Closed Bug 1910370 Opened 3 months ago Closed 2 months ago

Assertion failure: ss->ssl3.hs.dtls13ClientMessageBuffer.len == 0, at ../../lib/ssl/ssl3con.c:5668

Categories

(NSS :: Libraries, defect)

Tracking

RESOLVED FIXED
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- affected
firefox130 --- wontfix
firefox131 --- wontfix
firefox132 --- fixed

People

(Reporter: mdauer, Assigned: mdauer)

References

(Regression)

Details

(Keywords: regression, Whiteboard: [fuzzblocker][post-critsmash-triage])

Attachments

(2 files)

OSS-Fuzz: https://oss-fuzz.com/testcase-detail/4709052135833600

Details

Debug assertion failure. The assert was added in 305d3d208b3c3761753e614e61a91249382de6b5 as part of Bug 1818487.

Reproduction

  1. Download the attached testcase
  2. Build NSS with ./build.sh -c --fuzz
  3. Run /path/to/dist/Debug/bin/nssfuzz-dtls-client /path/to/testcase
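The three steps above as a small harness that runs the testcase and classifies the outcome, so the same script also verifies the fix once it has landed. This is added here and is not part of the bug report or of NSS; the tree layout (NSS_DIR, the dist/Debug/bin path, the testcase filename) is assumed and adjustable via environment variables.

```shell
#!/bin/sh
# Added reproduction/verification harness (not from the bug report or NSS).
# Assumed layout: ./build.sh in $NSS_DIR, nssfuzz-dtls-client under
# $NSS_DIR/../dist/Debug/bin, and the OSS-Fuzz testcase saved locally.
set -u

# Exact assertion text from the report; anything else is a different crash.
ASSERTION='ss->ssl3.hs.dtls13ClientMessageBuffer.len == 0'
NSS_DIR="${NSS_DIR:-.}"
TARGET="${TARGET:-$NSS_DIR/../dist/Debug/bin/nssfuzz-dtls-client}"
TESTCASE="${1:-testcase}"

# Classify one run's combined stdout/stderr:
#   reproduced  - the assertion from this bug fired
#   other-crash - libFuzzer reported a deadly signal for another reason
#   clean       - no crash (the expected result after the fix)
classify_run() {
    out="$1"
    case "$out" in
        *"Assertion failure: $ASSERTION"*) echo reproduced ;;
        *"ERROR: libFuzzer: deadly signal"*) echo other-crash ;;
        *) echo clean ;;
    esac
}

# Step 2: build with fuzzing enabled; step 3: run the DTLS client target on
# the testcase. A crashing target exits non-zero, so do not let that abort us.
reproduce() {
    (cd "$NSS_DIR" && ./build.sh -c --fuzz) >/dev/null 2>&1 \
        || { echo build-failed; return 1; }
    out="$("$TARGET" "$TESTCASE" 2>&1 || true)"
    classify_run "$out"
}

# Only build and run when explicitly requested (RUN_REPRO=1 ./repro.sh testcase).
if [ "${RUN_REPRO:-0}" = 1 ]; then reproduce; fi
```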

Stack trace

Assertion failure: ss->ssl3.hs.dtls13ClientMessageBuffer.len == 0, at ../../lib/ssl/ssl3con.c:5668
==14187== ERROR: libFuzzer: deadly signal
    #0 0x56a6b87cd005 in __sanitizer_print_stack_trace (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-dtls-client+0x80b005) (BuildId: 8ad64b7f8abde276cc9625a324db9259b1c31774)
    #1 0x56a6b8726b1c in fuzzer::PrintStackTrace() (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-dtls-client+0x764b1c) (BuildId: 8ad64b7f8abde276cc9625a324db9259b1c31774)
    #2 0x56a6b870cba7 in fuzzer::Fuzzer::CrashCallback() (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-dtls-client+0x74aba7) (BuildId: 8ad64b7f8abde276cc9625a324db9259b1c31774)
    #3 0x78cfd9e4531f  (/lib/x86_64-linux-gnu/libc.so.6+0x4531f) (BuildId: 6d64b17fbac799e68da7ebd9985ddf9b5cb375e6)
    #4 0x78cfd9e9eb1b in __pthread_kill_implementation nptl/pthread_kill.c:43:17
    #5 0x78cfd9e9eb1b in __pthread_kill_internal nptl/pthread_kill.c:78:10
    #6 0x78cfd9e9eb1b in pthread_kill nptl/pthread_kill.c:89:10
    #7 0x78cfd9e4526d in raise signal/../sysdeps/posix/raise.c:26:13
    #8 0x78cfd9e288fe in abort stdlib/abort.c:79:7
    #9 0x56a6b9069a56 in PR_Assert /home/mdauer/mercurial/nss-nspr/nspr/Debug/pr/src/io/../../../../pr/src/io/prlog.c:556:3
    #10 0x56a6b88f9b43 in ssl3_SendClientHello /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/ssl/ssl3con.c:5668:17
    #11 0x56a6b88ced78 in dtls_HandleHelloVerifyRequest /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/ssl/dtlscon.c:1153:10
    #12 0x56a6b891d212 in ssl3_HandlePostHelloHandshakeMessage /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/ssl/ssl3con.c:12755:18
    #13 0x56a6b8917dcd in ssl3_HandleHandshakeMessage /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/ssl/ssl3con.c:12698:22
    #14 0x56a6b88c9cbc in dtls_HandleHandshakeMessage /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/ssl/dtlscon.c:248:12
    #15 0x56a6b88c8458 in dtls_HandleHandshake /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/ssl/dtlscon.c:360:18
    #16 0x56a6b892257e in ssl3_HandleNonApplicationData /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/ssl/ssl3con.c:13412:22
    #17 0x56a6b89285c8 in ssl3_HandleRecord /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/ssl/ssl3con.c:13774:10
    #18 0x56a6b8961131 in ssl3_GatherCompleteHandshake /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/ssl/ssl3gthr.c:561:18
    #19 0x56a6b8969c0d in ssl_GatherRecord1stHandshake /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/ssl/sslcon.c:73:10
    #20 0x56a6b8820ad4 in ssl_Do1stHandshake /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/ssl/sslsecur.c:43:14
    #21 0x56a6b88246c1 in SSL_ForceHandshake /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/ssl/sslsecur.c:431:14
    #22 0x56a6b880f1c7 in DoHandshake(PRFileDesc*, bool) /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/tls_common.cc:54:10
    #23 0x56a6b8807125 in LLVMFuzzerTestOneInput /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/tls_client_target.cc:240:3
    #24 0x56a6b870e174 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-dtls-client+0x74c174) (BuildId: 8ad64b7f8abde276cc9625a324db9259b1c31774)
    #25 0x56a6b86f72a6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-dtls-client+0x7352a6) (BuildId: 8ad64b7f8abde276cc9625a324db9259b1c31774)
    #26 0x56a6b86fcd5a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-dtls-client+0x73ad5a) (BuildId: 8ad64b7f8abde276cc9625a324db9259b1c31774)
    #27 0x56a6b8727516 in main (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-dtls-client+0x765516) (BuildId: 8ad64b7f8abde276cc9625a324db9259b1c31774)
    #28 0x78cfd9e2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #29 0x78cfd9e2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #30 0x56a6b86f1e74 in _start (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-dtls-client+0x72fe74) (BuildId: 8ad64b7f8abde276cc9625a324db9259b1c31774)

SSL options

============= ClientConfig =============
SSL_NO_CACHE:                           0
SSL_ENABLE_EXTENDED_MASTER_SECRET:      1
SSL_REQUIRE_DH_NAMED_GROUPS:            0
SSL_ENABLE_FALSE_START:                 0
SSL_ENABLE_DEFLATE:                     0
SSL_CBC_RANDOM_IV:                      1
SSL_REQUIRE_SAFE_NEGOTIATION:           1
SSL_ENABLE_GREASE:                      1
SSL_ENABLE_CH_EXTENSION_PERMUTATION:    0
SSL_SetCertificateCompressionAlgorithm: 1
SSL_VersionRangeSet:                    1
  Min:                                  772
  Max:                                  772
SSL_AddExternalPsk:                     0
  Type:                                 5
SSL_ENABLE_POST_HANDSHAKE_AUTH:         1
SSL_ENABLE_0RTT_DATA:                   1
SSL_ENABLE_ALPN:                        1
SSL_ENABLE_FALLBACK_SCSV:               1
SSL_ENABLE_OCSP_STAPLING:               0
SSL_ENABLE_SESSION_TICKETS:             1
SSL_ENABLE_TLS13_COMPAT_MODE:           0
SSL_NO_LOCKS:                           0
SSL_SetClientEchConfigs:                1
========================================
Summary: Assertion failure in ssl3_SendClientHello (with UNSAFE_FUZZER_MODE) → Assertion failure in ssl3_SendClientHello

Also reproduces with UNSAFE_FUZZER_MODE disabled.

Whiteboard: fuzzblocker
Whiteboard: fuzzblocker → [fuzzblocker]
Attachment #9416776 - Attachment description: WIP: Bug 1910370 - Clear invalid early DTLS message buffer → WIP: Bug 1910370 - DTLS client message buffer may not empty on retransmit
Component: Test → Libraries
Summary: Assertion failure in ssl3_SendClientHello → ss->ssl3.hs.dtls13ClientMessageBuffer.len == 0, at ../../lib/ssl/ssl3con.c:5668
Summary: ss->ssl3.hs.dtls13ClientMessageBuffer.len == 0, at ../../lib/ssl/ssl3con.c:5668 → Assertion failure: ss->ssl3.hs.dtls13ClientMessageBuffer.len == 0, at ../../lib/ssl/ssl3con.c:5668
Attachment #9416776 - Attachment description: WIP: Bug 1910370 - DTLS client message buffer may not empty on retransmit → Bug 1910370 - DTLS client message buffer may not empty be on retransmit, r?nkulatova
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Group: crypto-core-security → core-security-release
Flags: qe-verify-
Whiteboard: [fuzzblocker] → [fuzzblocker][post-critsmash-triage]

This doesn't appear to have a security impact.

Group: core-security-release