Uninitialized value in HASH_GetHashTypeByOidTag (sechash.c:182)
Categories
(NSS :: Tools, defect, P3)
Tracking
(Not tracked)
People
(Reporter: nico.schiller, Assigned: jschanck)
Details
(Keywords: csectype-uninitialized, Whiteboard: [nss-nofx])
Attachments
(2 files)
Steps to reproduce:
During processing of the attached certificate for vfychain via:
'''
/dist/Debug/bin/vfychain -a /testcase
'''
an conditional jump or move which depends on uninitialised value is triggered.
For reproduction of the crash, I attach a Docker image. Run ./build_upstream.sh to build the docker image and ./reproduce-upstream.sh to reproduce the bug.
Since I have no experience with these bugs in cryptographic software, I set the security flag.
Actual results:
Valgrind output:
==1== Memcheck, a memory error detector
==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1== Command: /dist/Debug/bin/vfychain -a /testcase
==1==
==1== Conditional jump or move depends on uninitialised value(s)
==1== at 0x487B611: HASH_GetHashTypeByOidTag (sechash.c:182)
==1== by 0x4880F3D: sec_DecodeSigAlg (secvfy.c:350)
==1== by 0x486E55C: CERT_VerifySignedDataWithPublicKey (certvfy.c:177)
==1== by 0x486E7BD: CERT_VerifySignedData (certvfy.c:263)
==1== by 0x486F284: cert_VerifyCertChainOld (certvfy.c:750)
==1== by 0x486FC97: cert_VerifyCertChain (certvfy.c:1001)
==1== by 0x4870A1C: CERT_VerifyCertificate (certvfy.c:1496)
==1== by 0x10FA19: main (vfychain.c:638)
==1== Uninitialised value was created by a stack allocation
==1== at 0x4867850: ??? (in /dist/Debug/lib/libnss3.so)
==1==
==1== Conditional jump or move depends on uninitialised value(s)
==1== at 0x487B61A: HASH_GetHashTypeByOidTag (sechash.c:182)
==1== by 0x4880F3D: sec_DecodeSigAlg (secvfy.c:350)
==1== by 0x486E55C: CERT_VerifySignedDataWithPublicKey (certvfy.c:177)
==1== by 0x486E7BD: CERT_VerifySignedData (certvfy.c:263)
==1== by 0x486F284: cert_VerifyCertChainOld (certvfy.c:750)
==1== by 0x486FC97: cert_VerifyCertChain (certvfy.c:1001)
==1== by 0x4870A1C: CERT_VerifyCertificate (certvfy.c:1496)
==1== by 0x10FA19: main (vfychain.c:638)
==1== Uninitialised value was created by a stack allocation
==1== at 0x4867850: ??? (in /dist/Debug/lib/libnss3.so)
==1==
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. ST=ABC :
ERROR -8182: Peer's certificate has an invalid signature.
CERT 1. ST=ABC [Certificate Authority]:
ERROR -8182: Peer's certificate has an invalid signature.
CERT 2. ST=ABC [Certificate Authority]:
ERROR -8182: Peer's certificate has an invalid signature.
CERT 3. ST=ABC [Certificate Authority]:
ERROR -8182: Peer's certificate has an invalid signature.
CERT 4. ST=ABC [Certificate Authority]:
ERROR -8182: Peer's certificate has an invalid signature.
CERT 5. ST=ABC [Certificate Authority]:
ERROR -8182: Peer's certificate has an invalid signature.
CERT 6. ST=ABC [Certificate Authority]:
ERROR -8182: Peer's certificate has an invalid signature.
CERT 7. ST=ABC [Certificate Authority]:
ERROR -8182: Peer's certificate has an invalid signature.
CERT 8. ST=ABC [Certificate Authority]:
ERROR -8182: Peer's certificate has an invalid signature.
CERT 9. ST=ABC [Certificate Authority]:
ERROR -8182: Peer's certificate has an invalid signature.
CERT 10. ST=ABC [Certificate Authority]:
ERROR -8182: Peer's certificate has an invalid signature.
CERT 11. ST=ABC [Certificate Authority]:
ERROR -8182: Peer's certificate has an invalid signature.
CERT 12. ST=ABC [Certificate Authority]:
ERROR -8182: Peer's certificate has an invalid signature.
CERT 13. ST=ABC [Certificate Authority]:
ERROR -8182: Peer's certificate has an invalid signature.
CERT 14. ST=ABC [Certificate Authority]:
ERROR -8182: Peer's certificate has an invalid signature.
CERT 15. ST=ABC [Certificate Authority]:
ERROR -8182: Peer's certificate has an invalid signature.
CERT 16. ST=ABC [Certificate Authority]:
ERROR -8182: Peer's certificate has an invalid signature.
CERT 17. ST=ABC [Certificate Authority]:
ERROR -8182: Peer's certificate has an invalid signature.
CERT 18. ST=ABC [Certificate Authority]:
ERROR -8182: Peer's certificate has an invalid signature.
CERT 19. ST=ABC [Certificate Authority]:
ERROR -8182: Peer's certificate has an invalid signature.
CERT 20. ST=ABC [Certificate Authority]:
ERROR -8179: Peer's Certificate issuer is not recognized.
ST=ABC
==1==
==1== HEAP SUMMARY:
==1== in use at exit: 1,350 bytes in 7 blocks
==1== total heap usage: 3,328 allocs, 3,321 frees, 849,198 bytes allocated
==1==
==1== LEAK SUMMARY:
==1== definitely lost: 0 bytes in 0 blocks
==1== indirectly lost: 0 bytes in 0 blocks
==1== possibly lost: 0 bytes in 0 blocks
==1== still reachable: 1,350 bytes in 7 blocks
==1== suppressed: 0 bytes in 0 blocks
==1== Rerun with --leak-check=full to see details of leaked memory
==1==
==1== For lists of detected and suppressed errors, rerun with: -s
==1== ERROR SUMMARY: 38 errors from 2 contexts (suppressed: 0 from 0)
Expected results:
Expected the correct exception handling of invalid files / certificates.
|
Assignee | |
Comment 2•3 years ago
|
||
Thanks again.
The return value of sec_DecodeRSAPSSParams is not checked in sec_DecodeSigAlg.
|
|
Assignee | |
Comment 3•3 years ago
|
||
|
|
Assignee | |
Updated•3 years ago
|
|
||
Comment 4•3 years ago
|
||
John: can you take a stab at a security severity rating?
|
|
Assignee | |
Comment 5•3 years ago
|
||
We can unhide this. I don't see any security implications.
|
|
Assignee | |
Comment 6•3 years ago
|
||
Description
•