Closed Bug 1935984 Opened 8 months ago Closed 8 months ago

Uninitialised value(s) in CERT_DecodeCertFromPackage

Categories

NSS :: Libraries, defect

Tracking

RESOLVED FIXED

Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 135+ fixed
firefox133 --- wontfix
firefox134 --- wontfix
firefox135 --- fixed

People

(Reporter: mdauer, Assigned: mdauer)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uninitialized, sec-moderate, Whiteboard: [post-critsmash-triage][adv-main135+r][adv-ESR128.7+r])

Attachments

(3 files, 2 obsolete files)

OSS-Fuzz: https://oss-fuzz.com/testcase-detail/5627490141274112

Details

Frequent crash that is not reproducible with the single testcase, though I was able to reproduce locally by running afl-fuzz.
The stacktrace for the alloc/free points to a completely different location than the alleged use-after-free. Running with valgrind reveals a lot of uninitialised value errors.

Reproduction

Since valgrind doesn't like ASan, you will need to apply repro.patch and build with ./build.sh -c --fuzz --disable-tests and then run valgrind -s --track-origins=yes /path/to/dist/Debug/bin/nssfuzz-pkcs7 /path/to/testcase.

Stacktrace

==83562==ERROR: AddressSanitizer: heap-use-after-free on address 0x51d0013a2ea0 at pc 0x5d05850252ca bp 0x7ffd67d96ea0 sp 0x7ffd67d96e98
	READ of size 1 at 0x51d0013a2ea0 thread T0
	SCARINESS: 40 (1-byte-read-heap-use-after-free)
	    #0 0x5d05850252c9 in definite_length_decoder nss/lib/util/quickder.c:34:11
	    #1 0x5d05850252c9 in GetItem nss/lib/util/quickder.c:128:18
	    #2 0x5d0585023f3a in DecodeItem nss/lib/util/quickder.c:658:14
	    #3 0x5d0585023bc5 in SEC_QuickDERDecodeItem_Util nss/lib/util/quickder.c:829:14
	    #4 0x5d0584f39b0b in CERT_IssuerNameFromDERCert nss/lib/certdb/certdb.c:267:10
	    #5 0x5d0584fed586 in nssPKIX509_GetIssuerAndSerialFromDER nss/lib/pki/pki3hack.c:264:13
	    #6 0x5d05850013fb in nssCertificateStore_FindCertificateByEncodedCertificate nss/lib/pki/pkistore.c:538:13
	    #7 0x5d0584f74abd in CERT_NewTempCertificate nss/lib/certdb/stanpcertdb.c:368:13
	    #8 0x5d0584693020 in CERT_DecodeCertFromPackage nss/lib/pkcs7/certread.c:527:16
	    #9 0x5d05846862be in LLVMFuzzerTestOneInput nss/fuzz/targets/pkcs7.cc:17:9
	    #10 0x5d0584e9b029 in LLVMFuzzerRunDriver /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:423:13
	    #11 0x5d0584e9ac4d in main /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:311:10
	    #12 0x7945620d8082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16
	    #13 0x5d05845adb9d in _start
	
	0x51d0013a2ea0 is located 32 bytes inside of 2048-byte region [0x51d0013a2e80,0x51d0013a3680)
	freed by thread T0 here:
	    #0 0x5d0584646916 in __interceptor_free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
	    #1 0x5d058506c0fd in FreeArenaList nspr/lib/ds/plarena.c:201:5
	    #2 0x5d058504fca6 in PORT_FreeArena_Util nss/lib/util/secport.c:380:9
	    #3 0x5d0584692cb9 in SEC_ReadCertSequence nss/lib/pkcs7/certread.c:217:9
	    #4 0x5d05846911a4 in CERT_DecodeCertPackage nss/lib/pkcs7/certread.c:365:29
	    #5 0x5d0584692fba in CERT_DecodeCertFromPackage nss/lib/pkcs7/certread.c:524:10
	    #6 0x5d05846862be in LLVMFuzzerTestOneInput nss/fuzz/targets/pkcs7.cc:17:9
	    #7 0x5d0584e9b029 in LLVMFuzzerRunDriver /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:423:13
	    #8 0x5d0584e9ac4d in main /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:311:10
	    #9 0x7945620d8082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16
	    #10 0x5d05845adb9d in _start
	
	previously allocated by thread T0 here:
	    #0 0x5d0584646baf in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
	    #1 0x5d058506b595 in PL_ArenaAllocate nspr/lib/ds/plarena.c:132:21
	    #2 0x5d058504f853 in PORT_ArenaAlloc_Util nss/lib/util/secport.c:318:13
	    #3 0x5d058502e904 in sec_asn1d_alloc nss/lib/util/secasn1d.c:327:17
	    #4 0x5d058502e904 in sec_asn1d_zalloc nss/lib/util/secasn1d.c:346:13
	    #5 0x5d058502e904 in sec_asn1d_concat_substrings nss/lib/util/secasn1d.c:2278:39
	    #6 0x5d058502e904 in SEC_ASN1DecoderUpdate_Util nss/lib/util/secasn1d.c:2846:17
	    #7 0x5d058503bd42 in SEC_ASN1Decode_Util nss/lib/util/secasn1d.c:3134:11
	    #8 0x5d058503bd42 in SEC_ASN1DecodeItem_Util nss/lib/util/secasn1d.c:3148:12
	    #9 0x5d0584692bb4 in SEC_ReadCertSequence nss/lib/pkcs7/certread.c:188:9
	    #10 0x5d05846911a4 in CERT_DecodeCertPackage nss/lib/pkcs7/certread.c:365:29
	    #11 0x5d0584692fba in CERT_DecodeCertFromPackage nss/lib/pkcs7/certread.c:524:10
	    #12 0x5d05846862be in LLVMFuzzerTestOneInput nss/fuzz/targets/pkcs7.cc:17:9
	    #13 0x5d0584e9b029 in LLVMFuzzerRunDriver /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:423:13
	    #14 0x5d0584e9ac4d in main /src/aflplusplus/utils/aflpp_driver/aflpp_driver.c:311:10
	    #15 0x7945620d8082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16
	    #16 0x5d05845adb9d in _start
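Added illustration, not NSS code and not part of the report: the trace above ends in a DER definite-length decoder reading one byte of a certificate item out of an arena that SEC_ReadCertSequence had already freed, and the bug was subsequently retitled to uninitialised values, which ASan cannot see (it tracks allocation state, not initialisation) and valgrind or MemorySanitizer can. A decoder of that shape is only as safe as the pointer/length pair it is handed, so the block below shows the checks a bounded DER tag+length parser needs: it never reads past the item, rejects indefinite and non-minimal lengths, bounds every element of a SEQUENCE by its parent, and refuses an unset (NULL/zero) item instead of dereferencing it. `der_item`, `der_read_header`, `der_walk_sequence` and the sample bytes are invented for this example; the real NSS routines in the trace (`definite_length_decoder`, `SEC_QuickDERDecodeItem_Util`) have different signatures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Pointer+length view of a DER item, the same shape as NSS's SECItem
   (data/len) but a stand-alone type for this illustration. */
typedef struct {
    const uint8_t *data;
    size_t len;
} der_item;

/*
 * Parse one identifier octet plus a DER definite length from `in`.
 * On success stores tag, header size and content size and returns 0.
 * Returns -1 when the item is unset or shorter than a TLV header, when the
 * length octets are truncated, when the length is indefinite (0x80, not
 * DER), when more than 4 length octets are used, when the long form is not
 * minimal, or when the declared content does not fit inside `in`.
 * Nothing past in->data + in->len is ever read.
 */
int der_read_header(const der_item *in, uint8_t *tag,
                    size_t *hdr_len, size_t *content_len)
{
    if (in == NULL || in->data == NULL || in->len < 2)
        return -1;                 /* a TLV needs at least tag + length */
    const uint8_t *p = in->data;
    if ((p[0] & 0x1f) == 0x1f)
        return -1;                 /* high-tag-number form: not used in X.509 */
    size_t hdr = 2;
    size_t clen;
    if (p[1] < 0x80) {
        clen = p[1];               /* short form: the octet is the length */
    } else {
        size_t n = p[1] & 0x7f;    /* long form: n length octets follow */
        if (n == 0 || n > 4)
            return -1;             /* 0x80 = indefinite; >4 octets = absurd */
        if (in->len < 2 + n)
            return -1;             /* the length octets themselves are cut off */
        clen = 0;
        for (size_t i = 0; i < n; i++)
            clen = (clen << 8) | p[2 + i];
        /* DER demands the shortest encoding: no leading zero octet, and a
           value below 0x80 must have used the short form. */
        if (p[2] == 0 || (n == 1 && clen < 0x80))
            return -1;
        hdr = 2 + n;
    }
    /* in->len >= hdr holds on every path above, so this cannot wrap. */
    if (clen > in->len - hdr)
        return -1;                 /* content would run off the buffer */
    *tag = p[0];
    *hdr_len = hdr;
    *content_len = clen;
    return 0;
}

/*
 * Walk the elements of a DER SEQUENCE (tag 0x30), calling `cb` (may be
 * NULL) with each complete inner TLV. Inner items are bounded by the
 * enclosing SEQUENCE's content, so a corrupt inner length fails cleanly
 * instead of reading beyond the outer buffer. Returns the element count,
 * or -1 if the outer item or any inner item is malformed.
 */
int der_walk_sequence(const der_item *seq,
                      void (*cb)(const der_item *elem, void *ctx), void *ctx)
{
    uint8_t tag;
    size_t hdr, clen;
    if (der_read_header(seq, &tag, &hdr, &clen) != 0 || tag != 0x30)
        return -1;
    der_item rest = { seq->data + hdr, clen };
    int count = 0;
    while (rest.len > 0) {
        uint8_t t;
        size_t h, c;
        if (der_read_header(&rest, &t, &h, &c) != 0)
            return -1;
        der_item elem = { rest.data, h + c };
        if (cb != NULL)
            cb(&elem, ctx);
        rest.data += h + c;
        rest.len -= h + c;
        count++;
    }
    return count;
}

/* Constructed sample: SEQUENCE { INTEGER 5, OCTET STRING ff }. */
static const uint8_t sample_seq[] = { 0x30, 0x06, 0x02, 0x01, 0x05, 0x04, 0x01, 0xff };

static void print_elem(const der_item *e, void *ctx)
{
    (void)ctx;
    printf("element: tag 0x%02x, %zu bytes\n", e->data[0], e->len);
}

int main(void)
{
    der_item seq = { sample_seq, sizeof sample_seq };
    int n = der_walk_sequence(&seq, print_elem, NULL);
    printf("elements: %d\n", n);
    return n == 2 ? 0 : 1;
}
```

The two functions take the item by pointer and never touch memory outside `[data, data+len)`, which is the invariant a caller must also uphold: if the struct it passes was never populated (the uninitialised-value case this bug was renamed to), no decoder-side check can recover, which is why a zero-initialised item is rejected up front rather than trusted.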
Attached file valgrind.log (obsolete)
Attached file valgrind.log

with --track-origins=yes

Attached patch repro.patch
Attachment #9442453 - Attachment is obsolete: true
Keywords: sec-other
Summary: Heap-use-after-free READ in definite_length_decoder → Uninitialised value(s) in CERT_DecodeCertFromPackage
Status: NEW → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Assignee: nobody → mdauer
Blocks: 1936150
Group: crypto-core-security → core-security-release
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main135+]
Whiteboard: [post-critsmash-triage][adv-main135+] → [post-critsmash-triage][adv-main135+][adv-ESR128.7+]
Attached file advisory.txt (obsolete)
Whiteboard: [post-critsmash-triage][adv-main135+][adv-ESR128.7+] → [post-critsmash-triage][adv-main135+r][adv-ESR128.7+r]
Attachment #9462942 - Attachment is obsolete: true
Group: core-security-release