Closed Bug 1581024 Opened 3 years ago Closed 3 years ago

Heap overflow in NSS utility "derdump"

Categories

(NSS :: Libraries, defect, P1)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: slei.casper, Assigned: kjacobs)

Details

(Keywords: csectype-bounds, sec-other)

Attachments

(6 files, 1 obsolete file)

Attached file crashdata

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.75 Safari/537.36

Steps to reproduce:

  1. download nss and nspr using the commands
hg clone https://hg.mozilla.org/projects/nspr
hg clone https://hg.mozilla.org/projects/nss
  2. compile nss with ASAN
cd nss; ./build.sh --asan -v
  3. run derdump with the poc I uploaded

Actual results:

C-Sequence  (459)
   C-Sequence  (373)
      C-[0]  (3)
         Integer  (1)
            02
      Integer  (1)
         00
      C-Sequence  (13)
         Object Identifier  (9)
            1 2 840 113549 1 1 4 (PKCS #1 MD5 With RSA Encryption)
         NULL  (0)
      C-Sequence  (75)
         C-Set  (11)
            C-Sequence  (9)
               Object Identifier  (3)
                  2 5 4 6 (X520 Country Name)
               Printable String  (2)
                  "US"
         C-Set  (22)
            C-Sequence  (20)
               Object Identifier  (3)
                  2 5 4 10 (X520 Organization Name)
               Printable String  (13)
                  "VeriSign Inc."
         C-Set  (20)
            C-Sequence  (18)
               Object Identifier  (3)
                  2 5 4 11 (X520 Organizational Unit Name)
               Printable String  (11)
                  "Engineering"
         C-Set  (14)
            C-Sequence  (12)
               Object Identifier  (1426326291)
                   0 5 74 97 115 111 110 48 30 23 13 57 53 48 56 48 56 48 55 48 48 48 48 90 23 13 57 54 48 56 48 55 48 55 48 48 48 48 90 48 75 49 11 48 9 6 3 85 4 6 19 2 85 83 49 22 48 20 6 3 85 4 10 19 13 86 101 114 105 83 105 103 110 32 73 110 99 46 49 20 48 47 6 3 85 4 11 19 11 69 110 103 105 110 101 101 114 105 110 103 49 14 48 12 6 3 85 4 3 19 5 74 97 115 111 110 48 92 48 13 6 9 42 840 113549 1 1 1 5 0 3 75 0 48 72 2 65 0 774900 84 248997564 85 3469719127 12722 57 12800 62 1132239 6145 26 118 28 22 16 8438 18 122 70 14730 5 12353 40901617 1154615 18 42 242141760 2 26 491555 117 104 15041 2 3 1 0 1 4548 48 66 48 20 6 3 97 98 99 1 1 16260 10 101 120 116 101 110 115 105 111 110 49 48 20 6 3 100 101 102 1 1 16260 10 101 120 116 101 110 83 105 0 4 50 48 20 6 3 103 104 105 1 1 16260 10 101 120 116 101 110 115 105 111 110 51 48 13 6 9 42 840 113549 1 1 4 5 0 3 65 0 107 2 9944 84 3122 1513474 5266 96 1372200640 11 75 100 438 7471 2185 51 1934920 182017400 4301 81 95 104 201 15038 49 10393 150222000 1455364 962619
=================================================================
==30257==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5202a4f at pc 0x081490b7 bp 0xbff60fa8 sp 0xbff60fa0
READ of size 1 at 0xb5202a4f thread T0
    #0 0x81490b6 in prettyPrintObjectID /home/casper/targets/nss/originasan/nss/out/Debug/../../cmd/lib/derprint.c:258:13
    #1 0x81490b6 in prettyPrintItem /home/casper/targets/nss/originasan/nss/out/Debug/../../cmd/lib/derprint.c:552
    #2 0x8147d64 in prettyPrintItem /home/casper/targets/nss/originasan/nss/out/Debug/../../cmd/lib/derprint.c:519:24
    #3 0x8147d64 in prettyPrintItem /home/casper/targets/nss/originasan/nss/out/Debug/../../cmd/lib/derprint.c:519:24
    #4 0x8147d64 in prettyPrintItem /home/casper/targets/nss/originasan/nss/out/Debug/../../cmd/lib/derprint.c:519:24
    #5 0x8147d64 in prettyPrintItem /home/casper/targets/nss/originasan/nss/out/Debug/../../cmd/lib/derprint.c:519:24
    #6 0x8147d64 in prettyPrintItem /home/casper/targets/nss/originasan/nss/out/Debug/../../cmd/lib/derprint.c:519:24
    #7 0x8146c88 in DER_PrettyPrint /home/casper/targets/nss/originasan/nss/out/Debug/../../cmd/lib/derprint.c:590:10
    #8 0x813c17a in main /home/casper/targets/nss/originasan/nss/out/Debug/../../cmd/derdump/derdump.c:97:14
    #9 0xb7b03b40 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1ab40)
    #10 0x8067b11 in _start (/home/casper/targets/nss/originasan/dist/Debug/bin/derdumpfuzz/derdump+0x8067b11)

0xb5202a4f is located 0 bytes to the right of 463-byte region [0xb5202880,0xb5202a4f)
allocated by thread T0 here:
    #0 0x810b355 in malloc (/home/casper/targets/nss/originasan/dist/Debug/bin/derdumpfuzz/derdump+0x810b355)
    #1 0xb7aaa778 in PR_Malloc (/lib/i386-linux-gnu/libnspr4.so+0x12778)
    #2 0x813e510 in SECU_FileToItem /home/casper/targets/nss/originasan/nss/out/Debug/../../cmd/lib/basicutil.c:150:16
    #3 0x814cd8e in SECU_ReadDERFromFile /home/casper/targets/nss/originasan/nss/out/Debug/../../cmd/lib/secutil.c:552:14
    #4 0x813c164 in main /home/casper/targets/nss/originasan/nss/out/Debug/../../cmd/derdump/derdump.c:95:10
    #5 0xb7b03b40 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1ab40)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/casper/targets/nss/originasan/nss/out/Debug/../../cmd/lib/derprint.c:258:13 in prettyPrintObjectID
Shadow bytes around the buggy address:
  0x36a404f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a40500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a40510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36a40520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36a40530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36a40540: 00 00 00 00 00 00 00 00 00[07]fa fa fa fa fa fa
  0x36a40550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a40560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36a40570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36a40580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36a40590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==30257==ABORTING

JC, can you take a look, please?

Assignee: nobody → nobody
Group: firefox-core-security → crypto-core-security
Component: Untriaged → Libraries
Flags: needinfo?(jjones)
Product: Firefox → NSS
QA Contact: jjones
Version: unspecified → other
Flags: needinfo?(jjones)

Thanks for the report. Is this on any specific revision? Can you confirm it's still reproducible on the latest revision?

FWIW, I get the following output:

kjacobs-44776:nss kjacobs$ ./build.sh -c --asan
NSPR [1/5] configure ...
NSPR [2/5] make ...
NSPR [3/5] NOT building tests
NSPR [4/5] NOT running tests
NSPR [5/5] install ...
ninja: Entering directory `/Users/kjacobs/repos/nss/out/Debug'
[1169/1169] STAMP obj/nss_tests.actions_depends.stamp
kjacobs-44776:nss kjacobs$ ../dist/Debug/bin/derdump -i crashdata 
C-Sequence  (459)
   C-Sequence  (373)
      C-[0]  (3)
         Integer  (1)
            02 
      Integer  (1)
         00 
      C-Sequence  (13)
         Object Identifier  (9)
            1 2 840 113549 1 1 4 (PKCS #1 MD5 With RSA Encryption)
         NULL  (0)
      C-Sequence  (75)
         C-Set  (11)
            C-Sequence  (9)
               Object Identifier  (3)
                  2 5 4 6 (X520 Country Name)
               Printable String  (2)
                  "US"
         C-Set  (22)
            C-Sequence  (20)
               Object Identifier  (3)
                  2 5 4 10 (X520 Organization Name)
               Printable String  (13)
                  "VeriSign Inc."
         C-Set  (20)
            C-Sequence  (18)
               Object Identifier  (3)
                  2 5 4 11 (X520 Organizational Unit Name)
               Printable String  (11)
                  "Engineering"
         C-Set  (14)
            C-Sequence  (12)
               Object Identifier  (1426326291)
derdump: error -8183: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.
derdump: errno=2: No such file or directory
kjacobs-44776:nss kjacobs$ 

This could be an issue with my machine, but I did confirm ASAN is working.

Flags: needinfo?(slei.casper)

I compiled NSS on a 32-bit OS.

Flags: needinfo?(slei.casper)

changeset: 15287:65ab97f03c89

Thanks, I can reproduce it on 32b. Looks like we have an integer overflow at https://searchfox.org/mozilla-central/source/security/nss/cmd/lib/derprint.c#512.

I'll submit a patch for this today.

Assignee: nobody → kjacobs.bugzilla
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P1

Thanks for this catch and fix.

As far as I can tell, this is only used by the derdump util [1] which would mean this doesn't need to be marked as a security bug, since that's not within any application. I suggest opening the bug unless there's dissent.

[1] https://searchfox.org/mozilla-central/search?q=DER_PrettyPrint&redirect=false

I'd prefer we land the fix first, but I also didn't see any uses outside of this utility.

Oops, since this isn't in Firefox or NSS's libs, this is actually sec-other.

Keywords: sec-low → sec-other
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.47
Summary: nss heap overflow → Heap overflow in NSS utility "derdump"

This bug can be reproduced after applying the patch.

Flags: needinfo?(kjacobs.bugzilla)

Hmm, not on my end. With the patch I get the same output as on the 64b build. Without it, an ASAN dump.

Can you try a full rebuild (-c --asan)? Is it possible you're getting a different ASAN crash (if the input has changed at all, perhaps)?

Flags: needinfo?(kjacobs.bugzilla)

I fully cloned latest nss repo and built with asan. This is still reproducible.

Flags: needinfo?(kjacobs.bugzilla)

Marcus, would you be able to take a look and confirm either way? This is no longer reproducible for me after the patch.

Flags: needinfo?(kjacobs.bugzilla) → needinfo?(marcus.apb)

(In reply to Kevin Jacobs [:kjacobs] from comment #14)

> Marcus, would you be able to take a look and confirm either way? This is no longer reproducible for me after the patch.

Sure. I will do soon.

Flags: needinfo?(marcus.apb)
Group: crypto-core-security → core-security-release

I can confirm that this problem is not reproducible anymore, after this patch:

$ nss/build.sh --asan
ninja: Entering directory `/home/marcusburghardt/BUGZILLA/BUG1581024_derdump/nss/out/Debug'
ninja: no work to do.

$ export LD_LIBRARY_PATH="/home/marcusburghardt/BUGZILLA/BUG1581024_derdump/dist/Debug/lib"
$ ./dist/Debug/bin/derdump -i crashdata
C-Sequence (459)
C-Sequence (373)
C-[0] (3)
Integer (1)
02
Integer (1)
00
C-Sequence (13)
Object Identifier (9)
1 2 840 113549 1 1 4 (PKCS #1 MD5 With RSA Encryption)
NULL (0)
C-Sequence (75)
C-Set (11)
C-Sequence (9)
Object Identifier (3)
2 5 4 6 (X520 Country Name)
Printable String (2)
"US"
C-Set (22)
C-Sequence (20)
Object Identifier (3)
2 5 4 10 (X520 Organization Name)
Printable String (13)
"VeriSign Inc."
C-Set (20)
C-Sequence (18)
Object Identifier (3)
2 5 4 11 (X520 Organizational Unit Name)
Printable String (11)
"Engineering"
C-Set (14)
C-Sequence (12)
Object Identifier (1426326291)
derdump: error -8183: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.

Flags: needinfo?(kjacobs.bugzilla)
Attached file OK
Attached file result

here is the commit I used to compile nss: changeset: 15304:57977ceea00e

and result:
debianfuzz ➜  Debug/bin  pwd
/home/casper/targets/nss/new/dist/Debug/bin
debianfuzz ➜  Debug/bin  export LD_LIBRARY_PATH=/home/casper/targets/nss/new/dist/Debug/lib
debianfuzz ➜  Debug/bin  ./derdump < /tmp/crashdata
C-Sequence  (459)
   C-Sequence  (373)
      C-[0]  (3)
         Integer  (1)
            02
      Integer  (1)
         00
      C-Sequence  (13)
         Object Identifier  (9)
            1 2 840 113549 1 1 4 (PKCS #1 MD5 With RSA Encryption)
         NULL  (0)
      C-Sequence  (75)
         C-Set  (11)
            C-Sequence  (9)
               Object Identifier  (3)
                  2 5 4 6 (X520 Country Name)
               Printable String  (2)
                  "US"
         C-Set  (22)
            C-Sequence  (20)
               Object Identifier  (3)
                  2 5 4 10 (X520 Organization Name)
               Printable String  (13)
                  "VeriSign Inc."
         C-Set  (20)
            C-Sequence  (18)
               Object Identifier  (3)
                  2 5 4 11 (X520 Organizational Unit Name)
               Printable String  (11)
                  "Engineering"
         C-Set  (14)
            C-Sequence  (12)
               Object Identifier  (1426326291)
                   0 5 74 97 115 111 110 48 30 23 13 57 53 48 56 48 56 48 55 48 48 48 48 90 23 13 57 54 48 56 48 55 48 55 48 48 48 48 90 48 75 49 11 48 9 6 3 85 4 6 19 2 85 83 49 22 48 20 6 3 85 4 10 19 13 86 101 114 105 83 105 103 110 32 73 110 99 46 49 20 48 47 6 3 85 4 11 19 11 69 110 103 105 110 101 101 114 105 110 103 49 14 48 12 6 3 85 4 3 19 5 74 97 115 111 110 48 92 48 13 6 9 42 840 113549 1 1 1 5 0 3 75 0 48 72 2 65 0 774900 84 248997564 85 3469719127 12722 57 12800 62 1132239 6145 26 118 28 22 16 8438 18 122 70 14730 5 12353 40901617 1154615 18 42 242141760 2 26 491555 117 104 15041 2 3 1 0 1 4548 48 66 48 20 6 3 97 98 99 1 1 16260 10 101 120 116 101 110 115 105 111 110 49 48 20 6 3 100 101 102 1 1 16260 10 101 120 116 101 110 83 105 0 4 50 48 20 6 3 103 104 105 1 1 16260 10 101 120 116 101 110 115 105 111 110 51 48 13 6 9 42 840 113549 1 1 4 5 0 3 65 0 107 2 9944 84 3122 1513474 5266 96 1372200640 11 75 100 438 7471 2185 51 1934920 182017400 4301 81 95 104 201 15038 49 10393 150222000 1455364 962619
=================================================================
==29047==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4602ccf at pc 0x00464127 bp 0xbfb63448 sp 0xbfb6343c
READ of size 1 at 0xb4602ccf thread T0
    #0 0x464126 in prettyPrintObjectID ../../cmd/lib/derprint.c:258
    #1 0x465176 in prettyPrintItem ../../cmd/lib/derprint.c:552
    #2 0x464e5b in prettyPrintItem ../../cmd/lib/derprint.c:519
    #3 0x464e5b in prettyPrintItem ../../cmd/lib/derprint.c:519
    #4 0x464e5b in prettyPrintItem ../../cmd/lib/derprint.c:519
    #5 0x464e5b in prettyPrintItem ../../cmd/lib/derprint.c:519
    #6 0x464e5b in prettyPrintItem ../../cmd/lib/derprint.c:519
    #7 0x46541d in DER_PrettyPrint ../../cmd/lib/derprint.c:590
    #8 0x45e367 in main ../../cmd/derdump/derdump.c:97
    #9 0xb72e1b40 in __libc_start_main ../csu/libc-start.c:308
    #10 0x45dae0 in _start (/home/casper/targets/nss/new/dist/Debug/bin/derdump+0x6ae0)

0xb4602ccf is located 0 bytes to the right of 463-byte region [0xb4602b00,0xb4602ccf)
allocated by thread T0 here:
    #0 0xb79de5d4 in __interceptor_malloc (/lib/i386-linux-gnu/libasan.so.5+0xeb5d4)
    #1 0xb7228a62 in PR_Malloc ../../../../pr/src/malloc/prmem.c:435
    #2 0xb76e9c39 in PORT_Alloc_Util ../../lib/util/secport.c:87
    #3 0x45f082 in secu_StdinToItem ../../cmd/lib/basicutil.c:130
    #4 0x45f2ee in SECU_FileToItem ../../cmd/lib/basicutil.c:150
    #5 0x467497 in SECU_ReadDERFromFile ../../cmd/lib/secutil.c:552
    #6 0x45e343 in main ../../cmd/derdump/derdump.c:95
    #7 0xb72e1b40 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../cmd/lib/derprint.c:258 in prettyPrintObjectID
Shadow bytes around the buggy address:
  0x368c0540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x368c0550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x368c0560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x368c0570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x368c0580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x368c0590: 00 00 00 00 00 00 00 00 00[07]fa fa fa fa fa fa
  0x368c05a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x368c05b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x368c05c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x368c05d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x368c05e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29047==ABORTING

We were able to reproduce this when compiling with GCC-9, where the fix is optimized out. I'm not sure why UBSan doesn't flag this, but the check needs to be adjusted slightly.

Thanks for the report back.

Flags: needinfo?(kjacobs.bugzilla)
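The comments above (an integer overflow in the length check at derprint.c line 512, and a first fix that GCC 9 optimized away) describe a bug class that recurs in every length-prefixed parser: checking whether an item fits by adding an untrusted length to the current offset. The C program below is an added illustration written for this page; it is not NSS code and not the patch from this bug. The function names (fits_unsafe, fits_safe, der_read_length, der_count_items) and the sample byte strings are hypothetical and constructed here. It places the addition-based check, which wraps for unsigned operands and is undefined behaviour (so removable by the optimizer) for signed ones, beside the remaining-bytes form that has neither problem, and uses the safe form inside a minimal DER tag/length walker.

```c
/* Added illustration of the bounds-check pattern behind this bug class.
 * Not NSS's derprint.c: names, layout and sample data are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unsafe: adding an untrusted length to the current offset can wrap
 * around (unsigned) or, with signed types, is undefined behaviour that
 * the optimizer is entitled to exploit by deleting the check. */
bool fits_unsafe(size_t offset, size_t len, size_t total)
{
    return offset + len <= total;
}

/* Safe: compare the length against the bytes that remain. No addition,
 * so no wraparound and nothing for the compiler to "optimize out". */
bool fits_safe(size_t offset, size_t len, size_t total)
{
    return offset <= total && len <= total - offset;
}

/* Decode a DER length (short or long form) starting at buf[*pos].
 * Returns false if the encoding is truncated, indefinite, wider than
 * size_t, or if the body it announces does not fit in the remaining
 * input. On success *pos is advanced past the length bytes. */
bool der_read_length(const uint8_t *buf, size_t total, size_t *pos, size_t *out_len)
{
    if (*pos >= total)
        return false;
    uint8_t first = buf[(*pos)++];
    if ((first & 0x80) == 0) {            /* short form: length is this byte */
        *out_len = first;
    } else {
        size_t nbytes = first & 0x7f;     /* long form: that many length bytes follow */
        if (nbytes == 0 || nbytes > sizeof(size_t))
            return false;                 /* indefinite length or too wide to hold */
        if (!fits_safe(*pos, nbytes, total))
            return false;                 /* the length bytes themselves are truncated */
        size_t len = 0;
        for (size_t i = 0; i < nbytes; i++)
            len = (len << 8) | buf[(*pos)++];
        *out_len = len;
    }
    /* The decisive check: does the announced body fit in what is left? */
    return fits_safe(*pos, *out_len, total);
}

/* Count top-level TLV items in buf (single-byte tags only).
 * Returns -1 as soon as a length does not fit the buffer. */
int der_count_items(const uint8_t *buf, size_t total)
{
    size_t pos = 0;
    int count = 0;
    while (pos < total) {
        pos++;                            /* skip the tag byte */
        size_t len;
        if (!der_read_length(buf, total, &pos, &len))
            return -1;
        pos += len;                       /* cannot overflow: len <= total - pos was proven */
        count++;
    }
    return count;
}

/* Constructed sample inputs (not the crashdata attached to this bug). */
const uint8_t good[] = { 0x02, 0x01, 0x02,            /* INTEGER 2 */
                         0x05, 0x00 };                /* NULL */
const uint8_t bad[]  = { 0x06, 0x7f, 0x2a, 0x86, 0x48 }; /* OID claims 127 bytes, 3 present */
const uint8_t huge[] = { 0x06, 0x84, 0x55, 0x04, 0x38, 0x13 }; /* 4-byte length far beyond buffer */

int main(void)
{
    printf("good: %d items\n", der_count_items(good, sizeof good));   /* 2 */
    printf("bad:  %d\n", der_count_items(bad, sizeof bad));           /* -1 */
    printf("huge: %d\n", der_count_items(huge, sizeof huge));         /* -1 */
    /* 10 + (SIZE_MAX - 5) wraps to 4, so the unsafe check says a
     * multi-gigabyte item "fits" in a 463-byte buffer. */
    printf("unsafe says fits: %d, safe says fits: %d\n",
           fits_unsafe(10, SIZE_MAX - 5, 463),
           fits_safe(10, SIZE_MAX - 5, 463));
    return 0;
}
```

The walker stops at the first length that does not fit, which is the behaviour the post-fix derdump output above shows (a SEC_ERROR_BAD_DER error at the 1426326291-byte Object Identifier instead of a read past the 463-byte allocation). Keeping the comparison in the "len <= total - offset" shape, on an unsigned type, is what makes the check survive any optimization level.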

Slei,

Just in case you'd like to confirm this fix, I'm attaching the patch here (since you may not have access to Phabricator). Thanks again!

Comment above ^ -- thanks!

Flags: needinfo?(slei.casper)

It's not reproducible after the patch on my machine.

Flags: needinfo?(slei.casper)
Keywords: checkin-needed
Attachment #9096804 - Attachment is obsolete: true
Group: core-security-release