nss:tls-server: Undefined-shift in ssl_FindServerCert
Categories: NSS :: Libraries, defect, P2
Tracking: Not tracked
People: Reporter: kjacobs, Assigned: kjacobs
Details: Keywords: sec-other, Whiteboard: [Disclosure-2021-02-01]
Attachments: 2 files
#0 0x470e31 in ssl_FindServerCert nss/lib/ssl/sslcert.c:212:14
#1 0x497823 in tls13_CanResume nss/lib/ssl/tls13con.c:1402:10
#2 0x496819 in tls13_HandleClientHelloPart2 nss/lib/ssl/tls13con.c:1900:14
#3 0x4d11f4 in ssl3_HandleClientHello nss/lib/ssl/ssl3con.c:8880:14
#4 0x4cfcff in ssl3_HandleHandshakeMessage nss/lib/ssl/ssl3con.c:12132:18
#5 0x4d3b89 in ssl3_HandleHandshake nss/lib/ssl/ssl3con.c:12318:18
#6 0x4d2966 in ssl3_HandleNonApplicationData nss/lib/ssl/ssl3con.c:12843:22
#7 0x4d4ae9 in ssl3_HandleRecord nss/lib/ssl/ssl3con.c:13140:12
#8 0x4ed266 in ssl3_GatherCompleteHandshake nss/lib/ssl/ssl3gthr.c:523:18
#9 0x4f077c in ssl_GatherRecord1stHandshake nss/lib/ssl/sslcon.c:73:10
#10 0x476753 in ssl_Do1stHandshake nss/lib/ssl/sslsecur.c:42:14
#11 0x4780d2 in SSL_ForceHandshake nss/lib/ssl/sslsecur.c:386:14
#12 0x4387f7 in DoHandshake(PRFileDesc*, bool) nss/fuzz/tls_common.cc:44:10
#13 0x42cc12 in LLVMFuzzerTestOneInput nss/fuzz/tls_server_target.cc:123:3
#14 0x7ffd86 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:595:15
#15 0x8275b1 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:323:6
#16 0x82ac1a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:852:9
#17 0x80d85a in main /src/libfuzzer/FuzzerMain.cpp:20:10
#18 0x7fbe48ec582f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291
#19 0x409048 in _start
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../lib/ssl/sslcert.c:212:14
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26854
Reported-2020-11-01
Disclosure-2021-02-01
I'm pretty sure this is not a security bug, just the fuzzer hitting an unrealistic case (i.e. of the server writing bad data into a SID, such as in bug 1618915), but the reproducer isn't working for me for some reason.
To run the test case: ./build.sh --fuzz --asan and LD_LIBRARY_PATH=../dist/Debug/lib/ ../dist/Debug/bin/nssfuzz-tls-server <TEST CASE>
Comment 1•4 years ago
The severity field is not set for this bug.
:jcj, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 2•4 years ago
In fuzzer mode, session tickets are serialized without any encryption or integrity protection. This leads to a post-deserialize UBSAN error when shifting by a fuzzed (large) authType value.
Comment 3•4 years ago
There's no security impact here.
Comment 4•4 years ago
Comment 5•4 years ago
Apparently, the oss-fuzz compiler uses a signed integer here. I didn't notice this because the PoC never worked on my machine (which compiled as unsigned). We need to reduce the value of the shift by one.
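An added illustration of the failure mode described in comments 2 and 5 (this is not NSS's own code; the real auth-type enum and the exact expression at sslcert.c:212 are not on this page, so AUTH_TYPE_COUNT, the ticket layout and the function names are hypothetical): an authType value taken from an unauthenticated serialized ticket is used directly as a shift count, beside the range-checked form that rejects fuzzed values before shifting.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for an authentication-type enum: only 0..7 defined. */
#define AUTH_TYPE_COUNT 8u

/* Vulnerable pattern: trusts the deserialized authType as a shift amount.
 * With a signed int operand, 1 << 31 and any shift count >= 32 is undefined
 * behaviour (the kind of thing UBSAN reports); with an unsigned operand the
 * 1 << 31 case is defined but counts >= 32 are still undefined. */
bool authTypeAllowedUnchecked(uint32_t allowedMask, int authType)
{
    return (allowedMask & (1 << authType)) != 0; /* UB for authType >= 31 */
}

/* Hardened pattern: range-check the untrusted value before it becomes a
 * shift count, and shift an unsigned constant so the result is well defined
 * for every accepted value. */
bool authTypeAllowed(uint32_t allowedMask, uint32_t authType)
{
    if (authType >= AUTH_TYPE_COUNT) {
        return false; /* reject out-of-range values carried by the ticket */
    }
    return (allowedMask & (1u << authType)) != 0;
}

/* Constructed minimal ticket: a single byte holding authType, standing in
 * for the unencrypted, unauthenticated serialization used in fuzzer mode. */
static bool parseTicketAuthType(const uint8_t *buf, size_t len, uint32_t *out)
{
    if (buf == NULL || len < 1) {
        return false;
    }
    *out = buf[0];
    return true;
}

/* Returns 1 if the ticket's authType is acceptable under allowedMask,
 * 0 if it is rejected, and -1 if the ticket cannot be parsed. */
int checkTicket(const uint8_t *buf, size_t len, uint32_t allowedMask)
{
    uint32_t authType;
    if (!parseTicketAuthType(buf, len, &authType)) {
        return -1;
    }
    return authTypeAllowed(allowedMask, authType) ? 1 : 0;
}
```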
Comment 6•4 years ago
Comment 7•4 years ago