments
(1 file)
2.00 KB,
application/octet-stream
==12296==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000a482 at pc 0x0000005a54b8 bp 0x7ffee119a8f0 sp 0x7ffee119a8e8
WRITE of size 4 at 0x61900000a482 thread T0
    #0 0x5a54b7 in CERT_FormatName /home/franziskus/Code/nss/out/Debug/../../lib/certhigh/certhtml.c:235:9
    #1 0x50aa02 in LLVMFuzzerTestOneInput /home/franziskus/Code/nss/out/Debug/../../fuzz/cert_target.cc:18:23
    #2 0x513ba0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/franziskus/Code/nss/out/Debug/../../fuzz/libFuzzer/FuzzerLoop.cpp:549:13
    #3 0x514392 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/franziskus/Code/nss/out/Debug/../../fuzz/libFuzzer/FuzzerLoop.cpp:500:3
    #4 0x541427 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/franziskus/Code/nss/out/Debug/../../fuzz/libFuzzer/FuzzerDriver.cpp:267:6
    #5 0x5466cd in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/franziskus/Code/nss/out/Debug/../../fuzz/libFuzzer/FuzzerDriver.cpp:485:9
    #6 0x522a62 in main /home/franziskus/Code/nss/out/Debug/../../fuzz/libFuzzer/FuzzerMain.cpp:20:10
    #7 0x7fa9d0990290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #8 0x41f9f9 in _start (/home/franziskus/Code/dist/Debug/bin/nssfuzz-cert+0x41f9f9)

0x61900000a482 is located 0 bytes to the right of 1026-byte region [0x61900000a080,0x61900000a482)
allocated by thread T0 here:
    #0 0x4cf308 in __interceptor_malloc (/home/franziskus/Code/dist/Debug/bin/nssfuzz-cert+0x4cf308)
    #1 0xab29ab in PR_Malloc /home/franziskus/Code/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c:435
    #2 0x6383b1 in PORT_Alloc_Util /home/franziskus/Code/nss/out/Debug/../../lib/util/secport.c:85:14
    #3 0x5a3ff7 in CERT_FormatName /home/franziskus/Code/nss/out/Debug/../../lib/certhigh/certhtml.c:195:19
    #4 0x50aa02 in LLVMFuzzerTestOneInput /home/franziskus/Code/nss/out/Debug/../../fuzz/cert_target.cc:18:23
    #5 0x513ba0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/franziskus/Code/nss/out/Debug/../../fuzz/libFuzzer/FuzzerLoop.cpp:549:13
    #6 0x514392 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /home/franziskus/Code/nss/out/Debug/../../fuzz/libFuzzer/FuzzerLoop.cpp:500:3
    #7 0x541427 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/franziskus/Code/nss/out/Debug/../../fuzz/libFuzzer/FuzzerDriver.cpp:267:6
    #8 0x5466cd in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/franziskus/Code/nss/out/Debug/../../fuzz/libFuzzer/FuzzerDriver.cpp:485:9
    #9 0x522a62 in main /home/franziskus/Code/nss/out/Debug/../../fuzz/libFuzzer/FuzzerMain.cpp:20:10
    #10 0x7fa9d0990290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
Reporter
Comment 1•7 years ago
Comment 2•7 years ago
Can this be triggered via a bad cert? (unclear since libfuzzer is being used)
Flags: needinfo?(franziskuskiefer)
Comment 3•7 years ago
libcertdb exports CERT_FormatName() but we don't use it anywhere, nor does Firefox.
Updated•7 years ago
Keywords: csectype-bounds
Reporter
Comment 5•7 years ago
Tyson, see comment 3. This is triggered by a bad cert DN in CERT_FormatName. But this function isn't used by anyone as far as I know (but exported).
Flags: needinfo?(franziskuskiefer)
Assignee
Updated•7 years ago
Assignee: nobody → dkeeler
Reporter
Comment 6•7 years ago
https://hg.mozilla.org/projects/nss/rev/7c60f66743b60cd0f301b138fec7f798dd4cd7f4 Bug 1334054 - fix CERT_FormatName output buffer length calculation r=franziskus
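The fix in comment 6 is described as a correction to the output buffer length calculation, and the sanitizer report above shows the symptom of that defect class: a 4-byte write landing exactly at the end of a 1026-byte heap region allocated earlier in the same function. The C program below is an added illustration, not NSS code and not the real CERT_FormatName logic (which this bug page does not show). It is a constructed name formatter whose sizing pass and writing pass can disagree, paired with a bounded writer that fails closed instead of writing past the allocation. Every identifier in it (struct ava, format_name, the sizer functions, the sample subject values) is made up for the example.

```c
/* Added example, not NSS code: a minimal "format a name" routine that turns
 * (type, value) attribute pairs into "type=value, type=value" and shows the
 * class of defect the bug title names: the length used to allocate the output
 * buffer disagrees with what the writer emits. All names are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ava { const char *type; const char *value; };   /* hypothetical attribute */

/* Bounded writer: refuses to write past the allocated length and records that
 * an overflow was attempted, instead of corrupting the heap. */
struct outbuf { char *buf; size_t cap; size_t len; int overflowed; };

static void out_puts(struct outbuf *o, const char *s)
{
    size_t n = strlen(s);
    if (o->len + n >= o->cap) {         /* keep room for the terminating NUL */
        o->overflowed = 1;
        return;
    }
    memcpy(o->buf + o->len, s, n);
    o->len += n;
}

/* Under-counting sizer: forgets the ", " separators between attributes.
 * This mirrors the bug class (allocation shorter than the formatted output),
 * not the specific NSS arithmetic, which the bug page does not show. */
static size_t size_name_buggy(const struct ava *avas, size_t n)
{
    size_t total = 1;                   /* NUL terminator */
    for (size_t i = 0; i < n; i++)
        total += strlen(avas[i].type) + 1 + strlen(avas[i].value);  /* "type=value" */
    return total;
}

/* Correct sizer: counts every byte the writer will emit, separators included. */
static size_t size_name_fixed(const struct ava *avas, size_t n)
{
    size_t total = 1;                   /* NUL terminator */
    for (size_t i = 0; i < n; i++) {
        total += strlen(avas[i].type) + 1 + strlen(avas[i].value);
        if (i + 1 < n) total += 2;      /* ", " between attributes */
    }
    return total;
}

/* Allocates with the chosen sizer, then formats through the bounded writer.
 * Returns the formatted string (caller frees) or NULL if the sizer was wrong. */
static char *format_name(const struct ava *avas, size_t n,
                         size_t (*sizer)(const struct ava *, size_t))
{
    size_t cap = sizer(avas, n);
    struct outbuf o = { malloc(cap), cap, 0, 0 };
    if (!o.buf) return NULL;
    for (size_t i = 0; i < n; i++) {
        if (i) out_puts(&o, ", ");
        out_puts(&o, avas[i].type);
        out_puts(&o, "=");
        out_puts(&o, avas[i].value);
    }
    if (o.overflowed) {                 /* sizer and writer disagree: fail closed */
        free(o.buf);
        return NULL;
    }
    o.buf[o.len] = '\0';
    return o.buf;
}

/* Constructed sample input resembling a certificate subject name. */
static const struct ava sample[] = {
    { "CN", "example.test" }, { "O", "Example Org" }, { "C", "XX" },
};
static const size_t sample_n = sizeof sample / sizeof sample[0];

int main(void)
{
    char *bad = format_name(sample, sample_n, size_name_buggy);
    char *good = format_name(sample, sample_n, size_name_fixed);
    printf("buggy sizer: %s\n", bad ? bad : "(rejected: would have overflowed)");
    printf("fixed sizer: %s\n", good ? good : "(error)");
    free(bad);
    free(good);
    return 0;
}
```

The point of the bounded writer is that the two passes are checked against each other at run time: a sizing mistake becomes a rejected output rather than a heap write that only AddressSanitizer notices, which is the property a fuzz target like the one in the stack trace exercises.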
Reporter
Updated•7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.31
Updated•7 years ago
Group: crypto-core-security → core-security-release
Updated•5 years ago
Group: core-security-release