Assertion failure: state->parent != NULL && state->parent->indefinite, at ../../lib/util/secasn1d.c:2949
Categories: NSS :: Libraries, defect, P3
Tracking: firefox-esr115 wontfix, firefox-esr128 wontfix, firefox138 wontfix, firefox139 wontfix, firefox140 fixed
People: Reporter mdauer, Assigned jschanck
References: Blocks 1 open bug
Details: Whiteboard [fuzzblocker] [adv-main140-]
Attachments: 3 files
OSS-Fuzz: https://oss-fuzz.com/testcase-detail/5080740727685120
Details
The assertion has existed since the Initial NSS Open Source checkin. Marking this security-sensitive for now.
Assertion failure: state->parent != NULL && state->parent->indefinite, at ../../lib/util/secasn1d.c:2949
==143675== ERROR: libFuzzer: deadly signal
#0 0x5a6c8e7edf95 in __sanitizer_print_stack_trace (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-pkcs12+0x742f95) (BuildId: fd56c333efbfc859c8354c98bec15d574c2eed6f)
#1 0x5a6c8e747aac in fuzzer::PrintStackTrace() (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-pkcs12+0x69caac) (BuildId: fd56c333efbfc859c8354c98bec15d574c2eed6f)
#2 0x5a6c8e72db37 in fuzzer::Fuzzer::CrashCallback() (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-pkcs12+0x682b37) (BuildId: fd56c333efbfc859c8354c98bec15d574c2eed6f)
#3 0x7380bb04532f (/lib/x86_64-linux-gnu/libc.so.6+0x4532f) (BuildId: 42c84c92e6f98126b3e2230ebfdead22c235b667)
#4 0x7380bb09eb2b in __pthread_kill_implementation nptl/pthread_kill.c:43:17
#5 0x7380bb09eb2b in __pthread_kill_internal nptl/pthread_kill.c:78:10
#6 0x7380bb09eb2b in pthread_kill nptl/pthread_kill.c:89:10
#7 0x7380bb04527d in raise signal/../sysdeps/posix/raise.c:26:13
#8 0x7380bb0288fe in abort stdlib/abort.c:79:7
#9 0x5a6c8f007596 in PR_Assert /home/mdauer/mercurial/nss-nspr/nspr/Debug/pr/src/io/../../../../pr/src/io/prlog.c:556:3
#10 0x5a6c8f2c2f88 in SEC_ASN1DecoderUpdate_Util /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/util/secasn1d.c:2949:17
#11 0x5a6c8f2f58b9 in SEC_PKCS7DecoderUpdate /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs7/p7decode.c:1044:17
#12 0x5a6c8e839507 in sec_pkcs12_decoder_wrap_p7_update /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs12/p12d.c:771:5
#13 0x5a6c8f2c3155 in SEC_ASN1DecoderUpdate_Util /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/util/secasn1d.c:2953:13
#14 0x5a6c8e838362 in sec_pkcs12_decoder_asafes_callback /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs12/p12d.c:862:10
#15 0x5a6c8f2fc1ba in sec_pkcs7_decoder_work_data /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs7/p7decode.c:172:13
#16 0x5a6c8f2fb817 in sec_pkcs7_decoder_filter /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs7/p7decode.c:216:5
#17 0x5a6c8f2c3155 in SEC_ASN1DecoderUpdate_Util /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/util/secasn1d.c:2953:13
#18 0x5a6c8f2f58b9 in SEC_PKCS7DecoderUpdate /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs7/p7decode.c:1044:17
#19 0x5a6c8e837c8c in sec_pkcs12_decode_asafes_cinfo_update /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs12/p12d.c:964:10
#20 0x5a6c8f2c3155 in SEC_ASN1DecoderUpdate_Util /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/util/secasn1d.c:2953:13
#21 0x5a6c8e82eee7 in SEC_PKCS12DecoderUpdate /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../lib/pkcs12/p12d.c:1297:10
#22 0x5a6c8e823d43 in LLVMFuzzerTestOneInput /home/mdauer/mercurial/nss-nspr/nss/out/Debug/../../fuzz/targets/pkcs12.cc:37:18
#23 0x5a6c8e72f104 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-pkcs12+0x684104) (BuildId: fd56c333efbfc859c8354c98bec15d574c2eed6f)
#24 0x5a6c8e718236 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-pkcs12+0x66d236) (BuildId: fd56c333efbfc859c8354c98bec15d574c2eed6f)
#25 0x5a6c8e71dcea in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-pkcs12+0x672cea) (BuildId: fd56c333efbfc859c8354c98bec15d574c2eed6f)
#26 0x5a6c8e7484a6 in main (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-pkcs12+0x69d4a6) (BuildId: fd56c333efbfc859c8354c98bec15d574c2eed6f)
#27 0x7380bb02a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#28 0x7380bb02a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#29 0x5a6c8e712e04 in _start (/home/mdauer/mercurial/nss-nspr/dist/Debug/bin/nssfuzz-pkcs12+0x667e04) (BuildId: fd56c333efbfc859c8354c98bec15d574c2eed6f)
To reproduce, perform the following steps:
- Build NSS with
./build.sh -c --fuzz --disable-tests
- Run
/path/to/dist/Debug/bin/nssfuzz-pkcs12 /path/to/testcase
Updated by reporter • 5 months ago
Comment 1 • 5 months ago
The severity field is not set for this bug.
:beurdouche, could you have a look please?
For more information, please visit BugBot documentation.
Updated by assignee • 4 months ago
Comment 2 (assignee) • 4 months ago
Updated • 4 months ago
Comment 3 • 4 months ago
This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:jschanck, could you consider increasing the severity?
For more information, please visit BugBot documentation.
Comment 4 (assignee) • 4 months ago
Comment 5 (assignee) • 4 months ago
The assertion is wrong here. There are situations where state->parent is not the enclosing GROUP or SET_OF that is expecting the end-of-contents. There can be intermediate states for implicit tags, etc.
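As an added illustration of the end-of-contents handling discussed in the comment above (example code written for this page, not NSS's decoder): a byte-level BER walker that keeps an explicit stack of open elements and reports malformed nesting as an error code instead of asserting. It does not model NSS's template-driven intermediate states; what it shows is that an end-of-contents marker must be matched to the nearest open indefinite-length element, and that any other placement is attacker-controlled input to reject, not an invariant to assert on. All sample encodings in the test are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#define BER_MAX_DEPTH 32

/* An open constructed element: `end` is where its contents stop (for the
 * indefinite form, 0x80, the enclosing limit; an end-of-contents closes it). */
struct ber_frame { size_t end; int indefinite; };

/* Check the nesting of a BER encoding (constructed example, not NSS code).
 * Returns 0 when well formed, else -1 truncated, -2 bad tag/length octets,
 * -3 end-of-contents (00 00) with no indefinite-length element open,
 * -4 nesting deeper than BER_MAX_DEPTH, -5 an element was left unclosed. */
int ber_check_nesting(const uint8_t *p, size_t n)
{
    struct ber_frame st[BER_MAX_DEPTH];
    size_t sp = 0, pos = 0;
    for (;;) {
        /* Definite-length elements close by offset, never by a marker. */
        while (sp > 0 && !st[sp - 1].indefinite && st[sp - 1].end == pos)
            sp--;
        size_t limit = sp > 0 ? st[sp - 1].end : n;
        if (pos == limit)                   /* nothing left in this element */
            return sp == 0 ? 0 : -5;        /* open indefinite frame never closed */
        if (p[pos] == 0x00) {               /* end-of-contents marker 00 00 */
            if (limit - pos < 2 || p[pos + 1] != 0x00) return -2;
            if (sp == 0 || !st[sp - 1].indefinite) return -3;
            sp--; pos += 2;
            continue;
        }
        int constructed = p[pos] & 0x20;
        if ((p[pos] & 0x1f) == 0x1f) return -2; /* high-tag-number form not handled */
        if (++pos == limit) return -1;          /* no length octet */
        uint8_t lb = p[pos++];
        if (lb == 0x80) {                   /* indefinite length: constructed only */
            if (!constructed) return -2;
            if (sp == BER_MAX_DEPTH) return -4;
            st[sp].end = limit; st[sp].indefinite = 1; sp++;
            continue;
        }
        size_t len = lb & 0x7f, k = len;    /* short form, or count of length octets */
        if (lb & 0x80) {
            if (k == 0 || k > 4 || limit - pos < k) return -2;
            for (len = 0; k > 0; k--) len = (len << 8) | p[pos++];
        }
        if (len > limit - pos) return -1;   /* contents overrun the enclosing element */
        if (!constructed) { pos += len; continue; }
        if (sp == BER_MAX_DEPTH) return -4;
        st[sp].end = pos + len; st[sp].indefinite = 0; sp++;
    }
}
```

Feeding it the fuzzer's test case from this bug would exercise only the byte-level nesting rules, not the template state chain in secasn1d.c, so it complements rather than reproduces the report.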
Comment 6 (assignee) • 4 months ago
Updated • 4 months ago
Updated • 2 months ago