Headline
CVE-2020-24659: CVE-2020-24659: read-heap-buffer-overflow found by fuzz (#1071) · Issues · gnutls / GnuTLS · GitLab
An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a no_renegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application’s error handling path, where the gnutls_deinit function is called after detecting a handshake failure.
Skip to content
Open Issue created Aug 20, 2020 by lutianxiong@ltx2018
CVE-2020-24659: read-heap-buffer-overflow found by fuzz
Description of problem:
I got a heap-buffer-overflow while fuzzing gnutls-master
==8==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000000 at pc 0x000000ba4514 bp 0x7ffe4031ba00 sp 0x7ffe4031b9f8
READ of size 4 at 0x602000000000 thread T0
SCARINESS: 17 (4-byte-read-heap-buffer-overflow)
#0 0xba4513 in __gmpz_clear /src/gmp/mpz/clear.c:38:7
#1 0x7be127 in wrap_nettle_mpi_release /src/gnutls/lib/nettle/mpi.c:212:2
#2 0x80a21f in _gnutls_mpi_release /src/gnutls/lib/./mpi.h:71:2
#3 0x80dea3 in gnutls_pk_params_release /src/gnutls/lib/pk.c:536:3
#4 0x673445 in deinit_keys /src/gnutls/lib/state.c:380:3
#5 0x672b86 in _gnutls_handshake_internal_state_clear /src/gnutls/lib/state.c:444:2
#6 0x676a57 in gnutls_deinit /src/gnutls/lib/state.c:669:2
#7 0x55475e in LLVMFuzzerTestOneInput /src/gnutls/fuzz/gnutls_psk_client_fuzzer.c:86:2
#8 0x45a1c1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
#9 0x444de1 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
#10 0x44aa9e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:774:9
#11 0x474c12 in main /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#12 0x7f1470de882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#13 0x41e198 in _start (/out/gnutls_psk_client_fuzzer+0x41e198)
0x602000000000 is located 16 bytes to the left of 16-byte region [0x602000000010,0x602000000020)
freed by thread T0 here:
#0 0x52176d in __interceptor_free /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
#1 0xb8de31 in _asn1_delete_list /src/libtasn1/lib/parser_aux.c:590:7
#2 0xb947c8 in asn1_array2tree /src/libtasn1/lib/structure.c:278:5
#3 0x64b073 in _gnutls_global_init /src/gnutls/lib/global.c:293:8
#4 0x64a936 in gnutls_global_init /src/gnutls/lib/global.c:224:9
#5 0x553da4 in init /src/gnutls/fuzz/./fuzzer.h:36:2
#6 0xcdfa1c in __libc_csu_init (/out/gnutls_psk_client_fuzzer+0xcdfa1c)
previously allocated by thread T0 here:
#0 0x5219ed in malloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0xb8a993 in _asn1_add_static_node /src/libtasn1/lib/parser_aux.c:76:7
#2 0xb93d03 in asn1_array2tree /src/libtasn1/lib/structure.c:199:11
#3 0x64b073 in _gnutls_global_init /src/gnutls/lib/global.c:293:8
#4 0x64a936 in gnutls_global_init /src/gnutls/lib/global.c:224:9
#5 0x553da4 in init /src/gnutls/fuzz/./fuzzer.h:36:2
#6 0xcdfa1c in __libc_csu_init (/out/gnutls_psk_client_fuzzer+0xcdfa1c)
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/gmp/mpz/clear.c:38:7 in __gmpz_clear
Version of gnutls used:
master
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Ubuntu 16.04
How reproducible:
run oss-fuzz locally
Steps to Reproduce: use attach file as the corpus to reproduce, like: python infra/helper.py reproduce gnutls gnutls_psk_client_fuzzer gnutls_psk_client_fuzzer-heap-buffer-overflow gnutls_psk_client_fuzzer-heap-buffer-overflow
Actual results:
as description, ASAN report a heap-buffer-overflow bug
Expected results:
no error report
Edited Aug 26, 2020 by Daiki Ueno
Related news
GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.