Description
- Version: Latest commit 9da5b44
- Environment: Ubuntu 20.04.6 LTS, Clang 18.1.8
- Fuzzing harness: https://github.com/google/oss-fuzz/blob/master/projects/plan9port/fuzz_libsec.c
Please let me know if you encounter any issues reproducing it — I can upload a Docker image to help.
Steps to reproduce
git clone https://github.com/9fans/plan9port.git --depth 1
cd plan9port
wget https://github.com/google/oss-fuzz/raw/refs/heads/master/projects/plan9port/fuzz_libsec.c
wget https://github.com/google/oss-fuzz/raw/refs/heads/master/projects/plan9port/fuzz_patch.diff
git apply --ignore-space-change --ignore-whitespace fuzz_patch.diff
export CC="clang"
export CXX="clang++"
export CFLAGS="-fsanitize=address -g -O0 -fno-omit-frame-pointer"
export CXXFLAGS="-fsanitize=address -g -O0 -fno-omit-frame-pointer"
export LIB_FUZZING_ENGINE="-fsanitize=fuzzer"
export CC9=$CC
export CC9FLAGS="$CFLAGS"
export ASAN_OPTIONS="detect_leaks=0"
./INSTALL
plan9_libs="-Wl,--start-group ./lib/libframe.a ./lib/libbio.a ./lib/libdisk.a ./lib/lib9.a ./lib/libcomplete.a ./lib/libString.a ./lib/libauth.a ./lib/libmemlayer.a ./lib/libventi.a ./lib/libmux.a ./lib/lib9p.a ./lib/libregexp9.a ./lib/libip.a ./lib/libgeometry.a ./lib/libhtml.a ./lib/libmp.a ./lib/libplumb.a ./lib/libsec.a ./lib/libflate.a ./lib/libhttpd.a ./lib/libndb.a ./lib/libdraw.a ./lib/libmach.a ./lib/libavl.a ./lib/libthread.a ./lib/libauthsrv.a ./lib/libdiskfs.a ./lib/lib9pclient.a ./lib/libsunrpc.a ./lib/libmemdraw.a ./lib/libacme.a ./lib/libbin.a -Wl,--end-group"
$CC $CFLAGS $LIB_FUZZING_ENGINE -c fuzz_libsec.c -o fuzz_libsec.o -I./include
$CXX $CXXFLAGS $LIB_FUZZING_ENGINE fuzz_libsec.o -o fuzz_libsec -I./include $plan9_libs
wget https://github.com/user-attachments/files/19698345/plan9port_crash_1.txt
./fuzz_libsec plan9port_crash_1.txt
Sanitizer output
root@f7054a82a569:/src/plan9port# ./fuzz_libsec plan9port_crash_1.txt
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 750169130
INFO: Loaded 1 modules (3 inline 8-bit counters): 3 [0x594820, 0x594823),
INFO: Loaded 1 PC tables (3 PCs): 3 [0x563a60,0x563a90),
./fuzz_libsec: Running 1 inputs 1 time(s) each.
Running: plan9port_crash_1.txt
class64,num10{=================================================================
==711558==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000074 at pc 0x00000050ddfc bp 0x7fffa7f533f0 sp 0x7fffa7f533e8
READ of size 1 at 0x602000000074 thread T0
#0 0x50ddfb in edump /src/plan9port/src/libsec/port/x509.c:2524:66
#1 0x50d808 in asn1dump /src/plan9port/src/libsec/port/x509.c:2558:2
#2 0x5037e9 in LLVMFuzzerTestOneInput /src/plan9port/fuzz_libsec.c:29:2
#3 0x43b613 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/src/plan9port/fuzz_libsec+0x43b613)
#4 0x4257de in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/src/plan9port/fuzz_libsec+0x4257de)
#5 0x42b762 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/src/plan9port/fuzz_libsec+0x42b762)
#6 0x454f02 in main (/src/plan9port/fuzz_libsec+0x454f02)
#7 0x76510556e082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#8 0x41f98d in _start (/src/plan9port/fuzz_libsec+0x41f98d)
0x602000000074 is located 0 bytes to the right of 4-byte region [0x602000000070,0x602000000074)
allocated by thread T0 here:
#0 0x4cfd0d in malloc (/src/plan9port/fuzz_libsec+0x4cfd0d)
#1 0x50387b in p9malloc /src/plan9port/src/lib9/malloc.c:16:9
#2 0x50ee14 in emalloc /src/plan9port/src/libsec/port/x509.c:172:6
#3 0x50ed89 in newbytes /src/plan9port/src/libsec/port/x509.c:1290:16
#4 0x503996 in makebytes /src/plan9port/src/libsec/port/x509.c:1303:8
#5 0x514056 in octet_decode /src/plan9port/src/libsec/port/x509.c:647:9
#6 0x512cba in value_decode /src/plan9port/src/libsec/port/x509.c:432:9
#7 0x511a77 in ber_decode /src/plan9port/src/libsec/port/x509.c:269:11
#8 0x50d99e in decode /src/plan9port/src/libsec/port/x509.c:205:10
#9 0x50d74e in asn1dump /src/plan9port/src/libsec/port/x509.c:2553:5
#10 0x5037e9 in LLVMFuzzerTestOneInput /src/plan9port/fuzz_libsec.c:29:2
#11 0x43b613 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/src/plan9port/fuzz_libsec+0x43b613)
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/plan9port/src/libsec/port/x509.c:2524:66 in edump
Shadow bytes around the buggy address:
0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 02 fa fa fa 02 fa fa fa 03 fa fa fa[04]fa
0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==711558==ABORTING
POC
Credit
Reported by Yifan Zhang, PLL