Closed Bug 1660676 Opened 5 years ago Closed 1 year ago

use after poison in SECU_PrintAsHex

Categories

(NSS :: Tools, defect, P3)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: slei.casper, Assigned: jschanck)

Details

Attachments

(2 files)

Attached file poc

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36

Steps to reproduce:

  1. Compile NSS with AddressSanitizer.
  2. Run ./pp -t c -i poc

Actual results:

==78399==ERROR: AddressSanitizer: use-after-poison on address 0x61d00000996b at pc 0x0000004f2ce6 bp 0x7ffff6017ae0 sp 0x7ffff6017ad8
READ of size 1 at 0x61d00000996b thread T0
    #0 0x4f2ce5 in SECU_PrintAsHex /home/casper/targets/struct/nss/afl/BUILD/nss/out/Debug/../../cmd/lib/basicutil.c
    #1 0x4f34df in SECU_PrintInteger /home/casper/targets/struct/nss/afl/BUILD/nss/out/Debug/../../cmd/lib/basicutil.c:406:9
    #2 0x4fd217 in SECU_PrintEncodedInteger /home/casper/targets/struct/nss/afl/BUILD/nss/out/Debug/../../cmd/lib/secutil.c:905:9
    #3 0x4fd217 in secu_PrintUniversal /home/casper/targets/struct/nss/afl/BUILD/nss/out/Debug/../../cmd/lib/secutil.c:993:13
    #4 0x5098e5 in SECU_PrintAny /home/casper/targets/struct/nss/afl/BUILD/nss/out/Debug/../../cmd/lib/secutil.c:1052:17
    #5 0x5098e5 in secu_PrintSubjectPublicKeyInfo /home/casper/targets/struct/nss/afl/BUILD/nss/out/Debug/../../cmd/lib/secutil.c:1451:13
    #6 0x50a8ad in SECU_PrintCertificate /home/casper/targets/struct/nss/afl/BUILD/nss/out/Debug/../../cmd/lib/secutil.c:2378:5
    #7 0x510976 in secu_PrintSignedDataSigOpt /home/casper/targets/struct/nss/afl/BUILD/nss/out/Debug/../../cmd/lib/secutil.c:3164:10
    #8 0x4ef79a in main /home/casper/targets/struct/nss/afl/BUILD/nss/out/Debug/../../cmd/pp/pp.c
    #9 0x7f23c0660b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x41df99 in _start (/home/casper/targets/struct/nss/afl/fuzzrun/pp+0x41df99)

0x61d00000996b is located 747 bytes inside of 2048-byte region [0x61d000009680,0x61d000009e80)
allocated by thread T0 here:
    #0 0x4aab50 in malloc /home/casper/fuzz/fuzzdeps/llvm-9.0.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145
    #1 0x7f23bff4c0be in PR_Malloc /home/casper/targets/struct/nss/afl/BUILD/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c:448:55

SUMMARY: AddressSanitizer: use-after-poison /home/casper/targets/struct/nss/afl/BUILD/nss/out/Debug/../../cmd/lib/basicutil.c in SECU_PrintAsHex
Shadow bytes around the buggy address:
  0x0c3a7fff92d0: 00 00 00 00 00 00 00 00 00 00 03 00 02 00 00 00
  0x0c3a7fff92e0: 00 00 00 00 00 00 03 00 00 01 00 00 00 00 00 00
  0x0c3a7fff92f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fff9300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03
  0x0c3a7fff9310: 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a7fff9320: 00 00 00 00 07 00 00 00 00 00 00 00 00[03]f7 f7
  0x0c3a7fff9330: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3a7fff9340: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3a7fff9350: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3a7fff9360: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3a7fff9370: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==78399==ABORTING

JC: I think this is only used in non-shipping utilities, not Firefox itself, in which case it could be unhidden. Is that right?

Flags: needinfo?(jjones)

That's correct, this is a utility function for the CLI tools, and is not exported to the rest of the library.

Severity: -- → S2
Component: Libraries → Tools
Flags: needinfo?(jjones)
Priority: -- → P3
QA Contact: jjones

Thanks for this report!

Group: crypto-core-security
Assignee: nobody → jschanck
Severity: S2 → S4
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED