CVE-2021-27343: LibCrypto: Read buffer overflow in Crypto::der_decode_sequence · Issue #5317 · SerenityOS/serenity
SerenityOS Unspecified is affected by: Buffer Overflow. The impact is: obtain sensitive information (context-dependent). The component is: /Userland/Libraries/LibCrypto/ASN1/DER.h Crypto::der_decode_sequence() function. The attack vector is: Parsing RSA Key ASN.1.
Found with FuzzRSAKeyParsing.
File: crash-f944dcd635f9801f7ac90a407fbc479964dec024.txt (with txt extension to allow uploading to GH)
Trace:
==157609==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000008d92 at pc 0x00000056a24e bp 0x7fffa1e21750 sp 0x7fffa1e21748
READ of size 1 at 0x602000008d92 thread T0
#0 0x56a24d in Crypto::der_decode_sequence(unsigned char const*, unsigned long, Crypto::ASN1::List*, unsigned long, bool) /home/lukew/Desktop/serenity-project/serenity/build/../Userland/Libraries/LibCrypto/ASN1/DER.h:345:18
#1 0x566ba4 in Crypto::PK::RSA::parse_rsa_key(AK::Span<unsigned char const>) /home/lukew/Desktop/serenity-project/serenity/build/../Userland/Libraries/LibCrypto/PK/RSA.cpp:57:9
#2 0x5623de in LLVMFuzzerTestOneInput /home/lukew/Desktop/serenity-project/serenity/build/../Meta/Lagom/Fuzzers/FuzzRSA.cpp:34:5
#3 0x46a6d1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x46a6d1)
#4 0x469e15 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x469e15)
#5 0x46c0b7 in fuzzer::Fuzzer::MutateAndTestOne() (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x46c0b7)
#6 0x46cdb5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x46cdb5)
#7 0x45b76e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x45b76e)
#8 0x4845b2 in main (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x4845b2)
#9 0x7f3d406a70b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#10 0x43050d in _start (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x43050d)
0x602000008d92 is located 0 bytes to the right of 2-byte region [0x602000008d90,0x602000008d92)
allocated by thread T0 here:
#0 0x53023d in malloc (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x53023d)
#1 0x563c74 in AK::ByteBufferImpl::ByteBufferImpl(void const*, unsigned long) /home/lukew/Desktop/serenity-project/serenity/build/.././AK/ByteBuffer.h:274:35
#2 0x56383c in AK::ByteBufferImpl::copy(void const*, unsigned long) /home/lukew/Desktop/serenity-project/serenity/build/.././AK/ByteBuffer.h:313:25
#3 0x5625c4 in AK::ByteBuffer::copy(void const*, unsigned long) /home/lukew/Desktop/serenity-project/serenity/build/.././AK/ByteBuffer.h:126:79
#4 0x5623bd in LLVMFuzzerTestOneInput /home/lukew/Desktop/serenity-project/serenity/build/../Meta/Lagom/Fuzzers/FuzzRSA.cpp:33:27
#5 0x46a6d1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x46a6d1)
#6 0x469e15 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x469e15)
#7 0x46c0b7 in fuzzer::Fuzzer::MutateAndTestOne() (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x46c0b7)
#8 0x46cdb5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x46cdb5)
#9 0x45b76e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x45b76e)
#10 0x4845b2 in main (/home/lukew/Desktop/serenity-project/serenity/build/Meta/Lagom/Fuzzers/FuzzRSA+0x4845b2)
#11 0x7f3d406a70b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lukew/Desktop/serenity-project/serenity/build/../Userland/Libraries/LibCrypto/ASN1/DER.h:345:18 in Crypto::der_decode_sequence(unsigned char const*, unsigned long, Crypto::ASN1::List*, unsigned long, bool)
Shadow bytes around the buggy address:
0x0c047fff9160: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9170: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9180: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9190: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff91a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 02 fa
=>0x0c047fff91b0: fa fa[02]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff91c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff91d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff91e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff91f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==157609==ABORTING
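The report above shows a one-byte read exactly at the end of a 2-byte heap allocation while decoding the outer DER SEQUENCE of an RSA key. The following is an added example, not SerenityOS code and not the code at DER.h:345, of the bounds discipline an ASN.1 decoder needs so that a truncated input is rejected instead of read past the end of the buffer. The names read_der_header, decode_der_sequence and DerElement, and all sample byte strings, are constructed for this illustration and do not reproduce the crash file attached to the issue.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Added example (not SerenityOS's der_decode_sequence): a DER TLV reader in
// which every access to `data` is checked against `size` before it happens.

struct DerElement {
    uint8_t tag;
    size_t content_offset; // offset of the first content byte within the input
    size_t content_length;
};

// Reads one tag + length header at `offset`. Returns false, without touching
// memory beyond `size`, if the tag, the length bytes or the content are cut off.
static bool read_der_header(const uint8_t* data, size_t size, size_t offset,
                            DerElement& out, size_t& next_offset)
{
    if (offset >= size) return false;                 // no room for a tag byte
    uint8_t tag = data[offset++];
    if ((tag & 0x1f) == 0x1f) return false;           // multi-byte tags not handled here
    if (offset >= size) return false;                 // no room for a length byte
    uint8_t first = data[offset++];
    size_t length = 0;
    if (first < 0x80) {
        length = first;                               // short form
    } else {
        size_t num_bytes = first & 0x7f;
        if (num_bytes == 0 || num_bytes > sizeof(size_t)) return false; // indefinite or oversized
        if (num_bytes > size - offset) return false;  // the length bytes themselves are truncated
        for (size_t i = 0; i < num_bytes; ++i)
            length = (length << 8) | data[offset++];
        if (length < 0x80) return false;              // DER requires the minimal length encoding
    }
    if (length > size - offset) return false;         // declared content runs past the buffer
    out = { tag, offset, length };
    next_offset = offset + length;
    return true;
}

// Decodes a top-level SEQUENCE (tag 0x30) and collects its direct children.
// Children are parsed with the sequence's own end as the bound, so a child
// cannot claim bytes outside the sequence even if the buffer is longer.
static bool decode_der_sequence(const uint8_t* data, size_t size, std::vector<DerElement>& children)
{
    DerElement seq;
    size_t seq_end = 0;
    if (!read_der_header(data, size, 0, seq, seq_end)) return false;
    if (seq.tag != 0x30) return false;
    size_t offset = seq.content_offset;
    while (offset < seq_end) {
        DerElement child;
        size_t next = 0;
        if (!read_der_header(data, seq_end, offset, child, next)) return false;
        children.push_back(child);
        offset = next;
    }
    return true;
}

// Constructed inputs (not the crash file from the report).
static const uint8_t kValidSeq[]   = { 0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x07 }; // SEQUENCE { INT 5, INT 7 }
static const uint8_t kTruncated[]  = { 0x30, 0x82 };                   // long-form length, but the buffer ends
static const uint8_t kShortBody[]  = { 0x30, 0x05, 0x02, 0x01 };       // declares 5 content bytes, has 2
static const uint8_t kChildOverrun[] = { 0x30, 0x03, 0x02, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00 }; // child escapes the sequence

// Returns the number of direct children, or -1 if the input is rejected.
static int count_sequence_children(const uint8_t* data, size_t size)
{
    std::vector<DerElement> children;
    if (!decode_der_sequence(data, size, children)) return -1;
    return static_cast<int>(children.size());
}

int main()
{
    std::printf("valid:          %d\n", count_sequence_children(kValidSeq, sizeof kValidSeq));     // 2
    std::printf("truncated:      %d\n", count_sequence_children(kTruncated, sizeof kTruncated));   // -1
    std::printf("short body:     %d\n", count_sequence_children(kShortBody, sizeof kShortBody));   // -1
    std::printf("child overrun:  %d\n", count_sequence_children(kChildOverrun, sizeof kChildOverrun)); // -1
    return 0;
}
```

The two-byte case is the interesting one for this report: the tag and the first length byte both fit, and the decoder only stays safe because the check on the long-form length bytes is performed against the remaining size before any of them is read. Running a decoder like this under the same libFuzzer harness with AddressSanitizer is the natural regression check once the fix lands.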