Closed Bug 1949118 Opened 6 months ago Closed 6 months ago

NULL-dereference in SECITEM_CopyItem from NSS_CMSDigestContext_FinishSingle

Categories

(NSS :: Libraries, defect)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mdauer, Assigned: mdauer)

References

(Blocks 1 open bug)

Attachments

(3 files)

OSS-Fuzz: https://oss-fuzz.com/testcase-detail/6254175768084480

Details

The check here doesn't verify that dp[0] is non-NULL before it is passed to SECITEM_CopyItem:

    rv = NSS_CMSDigestContext_FinishMultiple(cmsdigcx, arena, &dp);
    if (rv == SECSuccess && dp) {
        /* now copy it into poolp */
        rv = SECITEM_CopyItem(poolp, digest, dp[0]);
    }

From what I can tell, dp[0] may be NULL if we reach this case in NSS_CMSDigestContext_FinishMultiple:

    if (!pair->digcx) {
        digests[i] = NULL;
        continue;
    }

To reproduce, perform the following steps:

  1. You may need to comment out the line with enable_ubsan in coreconf/fuzz.sh, as there are other UBSan errors in the way
  2. Build NSS with ./build.sh -c --fuzz --disable-tests
  3. Run /path/to/dist/Debug/bin/nssfuzz-smime /path/to/testcase

Stack trace

==777638==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5fb7f48461a4 bp 0x7ffe0cb17030 sp 0x7ffe0cb16ff0 T0)
==777638==The signal is caused by a READ memory access.
==777638==Hint: address points to the zero page.
    #0 0x5fb7f48461a4 in SECITEM_CopyItem_Util /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/util/secitem.c:260:22
    #1 0x5fb7f3f93a3a in NSS_CMSDigestContext_FinishSingle /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/smime/cmsdigest.c:265:14
    #2 0x5fb7f3f9257b in NSS_CMSDigestedData_Decode_AfterData /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/smime/cmsdigdata.c:185:14
    #3 0x5fb7f3f91563 in nss_cms_after_data /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/smime/cmsdecode.c:356:18
    #4 0x5fb7f3f8ff27 in nss_cms_decoder_notify /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/smime/cmsdecode.c:177:21
    #5 0x5fb7f48308b4 in sec_asn1d_notify_after /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/util/secasn1d.c:441:5
    #6 0x5fb7f48308b4 in sec_asn1d_next_in_sequence /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/util/secasn1d.c:2082:5
    #7 0x5fb7f48308b4 in SEC_ASN1DecoderUpdate_Util /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/util/secasn1d.c:2843:17
    #8 0x5fb7f3f90ab7 in NSS_CMSDecoder_Update /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/smime/cmsdecode.c:662:14
    #9 0x5fb7f3f910ef in NSS_CMSMessage_CreateFromDER /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/smime/cmsdecode.c:734:5
    #10 0x5fb7f3f89cd5 in LLVMFuzzerTestOneInput /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/targets/smime.cc:20:28
    #11 0x5fb7f3e95104 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-smime+0x2f9104) (BuildId: eb4da2b00e938b3712204e3a552eb2c67a21701a)
    #12 0x5fb7f3e7e236 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-smime+0x2e2236) (BuildId: eb4da2b00e938b3712204e3a552eb2c67a21701a)
    #13 0x5fb7f3e83cea in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-smime+0x2e7cea) (BuildId: eb4da2b00e938b3712204e3a552eb2c67a21701a)
    #14 0x5fb7f3eae4a6 in main (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-smime+0x3124a6) (BuildId: eb4da2b00e938b3712204e3a552eb2c67a21701a)
    #15 0x783c3062a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #16 0x783c3062a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #17 0x5fb7f3e78e04 in _start (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-smime+0x2dce04) (BuildId: eb4da2b00e938b3712204e3a552eb2c67a21701a)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/util/secitem.c:260:22 in SECITEM_CopyItem_Util
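
A constructed model of the failure mode, added here and not NSS's own code: finish_multiple leaves a NULL entry for a context that was never started (the `digests[i] = NULL` case quoted above), copy_item dereferences its argument unconditionally like SECITEM_CopyItem, and finish_single_checked adds the `dp[0]` check that the quoted condition lacks. All type and function names are stand-ins, and the digest bytes are made up.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the NSS types in the report (not NSS's definitions). */
typedef enum { SECSuccess = 0, SECFailure = -1 } SECStatus;
typedef struct { unsigned char *data; unsigned int len; } SECItem;

/* Models NSS_CMSDigestContext_FinishMultiple: one entry per digest context, but a
 * context that was never started (pair->digcx == NULL) leaves digests[i] = NULL.
 * Allocations are not freed here; in NSS they live in an arena. */
static SECStatus finish_multiple(const int *started, int n, SECItem ***dpp)
{
    SECItem **digests = calloc((size_t)n, sizeof(*digests));
    if (!digests) return SECFailure;
    for (int i = 0; i < n; i++) {
        if (!started[i]) { digests[i] = NULL; continue; } /* the NULL case from the report */
        digests[i] = malloc(sizeof(SECItem));
        if (!digests[i] || !(digests[i]->data = malloc(4))) return SECFailure;
        memcpy(digests[i]->data, "\xab\xcd\xef\x01", 4); /* constructed digest bytes */
        digests[i]->len = 4;
    }
    *dpp = digests;
    return SECSuccess;
}

/* Models SECITEM_CopyItem: reads from->len and from->data unconditionally, which is
 * where the sanitizer trace reports the NULL read. */
static SECStatus copy_item(SECItem *to, const SECItem *from)
{
    to->data = malloc(from->len);
    if (!to->data) return SECFailure;
    memcpy(to->data, from->data, from->len);
    to->len = from->len;
    return SECSuccess;
}

/* Hardened form of the FinishSingle pattern. The report's condition is
 * `rv == SECSuccess && dp`; adding `&& dp[0]` turns a missing first digest into
 * a SECFailure instead of a NULL dereference inside copy_item. */
static SECStatus finish_single_checked(const int *started, int n, SECItem *digest)
{
    SECItem **dp = NULL;
    SECStatus rv = finish_multiple(started, n, &dp);
    if (rv == SECSuccess && dp && dp[0])
        rv = copy_item(digest, dp[0]);
    else if (rv == SECSuccess)
        rv = SECFailure; /* dp[0] == NULL: no digest was computed */
    return rv;
}
```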

Attachment #9467051 - Attachment description: Bug 1949118 - Add missing check in NSS_CMSDigestContext_FinishSingle, r?#nss-reviewers → Bug 1949118 - Part 1: Fix smime UBSan errors, r?#nss-reviewers

The severity field is not set for this bug.
:beurdouche, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(bbeurdouche)