Closed Bug 1804660 Opened 1 year ago Closed 1 year ago

Assertion failure: child_found_tag_number < SEC_ASN1_HIGH_TAG_NUMBER, at ../../lib/util/secasn1d.c:2210

Categories

(NSS :: Libraries, defect)

x86_64
Linux
defect

Tracking

(firefox-esr102 wontfix, firefox109 wontfix, firefox110 wontfix, firefox111 wontfix, firefox112 fixed)

RESOLVED FIXED

People

(Reporter: decoder, Assigned: jschanck)

Details

(Keywords: crash, sec-other, testcase, Whiteboard: [nss-triage][post-critsmash-triage][adv-main112-])

Attachments

(3 files)

The attached testcase crashes on nss revision a3669ed2c606+ (debug build with ASan/fuzzing).

For detailed crash information, see attachment.

To reproduce the issue, perform the following steps:

  1. Build NSS with fuzzing enabled and patch from bug 1804646 applied: ./build.sh --asan --clang --fuzz (assuming mozbuild clang/clang++ is on PATH and matching NSPR with ASan is installed/used).
  2. Run nssfuzz-pkcs12 test.bin

I don't think this is a security problem but keeping this hidden until all PKCS12 issues are resolved and the fuzzer itself is public.

Attached file Testcase
Group: core-security → crypto-core-security

The severity field is not set for this bug.
:beurdouche, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(bbeurdouche)
Flags: needinfo?(bbeurdouche)
Whiteboard: [nss-triage]

If a template has an OPTIONAL field, and we find that the input does not match
that field's tag number, we mark the field as missing. If the next field is an
ASN.1 ANY, we need to write the previously-parsed tag number out. Since high
tag number forms are rare, we never implemented the necessary re-encoding of
multi-byte tags, and we noted this with an assertion. That assertion is
remotely triggerable in debug builds. This patch removes the assertion and
returns a SEC_ERROR_LIBRARY_FAILURE instead.

Assignee: nobody → jschanck
Group: crypto-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 3.89
Flags: qe-verify-
Whiteboard: [nss-triage] → [nss-triage][post-critsmash-triage]
Whiteboard: [nss-triage][post-critsmash-triage] → [nss-triage][post-critsmash-triage][adv-main112-]
Group: core-security-release
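As an added illustration of the decoder behaviour described in the comment above (an OPTIONAL field whose tag does not match, followed by an ANY that must carry the identifier octets the decoder has already consumed), the following C program, written for this page and not taken from NSS, encodes and decodes BER identifier octets including the multi-byte high-tag-number form and then re-emits the tag in front of the ANY element. The two-field template, the constructed input bytes and the function names (`encode_tag`, `decode_tag`, `decode_length`, `decode_optional_then_any`) are assumptions for the example; the decoder also rejects truncated, non-minimal and overlong tag numbers rather than asserting.

```c
/* Added example (not NSS code): BER identifier-octet handling including the
 * high-tag-number form (tag number >= 31), the case the NSS decoder asserted on. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HIGH_TAG_NUMBER 0x1f   /* tag numbers 0..30 use the single-octet form */

/* Encode identifier octets into out (capacity cap). Returns bytes written or -1. */
int encode_tag(unsigned cls, int constructed, uint32_t number, uint8_t *out, size_t cap)
{
    if (cls > 3) return -1;
    uint8_t first = (uint8_t)((cls << 6) | (constructed ? 0x20 : 0));
    if (number < HIGH_TAG_NUMBER) {
        if (cap < 1) return -1;
        out[0] = first | (uint8_t)number;
        return 1;
    }
    /* High form: low five bits all set, then base-128 digits, most significant
     * first, with the continuation bit 0x80 on every digit but the last. */
    int ndig = 0;
    uint32_t n = number;
    do { ndig++; n >>= 7; } while (n);
    if (cap < (size_t)ndig + 1) return -1;
    out[0] = first | 0x1f;
    n = number;
    for (int i = ndig; i >= 1; i--) {
        out[i] = (uint8_t)((n & 0x7f) | (i == ndig ? 0 : 0x80));
        n >>= 7;
    }
    return ndig + 1;
}

/* Decode identifier octets from in[0..len). Returns bytes consumed, or -1 when
 * the tag is truncated, non-minimal, overlong, or wrongly uses the high form. */
int decode_tag(const uint8_t *in, size_t len, unsigned *cls, int *constructed, uint32_t *number)
{
    if (len < 1) return -1;
    *cls = in[0] >> 6;
    *constructed = (in[0] & 0x20) != 0;
    uint8_t low = in[0] & 0x1f;
    if (low < HIGH_TAG_NUMBER) { *number = low; return 1; }
    uint32_t n = 0;
    size_t i = 1;
    for (;;) {
        if (i >= len) return -1;                        /* truncated */
        uint8_t b = in[i++];
        if (i == 2 && (b & 0x7f) == 0) return -1;       /* leading zero digit */
        if (n > (0xffffffffu >> 7)) return -1;          /* would overflow 32 bits */
        n = (n << 7) | (b & 0x7f);
        if (!(b & 0x80)) break;
    }
    if (n < HIGH_TAG_NUMBER) return -1;                 /* should have used the short form */
    *number = n;
    return (int)i;
}

/* Decode definite-form length octets. Returns bytes consumed or -1. */
int decode_length(const uint8_t *in, size_t len, size_t *out)
{
    if (len < 1) return -1;
    if (in[0] < 0x80) { *out = in[0]; return 1; }
    unsigned n = in[0] & 0x7f;
    if (n == 0 || n > sizeof(size_t) || len < 1 + n) return -1; /* indefinite, reserved, truncated */
    size_t v = 0;
    for (unsigned i = 1; i <= n; i++) v = (v << 8) | in[i];
    *out = v;
    return (int)(1 + n);
}

/* Mimic the template "[opt_tag] IMPLICIT ... OPTIONAL, then ANY": by the time the
 * decoder learns the OPTIONAL field is absent it has already consumed the
 * identifier octets, so the ANY element must have its tag re-encoded in front.
 * Writes the complete ANY element to any_out and returns its length, or -1. */
int decode_optional_then_any(const uint8_t *in, size_t len, uint32_t opt_tag,
                             int *opt_present, uint8_t *any_out, size_t any_cap)
{
    unsigned cls; int cons; uint32_t num; size_t body, off = 0;
    int tl = decode_tag(in, len, &cls, &cons, &num);
    if (tl < 0) return -1;
    *opt_present = 0;
    if (cls == 2 && num == opt_tag) {                   /* context-specific tag matched */
        int oll = decode_length(in + tl, len - tl, &body);
        if (oll < 0 || (size_t)tl + oll + body > len) return -1;
        *opt_present = 1;
        off = (size_t)tl + oll + body;
        tl = decode_tag(in + off, len - off, &cls, &cons, &num);
        if (tl < 0) return -1;
    }
    int ll = decode_length(in + off + tl, len - off - tl, &body);
    if (ll < 0 || off + tl + ll + body > len) return -1;
    uint8_t tag[6];
    int rl = encode_tag(cls, cons, num, tag, sizeof tag); /* the multi-byte re-encoding step */
    if (rl < 0 || (size_t)rl + ll + body > any_cap) return -1;
    memcpy(any_out, tag, (size_t)rl);
    memcpy(any_out + rl, in + off + tl, ll + body);
    return rl + ll + body;
}

int main(void)
{
    /* Constructed input: a [200] constructed element (tag bytes bf 81 48) holding
     * INTEGER 5; the OPTIONAL [0] field is absent, so ANY must take the whole element. */
    static const uint8_t in[] = {0xbf, 0x81, 0x48, 0x03, 0x02, 0x01, 0x05};
    uint8_t any[16]; int present;
    int n = decode_optional_then_any(in, sizeof in, 0, &present, any, sizeof any);
    printf("optional present: %d, ANY element (%d bytes):", present, n);
    for (int i = 0; i < n; i++) printf(" %02x", any[i]);
    printf("\n");
    return n < 0;
}
```

The point of the re-encoding step is that a decoder which keeps only the first identifier octet (here `0xbf`) would emit a wrong ANY element for any tag number of 31 or more; either the tag is re-encoded from the decoded number, as above, or the decoder returns an error for that input, which is what the fix described in the comment does.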
