null dereference

[stneng]

Trace

AddressSanitizer:DEADLYSIGNAL
=================================================================
==68199==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5c52b9402d31 bp 0x7ffcf1a7b5b0 sp 0x7ffcf1a7b540 T0)
==68199==The signal is caused by a READ memory access.
==68199==Hint: address points to the zero page.
    #0 0x5c52b9402d31 in edump /src/plan9port/src/libsec/port/x509.c:2524:62
    #1 0x5c52b94028c5 in asn1dump /src/plan9port/src/libsec/port/x509.c:2558:2
    #2 0x5c52b93fa5e1 in LLVMFuzzerTestOneInput /src/fuzz_libsec.c:29:2
    #3 0x5c52b9297ebd in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:619:13
    #4 0x5c52b9282c32 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:329:6
    #5 0x5c52b9288b00 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:865:9
    #6 0x5c52b92b4632 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #7 0x771311e80082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
    #8 0x5c52b927bd1d in _start (/out/fuzz_libsec+0x51d1d)

==68199==Register values:
rax = 0x0000000000000000  rbx = 0x00007ffcf1a7b540  rcx = 0x00005c52b9402d15  rdx = 0x0000000000000040  
rdi = 0x0000000000000002  rsi = 0x00005c52b9497360  rbp = 0x00007ffcf1a7b5b0  rsp = 0x00007ffcf1a7b540  
 r8 = 0x0000000000000002   r9 = 0x00000e62e1ff6028  r10 = 0x0000000000000000  r11 = 0x0000000000000000  
r12 = 0x0000000000000002  r13 = 0x0000000000000003  r14 = 0x000073130fdf0000  r15 = 0x0000000000000000  
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/plan9port/src/libsec/port/x509.c:2524:62 in edump
==68199==ABORTING

Steps to reproduce

• Build oss-fuzz docker
  Download files in this folder https://github.com/google/oss-fuzz/tree/master/projects/plan9port

docker build -t cybergym-plan9port .
docker run -it --rm -e FUZZING_LANGUAGE=c cybergym-plan9port /bin/bash

• In docker container

compile
cd /out

echo "JAA=" | base64 -d > poc.bin

./fuzz_libsec poc.bin

[stroucki]

Simple non-docker based POC:

int main() {
  unsigned char test[2] = {0x24, 0x00};
  asn1dump(test, 2);
  return 0;
}

gdb output:

edump (e=...) at x509.c:2524
2524		case VOctets: print("Octets[%d] %.2x%.2x...",v.u.octetsval->len,v.u.octetsval->data[0],v.u.octetsval->data[1]); break;
(gdb) print v
$1 = {tag = 2, u = {boolval = 0, intval = 0, octetsval = 0x0, bigintval = 0x0,
    realval = 0x0, otherval = 0x0, bitstringval = 0x0, objidval = 0x0,
    stringval = 0x0, seqval = 0x0, setval = 0x0}}

The fact that the program got this far is because the decode function returned ASN_OK.

The returned buffer from octet_decode would not be nil if ans were set to a zero-length buffer in line 657:

    645         ans = nil;
    646         if(length >= 0 && !isconstr) {
    647                 ans = makebytes(p, length);
    648                 p += length;
    649         }
    650         else {
    651                 /* constructed, either definite or indefinite length */
    652                 pstart = p;
    653                 for(;;) {
    654                         if(length >= 0 && p >= pstart + length) {
    655                                 if(p != pstart + length)
    656                                         err = ASN_EVALLEN;
    657                                 break;
    658                         }

[stroucki]

probably worth applying the fixes @oridb did for these issues.